The second half of 2025 brought notable shifts in the threat landscape, both in the tooling attackers use and in how quickly it changes. ESET's threat report for the period marks one shift in particular: artificial intelligence has moved from a theoretical risk to something that shows up inside malware itself.
The Dawn of AI-Generated Malware
Researchers identified PromptLock, the first known AI-powered ransomware. Instead of running from pre-written code, it queries a locally hosted large language model at run time and executes the Lua scripts the model generates for file discovery, exfiltration and encryption. ESET assessed the sample as a proof of concept rather than malware seen in live attacks, but it shows that the technique works end to end.
Currently, most cybercriminals use AI mainly to write convincing phishing messages and scam content. PromptLock, together with several other recently discovered AI-assisted threats, signals an inflection point: once malware generation is automated by a generative model, the threat calculus organizations plan against changes.
The practical consequence is that malware whose code differs on every run has no stable signature. Detection systems that depend on recognizing known file hashes, byte patterns or script contents have nothing fixed to match against, which pushes defenders toward behavioral detection.
Lumma Stealer's Dramatic Collapse
After the coordinated international takedown of its infrastructure in May, Lumma Stealer attempted two brief comebacks during the second half of the year. Neither recovered its earlier volume: ESET detections fell 86% compared with H1 2025.
Contributing to the decline, HTML/FakeCaptcha activity, the fake verification pages that ClickFix campaigns use to trick victims into pasting an attacker-supplied command into the Windows Run dialog or a terminal, all but vanished from telemetry. The infrastructure disruption appears to have done lasting damage to what was, for a time, the most widely distributed information stealer.
CloudEyE's Explosive Rise
Conversely, CloudEyE (also tracked as GuLoader) grew sharply, with detections roughly thirty times higher than in the previous period. Sold as a service, it acts as both a downloader and a crypter, a wrapper that encrypts and obfuscates a payload so that static scanning does not see it, and is distributed mainly through malicious email attachments.
Its operators use CloudEyE to stage secondary payloads ranging from ransomware to remote access trojans and information stealers, including Rescoms (Remcos), Formbook and Agent Tesla. The speed of the increase suggests that criminal groups have adopted it widely because the crypter layer reliably gets payloads past signature-based controls.
Ransomware Reaches Record Victim Counts
Well before December, the number of published ransomware victims had already exceeded 2024's full-year total. Projections point to roughly 40% year-over-year growth, a sign that the ransomware-as-a-service (RaaS) model continues to scale.
Akira and Qilin have become the dominant RaaS operations, gaining share through aggressive affiliate recruitment and their technical capabilities. The lesser-known newcomer Warlock introduced new evasion tactics aimed at defeating detection.
EDR killer tools proliferated during the period. These utilities exist to disable or blind endpoint detection and response agents, typically by loading a vulnerable signed driver and abusing it from kernel mode, which shows how seriously ransomware operators treat modern endpoint protection as an obstacle worth dedicated tooling. For defenders, that makes driver-load telemetry and tamper-protection settings on the EDR itself worth checking.
Researchers also uncovered HybridPetya, an updated derivative of the Petya/NotPetya family. It is more dangerous than its predecessors because it can compromise modern UEFI-based systems: it installs a malicious EFI application on the EFI System Partition and, like the original Petya, encrypts the NTFS Master File Table, reviving a technique many had assumed was history.
Android NFC Threats Mature Rapidly
Android faced growing pressure from near-field communication (NFC) based attacks: detections rose 87% while the threats themselves became more capable. Several notable campaigns and technical improvements appeared during the period.
NGate, first documented in 2024 as the original NFC relay fraud tool (it forwards payment card data read from the victim's phone to an attacker's device for cash-outs at ATMs or terminals), received substantial upgrades. Its developers added contact harvesting, functionality that most likely lays the groundwork for expanded operations against the victim's contacts. Successful attack methods get refined, not retired.
RatOn took a new approach to NFC fraud by combining remote access trojan functionality with NFC relay techniques in a single implant. The hybrid design shows how persistently criminals keep working on mobile payment and contactless authentication systems.
Investment Scam Operations Enhance Tactics
The groups behind the Nomani investment scams have upgraded their tradecraft. Investigators observed higher-quality deepfake videos, signs that the phishing sites are AI-generated, and much shorter advertising campaigns designed to outrun detection.
Detections of Nomani-related scams grew 62% year over year, although H2 2025 saw the growth slow somewhat. The scammers appear to have concluded that adapting their technique matters more than raw volume.
The shortened ad campaigns stand out. By rotating creatives and landing pages faster than security researchers and platform moderators can react, the operators keep reaching victims while limiting their exposure to takedowns.
Strategic Implications for Defenders
Taken together, these developments show threat actors continuously probing for weaknesses and folding new technology into their operations. AI-assisted malware generation is probably the most consequential shift, because it undermines the assumption that a given malware family has a stable set of artifacts to detect.
Static defenses are no longer enough on their own. Adaptive threats call for security architectures that identify anomalous behavior (mass file modification, shadow copy deletion, unexpected driver loads, unusual process lineage) rather than relying solely on matching known signatures. The spread of EDR killers also means that even a capable endpoint agent needs complementary layers: network monitoring, centralized logging that the endpoint cannot delete, and tamper protection for the agent itself.
Lumma Stealer's attempted returns, however brief, are a reminder that infrastructure takedowns disrupt criminal operations rather than end them. In this case the disruption held, but the operators did try to rebuild, and others have succeeded.
On mobile, the growing sophistication of NFC-based attacks exposes weaknesses in authentication flows that many users assume are inherently safe. The convenience of contactless payment has created an attack surface that criminals are exploiting with steadily improving tooling.
The second half of 2025 confirms that threats are evolving at an accelerating pace, driven by criminal innovation, new technology and profitable business models. Defenders face an adversary ecosystem that learns quickly, adapts continuously, and increasingly uses the same tools organizations deploy for legitimate purposes.
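To make the signature-versus-behavior point concrete, here is a small added example (not code from ESET or from the report) that contrasts the two approaches on constructed data. Two stand-in "samples" with identical logic and a one-byte difference represent malware that is rewritten on each run; a hash-based signature catches only the known build. A behavioral detector run over a constructed stream of endpoint events flags the process anyway, from what it does: a burst of renames to a single new extension and a shadow copy deletion command. The event format, thresholds and the sample data are assumptions for illustration, not any vendor's telemetry schema.

```python
import hashlib
from collections import defaultdict, deque

# Constructed stand-ins for two builds of the same malware: identical behaviour, one byte
# different, as happens when the code is generated or rewritten at run time. Not real samples.
KNOWN_SAMPLE = b"payload: walk tree; encrypt; drop note; build=1"
MUTATED_SAMPLE = b"payload: walk tree; encrypt; drop note; build=2"

# A signature store keyed on file hash, the classic "known bad" approach.
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Return True only if this exact hash is already known."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURES


# Constructed endpoint telemetry: (timestamp_s, pid, event_type, detail).
# pid 2002 behaves like ransomware; pid 1001 is benign background activity.
EVENTS = [
    (0.0, 1001, "process_start", "svchost.exe"),
    (0.5, 1001, "file_rename", "cache.tmp -> cache.dat"),
    (1.0, 2002, "process_start", "updater.exe"),
    (1.2, 2002, "process_start", "vssadmin.exe delete shadows /all /quiet"),
]
EVENTS += [
    (1.3 + i * 0.1, 2002, "file_rename", f"doc{i}.docx -> doc{i}.docx.locked")
    for i in range(12)
]


def _new_extension(detail: str) -> str:
    """Extension of the destination name in an 'old -> new' rename record."""
    dst = detail.split("->")[-1].strip()
    return dst.rsplit(".", 1)[-1].lower() if "." in dst else ""


def behavioral_alerts(events, window_s=5.0, rename_threshold=10):
    """Flag processes by what they do, not by what they hash to.

    Rule 1: at least rename_threshold renames to the same new extension within window_s seconds.
    Rule 2: a child command line that deletes volume shadow copies.
    Returns {pid: [reasons]} for flagged processes only.
    """
    alerts = defaultdict(list)
    recent = defaultdict(deque)  # (pid, new_ext) -> timestamps of renames inside the window
    for ts, pid, etype, detail in sorted(events):
        if etype == "process_start":
            cmd = detail.lower()
            if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
                alerts[pid].append("shadow copy deletion")
        elif etype == "file_rename":
            key = (pid, _new_extension(detail))
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window_s:  # drop renames older than the window
                q.popleft()
            reason = f"mass rename to .{key[1]}"
            if len(q) >= rename_threshold and reason not in alerts[pid]:
                alerts[pid].append(reason)
    return dict(alerts)


if __name__ == "__main__":
    print("known build matches signature:", signature_match(KNOWN_SAMPLE))
    print("mutated build matches signature:", signature_match(MUTATED_SAMPLE))
    print("behavioral alerts:", behavioral_alerts(EVENTS))
```

The signature check is exact by design, which is why a single changed byte defeats it. The behavioral rules are deliberately simple; in production they would be tuned against baseline activity (backup agents and archivers also rename many files) and correlated with other signals such as driver loads and process lineage, but the structure, a sliding window over per-process events with thresholds, is how most such detections are built.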
Access ESET's complete technical analysis, indicators of compromise, and sector-specific threat breakdowns in the full report below.