74 views
2 hours ago

ESET threat report reveals AI boosting cyber attacker efficiency

ESET report shows ransomware victims refusing to pay

The ESET H1 2026 Threat Report highlights how artificial intelligence is enhancing cyber attack efficiency. Key findings include the first Android malware using generative AI, a surge in QR code phishing (quishing), and the evolution of social engineering through malicious AI skills.

“Rather than relying on entirely new methods and tools, attackers are quickly adapting established techniques to new platforms, technologies, and user behaviors. The number of AI skills within this new ecosystem is growing rapidly as we speak, further expanding the attack surface,“ says ESET Director of Threat Prevention Labs Jiří Kropáč. “On the other hand, PromptSpy illustrates the potential for increased flexibility in future threats although guardrails against abuse included in LLMs are likely slowing down the adoption,” explains Kropáč.

AI skills are small add-ons or sets of instructions that instruct an AI agent how to perform a specific task, including which services or tools to use and what data to access. The published report covers details about malicious AI skills using third-party hacking tools such as Mimikatz or Impacket and a suspicious self-modifying skills designed to create a persistence mechanism (JSON file) and a tool for self-modification (Python code). This can lead to unpredictable behavior of the agent or its abuse by an attacker. And finally, there are benign but problematic skills such as those marketed as security scanners, which create a false sense of security but implement only basic scanning techniques   like AV tools from the 1990s – or simply query the reputation of hashes, URLs, and IP addresses on VirusTotal.

Meanwhile, ClickFix  a social engineering technique leveraging fake error messages – has expanded beyond fake CAPTCHA prompts into AI-themed help pages, browser extensions, and cloud authentication scenarios. AI-fix shows how adversaries exploit trust in generative AI, embedding ClickFix compromise chains into AI-generated troubleshooting content to nonexistent issues on pages that abuse domains of AI powerhouses. ConsentFix highlights an evolution toward token theft, combining ClickFix-style interaction with OAuth authorization abuse to hijack cloud accounts without the need to steal credentials, often bypassing MFA and relying entirely on legitimate login workflows. ESET detections of this vector more than doubled between H2 2025 and H1 2026, indicating sustained activity and adaptation.

Phishing campaigns are also evolving in response to user behavior. QR code phishing  also known as quishing – has reached record levels in ESET telemetry, with attackers embedding malicious links in QR codes to bypass inspection and shift user interaction to mobile devices while exploiting the implicit trust many people place in the barcodes with square patterns. Approximately 11% of all detected phishing emails in H1 2026 utilized QR codes, and QR code phishing threats were most prevalent in the US (19% of detections), Spain (17%), and Mexico (6%).

Last but not least, ransomware activity showed no signs of slowing down, with the continued use of EDR killers tools designed to disable security software during attacks. ESET Research has documented over 100 different EDR killers used in the wild, with new variants appearing regularly. The number of ransomware attacks continued to grow in H1 2026, but the number of victims willing to pay reached all-time lows. Three recent industry reports confirmed this downward trend, reporting a 14–28% share of paying victims.

Leave a Reply

Latest from Blog

Don't Miss

ESET Cybersecurity

ESET previews AI security features to protect chatbot and AI workflows

ESET has introduced upcoming AI security capabilities designed to protect chatbot interactions

ESET to showcase AI-Powered cybersecurity solutions at GITEX Global 2025

ESET is reaffirming its commitment to protecting the Middle East’s digital infrastructure

Welcome to

By signing or creating an account you agree with our Code of conduct & Privacy policy