
Quick Summary
- The new ESET Threat Report H2 2025 from ESET Research shows AI-powered malware moving from theory to production reality, with PromptLock emerging as the first known AI-driven ransomware and a sharp rise in AI-boosted fraud campaigns.
- Mobile and NFC fraud exploded in sophistication and volume, with an 87% increase in NFC threats, new malware families like RatOn and PhantomCard, and upgraded NGate capabilities aimed squarely at contact theft and large-scale financial abuse.
- Classic crimeware is reshuffling: ransomware victims are projected to grow 40% year-over-year, CloudEyE (GuLoader) detections surged almost thirtyfold, while Lumma Stealer detections crashed 86% after its disruption—highlighting how fast the ecosystem retools.
- CISOs need to assume AI-enhanced attackers and mobile/NFC-centric fraud as baseline reality, and respond with threat-informed controls: hardening EDR against killers, extending zero trust to mobile and NFC, and rigorously governing AI use before adversaries define the rules.
AI-driven malware is no longer hypothetical — it’s in the wild
ESET Research’s latest telemetry, summarized in the ESET Threat Report H2 2025, marks a line in the sand: AI-powered malware has exited the lab. As detailed in the report, PromptLock – the first known AI-driven ransomware – now generates malicious scripts on the fly. That’s not just “using AI” for prettier lures; it’s using AI directly in the execution chain.
PromptLock sits alongside a broader pattern: fraud operations such as the Nomani investment scams are actively weaponizing generative models. ESET observed:
- Higher-quality deepfakes to front scams and investment pitches.
- Phishing sites with visible signs of AI generation.
- Increasingly short-lived ad campaigns designed to churn identities and infrastructure faster than defenders can blacklist.
In ESET telemetry, detections of Nomani scams grew 62% year-over-year, even though the trend declined slightly in H2 2025. These scams have also expanded beyond Meta into YouTube, proving that once a fraud playbook works on one platform, it quickly cross-pollinates.
At the same time, the ransomware economy remains brutally healthy. ESET Research projects a 40% year-over-year increase in victim numbers for 2025, with totals surpassing 2024 well before year’s end. Akira and Qilin now dominate the ransomware-as-a-service market, while newcomer Warlock introduced new evasion techniques and contributed to a sharp rise in EDR killers targeting endpoint detection and response tools directly.
For CISOs, the significance isn’t that “AI is coming” – it’s that AI now exists across the entire kill chain:
- Content and social engineering: AI-cooked phishing, synthetic personas, realistic voice and video deepfakes.
- Execution: malware like PromptLock able to generate or adapt scripts in real time.
- Operations: short-lived campaigns and infrastructure that use algorithmic churn to evade reputation-based defenses.
If your AI strategy is still confined to “using models to detect attacks,” you’re fighting an asymmetrical war. You need a full-spectrum AI posture: understand how cybercriminals use artificial intelligence, govern your internal AI usage, and ensure your detection stack can cope with polymorphic, AI-mutated behavior rather than just signatures or static IOCs. AI is now a capability layer on both sides of the field.
NFC, mobile, and the quiet pivot to physical-proximity fraud
While AI-driven scams grab headlines, ESET’s H2 2025 data shows something many enterprises still underestimate: an aggressive pivot into mobile and NFC-based fraud.
On mobile platforms, NFC threats grew 87% in ESET telemetry in H2 2025, with both upgraded families and entirely new campaigns:
- NGate, a pioneer among NFC threats first discovered by ESET, received a significant upgrade: contact stealing, which almost certainly sets up later waves of social engineering, SIM swap attempts, and payment fraud.
- RatOn, a new entrant, fuses remote access trojan (RAT) capabilities with NFC relay attacks – a rare, nasty combination that gives operators both remote control and proximity fraud capability.
- RatOn distribution relied on fake Google Play pages and ads mimicking an adult version of TikTok and a digital bank ID service – leveraging both curiosity and financial trust in one go.
- PhantomCard, NGate-based malware adapted to the Brazilian market, appeared in multiple campaigns in Brazil, showing how quickly threat actors localize and verticalize their tooling.
This isn’t random noise in the mobile threat landscape; it’s a clear signal that payment rails and identity systems relying on NFC and mobile wallets are now mainstream targets. NFC relay attacks and card-emulation frauds effectively “stretch” physical proximity, making assumptions about “tap-to-pay” security brittle.
Combine that with AI-assisted phishing and more dynamic fraud infrastructure, and you get an ecosystem capable of:
- Harvesting contacts and device data via NGate-style upgrades.
- Using RAT+NFC hybrids like RatOn for both device control and payment abuse.
- Localizing and scaling via variants like PhantomCard aligned to regional banks and regulations.
Enterprises that still treat mobile as “just another endpoint” miss the specific business risk: NFC and mobile are where identity, payments, and user trust converge. Traditional MDM plus AV does not equal resilience against targeted NFC relay campaigns, fake app stores, or full-funnel fraud operations.
This is where applying zero trust to mobile, including NFC workflows, stops being theoretical. If you’re not already examining approaches like curbing mobile malware with zero trust, you’re ceding an increasingly critical attack surface.
From Lumma’s collapse to CloudEyE’s surge: what CISOs must change now
The back half of the ESET Threat Report H2 2025 reads like a case study in adversary adaptiveness – and in defender blind spots.
After a global disruption effort in May, the Lumma Stealer infostealer briefly resurfaced twice but appears to be in serious decline. Detections dropped by 86% in H2 2025 compared to H1, and ESET telemetry shows one of its core distribution vectors – the HTML/FakeCaptcha trojan used in ClickFix attacks – almost vanishing.
On the surface, that looks like a win. In practice, the vacuum didn’t stay empty:
- CloudEyE, also known as GuLoader, surged almost thirtyfold in ESET telemetry during H2 2025.
- CloudEyE operated as a malware-as-a-service downloader and cryptor in malicious email campaigns, used to deploy ransomware and infostealers like Rescoms, Formbook, and Agent Tesla.
- Poland took the brunt of this wave, with 32% of CloudEyE attack attempts in H2 2025 detected there.
In parallel, ransomware operators continue to invest in EDR killers — a clear admission that EDR tooling, especially when well-operationalized, is one of the few real friction points they still face.
Taken together, this tells CISOs two uncomfortable truths:
- Disrupting one family (Lumma Stealer) without degrading the underlying distribution and monetization ecosystem just shifts the revenue to the next tool (CloudEyE, GuLoader, etc.).
- Attackers will keep funding offensive R&D around your strongest controls (EDR, MFA, mobile identity), not your weakest. Your roadmap must anticipate that.
To respond, security leaders should prioritize a few concrete moves:
- Harden and diversify EDR: Assume EDR killers exist and will be used against you. Deploy multi-vendor or multi-layer endpoint visibility where possible, and aggressively monitor for EDR tampering, service stoppage, or driver abuse. Instrument detection around “defense evasion” behaviors, not just payloads.
- Threat-model NFC and mobile explicitly: Treat NFC payment, digital ID, and mobile banking integrations as separate threat models, not a footnote under “mobile.” Simulate NGate/RatOn/PhantomCard-style campaigns in red teaming and tabletop exercises; validate that business owners understand these as fraud and brand risks, not just device hygiene issues.
- Rebuild email security for MaaS loaders: CloudEyE/GuLoader and similar downloaders thrive on gaps between email controls, endpoint protection, and user training. Tighten attachment and link detonation, enforce strict file-type policies, and inspect archive/packer abuse typical of cryptors. Correlate email telemetry with endpoint execution, rather than treating them as separate domains.
- Govern AI use before attackers define the baseline: Build explicit policies and controls for internal AI use – models, prompts, outputs, and integration points. Align these with an understanding of the evolution of AI in cybersecurity, and ensure blue teams can detect AI-mutated scripts and adaptive TTPs, not just static malware families.
- Region-aware defense: Data like “32% of CloudEyE attack attempts hit Poland” is a reminder that regional targeting is real. Tune detections, intel sharing, and law enforcement partnerships by geography; don’t rely on a purely global average threat model.
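A minimal version of the “defense evasion” instrumentation the first recommendation calls for, as an added example (not code from ESET or the report): it flags stops of protected EDR services, kernel-driver loads from user-writable paths or unknown signers, and termination of EDR processes by anything other than the EDR itself, escalating a service stop that follows a suspicious driver load on the same host. The service, process and signer names and the sample telemetry are constructed placeholders you would replace with your own EDR’s.

```python
from datetime import datetime, timedelta

# Assumed placeholders: your EDR footprint and the driver signers you trust.
PROTECTED_SERVICES = {"EdrAgentSvc", "EdrSensorSvc"}
PROTECTED_PROCESSES = {"edr_agent.exe", "edr_sensor.exe"}
TRUSTED_DRIVER_SIGNERS = {"Microsoft Windows", "Example EDR Vendor"}
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
ESCALATION_WINDOW = timedelta(minutes=5)  # driver load -> service stop gap that escalates

def _ts(ev):
    return datetime.fromisoformat(ev["ts"])

def detect(events):
    """Return alerts for EDR-tampering behaviours found in a list of telemetry events.
    Each event is a dict with 'ts', 'host', 'type' plus type-specific fields."""
    alerts, recent_driver = [], {}  # recent_driver: host -> time of last suspicious load
    for ev in sorted(events, key=_ts):
        host, kind = ev["host"], ev["type"]
        if kind == "driver_loaded":
            untrusted = ev.get("signer") not in TRUSTED_DRIVER_SIGNERS
            from_writable = ev["path"].lower().startswith(WRITABLE_PREFIXES)
            if untrusted or from_writable:  # BYOVD-style "driver abuse" shape
                recent_driver[host] = _ts(ev)
                alerts.append({"host": host, "rule": "suspicious_driver_load",
                               "severity": "medium", "detail": ev["path"]})
        elif kind == "service_stopped" and ev["service"] in PROTECTED_SERVICES:
            last = recent_driver.get(host)
            # A protected service stopping shortly after a suspicious driver load is
            # the classic EDR-killer sequence, so raise the severity.
            sev = "high" if last and _ts(ev) - last <= ESCALATION_WINDOW else "medium"
            alerts.append({"host": host, "rule": "edr_service_stopped",
                           "severity": sev, "detail": ev["service"]})
        elif (kind == "process_terminated" and ev["target"].lower() in PROTECTED_PROCESSES
              and ev["actor"].lower() not in PROTECTED_PROCESSES):  # EDR restarting itself is fine
            alerts.append({"host": host, "rule": "edr_process_killed",
                           "severity": "high", "detail": f'{ev["actor"]} -> {ev["target"]}'})
    return alerts

# Constructed sample telemetry (not taken from the report).
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T09:01:10", "host": "ws-17", "type": "driver_loaded",
     "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.sys", "signer": "Unknown Publisher"},
    {"ts": "2025-11-03T09:02:05", "host": "ws-17", "type": "service_stopped",
     "service": "EdrAgentSvc", "actor": "upd.exe"},
    {"ts": "2025-11-03T09:02:07", "host": "ws-17", "type": "process_terminated",
     "actor": "upd.exe", "target": "edr_sensor.exe"},
    {"ts": "2025-11-03T12:00:00", "host": "ws-22", "type": "service_stopped",
     "service": "EdrAgentSvc", "actor": "services.exe"},  # no prior driver load: medium
    {"ts": "2025-11-03T12:00:01", "host": "ws-22", "type": "process_terminated",
     "actor": "edr_agent.exe", "target": "edr_sensor.exe"},  # EDR self-restart: ignored
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```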
The actionable takeaway: stop thinking in terms of “families” and start thinking in terms of functions. Lumma, CloudEyE, PromptLock, NGate, RatOn, PhantomCard, Akira, Qilin, Warlock — these are branded wrappers around a few recurring capabilities: access, stealth, monetization, and fraud. Align your controls to break those functions at multiple points, and AI-enhanced or NFC-based attacks turn from an existential risk into another engineering problem you can grind down over time.