ESET Threat Report H1 2026 Highlights Rising AI-Powered Cyber Threats, QR Code Phishing, and Evolving Ransomware Tactics

Published
Written by:
Rachita Jain
Rachita Jain
VPN Staff Editor
Key Takeaways
  • ESET Threat Report H1 2026: AI threats, ClickFix attacks, and QR phishing increased as cybercriminals refined existing attack techniques.
  • AI-Driven Threats: ESET identified malicious AI skills and the first Android malware using generative AI during execution.
  • User Impact: QR phishing reached record levels while ransomware attackers continued deploying tools that disable security software.

ESET has released its Threat Report H1 2026, outlining how cybercriminals are increasingly refining existing attack methods instead of creating entirely new ones. Published on July 8, 2026, the report covers threat activity observed between December 2025 and May 2026 and is based on the cybersecurity company's global telemetry and research.

According to ESET, attackers are making greater use of artificial intelligence (AI), expanding social engineering campaigns, and continuing to improve ransomware operations. The findings come from ESET's own threat detection systems and research teams, making the report an official assessment of the cybersecurity landscape.

Executive summary from the ESET Threat Report H1 2026 highlighting AI-driven cyber threats, ClickFix expansion, QR phishing, and ransomware activity.
ESET's H1 2026 Threat Report summarizes the rise of AI-powered malware, ClickFix attacks, QR phishing, and ransomware trends | Source: ESET Threat Report H1 2026

AI Is Expanding the Cyberattack Surface

One of the report's key findings is the rapid growth of AI-related threats. ESET analyzed nearly 900,000 AI skills, small software components that allow AI agents to perform specific tasks, and identified around 25,000 suspicious and more than 3,000 malicious skills.

AI agents can perform actions such as browsing the web, executing commands, accessing files, or interacting with online services. While these capabilities can improve productivity, malicious or compromised AI skills could be abused to steal data, download malware, change an AI agent's behavior, or execute unauthorized actions.

ESET also documented PromptSpy, which it describes as the first known Android malware to use generative AI during its execution. The malware relies on Google Gemini to interpret on-screen interface elements and adapt its behavior across different Android devices without depending on fixed screen coordinates. Although ESET notes that AI-powered malware remains uncommon, PromptSpy demonstrates how AI could make future malware more flexible and harder to adapt to with traditional detection methods.

PromptSpy malware overview from the ESET Threat Report H1 2026 showing how generative AI is used during Android malware execution.
ESET explains how PromptSpy became the first known Android malware to integrate generative AI into its execution process | Source: ESET Threat Report H1 2026

ClickFix, QR Code Phishing, and Ransomware Continue to Evolve

The report shows that ClickFix, a social engineering technique that tricks users into following fake troubleshooting instructions, continues to spread into new scenarios. Originally associated with fake CAPTCHA pages, the technique now also appears in AI-themed support pages, browser extensions, and cloud authentication workflows. ESET said detections of ClickFix-related activity more than doubled between the second half of 2025 and the first half of 2026.

ESET also recorded record levels of QR code phishing, commonly known as quishing. In these attacks, criminals hide malicious links inside QR codes instead of traditional hyperlinks. Victims are encouraged to scan the code using a mobile device, which can bypass both visual inspection and, in some cases, email security tools. According to ESET's telemetry, QR code phishing accounted for approximately 11% of all detected phishing emails during the first half of 2026.

Ransomware activity also remained strong throughout the reporting period. ESET said attackers continue to deploy EDR killers, specialized tools designed to disable endpoint detection and response (EDR) software before launching ransomware. The company has tracked more than 100 EDR killers being used in real-world attacks, with new variants appearing regularly.

At the same time, ESET noted encouraging signs that fewer organizations are paying ransom demands, citing data from multiple industry sources indicating a continued decline in ransom payments despite ongoing attack activity.

Why Privacy Users Should Pay Attention

The report highlights broader trends that matter to anyone concerned about data privacy and security. The growing use of AI in malware, increasingly convincing phishing campaigns, and attacks that target authentication systems all raise the risk of credential theft and unauthorized account access.

Users should remain cautious when scanning QR codes, avoid following unexpected troubleshooting instructions from websites, and verify requests that involve account logins or authentication. ESET also recommends using reputable security software capable of detecting malicious QR codes and other modern phishing techniques.

The report does not require users to take any immediate action beyond following standard cybersecurity best practices. However, it underscores that attackers are continuously adapting familiar techniques to new technologies, making user awareness and layered security more important than ever.

The findings are based on the official ESET Threat Report H1 2026, which reflects threat telemetry collected globally between December 2025 and May 2026.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: