ESET Threat Report Highlights Surge in ‘ClickFix’ Fake Error Attacks and Evolving Cyber Threats

ESET has released its latest Threat Report, summarizing trends observed between December 2024 and May 2025. A key finding is the emergence of ‘ClickFix,’ a deceptive fake error attack vector that surged by over 500% compared to the second half of 2024. ClickFix now accounts for nearly 8% of all blocked attacks in the first half of 2025, making it the second most common attack vector after phishing.
ClickFix attacks manipulate victims into executing malicious commands on their devices by displaying a fake error. This attack vector impacts major operating systems, including Windows, Linux, and macOS. Jiří Kropáč, Director of Threat Prevention Labs at ESET, stated, “The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors.”
The report also noted shifts in the infostealer landscape. SnakeStealer (also known as Snake Keylogger), which is capable of logging keystrokes, stealing credentials, capturing screenshots, and collecting clipboard data, has surpassed Agent Tesla as the most detected infostealer. ESET contributed to disruption operations targeting Lumma Stealer and Danabot, two significant malware-as-a-service threats, which saw increased activity before their disruption.
The ransomware scene experienced further disruption, with rival gangs, including RansomHub, impacting operations. While ransomware attacks and the number of active gangs increased in 2024, ransom payments significantly dropped, potentially due to takedowns, exit scams, or diminished trust in the gangs’ ability to deliver.
On the mobile front, Android adware detections increased by 160% due to the Kaleidoscope malware, which uses a “deceptive evil twin” strategy to distribute ad-bombarding apps. NFC-based fraud also saw a thirty-five-fold increase, fueled by phishing campaigns and relay techniques. ESET’s research into GhostTap revealed its method of stealing card details for fraudulent contactless payments. SuperCard X facilitates NFC theft as a malware-as-a-service tool, quietly capturing and relaying card data.
Kropáč summarized the report, stating, “From novel social engineering techniques to sophisticated mobile threats and major infostealer disruptions, the threat landscape in the first half of 2025 was anything but boring.”