ESET Threat Report H1 2026: AI Boosts Cyber Attackers
News | 14.07.2026
Cyber attackers are scaling operations faster than ever, and AI is now embedded in every stage of the attack chain.
The first half of 2026 marks a turning point in how adversaries use artificial intelligence to increase the efficiency and scalability of attacks. From malicious AI skills abused by autonomous agents to the first known Android malware using generative AI, defenders face a rapidly expanding attack surface. The new ESET Threat Report H1 2026 details these trends and provides evidence-based guidance for security leaders.
What was announced
ESET Research has released its H1 2026 Threat Report, summarizing telemetry and expert insights from December 2025 through May 2026. The report analyzes nearly 900,000 AI skills, small functional components used by AI agents, and identifies tens of thousands of suspicious and thousands of outright malicious instances. ESET researchers also uncovered PromptSpy, the first known Android malware to use generative AI within its execution flow.
Additional findings include the expansion of ClickFix social engineering into AI-themed help pages, browser extensions and cloud authentication scenarios, record levels of QR code phishing, and continued ransomware activity supported by more than 100 documented EDR killers.
Rather than relying on entirely new methods and tools, attackers are quickly adapting established techniques to new platforms, technologies, and user behaviors. The number of AI skills within this new ecosystem is growing rapidly, further expanding the attack surface
Why this matters
For CIOs, CISOs, IT directors and procurement leaders, the report signals a shift from opportunistic to industrialized attacks. Adversaries reuse mature techniques such as ClickFix and quishing but target new trust surfaces: generative AI assistants, OAuth cloud consent flows and mobile-first user journeys. ConsentFix, an evolution of ClickFix, combines interaction abuse with OAuth token theft to hijack cloud accounts without stealing credentials and often bypasses MFA. ESET detections of this vector more than doubled between H2 2025 and H1 2026.
Ransomware volumes continue to grow, but the share of victims willing to pay dropped to 14 to 28 percent according to three recent industry reports. This changes the economics of extortion and increases pressure on data protection, EDR resilience and incident response readiness.
Technical details
- AI skills analyzed: nearly 900,000, with thousands of malicious instances abusing tools such as Mimikatz and Impacket.
- PromptSpy: first known Android malware to use generative AI in its execution flow.
- ClickFix evolution: AI-fix pages abusing trusted AI domains, and ConsentFix leveraging OAuth authorization abuse.
- Quishing: approximately 11% of phishing emails in H1 2026 used QR codes; top regions US (19%), Spain (17%), Mexico (6%).
- EDR killers: more than 100 different variants documented in the wild, with new ones appearing regularly.
- Ransomware payments: paying-victim share reached all-time lows at 14 to 28%.
Softprom and ESET
Softprom is the official distributor of ESET. Our team helps enterprises deploy ESET endpoint, cloud and mobile protection, XDR and threat intelligence to counter AI-enabled threats described in the H1 2026 report.
Request a consultation and licensing options from ESET experts at Softprom.
This content was prepared as part of the Softprom DistriFlow project — an automated system for monitoring and adapting vendor news. Original source: original article.