The major threats associated with cybercrime maintain practically the same names as a few years ago. Ransomware continues to extort companies, phishing continues to be the main access route for attackers, and banking Trojans continue to evolve. However, beneath this apparent continuity, a much deeper transformation is taking place: artificial intelligence is redefining the way cybercriminals operate, allowing them to automate processes, adapt their campaigns in real time and significantly increase the effectiveness of their attacks.

That was the main message conveyed by Josep Albors, head of Research and Awareness at ESET Spain, during the presentation of the Threat Report H1 2026, a report that analyzes the evolution of threats detected between December 2025 and May 2026. The data once again places Spain as one of the countries most affected by cybercrime, concentrating 7.43% of all detections recorded by the company and ranking third world position, only behind Japan and Poland.

But, beyond the statistical data, the real change lies in the evolution of the threats themselves. “We are not seeing a replacement of traditional threats, but rather an evolution,” Albors summarized during the presentation. “AI is allowing cybercriminals to automate processes, personalize attacks and adapt much faster to new scenarios.” In other words, new malware families have not appeared capable of revolutionizing the landscape, but rather the already known ones are incorporating capabilities that make them much more effective.

Ransomware: more selective and better prepared attacks

Ransomware continues to be one of the most lucrative cybercrime activities. Although the number of organizations paying ransoms has decreased compared to four or five years ago, Albors warned during the meeting that many companies still choose to pay without reporting the incident, especially when criminals threaten to publish the stolen information. This lack of visibility prevents us from knowing the true dimension of the problem.

In Spain, the services, tourism and industry sectors continue to be among the main objectives of these campaigns. However, the most striking aspect is not so much the profile of the victims as the degree of specialization achieved by some groups.

One of them is The Gentlemen, an organization that has seen a significant spike in activity during the first semester. Unlike other gangs that launch massive campaigns, this group carefully selects their targets. “It does not look for random victims, but rather organizations that it knows can assume the ransom payment and whose defenses they can overcome by adapting their own attack tools,” Albors explained.

The report also highlights the use of a wide repertoire of cybercrime utilities, such as the so-called EDR Killers, specifically designed to neutralize security solutions before deploying system encryption. An example of the extent to which ransomware has become a highly professionalized activity.

AI is already part of malware

If until recently artificial intelligence was mainly used to write more convincing phishing emails or automate social engineering campaigns, during this semester ESET has detected a step further: the integration of generative AI in the malware itself.

One of the most representative examples is PromptSpy, considered by researchers to be one of the first malicious codes for Android that uses AI models during its execution. Instead of simply executing programmed instructions, it interprets the content of the device screen to automate complex actions, maintain persistence in the compromised system, and dynamically adapt to each situation.

«AI makes malware much more adaptable and resilient. “Criminals can modify it quite quickly to adjust it to the type of attack they want to carry out,” Albors said. A capability that reduces development times and allows cybercrime groups to react quickly to new defensive measures.

Agentic Skills open a new scenario

Another phenomenon that most worries researchers is the rapid proliferation of so-called Agentic Skills, small modules that expand the capabilities of artificial intelligence agents.

Although most have been designed to automate legitimate tasks, ESET is detecting a growing number of plugins developed for malicious purposes. These skills can facilitate data exfiltration, manipulate systems, modify the behavior of agents through prompt injection techniques or automate different phases of an attack.

During the presentation, Albors warned of the enormous growth experienced by this ecosystem in just a few months and called for extreme caution. «We are seeing how these skills can be used to filter information, manipulate systems or alter the behavior of AI agents. Cybercrime is escalating very quickly in this area,” he warned.

Social engineering remains the most effective weapon

While artificial intelligence brings new capabilities to attackers, social engineering remains the main entry point. The report reflects a 108% increase in campaigns based on ClickFix, a technique that convinces the user to voluntarily execute malicious code believing that they are solving an alleged technical problem. On this basis, new variants of cybercrime have emerged, such as AI-Fix, which takes advantage of false tutorials to install artificial intelligence models, or CrashFix, which simulates browser errors to induce the victim to copy compromised instructions.

“Criminals have found that it is much easier to convince the user to execute the malicious code themselves than to search for especially complex vulnerabilities,” summarized Albors. A reflection that explains why these campaigns continue to grow despite the improvement of protection solutions.

Spain, also a reference in quishing

Phishing continues to lead the classification of detected threats, although one of its variants stands out especially for its rapid growth: quishing, based on the use of QR codes to redirect victims to fraudulent pages.

Spain already occupies second position in the world in detections of this modality, only behind the United States. Cybercriminals distribute these codes through emails, documents or even physical media to direct users to fake pages where they capture credentials or bank details. The popularization of mobile payments and the trust that many users place in this type of code are favoring the success of these campaigns.

Along with this, ESET continues to detect intense activity from infostealers such as Formbook or AgentTesla and the return of campaigns linked to Brazilian banking Trojans that impersonate energy companies, public organizations or administrations to distribute malicious files. The report also warns of the arrival in Spain of mobile threats capable of taking advantage of NFC technology to steal bank card information through fraudulent applications, a technique initially detected in Eastern European countries and which is already beginning to spread in our country.

The scenario drawn by ESET’s Threat Report H1 2026 points to a clear conclusion: artificial intelligence is not replacing traditional threats, but rather multiplying their ability to evolve. «The data shows that the threat landscape is increasingly diverse and complex. We are no longer talking about a specific phenomenon, but rather about a consolidated trend,” concluded Albors. In this context, the challenge for companies and users no longer consists solely in reacting when an incident occurs, but in developing a continuous capacity for prevention, adaptation and awareness capable of anticipating threats that evolve practically at the same pace as artificial intelligence itself.