For the first time in recent years, Spain has dropped out of the top three most attacked countries, although it remains in fourth position worldwide, behind Japan, Turkey and Poland, and second in ransomware attacks. These are findings of the latest ESET Threat Report H2 2025, in which the company warns of a significant change in the way cybercriminals operate: the use of artificial intelligence to automate processes related to malware, exemplified by the discovery of PromptLock, and the expansion of attacks that abuse NFC technology, whose detections grew by 87% in the second half of 2025.
“However, in terms of ransomware, Spain is in second position, with 5% of total detections, ahead of countries such as France, Italy or Canada, and only behind the United States with 17%,” says Josep Albors, director of research and awareness at ESET Spain. “The most affected sectors in our country have been technology, business services and the manufacturing industry.”
At a global level, the ESET report indicates that the number of ransomware victims exceeded the 2024 figures before the end of the year, with forecasts for a year-on-year growth of 40%. Groups like Akira and Qilin consolidated their dominance of the ransomware-as-a-service model, while the use of tools known as EDR killers continued to proliferate to try to evade organizations’ defenses.
PromptLock: the first AI-powered ransomware
One of the most notable milestones of the report is the discovery of PromptLock, the first known proof of concept of AI-powered ransomware, which generates malicious scripts in real time, executes them and automatically fixes them if they fail. Although this type of malware remains rare for now, it marks a turning point and confirms a prediction that ESET has been making for years.
Even so, experts clarify that the main use of AI by cybercriminals continues to be in social engineering, with phishing campaigns, deepfakes and scams that are increasingly credible.
In this sense, fake investment scams, identified by ESET as HTML/Nomani, grew by 62% year-on-year globally, although a slight reduction was observed in the second half of 2025.
In Spain, researchers have detected campaigns that use the image of public figures to give credibility to this type of fraud, relying on videos and content generated with AI. These campaigns direct users to websites that imitate legitimate media and promise quick profits with investments in cryptocurrencies.
Infostealers: Lumma falls, new protagonists emerge
The global disruption of Lumma Stealer in May 2025 was one of the big events of the year. Although the malware managed to reappear briefly during the summer, its detections fell by 86% in the second half, leaving its activity practically residual at the end of the year.
However, the infostealer ecosystem is very dynamic. In Spain, ESET has observed an increase in the prominence of families like Vidar, as well as a notable growth in malicious downloaders and scripts, especially CloudEyE (GuLoader), whose detections increased almost thirty-fold in the second half of the year.
These threats arrive mainly through phishing campaigns that impersonate invoices, PDF documents or well-known brands, a technique that continues to prove highly effective. In fact, during the second half of 2025, phishing continued to be, by far, the most detected threat in Spain, representing close to 20% of total detections.
“That phishing continues to be the most detected threat in our country reflects that these deception campaigns continue to be very effective, especially when they impersonate invoices, documents or well-known brands,” explains Albors. “In addition, threats that exploit old Microsoft Office vulnerabilities continue to appear in the ranking, a sign that updating and patching policies continue to be a pending issue in many organizations. The decline in techniques such as ClickFix, widely used in the first half of the year, is also significant, in line with the drop in the activity of some of the infostealers that used them most.”
Mobile and NFC-related threats
The ESET report also focuses on the growth of mobile threats, especially those that abuse NFC technology. According to ESET telemetry, NFC malware detections increased by 87% between the first and second half of 2025.
In Spain, these threats are not yet the majority, but experts warn of their high potential for impact, since they combine advanced social engineering, impersonation of banking entities and new functionalities, such as the theft of contacts, the deactivation of biometrics or the integration of remote control capabilities.
“Looking to 2026, we predict that cybercriminals will use AI to automate and escalate attacks, especially in social engineering campaigns, while many organizations will integrate these technologies into the enterprise and the cloud without adequate security controls, thus expanding the attack surface,” explains Albors. “Although we will see more AI-generated malware, ransomware will continue to grow by relying on traditional weaknesses such as unpatched systems or exposed access, with the continued use of EDR killers.
Added to this is a greater professionalization of cybercrime, with AI bots used for fraud, disinformation and scams, closer collaboration between state actors and criminals, and an increase in attacks on strategic sectors such as drones, in a panorama that could be altered by future police operations.
