Cybersecurity firm ESET has reported a startling rise in ClickFix attacks, which surged over 500% in early 2025, becoming the second most common attack method after phishing.

These deceptive campaigns accounted for nearly 8% of all blocked threats between December 2024 and May 2025. ClickFix tricks users into executing malicious commands by showing fake error messages—often a phony reCAPTCHA prompt—and works across Windows, Linux, and macOS. According to ESET’s Jiří Kropáč, the resulting infections now range from infostealers and ransomware to state-sponsored malware and cryptominers.

In the same period, infostealers underwent a notable shift. While Agent Tesla declined, SnakeStealer emerged as the most prevalent, with capabilities like keystroke logging and credential theft. ESET also helped disrupt major malware-as-a-service tools Lumma Stealer and Danabot, which had seen significant activity growth—21% and 52% respectively—before their takedowns. Meanwhile, the ransomware ecosystem became more volatile, marked by infighting among major groups like RansomHub. Although attack volumes rose, actual ransom payments declined, potentially due to law enforcement crackdowns and eroding trust in the cybercriminal underground.

Mobile threats also evolved rapidly. Adware detections on Android devices soared by 160%, driven by fake app campaigns linked to the new Kaleidoscope malware. NFC-based fraud exploded 35-fold, with phishing and relay attacks targeting digital wallets. Tools like GhostTap and SuperCard X demonstrate how attackers are leveraging contactless payment systems for real-time theft, often with the help of organized fraud groups. ESET’s findings underscore how quickly threat actors adapt—employing new tools and tactics across platforms to stay ahead of defenses.