ESET Research has released its latest threat report summarising the threat landscape trends observed in ESET telemetry and analysed by ESET threat detection and research experts in the second half of 2025. According to the data, in South Africa, phishing remains the highest-risk category, accounting for 45,7% of detected threats, compared with 32,5% across Africa.
“Phishing remains the leading initial access vector affecting South African companies,” says Tony Anscombe, chief security evangelist at ESET. “The higher proportion of phishing detections reflects both attacker focus and the continued effectiveness of social engineering. Attackers are prioritising threats that allow them a greater opportunity for monetisation.”
While phishing dominates the South African market, scam activity has accelerated globally. According to the report, detections of HTML-based scam campaigns, such as the Nomani investment scam, have grown by 62% over the past year. In ESET telemetry, detections of Nomani scams grew 62% year-over-year, with the trend slowing slightly in H2 2025. Nomani scams have recently expanded beyond Meta to other platforms, including YouTube. These threats have come with improved techniques, including higher-resolution deepfake videos, AI-generated phishing websites, and short-lived advertising campaigns, which are increasingly difficult to detect.
AI remains a pervasive threat, both locally and abroad. In the second half of 2025, ESET discovered PromptLock, the first known AI-driven ransomware capable of generating malicious scripts on demand at high speed. While AI is primarily used to craft convincing phishing and scam content, PromptLock is an example of a growing body of AI-driven, intelligent threats that signal a new era in cybercrime.
NFC threats are also gaining momentum, growing in both scale and sophistication, with an 87% increase in ESET telemetry and with notable upgrades and campaigns observed in the second half of 2025. Anscombe notes that South Africa’s widespread reliance on card-based payment systems makes this class of attack more relevant than in regions where mobile money platforms dominate. These attacks rely on social engineering to persuade victims to install malicious Android applications that relay card data and PINs in real time.
Ransomware continues to gain global momentum, with ESET Research projecting a 40% year-on-year increase in publicly reported ransomware victims compared with 2024. While South Africa is not one of the most affected countries globally – the largest number of analysed ransomware attacks were aimed at companies in the United States, followed by Spain, France, Italy and Canada – Anscombe points out that South African organisations have experienced a number of ransomware incidents during the reporting period.
Two of the ransomware-as-a-service solutions dominating the market at present are Akira and Qilin, with a newcomer, Warlock, introducing innovative evasion techniques. EDR killers are proliferating as well, underscoring the relevance of endpoint detection and response tools in mitigating the threat.
South Africa is also actively participating in efforts to counter cybercrime. The country participated in Operation Sentinel, a joint law enforcement initiative coordinated by INTERPOL and AFRIPOL, resulting in 574 arrests and the recovery of approximately $3 million linked to cyber-enabled crimes.
For more information, check out the ESET Threat Report H2 2025 on WeLiveSecurity.com.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version