Thousands of Malicious AI Tools Discovered for Data Theft and Malware Execution
Thousands of malicious AI skills identified with capabilities to exfiltrate data and execute malicious payloads
Malicious AI Skills and Security Threats
Artificial intelligence agents possess functionalities that allow them to navigate web environments, interact with external tools, and perform user-assigned tasks. These agents rely on specialized modules, referred to as skills, which govern their ability to access services and data. Security researchers have uncovered that malicious implementations of these skills can exploit their capabilities to extract sensitive information, deploy malware, or manipulate agent behavior. This finding is highlighted in the H1 2026 ESET Threat Report.
Proliferation and Detection Statistics
The proliferation of malicious AI skills has significantly broadened the attack surface. Analysis of nearly 900,000 AI skills revealed over 25,000 suspicious instances and more than 3,000 confirmed malicious variants. From March to May 2026, the total number of unique skills scanned surged from 60,000 to nearly 900,000. During the same period, suspicious skills increased from approximately 10,000 to over 25,000, while malicious skills rose from 600 to 3,000.
Researcher Insights
Anton Mäčko, an ESET Malware Analyst, emphasized that AI skills enable a wide array of adversarial activities, including automated reconnaissance, red-team-style attacks, spam generation, malware modification, and distribution. He noted that threat actors are likely to refine these tactics to evade detection, potentially through obfuscation techniques or the use of region-specific, niche, or synthetic languages.
New Attack Vectors Through AI-Focused Deception Campaigns
A threat group known as ClickFix has expanded its operations by deploying fake error messages and verification prompts to coerce users into executing malicious commands. Detections of ClickFix-related activities rose by 108% between H2 2025 and H1 2026. The method has evolved beyond fake CAPTCHAs to include macOS systems, WordPress platforms, browser extensions, AI-themed help pages, and enterprise authentication workflows.
ClickFix Variants
A specific variant, AI-fix, leverages fabricated troubleshooting pages hosted on domains associated with Anthropic, OpenAI, and Microsoft. Another strain, CrashFix, employs malicious browser extensions to display deceptive security alerts. ConsentFix targets Microsoft OAuth authorization codes via fabricated verification prompts on compromised websites, enabling attackers to acquire OAuth tokens.
QR Code Phishing (Quishing) Surges in H1 2026
QR code-based phishing attacks, termed quishing, saw a sharp increase during H1 2026. Attackers embedded phishing links within QR codes, directing victims to credential harvesting sites, often accessed via mobile devices. Approximately 11% of all detected phishing emails contained QR codes, with an average of 100,000 detections monthly. April recorded the highest volume of such attacks.
Geographic Distribution
The United States accounted for 19% of QR code phishing detections, followed by Spain (17%) and Mexico (6%).
Generative AI Integrated into Android Malware
PromptSpy marked a significant development as the first Android malware to utilize generative AI during execution. The malware employs Google’s Gemini model to interpret device interfaces and generate gestures, facilitating persistent access. It intercepts lock-screen credentials, captures screenshots and video, uploads details about installed applications, and grants remote control to attackers. Researchers documented a single detection of PromptSpy following its discovery.
Ransomware Groups Adopt Advanced Techniques
Ransomware operators continue to deploy endpoint detection and response (EDR) eliminators to disable security software prior to ransomware deployment. Over 100 EDR killers have been observed in the wild, including more than 60 Bring Your Own Vulnerable Driver (BYOVD) variants that exploit over 40 legitimate vulnerable drivers. New variants emerge weekly, with attackers utilizing anti-rootkit tools, scripts, and driverless methods to disrupt security solutions.
Ransomware Trends
Ransomware payment rates declined in 2025, with 28% of victims opting to pay ransoms. Despite this, ransomware attacks increased by 50% year-over-year. The median ransom payment rose by 368% to nearly $60,000, with total ransom payments reaching $820 million in 2025.
