Thousands of malicious AI skills found capable of stealing data, running malware
AI agents can browse the web, use external tools, execute commands, and perform tasks on behalf of users. Many rely on skills that define how they interact with services and data. Malicious skills can abuse those capabilities to steal data, execute malware, or manipulate an agent’s behavior, according to the H1 2026 ESET Threat Report.
Malicious AI skills expand the attack surface
An analysis of nearly 900,000 AI skills identified more than 25,000 suspicious skills and over 3,000 malicious ones. Between March and May 2026, the number of unique skills scanned increased from 60,000 to almost 900,000. Suspicious skills grew from around 10,000 to more than 25,000. Malicious skills increased from about 600 to over 3,000.
Researchers identified capabilities including command execution, file access, downloading third-party tools, credential loading, code injection, and obfuscation. These capabilities can support legitimate tasks. They can be used to steal data, execute malware, manipulate AI agents, or gain unauthorized access to systems.
The analysis also identified red-team, self-modifying, and online purchasing skills. Some security scanner skills performed only basic checks, giving users a false sense of protection.
“AI skills can enable a wide range of agentic AI abuses, from automated reconnaissance and red-team-style attacks to spam generation, malware modification, and distribution. Adversaries will likely keep testing these approaches to bypass controls, including by obfuscating intent or using region-specific, niche, or constructed languages,” said Anton Mäčko, ESET Malware Analyst.
ClickFix expands into AI services and enterprise workflows
ClickFix is expanding into new environments by using fake error messages and verification prompts to trick users into running malicious commands. Detections of ClickFix attacks increased by 108% between H2 2025 and H1 2026. The technique spread beyond fake CAPTCHAs to include macOS, WordPress sites, browser extensions, AI-themed help pages, and enterprise authentication workflows.

A web page, abusing Anthropic’s Artifact pages domain, with AI-fix instructions (Source: ESET)
New variants include AI-fix, which uses fake AI-generated troubleshooting pages hosted on services associated with Anthropic, OpenAI, and Microsoft. CrashFix uses malicious browser extensions to display fabricated security warnings. ConsentFix steals Microsoft OAuth authorization codes through fake verification prompts on compromised websites, allowing attackers to obtain OAuth tokens.
QR code phishing reaches record levels
QR code phishing, also known as quishing, continued to grow during H1 2026. Attackers embedded phishing links in QR codes to direct victims to credential theft websites, often accessed through mobile devices. Approximately 11% of all detected phishing emails contained QR codes, with an average of 100,000 detections per month. The highest volume was recorded in April. The United States accounted for 19% of QRcode/phishing detections, followed by Spain with 17% and Mexico with 6%.
Generative AI reaches Android malware
PromptSpy became the first Android malware to use generative AI during execution. The malware uses Google’s Gemini model to interpret the device interface and generate gestures that help maintain persistence. It intercepts lock-screen PINs and passwords, captures screenshots and video, uploads information about installed apps, and provides attackers with remote access. Researchers recorded one PromptSpy detection after its discovery.
Ransomware groups expand use of EDR killers
Ransomware groups continue to use endpoint detection and response (EDR) killers to disable security software before deploying ransomware. Researchers tracked more than 100 EDR killers used in the wild, including over 60 Bring Your Own Vulnerable Driver (BYOVD) variants that abuse more than 40 legitimate vulnerable drivers. New variants appear every week. Attackers use anti-rootkits, scripts, and driverless techniques to interfere with security software.
Ransomware payment rates continued to decline during 2025. Chainalysis reported that 28% of victims paid a ransom. Ransomware attacks increased by 50% year over year. The median ransom payment rose by 368% to nearly $60,000. Total ransomware payments reached $820 million in 2025.