Proactive Cyber Defense — Powered by ESET Threat Intelligence

Supporting threat hunters and incident response teams with actionable data is critical — not only to protect organizations but also to establish a prevention-first security strategy built on proactive defense.

Translated and adapted from: “Prevention-first security begins with data-enhanced insight: Meet ESET Threat Intelligence” by Márk Szabó, James Shepperd, André Lameiras, September 17, 2025


In recent years, countless cyberattacks have been linked to ransomware. Although the frequency and intensity of these incidents fluctuate over time, ransomware remains one of the most pervasive and alarming threats in cybersecurity.
Only a prevention-first mindset, supported by the right decision-making tools such as Threat Intelligence, can truly help organizations minimize business disruption and strengthen their resilience against these attacks.

Key Takeaways from This Article

  • AI-powered ransomware uncovered: ESET Research recently discovered PromptLock, a ransomware variant driven by artificial intelligence. The finding highlights the growing sophistication of modern malware and the potential misuse of AI by threat actors.
  • Defense through understanding: Successful protection requires a deep understanding of cyber risks. Threat Intelligence serves as a crucial tool to support preventive defense strategies.
  • ESET Threat Intelligence (ETI): Provides highly accurate, carefully curated, and actionable data feeds that can be directly applied to real-world security operations.
  • Comprehensive malware insights: ETI classifies and analyzes large sets of malware data, detects similarities and unique patterns, identifies anomalies, and traces attack chains along with evolving tactics, techniques, and procedures (TTPs).
  • Real-time, automated intelligence: The system operates in real time, continuously updating feeds to ensure customers receive the most relevant and actionable threat data for their specific environment.
  • Seamless integration: ETI delivers data feeds via TAXII servers, using industry-standard formats such as JSON and STIX 2.1, ensuring easy integration with leading threat intelligence platforms.
  • For researchers and security teams: From security researchers and SOC analysts to threat hunters, professionals can rely on ETI to strengthen preventive measures and build proactive, prevention-first security strategies.

The Human Factor Behind Cyber Threats

Ransomware attacks are rarely random. They’re usually meticulously planned and human-driven.
Most start with spear-phishing campaigns targeting high-value individuals or organizations.

With the rise of generative AI, phishing attacks have become even more persuasive and dangerous. The long-feared idea of AI-powered ransomware recently became real when ESET discovered PromptLock, a proof-of-concept ransomware that uses OpenAI’s gpt-oss:20b model through the Ollama API to generate malicious Lua scripts.

This AI-powered ransomware can steal, encrypt, and potentially destroy data.
The destructive function has not yet been seen in real attacks, and PromptLock itself has not appeared in active campaigns. Even so, ESET’s research confirms that cybercriminals now exploit public AI tools to enhance their threats, ransomware included.


Tactics, Techniques, and Procedures (TTPs)

Regardless of whether attackers use AI or traditional methods, their ultimate goal remains the same — infiltrate networks and extract valuable information.

Through dozens of carefully planned steps — privilege escalation, credential theft, and lateral movement — attackers work systematically toward data exfiltration. By the time defenders detect such activities, they often have little room left for prevention and must focus on containment and remediation.

To effectively defend, organizations must understand each threat and its unique characteristics.
That’s where ESET Threat Intelligence makes a difference — processing hundreds of millions of Indicators of Compromise (IOCs) every day to create a living map of attacker footprints.


Turning Intelligence into Action

From researchers and SOC analysts to proactive IT administrators, everyone can gain value from actionable threat intelligence.
ETI supports everything from attack simulations (for red and blue teams) to extended prevention, digital forensics and incident response (DFIR), and other key stages across the incident-response lifecycle.

ESET Threat Intelligence delivers precise, filtered, and actionable insights, empowering organizations to follow a prevention-first approach confidently.
Combined with tools like XDR, SIEM, or SOAR, ETI helps minimize risks from ransomware and other extortion-based attacks.

The Role of ESET Threat Intelligence in Proactive Defense

When organizations use the data and insights gathered through ESET Threat Intelligence (ETI) to monitor or investigate security incidents, it’s more than just responding to alerts — it’s about building a smarter, more informed security operation.
With automation supporting human expertise, analysts can engage more effectively with incidents reported by XDR detection systems, including suspicious executables, malicious processes, infected devices, and other key threat indicators.

From there, mitigation can happen in a more informed, organized, and prioritized way. By referencing the intelligence provided by ETI, security teams gain clearer context and can take the right actions within EDR solutions like ESET INSPECT — the XDR-enabled module of the ESET PROTECT Platform — helping them respond faster, make better decisions, and strengthen overall protection.


Threat Intelligence in Action: Ransomware Tactics and Techniques

In late 2023, ESET observed SmokeLoader, a multifunctional backdoor often distributed through AceCryptor, a widely used malware packer-as-a-service.
SmokeLoader downloads and executes final payloads quietly, evading detection and emphasizing the need for strong cybersecurity mechanisms.

Fortunately, ESET Threat Intelligence collects all necessary traces to detect, mitigate, and respond to such malware. Defenders can leverage ETI’s backend tracking systems to gain a better understanding of threats like SmokeLoader and apply ETI feeds for proactive prevention.

ETI-powered feeds in OpenCTI and Microsoft Sentinel provide detailed insights into SmokeLoader attack activity.

ETI categorizes malware data on a large scale, allowing users to search for similarities or unique patterns, identify anomalies, and track attack chains along with changes in tactics, techniques, and procedures (TTPs). This automated, real-time system continuously updates all feeds to ensure customers receive the most relevant and actionable intelligence about threats targeting their environment.
The results are also summarized into dedicated APT reports, giving customers access to the most important insights without being overwhelmed by excessive data.

Expanding Access to ESET Threat Intelligence
Currently, IT administrators and security teams looking to strengthen their defenses can easily access ESET’s latest research and related threat intelligence. These insights are shared regularly through reports published on the ESET Threat Intelligence (ETI) portal and platform, which are currently available in select regions. ESET continues to expand availability to ensure that more organizations can benefit from timely and relevant threat data worldwide.

ESET Threat Intelligence provides data feeds to customers via TAXII servers, integrating directly into their existing environments — for example, Microsoft Sentinel or the OpenCTI Threat Intelligence Platform.
These feeds cover multiple aspects of cybersecurity, including malware tracking, botnets, and APT activity, as well as the identification of malicious domains, URLs, and IPs. To ensure smooth integration, all feeds are available in widely supported formats such as JSON and STIX 2.1.
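As an added example (not ESET’s code and not part of the original article), the snippet below is a small Python consumer for a STIX 2.1 bundle of the kind a TAXII feed delivers: it pulls the domain, URL and IP values out of each indicator’s STIX pattern, skips revoked indicators, and matches the resulting IoCs against proxy and DNS log lines as whole tokens so that a near-miss such as 203.0.113.70 does not fire on 203.0.113.7. The bundle, indicator ids and log lines are constructed sample values.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for what a TAXII client fetches (sample values, not ETI data).
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "Loader C2 domain (constructed)",
         "pattern": "[domain-name:value = 'loader.example.test']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "Payload hosts (constructed)",
         "pattern": "[ipv4-addr:value = '203.0.113.7' OR ipv4-addr:value = '198.51.100.9']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "Withdrawn URL (constructed)", "revoked": True,
         "pattern": "[url:value = 'http://old.example.test/x']"},
    ],
})

# One comparison inside a STIX pattern: <object-type>:value = '<literal>'
COMPARISON = re.compile(r"(domain-name|url|ipv4-addr|ipv6-addr):value\s*=\s*'([^']+)'")

def extract_iocs(bundle_json):
    """Map each IoC value to its indicator id, skipping revoked objects and non-STIX patterns."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # Sigma/YARA patterns need their own engine
        for _kind, value in COMPARISON.findall(obj["pattern"]):
            iocs[value.lower()] = obj["id"]
    return iocs

def match_logs(iocs, log_lines):
    """Return (line_no, ioc, indicator_id) for each log line containing an IoC as a whole token."""
    rx = {ioc: re.compile(r"(?<![\w.])" + re.escape(ioc) + r"(?![\w.])", re.I) for ioc in iocs}
    return [(n, ioc, iocs[ioc]) for n, line in enumerate(log_lines, 1)
            for ioc, pat in rx.items() if pat.search(line)]

# Constructed proxy/DNS log lines used to exercise the matcher.
SAMPLE_LOGS = [
    "2025-09-17T10:01:02Z dns host=ws-14 qname=loader.example.test",
    "2025-09-17T10:01:05Z proxy src=10.0.0.14 dst=203.0.113.70 url=http://203.0.113.70/ok",
    "2025-09-17T10:01:09Z proxy src=10.0.0.14 dst=198.51.100.9 url=http://198.51.100.9/p.bin",
    "2025-09-17T10:02:00Z proxy src=10.0.0.22 url=http://old.example.test/x",
]
```

Running `match_logs(extract_iocs(STIX_BUNDLE), SAMPLE_LOGS)` reports only lines 1 and 3; the revoked URL on line 4 and the near-miss address on line 2 are correctly ignored.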

ETI for Everyone
The benefits of ESET Threat Intelligence (ETI) go beyond any single vendor, allowing organizations that already use other SIEM or SOAR platforms — such as Microsoft Sentinel, OpenCTI, IBM QRadar, Anomali, Block APT, Elastic SIEM, or ThreatQuotient — to tap into ETI’s unique and actionable threat data. With API integration, these systems can easily connect to ETI and enhance their existing security workflows, giving teams broader visibility and stronger protection — even outside the ESET PROTECT Platform.

Fighting Malicious Activity

Protecting your network, business operations, and reputation from modern, multi-dimensional threats requires a strong and constantly updated knowledge base. Beyond technical defenses against ransomware and other types of malware, security teams need to build a knowledge-driven security culture — one that values continuous learning as much as daily operations.

ETI Portal Dashboard

A solid security foundation is essential for both public and private organizations that rely on well-trained SOC teams, skilled threat hunters, and experienced security professionals.
These teams need not only strong technical skills but also continuous access to up-to-date knowledge about threat actors, system configurations, and a clear understanding of what works — and what doesn’t — when it comes to protecting their systems.

This foundation is where ESET Research builds on years of collaboration with law enforcement agencies, the Joint Cyber Defense Collaborative, and initiatives such as “No More Ransom.” Through these partnerships, ESET shares its insights on ransomware, helps strengthen global cyber defense, and explains how and why the ESET Threat Intelligence (ETI) platform was created.

Explore ETI through the ESET API, APT reports, and ETI data feeds, or discover the complete suite of tools built to support a prevention-first approach — powered by ESET.