ESET Researchers Warn of New Phase of Social Engineering Driven by AI
Phishing at the Forefront, with Infostealers, Email Threats, and More Among Other Notable Threats

ESET, a global leader in cybersecurity solutions, convened an exclusive media briefing in Kuala Lumpur recently led by Senior Research Fellow Righard Zwienenberg, who highlighted that Malaysia is entering a new era of Artificial Intelligence (AI)-powered social engineering. Criminal groups are now using AI to produce highly convincing communications, manipulate trusted digital environments, and influence user behaviour in ways that traditional phishing tools never achieved.
The briefing coincided with the research team’s visit to Malaysia for AVAR 2025.
AI Is Redefining Social Engineering in Malaysia
Artificial Intelligence has now embedded itself into the anatomy of modern scams. Messages no longer arrive with broken English or generic requests. The communication feels personalised and precise, matching corporate tone, local slang, and emotional triggers engineered to prompt quick action.
Compounding this shift is the environment AI now operates in. AI systems themselves are increasingly polluted by a mix of misinformation and intentionally crafted fake content. This polluted ecosystem provides attackers with endless material to weaponise, making it harder for users to recognise when something is fabricated, distorted, or malicious.
ESET telemetry reflects how these trends are taking root in Malaysia. In the six months from December 2024 to May 2025, phishing attacks accounted for roughly 37 percent of all threats detected in Malaysia, making it the most prominent category. Other threat types appeared in far smaller volumes.
Infostealers, information-stealing malware, has also risen to become to become a major driver of phishing and identity theft. Formbook, a well-known threat designed to steal a wide variety of sensitive data, is also present in Malaysia and represented about 26 percent of all detected infostealers, surpassing multiple other families and reinforcing its status as the leading tool used to harvest credentials across the country.
More telling than the categories are the delivery mechanisms. Scripts and executable files now make up more than three quarters of all email threats in Malaysia, far exceeding malicious Office documents. This shift aligns with global patterns, where attackers increasingly rely on AI assisted automation to scale their campaigns.
Five AI-enabled methods are now shaping the threat landscape are:
- Voice cloning for highly convincing impersonation.
- AI crafted messages mirroring organisational and local writing styles.
- Chatbot interference through poisoned prompts or injected instructions.
- Browser level manipulation that guides behavior without malicious links.
- Contextual personalisation built from public digital footprints.
Zwienenberg said, “AI was supposed to make information clearer, but today it is increasingly polluted by misinformation and deliberately crafted fakes. That polluted ecosystem is now feeding the next wave of cyberattacks. Threats are moving faster, adapting quicker, and sounding more human than ever. In Malaysia, phishing and infostealing remain dominant, but the real shift is in how AI accelerates and reshapes these attacks. The goal is no longer to trick someone into clicking a link, it is to influence their judgement in a moment of urgency or trust. As long as people overshare and systems remain underdefended, attackers will continue to exploit that gap.”

New Tactics Emerging in Malaysia
Techniques once limited to more digitally mature markets are now appearing locally:
- High fidelity voice impersonation for financial and operational instructions.
-
- Manipulated chatbot interactions targeting AI powered service channels.
- Browser based influence operations operating within legitimate webpages.
- VR, AR and wearable device exploitation through malicious embedded URLs.
- Scams built around Malaysia’s high reliance on mobile and AI assisted communication.
With 99.5 percent of households owning mobile phones, and 96.8 percent with internet access, Malaysia presents a wide digital surface for attackers to exploit. Behavioral trends amplify this exposure. People worry about privacy yet overshare more than ever, especially on social platforms and messaging apps. Coupled with the country’s strong FOMO driven culture, social engineering techniques thrive. These behaviours continue to fuel ransomware cases, credential theft, and scam-related financial losses.
For consumers, the best defense remains a mix of awareness and the right tools. Cybercriminals rely on human error. Reducing that gap is key.
AI Generated Malware Marks a New Frontier
A major turning point in the global threat landscape emerged when ESET uncovered PromptLock, the world’s first AI-powered ransomware. Unlike conventional malware, which must be coded and refined by human developers, PromptLock used a locally deployed language model to generate malicious scripts in real time. The AI autonomously determined what to scan, copy, encrypt, or destroy, producing unique scripts with each execution.
ESET now detects more than 500,000 new unique malware samples every day, a number that continues to climb as generative AI makes creation of malicious code more efficient.
ESET’s Recommendations: Strengthening Human and System Defences
Drawing from ESET’s prevention-first model and the guidance shared during the briefing, Righard outlined the following steps:
For organisations:
- Introduce cybersecurity awareness training modules for employees based on real AI era manipulation scenarios.
- Implement call back verification or secondary checks for sensitive requests.
- Apply strong authentication and remove unnecessary privileges.
- Monitor irregularities in communication tone, timing, or structure.
- Strengthen chatbot governance and ensure audit trails for automated responses.
The boardroom remains a critical factor. Security expectations are rising, but investment often lags. Organisations looking to embrace AI must also commit to defending it. Security must evolve in tandem with technology.
For consumers:
- Treat urgent or emotionally charged digital requests with caution.
- Validate voice-based instructions, even when the caller sounds familiar.
- Double check instructions received through chat or messaging platforms.
- Seek advice or clarity when interactions feel unusual or pressured.
A Turning Point for Malaysia’s Cyber Resilience
As Malaysia strengthens its cyber defense posture through NACSA, CyberSecurity Malaysia, and the upcoming Malaysia Cyber Security Strategy 2025–2030, the country faces a rapidly shifting threat landscape shaped by AI. ESET emphasised the importance of continuous research, evidence-based guidance, and proactive security tools to help Malaysians stay ahead of emerging risks.
ESET reaffirmed its commitment to supporting Malaysia through local insights, global intelligence, and technologies designed to prevent attacks before they happen.



