WatchGuard reports surge in encryption-driven threats

04 November 2025

WatchGuard Technologies has published its latest Internet Security Report, which documents several concerning trends in the malware and network threats its Threat Lab observed during the second quarter of 2025.

The quarterly analysis, conducted by the WatchGuard Threat Lab, records a 40% quarter-on-quarter increase in advanced evasive malware. The report stresses that attackers increasingly deliver payloads over encrypted channels, chiefly Transport Layer Security (TLS): 70% of the malware observed arrived inside encrypted traffic. TLS itself remains essential for secure web communication, and the attackers are not breaking it; they rely on the fact that the same encryption which protects legitimate traffic also hides their payloads from network controls that only inspect cleartext. Organisations therefore need visibility into encrypted traffic, typically by decrypting and inspecting it at the gateway, together with flexible, adaptive security measures that do not depend on seeing a known signature in the clear.

Overall malware detections grew by 15%, driven largely by an 85% rise in detections from Gateway AntiVirus and a 10% increase from IntelligentAV, WatchGuard's signature-based and machine-learning engines respectively. Network attacks rose by a modest 8.3%, although their variety narrowed: 380 unique attack signatures fired during the quarter, compared with 412 in the previous one. One newcomer, the signature 'WEB-CLIENT JavaScript Obfuscation in Exploit Kits', detects obfuscated JavaScript served by exploit kits and illustrates how quickly attackers adopt new ways of slipping past legacy controls. Even so, the bulk of attacks still target well-known vulnerabilities in browsers, web frameworks and open-source tools rather than new exploits.

Corey Nachreiner, Chief Security Officer at WatchGuard, commented on the findings, noting that the increase in evasive malware over encrypted channels poses a significant challenge for resource-limited MSPs and IT teams. He emphasised that staying ahead requires consistent patching, proven defensive strategies, and advanced detection and response technologies capable of quickly mitigating threats.

Additional insights from the report reveal a 26% rise in unique malware threats that use packing and encryption to evade detection, with threat actors increasingly deploying polymorphic malware whose constantly changing binaries defeat signature-based defences. The Threat Lab also identified two USB-borne threats, PUMPBENCH and HIGHREPS, both of which dropped XMRig, an open-source Monero miner routinely abused for cryptojacking, and both of which are believed to be linked to cryptocurrency hardware wallets. Ransomware detections fell sharply, by 47%, which the report reads as a shift toward fewer but more damaging attacks on high-profile targets, with active extortion groups such as Akira and Qilin becoming more aggressive; a fall in detections should not be mistaken for a fall in risk.

The report also highlights the dominance of droppers, which accounted for seven of the top ten network malware detections, including Trojan.VBA.Agent.BIZ and PonyStealer; these rely on Office macros that the victim is persuaded to enable, so blocking macros from untrusted sources removes their initial foothold. The Mirai botnet, absent from WatchGuard's top detections for five years, reappeared, predominantly in the Asia-Pacific region. Zero-day malware, WatchGuard's term for samples that evade signature-based detection and are caught only by behavioural or machine-learning engines, accounted for over 76% of all malware detections and nearly 90% of malware delivered over encrypted connections, underscoring the need for detection capabilities beyond traditional signature matching. DNS-based threats, including domains associated with the DarkGate RAT, persisted as a significant concern, reinforcing the case for DNS filtering as one layer of a broader defence.