WatchGuard Blog

Evasive Malware Surges 40% in WatchGuard’s Latest Internet Security Report

Cybercriminals are taking stealth to new levels. According to WatchGuard Technologies’ latest Internet Security Report, evasive malware attacks jumped 40% in Q2 2025, driven by a sharp rise in threats delivered over encrypted connections.

While Transport Layer Security (TLS) encryption is essential for protecting users, attackers are increasingly exploiting it to conceal malicious payloads and evade traditional detection methods. The findings reveal that 70% of all malware now arrives via encrypted traffic, indicating that visibility into encrypted channels is crucial for modern cybersecurity defense.

The Growing Threat of Encrypted and Zero-Day Malware

The Threat Lab’s research shows a notable shift toward advanced, evasive tactics.

  • Zero-day malware accounted for over 76% of all detections and nearly 90% of encrypted malware, proving that signature-based defenses alone can’t keep up.
  • Polymorphic and packed malware increased by 26%, reflecting the growing use of encryption and obfuscation to bypass detection.

For organizations and managed service providers (MSPs), these trends emphasize the need for advanced detection and response tools capable of analyzing unknown threats in real time.

Adversaries Double Down on Multi-Stage Attacks

Seven of the top ten malware detections were droppers: first-stage payloads used to deliver secondary malware such as credential stealers and remote access tools. This pattern highlights the continued effectiveness of multi-stage infection chains, where attackers use smaller, less detectable components to gain a foothold before deploying their main payload.

Meanwhile, USB-based attacks resurfaced with new threats like PUMPBENCH and HIGHREPS, both designed to install cryptocurrency miners. These findings underscore the fact that even “old-school” attack vectors remain relevant when adapted with modern tactics.

Implications for MSPs and IT Security Teams

With adversaries hiding behind encryption and relying on stealth, visibility and adaptability have become the defining challenges for defenders.
To stay ahead, MSPs and security teams should prioritize:

  • TLS inspection and decryption to expose hidden threats.
  • AI-driven threat detection tools such as IntelligentAV and APT Blocker to identify zero-day and polymorphic malware.
  • Layered security architectures combining endpoint, network, and DNS-based protections.
  • Regular patching and vulnerability management to prevent exploitation of known weaknesses.

As Corey Nachreiner, chief security officer at WatchGuard Technologies, noted: “For resource-constrained MSPs and lean IT teams, the real challenge is adapting quickly. Consistent patching, proven defenses, and advanced detection technologies that act fast are key to staying ahead.”

Stay Informed, Stay Secure

The full Q2 2025 Internet Security Report provides deeper insight into how attackers are evolving, and how security professionals can defend against them. Download the full report to learn more: Q2 2025 Internet Security Report