Press release

WatchGuard Threat Lab Reports 40% Jump in Evasive Malware over Encrypted Connections as Cybercriminals Embrace Stealthy Tactics

Cybercriminals embrace stealthy tactics to bypass signatures with zero-day malware and new USB infection chains

SEATTLE – October 21, 2025 – WatchGuard® Technologies, a global leader in unified cybersecurity for managed service providers (MSPs), today released the findings of its latest Internet Security Report, a quarterly analysis detailing the top malware, network, and endpoint security threats observed by the WatchGuard Threat Lab researchers during April through June, the second quarter of 2025.

The report’s key findings reveal a 40% (quarter-over-quarter) increase in evasive, advanced malware. The data highlights encrypted channels as adversaries’ favored attack vector, using Transport Layer Security (TLS), the encryption protocol behind most secure web traffic. While TLS is vital for protecting users, attackers increasingly exploit it to disguise malicious payloads.

Overall malware detections rose 15% in Q2, driven by an 85% increase from Gateway AntiVirus (GAV) and a 10% gain from IntelligentAV (IAV), underscoring IAV’s growing role in catching sophisticated threats. With 70% of all malware now delivered via encrypted connections, the findings highlight attackers’ increasing reliance on obfuscation and stealth, and the need for organizations to improve visibility into encrypted traffic and adopt flexible protection strategies.

The Threat Lab also observed a slight rise in network attacks, increasing by 8.3%. At the same time, the diversity of attacks narrowed, with 380 unique signatures triggered compared to 412 last quarter. Notably, a brand-new malicious JavaScript detection, “WEB-CLIENT JavaScript Obfuscation in Exploit Kits,” entered the data, underscoring how quickly new threats can proliferate using obfuscation as an evasion technique to evade legacy controls. The findings show that while novel exploits emerge, attackers continue to rely heavily on older, widely used vulnerabilities in browsers, web frameworks, and open-source tools. 

“Across Q2, the report’s findings point to a rise in evasive malware over encrypted channels as attackers work hard to bypass detection and maximize impact,” said Corey Nachreiner, chief security officer, WatchGuard Technologies. “For resource-constrained MSPs and lean IT teams, this shift means the real challenge is adapting quickly with powerful measures. Consistent patching, proven defenses, and advanced detection and response technologies that can act quickly remain the most effective countermeasures to mitigate these threats.”

Additional key findings from WatchGuard’s Q2 2025 Internet Security Report include: 

  • Brand new, unique malware threats rose 26%, showing how common packing and encryption, a form of malware evasion, are among threat actors. These polymorphic threats evade signature-based detection, driving higher detection counts from WatchGuard’s advanced services such as APT Blocker (Advanced Persistent Threat Blocker) and IAV.

  • The Threat Lab unexpectedly identified two USB-based malware threats: PUMPBENCH, a remote access backdoor, and HIGHREPS, a loader. Both deployed a coin miner, XMRig, which mines Monero (XMR), and are likely tied to hardware wallet usage among crypto holders.

  • Ransomware declined by 47%, reflecting a shift toward fewer but more impactful attacks on high-profile targets that result in larger consequences. Notably, the number of active extortion groups has increased, with Akira and Qilin being among the most aggressive.

  • Droppers dominated network malware. Seven of the top ten detections were first-stage payloads, including Trojan.VBA.Agent.BIZ and credential stealer PonyStealer, exploiting user-enabled macros for initial compromise. The infamous Mirai botnet also resurfaced after five years, concentrated mostly in APAC. The dominance of droppers indicates attackers’ preference for multi-stage infections.

  • Zero-day malware continues to dominate, making up over 76% of all detections and nearly 90% of encrypted malware. These findings underscore the need for advanced detection capabilities beyond signatures, particularly for threats concealed within TLS traffic.

  • DNS-based threats persisted, including domains tied to the DarkGate remote access trojan (RAT), loader malware that also functions as a RAT, reinforcing DNS filtering as a critical defensive layer.


Consistent with the Threat Lab’s previous quarterly research updates, the data in this quarterly report is based on anonymized, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuard’s research efforts.

For a more in-depth view of WatchGuard’s research, download the complete Q2 2025 Internet Security Report.

About WatchGuard Technologies, Inc.

WatchGuard® Technologies is a global leader in unified cybersecurity, purpose-built for managed service providers (MSPs). Unlike others, WatchGuard delivers real security for real-world environments through its Unified Security Platform®, which brings together network, endpoint, and identity with advances in AI and zero trust for strong, scalable protection.

Trusted by more than 17,000 security resellers and managed service providers protecting more than 250,000 businesses, WatchGuard helps its partners grow quickly, eliminate operational friction, and achieve strong results, without a surplus of vendors, consoles, or complexity.

WatchGuard is headquartered in Seattle, Washington, and has offices around the world. To learn more, visit WatchGuard.com, follow WatchGuard on LinkedIn, or visit the WatchGuard CyberSecurity Hub for real-time threat information.

WatchGuard is a registered trademark of WatchGuard Technologies, Inc. All other marks are the property of their respective owners.