WatchGuard Report Finds 40% Increase in Evasive Malware

WatchGuard’s Q2 2025 report reveals a 40% surge in evasive malware as attackers exploit encrypted channels, highlighting the need for advanced detection and response.

Written by Jordan Smith
Oct 21, 2025
Channel Insider

WatchGuard Technologies recently released a report detailing the latest findings in malware, network, and endpoint security threats observed by their researchers during Q2 of 2025.

Key findings show increases in malware and network attacks

WatchGuard’s Internet Security Report shows a 40 percent quarter-over-quarter increase in evasive, advanced malware.

Overall, malware detections increased 15 percent in Q2, driven by an 85 percent increase from Gateway AntiVirus (GAV) and a 10 percent gain from IntelligentAV (IAV).

The report also found that encrypted channels are adversaries’ favored attack vector, with malicious payloads delivered over Transport Layer Security (TLS), the encryption protocol behind most secure web traffic. Despite its importance for protecting users, threat actors are increasingly using TLS to disguise malicious payloads from inspection.

“Across Q2, the report’s findings point to a rise in evasive malware over encrypted channels as attackers work hard to bypass detection and maximize impact,” said Corey Nachreiner, chief security officer, WatchGuard Technologies. “For resource-constrained MSPs and lean IT teams, this shift means the real challenge is adapting quickly with powerful measures. Consistent patching, proven defenses, and advanced detection and response technologies that can act quickly remain the most effective countermeasures to mitigate these threats.”

The report also found an 8.3 percent rise in network attacks alongside a narrowing in attack diversity: 380 unique signatures were triggered, compared to 412 the previous quarter.

Further key findings in the report include:

  • New and unique malware threats increased 26 percent: This increase shows how common packing and encryption of payloads, a malware evasion technique, has become among threat actors. Packed samples evade signature-based detection, resulting in more hits from WatchGuard’s advanced services, such as APT Blocker (Advanced Persistent Threat Blocker) and IAV.
  • Identification of two USB-based malware threats, PUMPBENCH, a remote access backdoor, and HIGHREPS, a loader: These threats deploy the XMRig coin miner, which mines Monero (XMR), and are linked to hardware wallet usage among crypto holders.
  • Ransomware declined by 47 percent: The report attributes this decline to a likely shift toward fewer, but more impactful, attacks on high-profile targets. The number of active extortion groups nonetheless increased, with Akira and Qilin among the most aggressive.
  • Droppers dominated network malware: Seven of the top 10 detections were first-stage payloads, including Trojan.VBA.Agent.BIZ and PonyStealer, which exploit user-enabled macros for initial compromise. The Mirai botnet also resurfaced after five years of dormancy, primarily in APAC. The dominance of droppers indicates attackers’ preference for multi-stage infections, WatchGuard states.
  • Zero-day malware dominates, making up over 76 percent of all detections and nearly 90 percent of encrypted malware: Advanced detection capabilities are increasingly necessary, especially for threats concealed within TLS traffic.
  • DNS-based threats persisted: Domains tied to DarkGate, a loader that also functions as a remote access trojan (RAT), persisted, underscoring DNS filtering as an essential defense layer.

WatchGuard’s Firebox M Series rackmounts

WatchGuard also made additional announcements, launching next-gen Firebox M Series rackmounts that deliver double the performance, zero-trust access, and unified security for MSPs and hybrid networks.

These new rackmounts give MSPs and their customers enterprise-grade security for growing networks and modern hybrid environments. They integrate with WatchGuard’s Unified Security Platform while delivering sustained high throughput.

“The new series represents more than a hardware refresh; it’s a leap forward in performance and platform capability,” said Jay Jindenauer, vice president of network security at WatchGuard. “The next-generation Firebox M Series delivers significantly faster network speed and, when combined with our expanded Unified Security Platform and FireCloud integration, it becomes the ideal firewall solution for securing and simplifying complex, modern networks.”

This WatchGuard report succeeds an earlier report by the unified cybersecurity leader, which was released back in April. Read more about the previous report, which found a significant spike in network-based malware in the final quarter of 2024.

Jordan Smith is a news writer who has seven years of experience as a journalist, copywriter, podcaster, and copyeditor. He has worked with both written and audio media formats, contributing to IT publications such as MeriTalk, HCLTech, and Channel Insider, and participating in podcasts and panel moderation for IT events.
