WatchGuard Sees Huge Increase in Unique Malware as Attackers Defy Traditional Defenses

Published On: July 27, 2025
Categories: Buzz

A research initiative by cybersecurity vendor WatchGuard reveals a 171% quarter-over-quarter increase in total unique malware detections, the highest the company’s Threat Lab has ever recorded. Paired with a significant increase in “zero day malware,” this signals a sharp rise in evasive threats designed to bypass traditional security systems that rely on known patterns (signatures) to detect threats. Notably, proactive machine learning (ML) detections by IntelligentAV (IAV) surged 323%, highlighting its critical role in catching advanced malware. Gateway AntiVirus (GAV) hits increased by 30%, and malware delivered over Transport Layer Security (TLS) connections increased by 11 points, underscoring encrypted channels as a primary attack vector.

The company also observed a 712% increase in new malware threats on endpoints. This figure is all the more notable because new malware threats had declined consistently over the previous three quarters. The top malware threat on the endpoint was LSASS dumper, a credential stealer that targets the Local Security Authority Subsystem Service (LSASS), the Windows process responsible for logging users onto systems, managing passwords, and creating access tokens. Attackers exploit LSASS to access system components by bypassing user mode and issuing kernel-mode instructions directly.
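Because the report names LSASS dumpers as the top endpoint threat, a defender will want a concrete detection for processes reading lsass.exe memory. The following is an added example (not WatchGuard’s code or part of the report) that scans constructed Sysmon Event ID 10 (ProcessAccess) records flattened into key=value lines; the Sysmon field names are real, but the flattened log format, the sample records and the allowlist of benign source processes are assumptions to tune per estate.

```python
import re

# Windows process access rights relevant to credential dumping; Sysmon EID 10
# logs the requested mask in the GrantedAccess field as hex.
PROCESS_VM_READ = 0x0010      # needed to read lsass.exe memory
PROCESS_ALL_ACCESS = 0x1FFFFF

# Processes that legitimately open lsass.exe on many hosts (assumption: tune per estate).
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

FIELD_RE = re.compile(r"(\w+)=([^;]+)")

def parse_event(line):
    """Parse one flattened 'key=value;key=value' record (constructed log format)."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(line)}

def is_suspicious_lsass_access(event):
    """True when a non-allowlisted process opens lsass.exe with a mask that
    permits reading its memory (VM_READ) or with full access."""
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWLIST:
        return False
    try:
        mask = int(event.get("GrantedAccess", "0x0"), 16)
    except ValueError:
        return False
    return bool(mask & PROCESS_VM_READ) or mask == PROCESS_ALL_ACCESS

def scan(lines):
    """Return (SourceImage, GrantedAccess) pairs for suspicious events."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_lsass_access(ev):
            hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    "EventID=10;SourceImage=C:\\Windows\\System32\\csrss.exe;TargetImage=C:\\Windows\\System32\\lsass.exe;GrantedAccess=0x1FFFFF",
    "EventID=10;SourceImage=C:\\Users\\alice\\Downloads\\update.exe;TargetImage=C:\\Windows\\System32\\lsass.exe;GrantedAccess=0x1010",
    "EventID=10;SourceImage=C:\\Windows\\System32\\svchost.exe;TargetImage=C:\\Windows\\System32\\lsass.exe;GrantedAccess=0x1400",
    "EventID=10;SourceImage=C:\\Windows\\explorer.exe;TargetImage=C:\\Windows\\System32\\notepad.exe;GrantedAccess=0x1FFFFF",
]

if __name__ == "__main__":
    for src, mask in scan(SAMPLE_LOG):
        print(f"suspicious lsass access: {src} ({mask})")
```

Only the unknown binary requesting VM_READ (0x1010) is flagged; the allowlisted system process and the query-only (0x1400) access are not, which is the trade-off between noise and coverage that any such rule needs tuning for.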

“The latest findings in the Q1 2025 Internet Security Report seem to support a larger cybersecurity industry trend: the AI war is here. Attackers are increasingly relying on social engineering and phishing techniques supercharged by AI tools,” said Corey Nachreiner, chief security officer, WatchGuard Technologies. “Attackers now have the capabilities to launch highly targeted campaigns at scale using automated pipelines, emphasizing the need for organizations to adopt robust, precise, and powerful security measures to stay ahead of the advancements in AI and the evolving cyber risks.”

Among the report’s other findings, ransomware declined 85% from the previous quarter, although the second most detected malware threat was still a ransomware payload. This supports the industry trend of a decrease in crypto ransomware, the malware that encrypts files: as organizations have improved their data backups and recovery, attackers are shifting toward data theft instead of encryption.

Scripts, meaning files written in or invoking a scripting language, are down by about half this quarter, the lowest level WatchGuard has ever recorded. Historically, the company has observed scripts as the number one attack vector for malware detections on endpoints. Other Living off the Land (LotL) techniques, such as those abusing native Windows tools, saw the highest quarter-over-quarter increase at 18%, filling the gap left by scripts.

Malware continues to arrive via email rather than the web, suggesting that threat actors are targeting users with traditional phishing techniques, as AI makes it easier to compose believable spear phishing messages. At the same time, AI and machine learning-based tools detected significantly more threats at the network and endpoint perimeter in Q1 2025.

Channel Impact®
The dramatic surge in IAV detections and the rise in TLS-delivered malware emphasize attackers’ reliance on obfuscation and encryption, which challenges conventional defenses. The findings stress the need for greater visibility and adaptive security to combat these sophisticated, concealed threats at scale.
