WatchGuard Technologies has reported a 1,548% spike in new, unique malware between the third and fourth quarters of 2025, highlighting what it describes as a sharp increase in both the volume and sophistication of cyber threats.
The findings are detailed in the company’s latest biannual Internet Security Report, based on anonymised and aggregated threat intelligence from its network security, endpoint and DNS filtering products. The report points to growing limitations in traditional, signature-based defences still used in many customer environments.
Across 2025, new malware increased each quarter, culminating in the Q3 to Q4 surge. WatchGuard said 23% of detected malware evaded signature-based detection entirely, qualifying as zero-day threats and reinforcing the need for behavioural and AI-driven protection models.
Encrypted delivery has become the dominant method of distribution. According to the report, 96% of blocked malware was delivered over TLS, reducing visibility for organisations that do not inspect encrypted HTTPS traffic.
The research also found shifts in endpoint attack techniques. Malicious scripts declined over the past year, while attackers increasingly relied on Windows binaries and living-off-the-land tools that leverage trusted system processes to evade detection.

On the network side, while exploit activity declined in the second half of 2025, most detections targeted long-standing vulnerabilities, particularly in modern web applications. WatchGuard said this underscores the continued importance of layered defences, including intrusion prevention systems.
Phishing campaigns observed in late 2025 used malicious PowerShell scripts to deploy malware-as-a-service tools, including remote access trojans, while attempting to bypass automated file analysis systems.
Although overall ransomware detections fell 68.42% year-on-year, WatchGuard noted that public extortion payments reached record levels, suggesting a shift toward fewer but higher-value attacks. Cryptomining remains a commonly observed monetisation tactic once access to a system is established.
The report argues that managed service providers (MSPs) face increased operational and reputational risk from client breaches and must move beyond reactive security approaches. WatchGuard said organisations are increasingly turning to unified platforms combining endpoint protection, AI-driven detection and continuous monitoring, alongside managed detection and response services, to address more persistent and complex threats.