
AI-powered Malware & Credential Theft Dominate WatchGuard’s Q1 2025 Internet Security Report

Spike in evasive threats and zero-day malware signals urgent need for advanced detection tools

Cyber attackers are deploying increasingly evasive and AI-driven techniques, with unique malware detections rising 171 per cent in the first quarter of 2025, according to WatchGuard Technologies’ latest Internet Security Report. The surge marks the highest malware count recorded by the company’s Threat Lab to date, signalling a worrying trend in attacks that outpace traditional security defences.

Among the report’s key findings is a 323 per cent increase in malware identified by WatchGuard’s machine learning-powered detection systems. Encrypted malware traffic also rose significantly, with an 11 percentage point increase in threats delivered via TLS (Transport Layer Security) channels—an indication that attackers are doubling down on stealth by disguising malicious activity within encrypted connections.

Gateway AntiVirus detections saw a more modest 30 per cent uptick, reinforcing the idea that adversaries are pivoting towards threats that bypass signature-based detection altogether.

The endpoint landscape was similarly volatile. After three quarters of relative decline, WatchGuard observed a staggering 712 per cent spike in new endpoint malware detections. The most prominent of these was an LSASS (Local Security Authority Subsystem Service) dumper—a tool used to extract credentials by exploiting a core Windows process that handles authentication. Such tools are often deployed to gain privileged access, enabling lateral movement within networks.

“The latest findings in the Q1 2025 Internet Security Report seem to support a larger cybersecurity industry trend: the AI war is here,” said Corey Nachreiner, Chief Security Officer at WatchGuard Technologies. “Attackers are increasingly relying on social engineering and phishing techniques supercharged by AI tools. They now have the capability to launch highly targeted campaigns at scale using automated pipelines, which underscores the need for precise and powerful security measures.”

Despite the spike in malware, ransomware detections fell sharply—down 85 per cent from the previous quarter. Yet Termite ransomware, a known file-encrypting payload, still ranked as the second most detected malware, suggesting ransomware has evolved rather than vanished. As backup and recovery systems improve, cybercriminals appear to be shifting from file encryption to data exfiltration and extortion.

Meanwhile, scripts—long a primary attack vector—dropped by half, marking their lowest level on record. The gap appears to be filled by other “Living off the Land” (LoTL) techniques, particularly those leveraging native Windows tools, which saw an 18 per cent quarter-on-quarter rise.

WatchGuard’s report also highlighted Trojan.Agent.FZPI as the top malware detected over encrypted connections. This new HTML-based threat combines multiple phishing and obfuscation techniques into a single attachment, using encrypted communications to evade detection. Analysts warn that such hybrid threats—merging legitimate-looking files with concealed payloads—can easily slip past defences unless TLS inspection and behavioural monitoring are in place.

The findings paint a clear picture: as attackers embrace artificial intelligence and sophisticated delivery mechanisms, organisations must evolve their defences in kind. WatchGuard recommends a layered security model that includes behavioural detection, endpoint protection, and real-time threat intelligence to counter the next wave of cyber threats.
