Malware Evolves in 2025: 71% Bypass Signatures and Grows 171% in the Network, According to WatchGuard

The first quarter of 2025 marks a turning point in cybersecurity. WatchGuard Technologies’ new report has shaken the industry by revealing a staggering 171% increase in unique network malware detections compared to the previous quarter. But the most concerning aspect isn’t just the volume—it’s the growing sophistication of threats: 71% of attacks bypass traditional detection systems, utilizing obfuscation, encryption, and AI-assisted generation techniques.

The takeaway is clear: attackers are moving beyond classic methods, favoring evasive and automated tactics that conventional protection systems simply can’t keep up with.

A powerful metaphor is used in the report—comparing the digital ecosystem to a natural environment invaded by aggressive species. Similarly, the digital landscape is being overrun by new “malware species” disrupting networks, endpoints, and connected devices. While IT and cybersecurity professionals strive to maintain balance, attackers are refining their arsenal with AI-driven tools such as automatic malicious code generators and obfuscation packers.

“We’re witnessing the rise of a new malware generation that no longer relies on signatures to spread or attack. It’s smarter, faster, and more difficult to detect,” says Corey Nachreiner, Chief Security Officer at WatchGuard.

Among the key findings of the report:

Key Indicator                                     Change in Q1 2025
------------------------------------------------  ----------------------------------------
Unique network malware detections                 +171%
Increase in zero-day malware                      +323% (detected by AI)
Malware evading signatures (zero-day in network)  71% of total
Malware in encrypted (TLS) connections            71% of total (+11 points)
New malware variants in endpoints                 +712%
Traditional ransomware decline                    -85%
Attacks exploiting outdated software              High persistence (ProxyLogon, HAProxy)

WatchGuard notes that had all active Firebox devices been reporting with all features enabled, over 1.62 billion malware incidents would have been detected in just the first three months of the year.

Despite a 22% decrease in overall malware volume on endpoints, there was a 712% surge in unique new variants, indicating a clear trend toward automation and mutation of threats to evade controls. Analysts attribute this partly to the proliferation of AI tools in underground forums, enabling rapid creation of adaptive malware, such as automatic malicious code generators or obfuscated packers.

Previously, scripting languages like PowerShell and VBScript were the most common entry vectors for endpoints. However, in this first quarter, browsers and pirated tools have gained ground, with “drive-by downloads” and malicious files hidden in dubious download software or counterfeit remote applications making a comeback. This suggests that attackers are re-exploring old vectors with new techniques to stay hidden longer.

While ransomware declined 85% compared to the previous quarter, this doesn’t signal a win. Instead, there’s a strategic shift: attackers are less interested in encrypting files and more focused on stealing data and threatening leaks. Improved backup and recovery systems are displacing the classic hostage model. An example is Termite—a ransomware payload now mainly focused on data extraction rather than encryption.

Encryption via TLS remains a preferred channel for malware delivery, with 87% of zero-day malware arriving over secure connections. This underscores the urgent need for organizations to implement deep TLS inspection. Additionally, Living off the Land (LoTL) attacks, which abuse legitimate system tools such as built-in Windows binaries to carry out malicious activity covertly, are on the rise.

Prominent threats of the quarter include:

  • Application.Cashback.B.0835E4A4: detected in 76% of devices in Chile and 65% in Ireland, showing high regional propagation.
  • Trojan.Agent.FZPI: a malicious HTML mimicking legitimate documents, hiding encrypted links to remote servers, combining old phishing tactics with secure communications to enhance lethality.

To counter these evolving threats, WatchGuard emphasizes three defensive strategies:

  1. Increasing visibility into encrypted traffic with tools that analyze TLS traffic without impacting performance.
  2. Incorporating AI in defense—not just for detection (like IntelligentAV), but also for prediction and autonomous response.
  3. Continuous staff training and awareness to tackle increasingly convincing phishing campaigns, many AI-generated.

In conclusion, if 2024 was the year of polymorphic malware, 2025 is proving to be the year of evasion and automation driven by AI. Just as in nature, adapting or fading away is the mantra for cybersecurity teams.

Access the WatchGuard report.
