Total Unique Malware Increases By 171%: WatchGuard

by DigitalCIO Bureau
July 9, 2025
New WatchGuard research reveals 171% increase in total unique malware as attackers defy traditional defenses.
Other key findings show an increase in email-borne malware threats, a rise in unique and evasive endpoint threats, and a decline in ransomware—shifts shaped by the AI boom.

The report’s key findings reveal a 171% (quarter-over-quarter) increase in total unique malware detections, the highest the Threat Lab has recorded. Paired with a significant increase in “zero day malware,” this signals a sharp rise in evasive threats designed to bypass signature-based detection—that is, traditional security systems that rely on patterns to detect threats. Notably, proactive machine learning (ML) detection offered by IntelligentAV (IAV) surged 323%, highlighting its critical role in detecting advanced malware. Gateway AntiVirus (GAV) hits increased by 30%, and Transport Layer Security (TLS) malware increased by 11 points, underscoring encrypted channels as a primary attack vector. The dramatic surge in IAV and heightened TLS malware emphasize attackers’ reliance on obfuscation and encryption, challenging conventional defenses. The findings stress the need for enhanced visibility and adaptive security to combat these sophisticated, concealed threats at scale.

The Threat Lab also observed a 712% increase in new malware threats on endpoints. To underscore the severity of this figure, new malware threats have seen a consistent decline over the past three quarters. The top malware threat on the endpoint was an LSASS dumper, a credential stealer that targets the Local Security Authority Subsystem Service (LSASS), the Windows process used for tasks such as logging onto systems, managing passwords, and creating access tokens. Attackers exploit LSASS to access system components by bypassing user mode and performing direct kernel-mode instructions.

“The latest findings in the Q1 2025 Internet Security Report seem to support a larger cybersecurity industry trend: the AI war is here. Attackers are increasingly relying on social engineering and phishing techniques supercharged by AI tools,” said Corey Nachreiner, chief security officer, WatchGuard Technologies. “Attackers now have the capabilities to launch highly targeted campaigns at scale using automated pipelines, emphasizing the need for organizations to adopt robust, precise, and powerful security measures to stay ahead of the advancements in AI and the evolving cyber risks.”

Additional key findings from WatchGuard’s Q1 2025 Internet Security Report include:

  • Ransomware declined 85% from the previous quarter, although the second most detected malware threat was a ransomware payload: Termite ransomware. This supports the industry trend of a decrease in crypto ransomware, the malware that encrypts files. Attackers are now shifting toward data theft instead of encryption, as improvements in data backups and recovery have been made.
  • Scripts, files derived from or using a scripting programming language, are down by about half this quarter, the lowest they’ve ever been. Historically, the Threat Lab has observed scripts as the number one attack vector for malware detection on endpoints. Other Living off the Land (LoTL) techniques, such as Windows, saw the highest increase from quarter to quarter at 18%, filling the gap left by scripts.
  • The top malware detected over encrypted connections was Trojan.Agent.FZPI, a new malicious HTML file that merges legitimate-looking files with encrypted communication. This threat combines several techniques that threat actors have employed over the last few years into one super phishing attachment. Organizations must implement robust TLS inspection, behavioral analysis, and endpoint protection to detect and neutralize this threat.
  • In Q1 2025, the most widespread malware was Application.Cashback.B.0835E4A4, a newly identified threat and among the most prevalent malware families ever recorded, with the highest impact in Chile at 76% and Ireland in second at 65%. The prevalence of Application.Cashback variants signals the need for region-specific defenses to address these sophisticated threats.
  • The unique number of network signatures triggered, or known attacks detected on networks, decreased by 16% from last quarter as attackers focused on a narrower set of exploits. The network attack landscape highlights that while new exploits do emerge, attackers continue to heavily exploit unpatched legacy vulnerabilities at scale, forcing organizations to address both fronts simultaneously.
  • Malware threats are continuing to emerge via email rather than the web, suggesting that threat actors are targeting users with traditional phishing techniques, as AI makes it easier to compose believable spear phishing messages. However, AI and machine learning-based tools are detecting significantly more threats at the network and endpoint perimeter in Q1 2025.

Consistent with WatchGuard’s Unified Security Platform approach and the WatchGuard Threat Lab’s previous quarterly research updates, the data analyzed in this quarterly report is based on anonymized, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuard’s research efforts.
