WatchGuard’s Internet Security Report analyzed the top malware, network, and endpoint security threats observed by the WatchGuard Threat Lab researchers during the first quarter of 2025.  

The report’s key findings reveal a 171% (quarter-over-quarter) increase in total unique malware detections, the highest the Threat Lab has recorded. Pair this with a significant increase in “zero day malware,” and this signals a sharp rise in evasive threats designed to bypass signature-based detection — that is, traditional security systems that rely on patterns to detect threats. Notably, proactive machine learning (ML) detection offered by IntelligentAV (IAV) surged 323%, highlighting its critical role in detecting advanced malware. Gateway AntiVirus (GAV) hits increased by 30%, and Transport Layer Security (TLS) malware increased by 11 points, underscoring encrypted channels as a primary attack vector. The dramatic surge in IAV and heightened TLS malware emphasizes attackers’ reliance on obfuscation and encryption, challenging conventional defenses.

The Threat Lab also observed a 712% increase in new malware threats on endpoints. To underscore the severity of this figure, new malware threats have seen a consistent decline over the past three quarters. The top malware threat on the endpoint was LSASS dumper, a credential stealer used for tasks such as logging onto systems, managing passwords, and creating access tokens. Attackers exploit LSASS to access system components by bypassing user mode and performing direct kernel-mode instructions.   

Ransomware declined 85% from the previous quarter, although the second most detected malware threat was a ransomware payload: Termite ransomware. This supports the industry trend of a decrease in crypto ransomware, the malware that encrypts files. Attackers are now shifting toward data theft instead of encryption, as improvements in data backups and recovery have been made. 

Scripts, files derived from or using a scripting programming language, are down by about half this quarter, the lowest they’ve ever been. Historically, reporters have observed scripts as the number one attack vector for malware detection on endpoints. Other Living off The Land (LoTL) techniques, such as Windows, saw the highest increase from quarter to quarter at 18%, filling the gap left by scripts. 

The top malware detected over encrypted connections was Trojan.Agent.FZPI, a new malicious HTML file that merges legitimate-looking files with encrypted communication. This threat combines several techniques that threat actors have employed over the last few years into one super phishing attachment. Organizations must implement robust TLS inspection, behavioral analysis, and endpoint protection to detect and neutralize this threat. 

In Q1 2025, the most widespread malware was Application.Cashback.B.0835E4A4, a newly identified threat and among the most prevalent malware families ever recorded, with the highest impact in Chile at 76% and Ireland in second at 65%. The prevalence of Application.Cashback variants signal the need for region-specific defenses to address these sophisticated threats. 

The unique number of network signatures triggered, or known attacks detected on networks, decreased by 16% from last quarter as attackers focused on a narrower set of exploits. The network attack landscape highlights that while new exploits do emerge, attackers continue to heavily exploit unpatched legacy vulnerabilities at scale, forcing organizations to address both fronts simultaneously. 

Malware threats are continuing to emerge via email rather than the web, suggesting that threat actors are targeting users with traditional phishing techniques, as AI makes it easier to compose believable spear phishing messages. However, AI and machine learning-based tools are detecting significantly more threats at the network and endpoint perimeter in Q1 2025. 

Download the report.