A new report shows that three of the four new malware threats in the Q1 2023 top 10 list have originated in China and Russia.

The latest Internet Security Report, released by WatchGuard Technologies, details the top malware trends and network and endpoint security threats analyzed by WatchGuard Threat Lab researchers in Q1 2023. Key findings from the data show phishers leveraging browser-based social engineering strategies, new malware with ties to nation states, high amounts of zero day malware, living-off-the-land attacks on the rise, and more.

Other key report highlights

• New browser-based social engineering trends — Now that web browsers have more protections preventing pop-up abuse, attackers have pivoted to using the browser notifications features to force similar types of interactions.
• Threat actors from China and Russia behind 75% of new threats in the Q1 Top 10 list — Three of the four new threats that debuted on the report's top 10 malware list this quarter have strong ties to nation states, although this doesn’t necessarily mean those malicious actors are in fact state-sponsored.
• Persistence of attacks against Office products, End-of-Life (EOL) Microsoft ISA Firewall — Threat Lab analysts continue to see document-based threats targeting Office products in the most widespread malware list this quarter. On the network side, the team also noticed exploits against Microsoft’s now-discontinued firewall, the Internet Security and Acceleration (ISA) Server, getting a relatively high number of hits. Although this product has long been discontinued and without updates, attackers are still targeting it.
• Living-off-the-land attacks on the rise — The ViperSoftX malware reviewed in the Q1 DNS analysis is the latest example of malware leveraging the built-in tools that come with operating systems to complete their objectives. The continued appearance of Microsoft Office- and PowerShell-based malware in these reports quarter after quarter underscores the importance of endpoint protection that can differentiate legitimate and malicious use of popular tools like PowerShell.
• Malware droppers targeting Linux-based systems — One of the new top malware detections by volume in Q1 was a malware dropper aimed at Linux-based systems. Security professionals should be sure to include non-Windows machines when rolling out Endpoint Detection and Response (EDR) to maintain full coverage of their environment.
• Zero day malware accounting for the majority of detections — This quarter saw 70% of detections coming from zero day malware over unencrypted web traffic, and a 93% of detections from zero day malware from encrypted web traffic. Zero day malware can infect IoT devices, misconfigured servers and other devices that don’t use robust host-based defenses.
• New insights based on ransomware tracking data — In Q1 2023, the Threat Lab tallied 852 victims published to extortion sites and discovered 51 new ransomware variants. These ransomware groups continue to publish victims at a high rate; some are well-known organizations and companies in the Fortune 500.

Consistent with previous quarterly research updates, the data analyzed in this quarterly report is based on anonymized, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuard’s research efforts.