
In 2025, new malware increased every quarter, leading up to a 1,548 percent spike from Q3 to Q4 alone. At the same time, 23 percent of detected malware evaded traditional signature-based detection, effectively qualifying as zero-day threats.
A new report, based on anonymized, aggregated threat intelligence from WatchGuard Technologies’ network security, endpoint, and DNS filtering products, finds that with over 15 times more never-before-seen malware on the endpoint, threat actors are prioritizing new and obfuscated exploits designed to bypass static detection methods.
Encrypted delivery has become the norm too: 96 percent of blocked malware was delivered over TLS, creating major visibility gaps for organizations that do not perform HTTPS inspection.
While network-based exploits declined in H2 2025, the majority of detections continue to target long-standing vulnerabilities, particularly in modern web applications, reinforcing the need for layered network defenses such as intrusion prevention systems (IPS).
Attackers are also improving how they deliver and profit from malware. During the second half of 2025, WatchGuard observed phishing campaigns that used malicious PowerShell scripts to stage Malware-as-a-Service tools, including remote access trojans, while deliberately evading automated file analysis.
Overall ransomware activity declined 68.42 percent year-on-year, though public extortion payments reached record levels, indicating a shift toward fewer, higher-value attacks. Cryptomining activity remains a popular, low-friction monetization method for attackers once access is established.
“Today’s threat landscape has outgrown point solutions and reactive security models,” says Corey Nachreiner, chief security officer at WatchGuard Technologies. “For MSPs, the business risk is especially high. Client breaches increase support costs, damage trust, and create a clear competitive disadvantage. The MSPs that will succeed in 2026 and beyond are those that can clearly demonstrate proactive threat intelligence and unified protection across their customers’ environments.”
The full report is available from the WatchGuard site.
