SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

APAC records highest network attack levels globally in WatchGuard report

Wed, 22nd Oct 2025

WatchGuard has published its Q2 2025 Internet Security Report outlining the latest global developments in malware, network, and endpoint threats between April and June.

The data shows a significant increase in advanced malware activity as threat actors increasingly use encrypted web traffic to evade detection. The report identifies a 40% quarter-over-quarter rise in evasive malware, and highlights that 70% of all malware deliveries are now hidden within encrypted (TLS) traffic, reflecting a shift towards stealthier cyberattacks.

Overall, malware detections increased by 15% in Q2, driven by an 85% surge from WatchGuard's Gateway AntiVirus (GAV) solution and a 10% increase from IntelligentAV (IAV) detections. The report notes that IAV is playing a greater role in identifying sophisticated threats, particularly those leveraging obfuscation techniques.

Accompanying these changes, ransomware detections fell by 47% over the quarter. However, the report observes that while total ransomware incidents declined, attackers have shifted towards fewer but more targeted campaigns focused on high-profile victims, which can have a far more significant impact.

Regional perspective: APAC trends

In the Asia-Pacific (APAC) region, WatchGuard data revealed particularly high levels of network attack activity. APAC was responsible for 51% of all global intrusion prevention system (IPS) detections, with an average of 198 IPS detections per Firebox device. This suggests heightened exposure to network exploitation in the region compared to other parts of the world.

While APAC accounted for only 13.3% of overall malware detections - less than the Americas at 46.5% and the EMEA region at 40.2% - the disproportionate level of network attacks highlights the unique threat landscape facing organisations in the area.

Phishing campaigns continue to be a notable concern in APAC, where the region recorded the highest global concentration of the HTML.Phishing.2 threat, which often masquerades as a fake login page. Within APAC, Japan and Hong Kong were particularly affected, capturing 19.5% and 17.5% of phishing activity respectively.

The report also draws attention to the re-emergence of Trojan.Linux.Mirai.1, the only malware in the global Top 10 specifically targeting APAC. The resurgence of the Mirai botnet, known for compromising Internet of Things (IoT) devices, marks a continued trend of increasingly complex attacks in the region.

Evasion and new tactics

The WatchGuard Threat Lab observed the continuing evolution of threat actor techniques. In Q2, over 76% of all malware detected was classified as zero-day, and for encrypted (TLS) malware, this figure rose to nearly 90%. These statistics emphasise the limitations of traditional signature-based solutions against modern, polymorphic threats that are designed to change their appearance and behaviour to escape detection.

The report also notes a 26% rise in new and unique malware threats year-over-year, much of which is attributed to packing encryption methods favoured by cybercriminals to bypass legacy controls. As a consequence, WatchGuard's advanced detection tools, such as APT Blocker and IAV, registered more frequent hits.
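Packed or encrypted payloads defeat signature matching precisely because their bytes look like noise, and that property is itself detectable. The following is an added illustration, not code from WatchGuard or the report: it measures Shannon entropy over a buffer and over fixed-size windows, so that a sample whose body is packed stands out even when an unpacked stub keeps the whole-file figure low. The 7.0 bits-per-byte threshold and the 1024-byte window are assumptions chosen for the example, and the sample buffers are constructed inline (pseudo-random bytes derived from a hash chain stand in for a packed section).

```python
"""Entropy-based packer heuristic on constructed samples.

Added example, not from the WatchGuard report: the threshold, window size
and sample buffers are assumptions constructed for illustration.
"""
import hashlib
import math
from collections import Counter

# Byte data tops out at 8.0 bits per byte. Plain text and ordinary compiled
# code usually sit well below 7.0, while packed or encrypted sections sit
# close to 8.0. The 7.0 cut-off is an assumed value for this example.
PACKED_ENTROPY_THRESHOLD = 7.0
WINDOW_SIZE = 1024


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def looks_packed(data: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> bool:
    """Whole-buffer verdict: high overall entropy suggests packing or encryption."""
    return shannon_entropy(data) >= threshold


def high_entropy_windows(data: bytes, window: int = WINDOW_SIZE,
                         threshold: float = PACKED_ENTROPY_THRESHOLD) -> list:
    """Return (offset, entropy) for each window at or above the threshold.

    Scanning in windows catches the common layout of a small plain stub
    followed by a packed body, which a whole-buffer average can hide.
    """
    flagged = []
    for offset in range(0, len(data), window):
        chunk = data[offset:offset + window]
        if len(chunk) < window // 2:
            break  # a tiny trailing slice would give an unreliable estimate
        entropy = shannon_entropy(chunk)
        if entropy >= threshold:
            flagged.append((offset, round(entropy, 3)))
    return flagged


# --- Constructed sample inputs (no real malware involved) -------------------

def make_pseudo_random(length: int, seed: bytes = b"example-seed") -> bytes:
    """Deterministic high-entropy bytes, built by chaining SHA-256 digests."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


PLAIN_SAMPLE = b"This is an ordinary text section. " * 128   # low entropy
PACKED_SAMPLE = make_pseudo_random(4096)                      # high entropy throughout
MIXED_SAMPLE = PLAIN_SAMPLE[:2048] + PACKED_SAMPLE[:2048]     # plain stub + packed body


if __name__ == "__main__":
    for name, blob in [("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE), ("mixed", MIXED_SAMPLE)]:
        print(f"{name:6s} entropy={shannon_entropy(blob):.3f} "
              f"packed={looks_packed(blob)} hot_windows={high_entropy_windows(blob)}")
```

The mixed sample is the instructive case: its whole-buffer entropy stays under the threshold, so `looks_packed` returns False, but the windowed scan flags the second half. In practice this heuristic is a triage signal rather than a verdict, since legitimate compressed resources and installers also score high.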

A new malicious JavaScript detection labelled "WEB-CLIENT JavaScript Obfuscation in Exploit Kits" emerged in this quarter's data. The finding demonstrates the rapidity with which new threats can proliferate and exploit software vulnerabilities.

Across Q2, the report's findings point to a rise in evasive malware over encrypted channels as attackers work to bypass detection and maximise impact. For resource-constrained MSPs and lean IT teams, this shift means the real challenge is adapting quickly. Consistent patching, proven defences, and advanced detection and response technologies that can act quickly remain the most effective countermeasures to mitigate these threats.

Incident analysis

The Threat Lab identified two previously unreported USB-based malware threats during the quarter: PUMPBENCH, a remote access backdoor, and HIGHREPS, a loader. Both were known to deploy XMRig, a tool used to mine the cryptocurrency Monero. This activity may be connected to the use of hardware wallets among cryptocurrency holders, suggesting that attackers are seeking new vectors to exploit digital asset users.

Network malware activity was characterised by the prevalence of droppers. Seven out of the top ten detections in Q2 were first-stage payloads, including Trojan.VBA.Agent.BIZ and the credential stealer PonyStealer, which exploit user-enabled macros for initial system compromise. The return of the Mirai botnet after five years was concentrated primarily in APAC.

The report also confirms that DNS-based threats, such as those associated with the DarkGate remote access trojan, remain persistent. These threats reinforce the necessity of DNS filtering as part of an organisation's defensive strategies.
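DNS filtering, as recommended above, is a policy applied to every query before it is resolved. The following is an added example, not code from WatchGuard or the report, showing what such a policy looks like when run over query logs: an allowlist is checked first, then a blocklist matched on label boundaries, then a simple heuristic that refuses very long, high-character-variety labels of the kind algorithmically generated names produce. The blocklist entries, the allowlist, the two heuristic thresholds and the log lines are all constructed placeholders for this example and are not indicators from the report.

```python
"""Minimal DNS-filtering policy applied to constructed query logs.

Added illustration only: the list entries, thresholds and log lines are
constructed for this example and are not indicators from the report.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Placeholder blocklist. A real deployment feeds this from threat intelligence;
# an entry covers the domain itself and every name beneath it.
BLOCKLIST = {"bad-c2.example", "loader.invalid"}

# Names that must never be blocked; checked before any other rule.
ALLOWLIST = {"example.com", "corp.internal"}

# Heuristic for algorithmically generated names (assumed values for this
# example): one label this long with this much character variety is blocked
# even when no blocklist entry matches.
MIN_SUSPICIOUS_LABEL_LEN = 20
LABEL_ENTROPY_THRESHOLD = 3.5

# Constructed query log: "<timestamp> <client> <qname> <qtype>" per line.
SAMPLE_LOG = """\
2025-06-01T09:00:01Z 10.0.0.15 www.example.com A
2025-06-01T09:00:02Z 10.0.0.15 update.bad-c2.example A
2025-06-01T09:00:03Z 10.0.0.21 loader.invalid TXT
2025-06-01T09:00:04Z 10.0.0.21 x7k2q9v4m1p8z3w6b5n0c2r9t4y7u1i3.example.net A
2025-06-01T09:00:05Z 10.0.0.30 mail.corp.internal A
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class Verdict:
    qname: str
    action: str   # "allow" or "block"
    reason: str


def normalise(qname: str) -> str:
    """Lower-case the name and drop a trailing dot so matching is consistent."""
    return qname.strip().lower().rstrip(".")


def matches(qname: str, names: set[str]) -> bool:
    """True if qname equals an entry or sits below it on a label boundary.

    The '.' prefix in the suffix test stops 'notbad-c2.example' from
    matching a 'bad-c2.example' entry.
    """
    return any(qname == n or qname.endswith("." + n) for n in names)


def label_entropy(label: str) -> float:
    """Shannon entropy of the characters in one DNS label, in bits."""
    counts = Counter(label)
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(qname: str) -> Verdict:
    """Apply the policy in order: allowlist, blocklist, then the label heuristic."""
    q = normalise(qname)
    if matches(q, ALLOWLIST):
        return Verdict(q, "allow", "allowlist")
    if matches(q, BLOCKLIST):
        return Verdict(q, "block", "blocklist")
    for label in q.split("."):
        if len(label) >= MIN_SUSPICIOUS_LABEL_LEN and label_entropy(label) >= LABEL_ENTROPY_THRESHOLD:
            return Verdict(q, "block", f"high-entropy label {label!r}")
    return Verdict(q, "allow", "no rule matched")


def filter_log(text: str) -> list[Verdict]:
    """Run every well-formed log line through the policy; malformed lines are skipped."""
    verdicts = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            _ts, _client, qname, _qtype = m.groups()
            verdicts.append(classify(qname))
    return verdicts


def blocked_names(text: str) -> list[str]:
    """The query names the policy would have refused to resolve."""
    return [v.qname for v in filter_log(text) if v.action == "block"]


if __name__ == "__main__":
    for v in filter_log(SAMPLE_LOG):
        print(f"{v.action:5s} {v.qname:50s} ({v.reason})")
```

Order matters: evaluating the allowlist first keeps a noisy heuristic from breaking internal names, and the label-boundary check in `matches` is what prevents a blocklist entry from accidentally covering unrelated domains that merely end in the same characters. The entropy rule is deliberately conservative (long labels only), since short high-variety labels are common in CDN and cloud hostnames.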

The diversity of network attacks contracted slightly, with 380 unique signatures detected this quarter compared to 412 in the previous quarter. Despite the ongoing development of novel exploits, attackers continue to target longstanding vulnerabilities in browsers, web frameworks, and open-source tools.

The report is based on anonymised, aggregated data from WatchGuard network and endpoint security products, contributed by customers who participate in the company's threat intelligence-sharing programmes.
