WatchGuard Technologies, the unified cybersecurity company for MSPs, has published the results of its latest Internet Security Report, a quarterly analysis that highlights the top malware, endpoint and network security threats detected by its WatchGuard Threat Lab researchers between April and June. Among its findings, a 40% quarter-over-quarter increase in advanced and evasive malware stands out.
The data also identifies encrypted channels as the attack vector preferred by cybercriminals, who increasingly use the TLS (Transport Layer Security) protocol to hide malicious payloads from inspection.
Overall, malware detections rose 15% in the period analyzed in the WatchGuard report, driven by an 85% increase in Gateway AntiVirus (GAV) detections and a 10% increase in IntelligentAV (IAV) detections, signaling the growing role of IAV in catching sophisticated threats.
With 70% of malware delivered over encrypted connections, the results also point to attackers' increasing reliance on cloaking and stealth, and to the need for companies to improve their visibility into encrypted traffic and make their protection strategies more adaptable.
WatchGuard Threat Lab also observed an 8.3% increase in network attacks alongside a reduction in attack diversity: 380 unique signatures were detected, down from 412 in the previous quarter. Also notable is a new detection for malicious JavaScript, "WEB-CLIENT JavaScript Obfuscation in Exploit Kits", a threat that uses obfuscation as an evasion technique to bypass legacy controls.
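The report does not describe how the obfuscation detection works, so the following is an added example of the kind of heuristic a web-client inspection engine applies to catch obfuscated exploit-kit JavaScript. It is not WatchGuard's signature nor code from the report: it scores a script on hex/percent-escaped strings, hex-named identifiers of the `_0x....` form, and decoding calls such as `eval` or `String.fromCharCode`, and reports a verdict. Both sample scripts and all thresholds are constructed assumptions for illustration.

```python
import math
import re
from collections import Counter

# Constructed samples (invented for this example): one ordinary script and one
# that uses the hex-escaped strings, hex identifiers and runtime decoding
# typical of exploit-kit loaders.
BENIGN_JS = """
function greet(name) {
  var msg = "Hello, " + name;
  document.getElementById("out").textContent = msg;
}
greet("world");
"""

OBFUSCATED_JS = r"""
var _0x4f2a=["\x65\x76\x61\x6c","\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65"];
var s="";for(var i=0;i<p.length;i++){s+=String.fromCharCode(p[i]^0x5a);}
eval(unescape("%75%6e%65%73%63%61%70%65"));
"""

# Calls commonly used to decode and execute a hidden second stage.
SUSPICIOUS_CALLS = re.compile(r"\b(eval|unescape|String\.fromCharCode|Function)\s*\(")
# \xNN, \uNNNN and %NN escapes used to hide strings from plain-text matching.
HEX_ESCAPES = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}")
# Identifier style produced by popular JavaScript obfuscators.
HEX_IDENTS = re.compile(r"\b_0x[0-9a-fA-F]{3,}\b")

# Assumed thresholds; a production engine would tune these on real traffic.
ESCAPE_DENSITY_THRESHOLD = 0.02
VERDICT_THRESHOLD = 3


def shannon_entropy(text):
    """Bits per character; reported as a supporting feature only."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_js(src):
    """Return the extracted features, a numeric score and a boolean verdict."""
    escapes = len(HEX_ESCAPES.findall(src))
    escape_density = escapes / max(len(src), 1)
    hex_idents = len(HEX_IDENTS.findall(src))
    suspicious_calls = len(SUSPICIOUS_CALLS.findall(src))

    score = 0
    if escape_density > ESCAPE_DENSITY_THRESHOLD:
        score += 2  # heavy string escaping is the strongest single signal
    if hex_idents:
        score += 1
    score += min(suspicious_calls, 3)  # cap so one feature cannot dominate

    return {
        "escape_density": round(escape_density, 3),
        "hex_idents": hex_idents,
        "suspicious_calls": suspicious_calls,
        "entropy": round(shannon_entropy(src), 2),
        "score": score,
        "obfuscated": score >= VERDICT_THRESHOLD,
    }


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_JS), ("obfuscated", OBFUSCATED_JS)):
        print(label, score_js(sample))
```

The point of combining several weak features is that each one alone produces false positives (minified libraries also have dense escapes, and `eval` appears in legitimate code), whereas the combination is rare outside loaders; a real engine would also run the script in a sandbox and inspect what the decoding calls actually produce, which a static check cannot do.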
The results also show that, although new exploits keep appearing, attackers continue to rely on old and widely exploited vulnerabilities in browsers, web frameworks and open source tools. Meanwhile, new and unique malware threats increased by 26%, indicating that packing and encryption, evasion techniques that defeat signature-based detection, are becoming more common.
Ransomware attacks, in turn, decreased by 47%, reflecting a shift towards fewer but more impactful attacks focused on high-profile targets, with more serious consequences for the victims. It is also worth noting that the number of extortion groups has increased, with Akira and Qilin among the most aggressive.
Droppers dominated network malware, indicating attackers' preference for multi-stage infections: 70% of the most common detections corresponded to first-stage payloads, among them Trojan.VBA, Agent.BIZ and the credential stealer PonyStealer. These payloads rely on macros enabled by the user to gain an initial foothold.
The Mirai botnet reappeared after five years, with activity concentrated mainly in Asia-Pacific, while zero-day malware continues to dominate the landscape, accounting for more than 76% of all detections and almost 90% of encrypted malware. DNS-based threats also persisted in the period analyzed in the WatchGuard report, among them domains related to the DarkGate remote access Trojan, which reinforces the importance of DNS filtering as a key defensive layer.