WatchGuard Technologies has released the findings of its latest Internet Security Report, revealing a marked acceleration in evasive and encrypted malware threats, and highlighting the need for MSPs to adopt a more proactive and unified security approach.
Based on anonymized and aggregated threat intelligence from WatchGuard’s network, endpoint and DNS filtering security products, the semi-annual report shows that attackers are increasing both the volume and sophistication of malware, exposing the limitations of reactive signature-based defenses still common in customer environments.
In 2025, new malware increased every quarter, culminating in a 1,548% spike between the third and fourth quarters alone. At the same time, 23% of detected malware evaded traditional signature-based detection, effectively qualifying it as a zero-day threat and reinforcing the need for behavior-based, AI-driven protection.
Shortcomings of traditional security models
The report reveals several trends with direct implications for MSPs:
• Evasive malware is on the rise: With more than 15x more unreleased malware on the endpoint, malicious actors are prioritizing new, obfuscated exploits designed to bypass static detection methods.
• Encrypted delivery is now the norm: 96% of blocked malware was delivered over TLS, creating significant visibility gaps for organizations that do not perform HTTPS inspection.
• Endpoint techniques are evolving: Malicious scripts have been gradually declining over the past year, while Windows binaries and living-off-the-land (LotL) tools have become major infection vectors, leveraging trusted processes to avoid detection.
• Network threats remain persistent: Although network-based exploits decreased in the second half of 2025, the majority of detections still point to long-known vulnerabilities, especially in modern web applications, reinforcing the need for layered network defenses such as intrusion prevention systems (IPS).
Attackers refine delivery and monetization
Research also shows that attackers are improving both how they deliver malware and how they make money. During the second half of 2025, WatchGuard observed phishing campaigns that employed malicious PowerShell scripts to deploy Malware-as-a-Service tools, including remote access Trojans, while deliberately bypassing automated file analysis.
Although global ransomware activity fell 68.42% year-on-year, public extortion payments reached record levels, indicating a shift toward fewer, but higher-value attacks. Crypto mining activity remains a popular, low-friction monetization method for attackers once they have gained access.
What this means for MSPs
“Today’s threat landscape has overtaken point solutions and reactive security models,” explains Corey Nachreiner, chief security officer at WatchGuard Technologies. “For MSPs, the risk to the business is especially high. Customer breaches increase support costs, damage trust, and create a clear competitive disadvantage. The MSPs that succeed in 2026 and beyond will be those able to clearly demonstrate proactive threat intelligence and unified protection across their customers’ environments.”
MSPs must move from reactive security to a proactive approach based on threat intelligence and unified protection
The findings reinforce the need for modern defense strategies that combine advanced endpoint protection, detection and response (EPDR), AI-powered threat detection, and continuous monitoring. As attacks become more persistent and complex, MSPs are increasingly positioned to differentiate themselves by offering 24/7 managed detection and response services that reduce risk while driving long-term value for customers.
For a more detailed look at WatchGuard’s research, you can check out the full H2 2025 Security Report.
