Malware over Encrypted Connections Rises by 40 Percent

WatchGuard reports a 40 percent increase in evasive malware over encrypted TLS traffic. Concurrently, the threat landscape is shifting towards more zero-day attacks, targeted ransomware, and recurring USB malware.

The number of malware attacks delivered over encrypted traffic rose by 40 percent in the second quarter of 2025, according to WatchGuard Technologies' Internet Security Report for Q2 2025. Cybercriminals increasingly deliver their payloads over Transport Layer Security (TLS) so that network-based detection never sees the malicious bytes.

Encryption as Camouflage

According to WatchGuard, 70 percent of all malware attacks now arrive over encrypted TLS connections. TLS is doing exactly what it was designed to do: it hides the payload from everyone on the path, and that includes gateway antivirus and intrusion prevention engines, which cannot match signatures against ciphertext. Advanced and so-called zero-day malware in particular takes advantage of this: of the malware delivered over TLS, 90 percent were previously unknown variants that signature-based detection had not seen before. The practical consequence is that gateway scanning covers this traffic only where TLS inspection (terminating, decrypting and re-encrypting the session at the gateway) is deployed; without it, the only signals left are connection metadata such as the server name in the ClientHello and the server certificate.
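To make the difference between the two vantage points concrete, here is an added example that is not part of the WatchGuard report: it builds a constructed TLS stream (a minimal ClientHello with SNI and ALPN, followed by one application_data record), then runs a naive byte-signature scan over the raw stream, as a sensor without TLS inspection would, and again after "decryption", as an inspecting gateway would. The host name, the signature string, the session key and the record-protection function are all stand-ins: the XOR-with-SHA-256 keystream is not TLS cryptography and is used only so the payload is unreadable on the wire; in a real session the record key is derived from the handshake.

```python
import hashlib
import struct

TLS_HANDSHAKE, TLS_APPLICATION_DATA = 0x16, 0x17
EXT_SERVER_NAME, EXT_ALPN = 0, 16
# Constructed stand-ins: a byte signature an AV engine might match, and a record key.
SIGNATURE = b"EXAMPLE-DROPPER-MARKER"
KEY = hashlib.sha256(b"example session key").digest()

def build_client_hello(server_name: str, alpn: list[str]) -> bytes:
    """Minimal ClientHello record carrying SNI and ALPN (constructed sample)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    alpn_list = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    alpn_data = struct.pack("!H", len(alpn_list)) + alpn_list
    exts = b"".join(struct.pack("!HH", t, len(d)) + d
                    for t, d in ((EXT_SERVER_NAME, sni_data), (EXT_ALPN, alpn_data)))
    body = (b"\x03\x03" + bytes(32)               # client_version, random (zeroed here)
            + b"\x00"                             # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                         # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def stub_record_protection(key: bytes, seq: int, data: bytes) -> bytes:
    """Stand-in for the record-layer AEAD: XOR with a SHA-256 keystream. Not TLS crypto."""
    stream = bytearray()
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack("!QQ", seq, len(stream))).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def parse_records(stream: bytes):
    """Yield (content_type, body) for each TLS record; reject truncated input."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record")
        yield ctype, body
        pos += 5 + length

def parse_client_hello(handshake: bytes) -> dict:
    """Extract SNI and ALPN, the cleartext fields a sensor can still act on."""
    if handshake[:1] != b"\x01":
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                        # header, version, random
    p += 1 + handshake[p]                                 # session_id
    p += 2 + struct.unpack("!H", handshake[p:p + 2])[0]   # cipher_suites
    p += 1 + handshake[p]                                 # compression_methods
    end = p + 2 + struct.unpack("!H", handshake[p:p + 2])[0]
    p, info = p + 2, {"sni": None, "alpn": []}
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", handshake[p:p + 4])
        data = handshake[p + 4:p + 4 + elen]
        if etype == EXT_SERVER_NAME:                      # list_len(2) type(1) len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == EXT_ALPN:                           # list_len(2) then (len(1) proto)*
            q = 2
            while q < len(data):
                info["alpn"].append(data[q + 1:q + 1 + data[q]].decode("ascii", "replace"))
                q += 1 + data[q]
        p += 4 + elen
    return info

def sensor_view(stream: bytes, signature: bytes) -> dict:
    """Everything a sensor without TLS inspection can report about the session."""
    view = {"sni": None, "alpn": [], "opaque_bytes": 0, "signature_on_wire": signature in stream}
    for ctype, body in parse_records(stream):
        if ctype == TLS_HANDSHAKE and body[:1] == b"\x01":
            view.update(parse_client_hello(body))
        elif ctype == TLS_APPLICATION_DATA:
            view["opaque_bytes"] += len(body)
    return view

def gateway_after_decryption(key: bytes, stream: bytes, signature: bytes) -> bool:
    """The same signature scan once the gateway terminates TLS and decrypts records."""
    seq = 0
    for ctype, body in parse_records(stream):
        if ctype == TLS_APPLICATION_DATA:
            if signature in stub_record_protection(key, seq, body):
                return True
            seq += 1
    return False

def demo_stream() -> bytes:
    """Constructed session: ClientHello for a hypothetical host, then one protected record."""
    payload = b"MZ" + bytes(62) + SIGNATURE + bytes(16)   # constructed PE-like blob
    ciphertext = stub_record_protection(KEY, 0, payload)
    return (build_client_hello("update.example.invalid", ["http/1.1"])
            + bytes([TLS_APPLICATION_DATA]) + b"\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext)

if __name__ == "__main__":
    print("without inspection:", sensor_view(demo_stream(), SIGNATURE))
    print("after decryption:", gateway_after_decryption(KEY, demo_stream(), SIGNATURE))
```

Run as a script, the sensor view reports the SNI, the ALPN list and 102 opaque bytes with `signature_on_wire` False, while the post-decryption scan finds the marker. That is the whole story of the report's 70 percent figure: policy on the server name is all a non-inspecting gateway can do, and everything beyond that needs TLS inspection or endpoint detection.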

The number of unique malware variants increased by 26 percent in Q2. Cybercriminals use polymorphic techniques and encrypted packers, among other methods, to slip past signature-based antivirus. WatchGuard's own detection engines, Gateway AntiVirus and IntelligentAV, registered 85 and 10 percent more alerts, respectively, than in the previous quarter.

Resurgence of USB Malware

Although the number of ransomware campaigns decreased by 47 percent, their impact remains significant: attacks increasingly focus on specific high-value targets, and groups such as Akira and Qilin remain active, according to WatchGuard. Seven of the ten most detected network threats were droppers, malware whose job is to fetch and install further payloads. They arrive via macro-enabled documents or through established botnet families such as Mirai.

USB malware also made a comeback: two newly discovered variants install cryptominers on infected systems. Network attacks rose by 8.3 percent while the range of techniques observed narrowed. DNS-based threats persist as well, including domains linked to the DarkGate remote access trojan (RAT) and loader.