SEATTLE – April 10, 2025 – WatchGuard® Technologies, a global leader in unified cybersecurity, today released the findings of its latest Internet Security Report, a quarterly analysis detailing the top malware, network, and endpoint security threats observed by the WatchGuard Threat Lab researchers during the fourth quarter of 2024.
The report’s key findings include a 94% (quarter-over-quarter) increase in network-based malware detections, reflecting a steady rise in threats. At the same time, the data shows an increase in all malware detections, including a 6% increase in Gateway AntiVirus (GAV) detections and a 74% increase in Advanced Persistent Threat (APT) Blocker detections, the most significant rises came from proactive machine learning detection offered by IntelligentAV (IAV) at 315%, indicating the growing role in more proactive anti-malware services catching sophisticated, evasive malware, like zero-day malware, when it comes from encrypted channels. The significant upticks in evasive hits suggest attackers are leaning harder into obfuscation and encryption, challenging traditional defenses.
The Threat Lab also observed a significant increase in crypto miner detection at 141% quarter over quarter. Cryptocurrency mining is a natural process for acquiring cryptocurrency on some blockchains, including Bitcoin. A malicious coin miner can look like executing software that installs a coin miner without the user’s knowledge or consent. As the price and popularity of Bitcoin go up, crypto miner detections also stand out as a malicious tactic used by threat actors.
“The findings from our Q4 2024 Internet Security Report reveal a cybersecurity landscape where attackers are both continuously relying on old habits and low-hanging fruit vulnerabilities and flaws that are easy to exploit while also leveraging evasive malware techniques to evade traditional defenses,” said Corey Nachreiner, chief security officer, WatchGuard Technologies. “The data illustrates the importance of staying vigilant with the basics: proactively keep systems updated, monitor for abnormal activity, and use layered defenses to catch the inevitable exploit attempts across networks and endpoints. By doing so, businesses can greatly mitigate the threats demonstrated this quarter and be prepared for what adversaries and the evolving threat landscape may bring.”
Additional key findings from WatchGuard’s Q4 2024 Internet Security Report include:
- In Q4, Zero-Day malware rebounded to 53%, up significantly from its all-time low of 20% in Q3. This reinforces the report’s earlier observation that malware increasingly comes in encrypted connections, with these encrypted channels typically delivering more sophisticated and evasive threats.
- Total unique malware threats are significantly down for the quarter, at a historic 91% decrease. This is likely due to a reduction in one-off targeted attacks and an increase in generic malware. However, fewer threats do not mean that the threats that attempt to slip through defenses will be simple attacks if not addressed quickly and diligently.
- Network attacks declined 27% from the previous quarter. The Threat Lab findings show that many tried-and-true exploits persisted as top attacks this quarter, underscoring that attackers stick with what they know works.
- The top phishing domains list remained unchanged from the previous quarter, highlighting the continued use of persistent and high-impact phishing infrastructure. The SharePoint-themed phishing domains, which often mimic legitimate login portals to harvest credentials, suggest that attackers still exploit business email compromise (BEC) tactics to target organizations relying on Office 365 services.
- Living off-the-land attacks (LotL), which exploit legitimate system tools like PowerShell, Windows Management Instrumentation (WMI), or Office macros instead of relying on external malware to load malware, are trending. This can be seen in 61% of endpoint attack techniques leveraging PowerShell injection and scripts, accounting for nearly 83% of all endpoint attack vectors. Of that ~83%, 97% were from PowerShell, again pointing to PowerShell being responsible for the vast majority of threat actors’ avenues of attack.
- Over half of the top 10 network detections are generic signatures, which catch common web app flaws. This trend underscores that attackers are going after the “bread and butter” style attacks in mass.
Consistent with WatchGuard’s Unified Security Platform® approach and the WatchGuard Threat Lab’s previous quarterly research updates, the data analyzed in this quarterly report is based on anonymized, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuard’s research efforts.
For a more in-depth view of WatchGuard’s research, download the complete Q4 2024 Internet Security Report.