Biannual Internet Security Report

February 19, 2026

The second half (H2) of 2025 tells a malware story of contrasts and dichotomies. Like the first half of the year, network-based malware detection is up in volume. However, from the endpoint perspective, total malware is down overall in H2, dropping the most in Q4. Meanwhile, from the network perspective, evasive and sophisticated zero-day malware fell by more than half, despite the rise in overall malware volume. Yet again, the endpoint tells a different story, with new and unique malware detections up in volume, exploding by over 1,500% in Q4 specifically. One thing remains the same, though: despite the contrasting malware stories told by our endpoint and network products, you need to keep your eye on both types of malware detection to avoid this threat.

Meanwhile, network-based attacks and software exploits declined, as did the number of unique exploit types we detected. The bulk of the top network detections continue to be older vulnerabilities, likely mass-scanned by automated botnets and exploit frameworks. We did, however, dig further down into the top 50 to find some interesting exploits, which we cover later in the report.

In the endpoint section of this report, we continue to see that the way threat actors deliver malware has been changing. Malicious scripts have been the number one malware vector for as long as I can remember, though they have been slowly dropping over the past year. However, this half, during Q4, Windows binaries became the most common way for malware to begin infecting a system, likely because threat actors use living-off-the-land (LotL) tools to launch attacks, leveraging legitimate Windows binaries (LOLBAS).

Price: FREE

About the Provider

WatchGuard
For over 20 years, WatchGuard has pioneered cutting-edge cyber security technology and delivered it as easy-to-deploy and easy-to-manage solutions. With industry-leading network security, secure Wi-Fi, multi-factor authentication, and network intelligence products and services, WatchGuard enables more than 80,000 small and midsize enterprises from around the globe to protect their most important assets.
