OpenText Report Shines Spotlight on Malware Infection Rates
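OpenText's 2025 cybersecurity threat report shows a malware infection rate of 2.39% for business PCs, with 87% being variants built to evade detection and 43% of devices reinfected. Malware mostly hides in AppData, Temp folders and download folders and spreads mainly as .zip files via email attachments. Attackers also use QR codes, telephone-oriented delivery and legitimate services for phishing, and ransomware is trending toward simply stealing data to demand a ransom, posing a severe challenge to businesses. 2025-5-9 19:27:52 Author: securityboulevard.com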

A 2025 cybersecurity threat report based on analysis of data collected from tens of millions of endpoints by OpenText shows that the malware infection rate for business PCs now stands at 2.39%, with 87% of that malware being based on some type of variant that was specifically created to evade detection by cybersecurity tools.

More challenging still, 43% of the business endpoints infected were found to have been subsequently reinfected.

Tyler Moffitt, a senior security analyst at OpenText Cybersecurity, said business PCs in regions where there is a significant amount of instability are seeing much higher infection rates due to attacks linked to cybercriminal syndicates allied with Russia.

That malware is most commonly found in AppData (27%), a Temp folder (21%) and downloads (12%). While email attachments remain a popular malware delivery method, the majority—53%—now take the form of .zip files, followed by 20% using .htm, 7.5% using .pdf, and 5.6% each for .doc/x and .rar files. Most businesses are also still running Windows 10 (65%), compared to 25% running Windows 11, the report finds.

As end users become more wary of attachments, threat actors are finding more creative methods to conceal their attacks. Recent innovations include QR codes opening links to malicious websites, known as quishing; more convincing telephone-oriented attack delivery (TOAD), in which branded email messages urge the recipients to call a number regarding an overdue account or other serious matter; and the use of legitimate services to conduct phishing attacks.

This latter tactic, known as “living off the land” (LotL) phishing, has become especially popular over the last year. Cybercriminals are using the URL of a legitimate service to redirect users to a malicious site or to host the phishing payload itself. Because the service is also used for legitimate business purposes, it can’t be blocklisted.

While the 171.1 million instances of this tactic in 2024 represent a decrease of 14.3% from 2023, there have been sharp increases in the abuse of several services, including Amazon Web Services (AWS), which rose 22.5% to over 13.4 million instances. New entrants in the “Top 10 Abused Services” listed by OpenText for 2024 include List manage (Mailchimp), Canva, and Cloudflare IPFS. Google APIs took the top spot at over 75 million instances, and a separate entry for Google Docs made an appearance as well, with over two million occurrences.
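Because these services cannot be blocklisted by domain, a mail filter has to treat links to them as a separate verdict that triggers content inspection instead of a block or a pass. The sketch below is an added example, not code from OpenText or the article; the hostnames are assumptions mapped from the service names the report lists, and the blocklist entry and sample message are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: hostnames mapped from the service names in the article; the
# report lists services, not domains.
SHARED_SERVICES = {
    "googleapis.com": "Google APIs",
    "docs.google.com": "Google Docs",
    "amazonaws.com": "Amazon Web Services",
    "list-manage.com": "Mailchimp",
    "canva.com": "Canva",
    "cloudflare-ipfs.com": "Cloudflare IPFS",
}
BLOCKLIST = {"bad-example.test"}  # hypothetical domain-reputation entry
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def match_suffix(host, table):
    """Return the table key equal to host or a parent domain of it."""
    host = host.lower().rstrip(".")
    for suffix in table:
        # The dot boundary stops lookalikes such as notgoogleapis.com.
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None

def triage(body):
    """Return (url, verdict, reason); verdict is block, inspect or pass."""
    results = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if match_suffix(host, BLOCKLIST):
            results.append((url, "block", "blocklisted domain"))
        elif (svc := match_suffix(host, SHARED_SERVICES)):
            # Domain reputation is clean, so the verdict must come from
            # the hosted content (click-time or sandbox inspection).
            results.append((url, "inspect", SHARED_SERVICES[svc]))
        else:
            results.append((url, "pass", ""))
    return results

# Constructed sample message body.
SAMPLE = """Invoice: https://storage.googleapis.com/constructed-bucket/login.html
News: https://constructed.us1.list-manage.com/track/click?u=1
Lookalike: http://googleapis.com.bad-example.test/a
Intranet: https://intranet.example.test/wiki
"""

if __name__ == "__main__":
    for url, verdict, reason in triage(SAMPLE):
        print(f"{verdict:8} {reason:20} {url}")
```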

In general, it’s clear that cybercriminals continue to evolve their tactics, said Moffitt. For example, there has been a general increase in the ransomware attacks that simply exfiltrate data rather than going to the trouble of encrypting it. Cybercriminals then demand a ransom payment for keeping that data confidential. An OpenText survey of 1,781 C-level executives, security professionals and security and technical directors conducted last year found that even though 97% acknowledged they can recover data, nearly half (46%) said their organization still decided to make a ransomware payment to prevent data from being exposed on the Dark Web.

The tactics and techniques employed by cybercriminals are constantly evolving. However, as these threats continue to become more sophisticated, the attacks that cybersecurity teams will be asked to thwart are steadily becoming harder to detect.


Source: https://securityboulevard.com/2025/05/opentext-report-shines-spotlight-on-malware-infection-rates/?utm_source=rss&utm_medium=rss&utm_campaign=opentext-report-shines-spotlight-on-malware-infection-rates