Darktrace’s APJ Threat Report Shows North Korea and China-nexus Groups’ Advanced AI Capabilities to Hit Email, Cloud and Third-party Vendors
Geopolitical tensions, rapid digital transformation, and deeper integration of generative AI have seen a sharp rise in the volume and sophistication of attacks across the region.
Posted: Wednesday, Nov 19
  • Business email compromise represents the biggest threat to the APJ region
    • Cybercriminals break through language barriers in Asia with LLMs
      • 1700% rise in Japanese language phishing emails since September 2024[1]
    • Advanced Persistent Threat (APT) groups increasingly use generative AI to improve phishing and social engineering techniques[2]
  • Cloud migration and hybrid work open up new attack surfaces
    • 65% of organisations spend 3-5 days longer to investigate cloud-based threats compared to on-premises environments[3]
    • 89% of organisations incur damage prior to the completion of incident containment and investigation[4]
  • Third-party vendors are the backdoor to high-value APJ targets
    • 15% of data breaches attributed to supply chain related vulnerabilities[5]
    • Average cost of a third-party vendor and supply chain compromise soars to US$4.91 million[6]

November 2025 – Darktrace, a global leader in AI for cybersecurity, has highlighted the most prolific cybercrime activities in the APJ region in the 12 months to July 2025.

Geopolitical tensions, rapid digital transformation, and deeper integration of generative AI have seen a sharp rise in the volume and sophistication of attacks across the region. State-sponsored APTs and ransomware gangs ramped up their efforts to infiltrate critical infrastructure, financial institutions, and government agencies across APAC, with notable threat groups like Lazarus, APT40, Earth Lamia, and SilverFox leading attacks.

Business email compromise represents the biggest threat. In 2024, Darktrace’s email security system, Darktrace / EMAIL, found that 32% of all phishing emails detected globally featured novel social engineering features, highlighting the increasing sophistication of phishing lures[7].

Difficulties in securing complex cloud environments amidst manual and decentralised processes highlight the need for a unified security solution.

Supply chain attacks have become an unavoidable reality, with adversaries targeting upstream suppliers and software to compromise multiple organisations in a single campaign.

Darktrace Director of Incident Response, Victoria Baldie said, “Defending against the Advanced Persistent Threats and ransomware groups that plague APJ governments and organisations has never been more important, or more challenging.
“The lines between state-sponsored and financially-motivated groups are disappearing, and the increased adoption of generative AI by threat actors has scaled operations significantly.”

State-sponsored APT Attacks Surge, Incorporate Generative AI Into Operations

Across the region, Darktrace observed APTs increasingly using generative AI to create more convincing phishing messages, automate social engineering, and even assist in malware development. This enables more sophisticated attacks that are harder to detect, escalating the overall threat landscape.

Australia: Chinese-linked APT40 (also known as Leviathan) repeatedly targeted the Australian government and private sector by exploiting public vulnerabilities in popular software such as Atlassian Confluence (CVE-2021-26084) or Microsoft Exchange (CVE-2021-34523)[8].

Singapore: Chinese-linked UNC3886, a newly identified threat actor, is drawing increasing concern as a serious risk to Singapore’s critical infrastructure[9].

Japan: Chinese-linked APT41 (also known as Winnti) launched the “RevivalStone” cyberespionage campaign against Japanese enterprises in many different sectors, including manufacturing, materials and energy[10].

South Korea: DPRK-affiliated APT groups, namely Kimsuky and Andariel, are reportedly behind the surge in attacks against South Korean government agencies and critical infrastructure to steal political and diplomatic intelligence that shapes strategic understanding of the region[11].

LLMs are Breaking Through Language Barriers

Historically, languages other than English, especially those not well represented in LLMs, posed a significant barrier to crafting convincing spear phishing emails. This is changing – as highlighted by Darktrace’s research, which uncovered a highly sophisticated malware campaign attributed to the Chinese APT group Mustang Panda targeting the Royal Thai Police.

In addition to this, Darktrace / EMAIL observed Japanese language phishing attacks rise more than 1700% in the past year alone amongst Darktrace customers – from just 1000 in September 2024 to more than 17,000 in October 2025.

Scattered Spider (US/UK) is one of the most prolific threat actors globally and within APJ, conducting high-profile attacks on the retail, aviation and transport sectors. The group is known for its advanced social engineering techniques and native English-speaking voice phishing methods targeting third-party vendors[12].

SilverFox (China) is repeatedly targeting organisations in Asia, specifically Taiwan, across multiple sectors, including finance, healthcare and retail[13]. The group is known to target Chinese-speaking individuals with malware baits crafted specifically for designated victim profiles to obtain sensitive high-value data.

North Korea Uses Cryptojacking Malware to Fund Nuclear Weapons Program

Bluenoroff, part of the Lazarus Group (DPRK), has shifted its focus from banks to cryptocurrency exchanges in order to fund covert operations, including its nuclear weapons and missile programs[14]. Recent techniques include the use of the ClickFix technique in spear phishing.

Download and read the report by following this link.

[1] Darktrace proprietary research

[2] https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai

[3] https://www.darktrace.com/blog/how-organizations-are-addressing-cloud-investigation-and-response

[4] https://www.darktrace.com/resources/report-investigation-and-response-in-the-cloud

[5] https://www.verizon.com/business/resources/reports/2024-dbir-data-breach-investigations-report.pdf

[6] https://www.ibm.com/downloads/documents/us-en/131cf87b20b31c91

[7] https://www.darktrace.com/resources/annual-threat-report-2024

[8] https://www.cyber.gov.au/sites/default/files/2024-07/apt40-advisory-prc-mss-tradecraft-in-action.pdf

[9] https://www.channelnewsasia.com/singapore/cybersecurity-csa-cyberattacks-it-operational-technology-unc3886-josephine-teo-5264121

[10] https://www.cnn.com/2023/07/06/tech/japan-port-ransomware-attack

[11] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

[12] https://www.darktrace.com/blog/untangling-the-web-darktraces-investigation-of-scattered-spiders-evolving-tactics

[13] https://westoahu.hawaii.edu/cyber/global-weekly-exec-summary/silver-fox-apt-attack-taiwan/

[14] https://apt.securelist.com/apt/bluenoroff