How different are APAC cyberthreats compared to those from other parts of the world? What does this uniqueness mean to organizations operating in the region?
We gathered key insights on the region’s threat landscape from Chase Li, Co-Founder of ThreatBook, as well as on the differing approaches to cyber-attacks and cybersecurity from market to market within the region.
How different are APAC cyberthreats compared to those from other parts of the world? What does this uniqueness mean to organizations?
Li: There are multiple ways APAC-originated threats differ from those emanating from elsewhere. First is patience over speed. Advanced persistent threat (APT) groups from Asia typically operate on a different timeline to Western cybercriminals.
Whereas Western ransomware actors want quick monetization, Asian state-connected groups overwhelmingly dwell inside networks for months — and sometimes years — before executing their attacks. The objective is espionage, IP theft, and strategic intelligence gathering — not extortion.
This trend reflects a nuanced difference between this region and others: in the US for instance, almost half of all attacks involve ransomware; yet in Asia, only about one-quarter of all attacks are ransomware-related. In almost all instances, state-sponsored threats are part of an elaborate program, not an opportunistic attack.
A further point of difference is how Asian APT groups target tech supply chains. Their focus tends to be on regional telecoms vendors, managed service providers, and government contractors who act as pathways into primary targets. Such attacks are patient, indirect, and harder to detect than direct attacks.
In addition, the tactics, techniques and procedures (TTPs) used in Asia are built to evade Western detection logic. Most threat intelligence platforms available today are predominantly built on Western telemetry, and this has since led to structural blind spots.
Moreover, local groups specifically engineer their tradecraft to evade the detection models most enterprise tools rely on — using living-off-the-land techniques, legitimate tooling, and custom implants with no static signatures, among others.
A further point worth noting is how APAC cybercrime gangs are more rampant than their peers from elsewhere. One-third of all global attacks now occur within the region. Beyond nation-state actors, Asia has a thriving ecosystem of financially-motivated criminal groups targeting enterprises and ordinary citizens alike.
Silver Fox — a gang ThreatBook has tracked and named — is a prime example: a sophisticated threat group running large-scale fraud campaigns against businesses across Southeast Asia, deploying trojan software to compromise financial systems and harvest credentials from unsuspecting victims.
The implication for all organizations is clear: if your threat intelligence doesn’t have eyes on APAC-originated threats, you have significant blind spots.
What are some recent developments in the Dark Web that cyber-defenders should be concerned about?
Li: The initial access broker (IAB) market has professionalized — IABs specialize in gaining unauthorized access to target networks, and sell this access to other cybercriminals.
Corporate virtual private network (VPN) credentials, remote desktop protocol (RDP) endpoints, and single sign-on (SSO) tokens are typically auctioned before victim organizations know they have been breached.
There is now a liquid secondary market with pricing tiers, customer reviews, and escrow services. Some 71% of IAB listings today offer privileged access to compromised victims — enabling not just a foothold within target organizations, but full elevated permissions.
On top of this, infostealers have become the IAB market’s supply chain. Tools like LummaC2 and Vidar harvest credentials and multi-factor authentication (MFA) material from a single infected endpoint — on average, they harvest 87 stolen credentials per compromised device. Some 1.8 billion credentials were stolen via infostealers in the first half of 2025 alone.
The exposure window has shortened dramatically as well. Credentials harvested by infostealers are listed for sale within hours of theft. Organizations have a 24–72 hour window between credentials appearing on dark web markets and active exploitation. Post-breach detection systems are structurally too slow to cope with this timeline.
Meanwhile, Telegram has replaced dark web forums as the primary coordination platform for cybercriminal activity. As of March 2026, it is the most-used communication tool among threat actors. Unlike Tor-based forums that facilitate anonymous discussions on the dark web, Telegram channels can be recreated instantly, with subscriber bases redirected through forwarding links.
At the same time, nefarious Data-as-a-Service business models are emerging. Beyond one-time data dumps, some criminal groups now offer subscription access to continuously updated stolen enterprise data — with live intelligence feeds from compromised environments.
Impersonation can be deployed in real time. The 2024 Hong Kong deepfake CFO case — where a finance employee transferred US$25M following a live video call with synthetic versions of known colleagues — demonstrated that this capability is now operational, not theoretical. Identity verification must move to out-of-band channels and behavioral context that AI cannot replicate. Periodic callbacks, established code words, and second-channel confirmation must now be baseline controls for all high-value transactions.
Notably, the attack surface has shifted inward as well. Traditionally, social engineering attacks targeted network perimeters; today, by contrast, deepfake impersonations exploit relationships within organizations. The human layer is now the primary attack surface.
Why are previous detection and response solutions and strategies no longer effective? How should CISOs and their teams approach cybersecurity for today and the future?
Li: Most organizations haven’t yet defined what “effective” looks like. The right starting point is to set concrete operational goals — such as dwell time, mean time to detect (MTTD), mean time to investigate (MTTI), and mean time to respond (MTTR) — and work towards these. Without targets, tool selection and process design are guesswork.
However, the biggest hindrance to traditional detection and response is noise. Large numbers of false positives don’t just waste our time — they erode trust in the tooling, slow down decisions, and create conditions where real threats get lost. Noise reduction, accuracy improvement, and AI-driven investigation triage are thus the baseline requirement for any program that can keep pace with modern adversaries.
The traditional network perimeter no longer exists — yet the tooling still assumes it does. Cloud, remote work, third-party access, and supply chain exposure have dissolved the boundaries that most legacy architectures were designed to defend. Increasingly, adversaries aren’t breaking through walls — they’re walking in with keys.
Stolen credentials, compromised identities, and legitimate access paths are now the dominant initial vector. The detection model must account for this.
This new threat paradigm has made accuracy a vastly underrated metric. False positive rates are rarely the first thing evaluated in vendor selection — but they should be. Inaccurate intelligence feeds degrade every decision downstream: across analyst triage, automated responses, and escalation logic.
CISOs and their teams should therefore assume they have been breached and are in a constant, compromised state. Preventing every intrusion is not a realistic goal. Security operations must be built on the assumption that adversaries will get in — and optimized for detecting and responding to attacks with precision.
They should set explicit targets and evaluate their tooling against them, while treating their false positive rates as a first-order operational metric that is also demanded of security vendors. CISOs and their teams must also ensure threat intelligence is embedded at every enforcement point, and not just piped into their security information and event management (SIEM) solution.
Ultimately, they must evaluate honestly whether their current tooling has genuine coverage of the threat actors most likely to target their sector and geography — and seek security solutions that make sizeable accuracy improvements, rather than assuming these can be made solely by additional headcount.
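As an added illustration of the targets Li describes (not code from ThreatBook or the interview), the script below computes dwell time, MTTD, MTTI, MTTR and the false-positive rate from constructed SOC alert records and reports which metrics miss explicit targets. The metric definitions, the sample records and the target values are all assumptions made for the example.

```python
"""Measure SOC performance against explicit operational targets.

Assumed definitions (stated, not taken from the interview):
  dwell_time = compromise -> containment      mttd = compromise -> detection
  mtti       = detection  -> triage complete  mttr = detection  -> containment
All values are in hours; false_positive_rate = FP alerts / all alerts.
"""
from datetime import datetime
from statistics import mean

# Constructed sample alerts (ISO-8601 UTC). Only true positives carry
# compromise and containment times; false positives stop at triage.
ALERTS = [
    {"id": "A-1", "verdict": "true_positive", "compromised": "2025-03-01T02:00:00",
     "detected": "2025-03-01T03:00:00", "investigated": "2025-03-01T03:30:00",
     "contained": "2025-03-01T06:00:00"},
    {"id": "A-2", "verdict": "true_positive", "compromised": "2025-03-02T00:00:00",
     "detected": "2025-03-03T00:00:00", "investigated": "2025-03-03T02:00:00",
     "contained": "2025-03-03T12:00:00"},
    {"id": "A-3", "verdict": "true_positive", "compromised": "2025-03-05T10:00:00",
     "detected": "2025-03-05T12:00:00", "investigated": "2025-03-05T12:30:00",
     "contained": "2025-03-05T14:00:00"},
    {"id": "A-4", "verdict": "false_positive", "detected": "2025-03-06T09:00:00",
     "investigated": "2025-03-06T09:40:00"},
    {"id": "A-5", "verdict": "false_positive", "detected": "2025-03-07T15:00:00",
     "investigated": "2025-03-07T15:20:00"},
]

# Assumed targets: maximum acceptable mean hours per metric, and max FP share.
TARGETS_HOURS = {"dwell_time": 24.0, "mttd": 12.0, "mtti": 1.0, "mttr": 4.0}
MAX_FALSE_POSITIVE_RATE = 0.3


def _hours(later: str, earlier: str) -> float:
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 3600


def compute_metrics(alerts: list[dict]) -> dict[str, float]:
    """Return mean dwell time, MTTD, MTTI, MTTR (hours) and the FP rate."""
    tps = [a for a in alerts if a["verdict"] == "true_positive"]
    return {
        "dwell_time": mean(_hours(a["contained"], a["compromised"]) for a in tps),
        "mttd": mean(_hours(a["detected"], a["compromised"]) for a in tps),
        "mtti": mean(_hours(a["investigated"], a["detected"]) for a in tps),
        "mttr": mean(_hours(a["contained"], a["detected"]) for a in tps),
        "false_positive_rate": 1 - len(tps) / len(alerts) if alerts else 0.0,
    }


def evaluate(metrics: dict, targets: dict, max_fp_rate: float) -> list[str]:
    """Names of metrics that exceed their target, in target order, FP rate last."""
    misses = [name for name, limit in targets.items() if metrics[name] > limit]
    if metrics["false_positive_rate"] > max_fp_rate:
        misses.append("false_positive_rate")
    return misses


if __name__ == "__main__":
    m = compute_metrics(ALERTS)
    print({k: round(v, 2) for k, v in m.items()}, "misses:", evaluate(m, TARGETS_HOURS, MAX_FALSE_POSITIVE_RATE))
```

On the constructed data, MTTR and the false-positive rate miss their targets, which is the kind of first-order signal Li argues should drive tooling and vendor evaluation.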