Group-IB warned that supply chain cyber-attacks are reshaping the threat landscape across the Asia-Pacific region, as criminals and state-aligned groups use trusted vendors, software components and service providers as entry points into broader networks.
The company’s High Tech Crime Trends Report 2026 describes the shift from single-target intrusions to what it calls a connected ecosystem of compromised access, trust relationships, and leaked data. This assessment links phishing, ransomware, data theft, and insider fraud as stages that can appear within a single chain of activity.
“Today’s cyber threats are not isolated events,” said Group-IB CEO Dmitry Volkov. “They are links in the supply chain attack ecosystem, where a single breach can affect thousands of downstream victims. Phishing, ransomware, data breaches, and insider exploitation are all stages in the same campaign, based on abusing trust and amplifying the impact of a cyber threat.”
Group-IB reported that during 2025, 263 instances of corporate access from the Asia-Pacific region were listed for sale on dark web forums and marketplaces. Such access is typically used by intrusion specialists, such as initial access brokers, and can then be exploited by other attackers for espionage, extortion, fraud, or disruption.
Supply chain attacks rely on the same digital interdependence that underpins modern business operations. Organizations regularly connect suppliers, cloud services, outsourced IT providers, developer platforms, and software libraries to their production environments. This creates a pathway that can circumvent security measures focused on a single company’s perimeter.
Leakage and access
The report also highlights data breaches as a key factor increasing risk. Exposed credentials, source code, API keys, and internal communications provide deep insight into an organization's business processes, supplier relationships, and technology stack. When combined with brokered access, that information can support identity theft, targeted intrusion, and fraud that blends in with legitimate use.
One area of concern is open source software distribution, where widely used libraries can spread malicious code at scale. According to the report, package repositories including npm and PyPI are being targeted by credential theft and automated malware campaigns. An attacker could compromise a maintainer account and introduce malicious updates into the developer pipeline.
The browser environment also fits the supply chain pattern. The report describes the rise in malicious browser extensions that allow criminals to take over developer accounts and manipulate official marketplaces. From there, malicious add-ons can collect credentials, hijack sessions, and obtain financial information from within the browser.
Phishing and OAuth
Group-IB said phishing is increasingly designed around identity workflows and high-trust integrations, rather than simple credential capture. The report points to AI-powered phishing campaigns targeting OAuth flows and other single sign-on mechanisms. These techniques can bypass multi-factor authentication when users approve malicious prompts or when tokens are stolen after login.
According to the report's findings, financial services, government, military, and telecommunications were the most targeted sectors for phishing attacks in the Asia-Pacific region in 2025.
Ransomware activity in the region continues to have supply chain characteristics, with various specialist roles working in sequence. Group-IB describes an "industrialized" ransomware supply chain that involves initial access brokers, data brokers, and ransomware operators. According to the report, the sectors most targeted by ransomware groups in Asia Pacific in 2025 were manufacturing, financial services, and real estate.
AI effect
The report claims that artificial intelligence is reducing the cost and time required to run such campaigns. It links AI tools to faster creation of phishing kits, more convincing impersonations, and more scalable exploitation of open source software, authentication processes, and browser environments.
“AI didn’t create supply chain attacks; it made them cheaper, faster, and harder to detect,” Volkov added. “Unchecked trust in software and services has now become a strategic responsibility.”
In addition to campaigns related to Shai-Hulud, the report names a variety of actors involved in supply chain-focused activities, including Lazarus, Scattered Spider, HAFNIUM, DragonForce, and 888. It said these groups demonstrate how criminal organizations and state-aligned operators are targeting similar platforms and integration layers.
Group-IB said its analysis was based on monitoring of underground forums, leak sites and criminal markets, as well as research and information collected through digital crime prevention centers in 11 countries. The company is headquartered in Singapore and operates regional centers across multiple regions.
Alongside threat analysis, Group-IB also mentioned operational work with law enforcement agencies. In 2025, it supported 52 national and international organizations across six operations around the world. In the Asia-Pacific region, the company announced that it assisted the Royal Thai Police and Singapore Police in the arrest of a Singaporean cyber criminal known as ALTDOS, linked to data breaches and cyber extortion targeting healthcare, finance, e-commerce and logistics.
The company also reported the dismantling of a cybercriminal network that had compromised more than 216,000 victims, which led to 32 arrests in the Asia-Pacific region.
The report's focus on upstream breaches reflects a broader trend in cyber risk management, where organizations are evaluating not only their own exposure to risk, but also the resiliency of their vendor and technology supply chains. In practice, this has led to an increased focus on software provenance, identity security, third-party access controls, and monitoring of developer tools and browser-based risks.
Group-IB said the 2026 High Tech Crime Trends report includes case studies and threat actor profiling, with further analysis of how supply chain practices have evolved in 2025 and how this may impact the region’s cyber risk landscape in 2026.
