Executive Summary
The Asia-Pacific cyber threat landscape in March 2026 is marked by escalating APT activity, critical zero-day exploitation, and the convergence of state-sponsored and criminal cyber operations. North Korean groups Lazarus and Kimsuky have merged operational capabilities to combine social engineering with zero-day exploitation, while Chinese APT groups continue espionage campaigns across Southeast Asian government networks. Critical vulnerabilities including CVE-2026-20131 (Cisco FMC, CVSS 10.0) and CVE-2026-20963 (SharePoint RCE) are being actively exploited. Meta disabled over 150,000 accounts linked to Southeast Asian scam centers in a coordinated multinational operation.
Active Threats
Interlock Ransomware Campaign
CRITICAL
ransomware
Active ransomware campaign exploiting CVE-2026-20131 (Cisco FMC, CVSS 10.0), an insecure Java deserialization flaw. Amazon Threat Intelligence has issued an advisory. The campaign targets enterprise networks across Asia-Pacific.
Lazarus-Kimsuky Joint Operations
CRITICAL
apt
North Korean APT groups Lazarus and Kimsuky have merged capabilities, combining social engineering with zero-day exploitation to steal intelligence and cryptocurrency. This represents a major shift toward coordinated state-sponsored operations.
Earth Kurma Espionage Campaign
HIGH
espionage
Chinese-linked APT campaign targeting government and telecommunications sectors across Southeast Asia, with confirmed victims in the Philippines, Vietnam, Thailand and Malaysia. The motivation is cyberespionage.
SideWinder Asia-Pacific Campaign
HIGH
espionage
Dubbed the 'most severe threat in Asia-Pacific' by researchers. Targeting governments, military forces, and diplomatic agencies using spear-phishing and sophisticated multi-stage attack platforms.
Langflow RCE Mass Exploitation
CRITICAL
other
CVE-2026-33017 (CVSS 9.3) was actively exploited within 20 hours of disclosure. Missing authentication combined with code injection in the Langflow AI framework enables remote code execution on AI/ML infrastructure.
Southeast Asia Scam Network Operations
HIGH
phishing
Meta disabled 150,000+ accounts linked to Southeast Asian scam centers. Coordinated action with authorities from Thailand, US, UK, Japan, Singapore, Philippines, Australia, and others.
SharePoint RCE Exploitation
HIGH
other
CVE-2026-20963, a Microsoft SharePoint Server RCE vulnerability, is actively exploited and was added to the CISA KEV catalog on March 18. Exploitation targets enterprise environments across Asia-Pacific.
APT Tracker
| Group | Aliases | Attribution | Recent Activity | TTPs |
|---|---|---|---|---|
| Lazarus Group | HIDDEN COBRA, Zinc, APT38 | North Korea | Merged operational capabilities with Kimsuky for coordinated zero-day exploitation and social engineering attacks targeting cryptocurrency exchanges … | Spear-phishing; zero-day exploitation; AI-enhanced social engineering; supply chain compromise |
| Kimsuky | Velvet Chollima, Thallium, APT43 | North Korea | Working jointly with Lazarus Group in a systematic approach combining social engineering with zero-day exploitation for intelligence theft and crypto… | Credential phishing; zero-day exploitation; AI-generated content; collaboration with Lazarus |
| Earth Kurma | Unknown | China | Active cyberespionage campaign targeting government and telecommunications sectors in Southeast Asia. Confirmed victims in Philippines, Vietnam, Thai… | Custom backdoors; rootkits; data exfiltration; kernel-level persistence |
| SideWinder | Rattlesnake, T-APT-04 | India | Described as the 'most severe APT threat in Asia-Pacific.' Targeting government, military, and diplomatic agencies across the region with sophisticat… | Spear-phishing; multi-stage payloads; exploit documents; server-side polymorphism |
| Mustang Panda | Bronze President, RedDelta, BASIN | China | Continued espionage operations targeting ASEAN government networks using PlugX variants and DLL sideloading. Focus on foreign affairs and defense min… | DLL sideloading; PlugX RAT; spear-phishing; living off the land |
| APT41 | Winnti, Barium, Double Dragon | China | Supply chain attacks targeting technology and semiconductor companies across Asia-Pacific. Dual-purpose operations combining espionage with financial… | Supply chain compromise; zero-day exploitation; rootkits; code signing abuse |
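The tracker lists DLL sideloading among Mustang Panda's TTPs. The pattern is generic, not specific to any one campaign: a legitimately signed executable is dropped into a user-writable directory next to a malicious DLL that carries the name of a library the executable expects to find in System32, so the application-directory-first search order loads the attacker's code under a trusted process. The following hunting script is an added example and is not code from this page or from any vendor. It scores records shaped like Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature, SignatureStatus); the records themselves are constructed, the DLL-name list is illustrative, the alert threshold is an assumption to tune against your own baseline, and HostImageSigner is not a native Sysmon field but stands for enrichment with the loading executable's signer, which a pipeline would join from that executable's own image-load record.

```python
import ntpath

# Names of libraries that ship in System32 and are resolved through the
# application-directory-first search order. Illustrative, constructed list.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "userenv.dll",
                    "cryptbase.dll", "wtsapi32.dll", "dbghelp.dll"}
TRUSTED_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                        "c:\\program files (x86)\\")
ALERT_THRESHOLD = 2   # assumption: tune against your own environment's baseline


def analyze_image_load(event: dict) -> dict:
    """Score one Sysmon Event ID 7 style record for the sideloading pattern."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    result = {"host_process": event["Image"], "dll": event["ImageLoaded"],
              "score": 0, "reasons": [], "alert": False}
    # Precondition: the DLL sits next to the executable. A library resolved
    # from System32 is ordinary loading, not a sideload.
    if ntpath.dirname(image) != ntpath.dirname(loaded):
        return result
    result["reasons"].append("dll loaded from the executable's own directory")
    if not loaded.startswith(TRUSTED_DIR_PREFIXES):
        result["score"] += 1
        result["reasons"].append("directory is outside Windows and Program Files")
    if event.get("Signed", "false").lower() != "true" or event.get("SignatureStatus") != "Valid":
        result["score"] += 1
        result["reasons"].append("dll is unsigned or its signature is not valid")
    elif event.get("HostImageSigner") and event["HostImageSigner"] != event.get("Signature"):
        # HostImageSigner is enrichment (signer of the loading EXE), not a Sysmon field.
        result["score"] += 1
        result["reasons"].append("dll signer differs from the host process signer")
    if ntpath.basename(loaded) in SYSTEM_DLL_NAMES:
        result["score"] += 1
        result["reasons"].append("dll name shadows a System32 library")
    result["alert"] = result["score"] >= ALERT_THRESHOLD
    return result


# Constructed records in the shape of Sysmon Event ID 7 (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Acme\acme.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
     "HostImageSigner": "Acme Software Ltd"},
    {"Image": r"C:\Users\Public\Libraries\sync\acme.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\sync\version.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable",
     "HostImageSigner": "Acme Software Ltd"},
    {"Image": r"C:\Program Files\Acme\acme.exe",
     "ImageLoaded": r"C:\Program Files\Acme\acmehelper.dll",
     "Signed": "true", "Signature": "Acme Software Ltd", "SignatureStatus": "Valid",
     "HostImageSigner": "Acme Software Ltd"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\viewer.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\dbghelp.dll",
     "Signed": "true", "Signature": "Contoso Tools", "SignatureStatus": "Valid",
     "HostImageSigner": "Viewer Inc"},
]


def hunt(events=SAMPLE_EVENTS) -> list:
    """Return only the alerting results, highest score first."""
    hits = [r for r in (analyze_image_load(e) for e in events) if r["alert"]]
    return sorted(hits, key=lambda r: -r["score"])


if __name__ == "__main__":
    for hit in hunt():
        print(hit["score"], hit["host_process"], "->", hit["dll"], hit["reasons"])
```

The second and fourth constructed records alert (same directory, user-writable location, and either an unsigned DLL or a signer that does not match the host process, plus a System32 name); the first is a normal System32 load and the third is a vendor's own helper library under Program Files. In production, suppress known-good side-by-side pairs by hash rather than by path, since the whole technique relies on the path looking legitimate.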
Vulnerability Alerts
CVE-2026-20131
CRITICAL
Cisco Secure Firewall Management Center (FMC)
Insecure deserialization of user-supplied Java byte stream. CVSS 10.0. Exploited by Interlock ransomware campaign. Amazon Threat Intelligence advisory issued.
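The entry above, like the Interlock campaign card, describes CVE-2026-20131 as insecure deserialization of a user-supplied Java byte stream. Independently of the product, a proxy or WAF in front of a Java application can screen for that whole class of attack: detect the Java serialization stream magic (AC ED 00 05, which becomes rO0AB... under base64), pull class names out of the stream's TC_CLASSDESC records, and compare them with a deny-list of classes that head well-known gadget chains. The script below is an added example, not code from this page or from any vendor advisory; the sample request bodies, the helper that fabricates a stream prefix, and the short deny-list are constructed for illustration.

```python
import base64
import re

JAVA_MAGIC = b"\xac\xed\x00\x05"      # STREAM_MAGIC followed by STREAM_VERSION 5
JAVA_MAGIC_B64 = rb"rO0AB"             # base64 of the magic always starts this way

# Illustrative deny-list of classes that appear in published gadget chains.
# Constructed for the example; a real deployment maintains a fuller list.
GADGET_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections4.functors.InvokerTransformer",
    "com.sun.rowset.JdbcRowSetImpl",
}

# TC_CLASSDESC (0x72) is followed by a 2-byte big-endian length and the class
# name in modified UTF-8. Matching that shape recovers names without a full
# stream parser; the length check below rejects accidental 0x72 bytes.
CLASSDESC_RE = re.compile(rb"\x72(?P<len>.{2})(?P<name>[A-Za-z0-9_$.]{3,200})", re.DOTALL)
B64_BLOB_RE = re.compile(JAVA_MAGIC_B64 + rb"[A-Za-z0-9+/=]{8,}")


def candidate_blobs(body: bytes):
    """Yield the raw body and any base64-encoded Java stream embedded in it."""
    yield body
    for m in B64_BLOB_RE.finditer(body):
        blob = m.group(0)
        try:
            yield base64.b64decode(blob + b"=" * (-len(blob) % 4))
        except ValueError:          # binascii.Error is a ValueError subclass
            continue


def extract_class_names(blob: bytes) -> list:
    """Return class names found in TC_CLASSDESC records of a serialized stream."""
    names = []
    for m in CLASSDESC_RE.finditer(blob):
        declared = int.from_bytes(m.group("len"), "big")
        cand = m.group("name")
        if 3 <= declared <= len(cand):      # declared length must fit the bytes present
            names.append(cand[:declared].decode("ascii"))
    return names


def inspect_body(body: bytes) -> dict:
    """Classify one request body.

    'block': a listed gadget class is named inside a serialized stream
    'flag' : a serialized stream is present but no listed gadget was seen
    'allow': no Java serialized stream detected
    """
    has_stream = False
    classes = set()
    for blob in candidate_blobs(body):
        if JAVA_MAGIC in blob:
            has_stream = True
            classes.update(extract_class_names(blob))
    gadgets = sorted(classes & GADGET_CLASSES)
    verdict = "block" if gadgets else ("flag" if has_stream else "allow")
    return {"verdict": verdict, "classes": sorted(classes), "gadgets": gadgets}


def fake_stream(class_name: str) -> bytes:
    """Construct the opening bytes of a serialized object of class_name.

    Test input only: magic, TC_OBJECT, TC_CLASSDESC, the name, then filler in
    place of the serialVersionUID and field descriptors. Not a valid stream.
    """
    name = class_name.encode("ascii")
    return (JAVA_MAGIC + b"\x73\x72" + len(name).to_bytes(2, "big") + name
            + b"\x00" * 8 + b"\x02\x00\x00\x78\x70")


# Constructed sample request bodies.
SAMPLE_REQUESTS = {
    "login_form": b"username=alice&password=hunter2",
    "raw_gadget": fake_stream("org.apache.commons.collections.functors.InvokerTransformer"),
    "b64_gadget": b"payload=" + base64.b64encode(fake_stream("com.sun.rowset.JdbcRowSetImpl")) + b"&x=1",
    "benign_object": fake_stream("java.util.HashMap"),
}


def screen_all(requests: dict = SAMPLE_REQUESTS) -> dict:
    """Map each sample name to its verdict."""
    return {name: inspect_body(body)["verdict"] for name, body in requests.items()}


if __name__ == "__main__":
    for name, body in SAMPLE_REQUESTS.items():
        print(name, inspect_body(body))
```

The "flag" verdict matters as much as "block": for endpoints that never legitimately accept serialized Java objects, the presence of the magic bytes alone is the signal, and a deny-list only buys time until the next gadget chain. URL-encoded and compressed bodies need decoding before this check runs.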
CVE-2026-33017
CRITICAL
Langflow AI Framework
Missing authentication combined with code injection (CVSS 9.3). Exploitation began within 20 hours of public disclosure. Targets AI/ML infrastructure deployments.
CVE-2026-20963
CRITICAL
Microsoft SharePoint Server
Remote code execution vulnerability actively exploited. Added to CISA KEV catalog on March 18, 2026. Widespread enterprise exposure.
CVE-2026-32746
CRITICAL
GNU InetUtils telnetd
Unauthenticated remote code execution with elevated privileges (CVSS 9.8). Critical risk to ICS/OT systems still running telnet services.
CVE-2026-20079
HIGH
Cisco Secure Firewall Management Center
A second vulnerability in Cisco FMC, disclosed alongside CVE-2026-20131. Exploitation of the two in combination increases the risk to network infrastructure.
Atlassian March 2026 Bulletin
HIGH
Atlassian Confluence/Jira (multiple products)
Security bulletin released March 17, 2026 addressing multiple vulnerabilities across Atlassian products. Widely deployed in APAC enterprise environments.
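The alerts above mix scored and unscored entries, one confirmed KEV listing, and products that a given organisation may or may not run. The script below is an added example, not code from this page, of turning such a list into a patch order: it repeats the page's CVEs with the CVSS scores and exploitation status the page gives (None where no score is stated), joins them against an asset inventory and a catalog fragment shaped like CISA's public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), and ranks them. The catalog fragment, the asset inventory, the reference date, the scoring weights and the floor used for unscored alerts are all constructed assumptions; the page only states that CVE-2026-20963 was added to KEV on March 18, 2026, so that is the only catalog entry, and its due date and ransomware flag are illustrative.

```python
from datetime import date

# Watchlist transcribed from the page's Vulnerability Alerts.
WATCHLIST = [
    {"cve": "CVE-2026-20131", "product": "Cisco Secure Firewall Management Center", "cvss": 10.0, "exploited": True},
    {"cve": "CVE-2026-33017", "product": "Langflow", "cvss": 9.3, "exploited": True},
    {"cve": "CVE-2026-20963", "product": "Microsoft SharePoint Server", "cvss": None, "exploited": True},
    {"cve": "CVE-2026-32746", "product": "GNU InetUtils telnetd", "cvss": 9.8, "exploited": False},
    {"cve": "CVE-2026-20079", "product": "Cisco Secure Firewall Management Center", "cvss": None, "exploited": False},
]

# Constructed fragment in the shape of the KEV feed; not real feed data.
KEV_FEED = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed fragment)",
    "vulnerabilities": [
        {"cveID": "CVE-2026-20963", "vendorProject": "Microsoft", "product": "SharePoint Server",
         "dateAdded": "2026-03-18", "dueDate": "2026-04-08",      # dueDate is illustrative
         "knownRansomwareCampaignUse": "Unknown"},
    ],
}

# Constructed asset inventory; product strings match the watchlist's.
ASSETS = [
    {"host": "fmc01.corp.example", "product": "Cisco Secure Firewall Management Center",
     "internet_exposed": False, "zone": "IT"},
    {"host": "sp-ext01.corp.example", "product": "Microsoft SharePoint Server",
     "internet_exposed": True, "zone": "DMZ"},
    {"host": "plc-gw-03.ot.example", "product": "GNU InetUtils telnetd",
     "internet_exposed": False, "zone": "OT"},
]

UNKNOWN_CVSS_FLOOR = 7.0     # assumption: treat an unscored alert as at least High


def kev_index(feed: dict) -> dict:
    """Map cveID to its catalog record."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def score_alert(item: dict, kev_entry: dict, matching_assets: list) -> float:
    """Additive priority score; zero when the product is not deployed at all."""
    if not matching_assets:
        return 0.0
    s = item["cvss"] if item["cvss"] is not None else UNKNOWN_CVSS_FLOOR
    if item["exploited"]:
        s += 3                      # exploitation reported on the page
    if kev_entry:
        s += 3                      # catalog listing carries a remediation deadline
        if kev_entry.get("knownRansomwareCampaignUse") == "Known":
            s += 2
    if any(a["internet_exposed"] for a in matching_assets):
        s += 2
    if any(a["zone"] == "OT" for a in matching_assets):
        s += 1                      # process-control blast radius
    return s


def prioritize(watchlist=WATCHLIST, feed=KEV_FEED, assets=ASSETS, today=date(2026, 3, 20)) -> list:
    """Return the watchlist ranked by score, with hosts and KEV deadline attached."""
    kev = kev_index(feed)
    rows = []
    for item in watchlist:
        matching = [a for a in assets if a["product"] == item["product"]]
        entry = kev.get(item["cve"])
        due = entry["dueDate"] if entry else None
        rows.append({
            "cve": item["cve"],
            "score": score_alert(item, entry, matching),
            "hosts": [a["host"] for a in matching],
            "due_date": due,
            "days_until_due": (date.fromisoformat(due) - today).days if due else None,
        })
    rows.sort(key=lambda r: (-r["score"], r["cve"]))
    return rows


if __name__ == "__main__":
    for row in prioritize():
        print(f"{row['score']:5.1f}  {row['cve']}  due={row['due_date']}  hosts={row['hosts']}")
```

With the constructed inventory the exposed SharePoint server outranks the CVSS 10.0 FMC flaw because it combines reported exploitation, a catalog deadline and internet exposure, while the Langflow entry drops to zero because nothing in the inventory runs it. The weights are deliberately simple; the point is that the order is driven by exposure and deployment, not by CVSS alone.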
Country Cyber Posture
| Country | Threat Level | Assessment | Recent Incidents |
|---|---|---|---|
| China | HIGH | Major source of APT activity. Earth Kurma, Mustang Panda, and APT41 conducting espionage and supply chain attacks across the region. | Earth Kurma SE Asia espionage; APT41 semiconductor targeting |
| Japan | HIGH | Targeted by Lazarus cryptocurrency theft, Interlock ransomware via Cisco FMC exploit, and supply chain compromises in manufacturing. | Interlock ransomware campaign; Langflow RCE exploitation |
| South Korea | HIGH | Primary target of merged Lazarus-Kimsuky operations combining zero-day exploitation with social engineering for intelligence and crypto theft. | Lazarus-Kimsuky joint attacks; cryptocurrency exchange targeting |
| North Korea | CRITICAL | Source of escalating cyber operations. Lazarus and Kimsuky collaboration represents a new level of coordinated state-sponsored attacks. | Joint Lazarus-Kimsuky operations; AI-enhanced phishing campaigns |
| Taiwan | HIGH | Semiconductor industry heavily targeted by Chinese APTs. APT41 and state-sponsored actors seeking IP theft and supply chain access. | APT41 semiconductor espionage; technology sector infiltration |
| Philippines | HIGH | Government and telecom sectors targeted by Earth Kurma and SideWinder. Meta scam network takedown involved Philippine authorities. | Earth Kurma government targeting; 150K scam accounts disabled |
| Vietnam | HIGH | Government networks targeted by Earth Kurma and Mustang Panda espionage campaigns. Telecom sector under sustained attack. | Earth Kurma espionage campaign; Mustang Panda PlugX infections |
| Indonesia | MEDIUM | Scam network operations and ransomware threats. Participated in Meta coordinated takedown of 150,000 scam-linked accounts. | Scam network takedown coordination; ransomware targeting financial sector |
| Singapore | MEDIUM | Financial sector targeted by Lazarus Group. Advanced defenses but high-value target for state-sponsored actors. | Lazarus cryptocurrency targeting; Interlock ransomware attempts |
| Thailand | MEDIUM | Earth Kurma targeting government. Major hub for scam network coordination; participated in Meta takedown operation. | Earth Kurma government targeting; scam center coordinated takedown |
| Malaysia | MEDIUM | Earth Kurma espionage targeting government and telecom. Bursa Malaysia stockbroker cyber incidents contained in March. | Earth Kurma espionage; stockbroker cybersecurity incidents |
| Myanmar | HIGH | Major hub for scam compound operations. SideWinder targeting military. Transnational criminal cyber infrastructure expanding. | SideWinder military targeting; scam compound cyber operations |
| Cambodia | MEDIUM | Significant scam compound operations despite government crackdown. 150,000 Meta accounts disabled linked to SE Asian scam centers. | Scam compound operations; Meta coordinated account removal |
| Australia | MEDIUM | Targeted by Interlock ransomware and Langflow exploitation. Five Eyes member maintaining advanced cyber defense posture. | Interlock ransomware campaign; SharePoint RCE exploitation |
| India | MEDIUM | SideWinder origin point. Growing attack surface from Digital India expansion. Targeted by Chinese APTs for defense intelligence. | Expanding UPI attack surface; defense sector cyber espionage |
Sector Threat Matrix
Government
CRITICAL
Most targeted sector in APAC. Earth Kurma, SideWinder, and Mustang Panda conducting sustained espionage against government networks across Southeast Asia. Intelligence collection on foreign affairs, defense, and diplomatic communications.
- Earth Kurma espionage
- SideWinder multi-stage attacks
- Mustang Panda PlugX campaigns
Finance & Banking
HIGH
Lazarus Group cryptocurrency theft operations escalating with AI-enhanced social engineering. Malaysian stockbroker incidents. Interlock ransomware targeting financial infrastructure.
- Lazarus crypto theft
- Interlock ransomware
- Banking credential phishing
Technology & Semiconductors
HIGH
Most targeted industry in APAC according to threat intelligence. APT41 supply chain attacks. Taiwan semiconductor sector under sustained espionage. Langflow AI framework exploitation.
- APT41 supply chain attacks
- Semiconductor IP theft
- Langflow CVE-2026-33017
Telecommunications
HIGH
Earth Kurma confirmed targeting telecom sectors in Philippines, Vietnam, Thailand, Malaysia. Network infrastructure provides strategic surveillance access.
- Earth Kurma telecom targeting
- Network equipment exploitation
- Cisco FMC CVE-2026-20131
Defense & Military
HIGH
Persistent targeting by multiple APT groups seeking classified information. SideWinder and Mustang Panda active against military targets across the region.
- SideWinder military targeting
- Mustang Panda defense espionage
- Kimsuky intelligence collection
Healthcare
MEDIUM
Ransomware groups increasingly targeting healthcare across ASEAN with double extortion. Limited cybersecurity resources in many countries.
- Ransomware double extortion
- Patient data theft
- Legacy system exploitation
Critical Infrastructure (ICS/OT)
HIGH
GNU telnetd vulnerability (CVE-2026-32746) exposes ICS/OT systems. Energy and utilities sectors face reconnaissance from state-sponsored actors.
- Telnetd RCE (CVE-2026-32746)
- ICS reconnaissance
- SCADA targeting
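The Critical Infrastructure entry above (and the CVE-2026-32746 alert) turns on one question: which OT hosts still expose telnetd, and which of those also speak an industrial protocol, so that a telnetd compromise hands over process control rather than a jump box. The script below is an added example, not code from this page, that answers it from an nmap greppable (-oG) scan file: it parses the Host/Ports lines, keeps open TCP ports, and ranks telnet-exposed hosts that also expose Modbus/TCP (502), S7comm over ISO-TSAP (102), DNP3 (20000) or EtherNet/IP (44818) ahead of the rest. The scan output is constructed; the port-to-protocol mapping is the standard service assignment.

```python
import re

TELNET_PORT = 23
OT_PROTOCOLS = {102: "S7comm (ISO-TSAP)", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# nmap -oG lines look like:
#   Host: 10.0.0.1 (name)<TAB>Ports: 23/open/tcp//telnet///, 502/open/tcp//asa-appl-proto///<TAB>Ignored State: ...
# Each port entry is port/state/protocol/owner/service/rpcinfo/version.
HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)")


def parse_gnmap(text: str) -> dict:
    """Return {ip: {"name": hostname, "open": [open tcp ports]}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue                                   # comment, or a Status-only line
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        open_ports = []
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) < 3:
                continue
            port, state, proto = parts[0], parts[1], parts[2]
            if state == "open" and proto == "tcp":
                open_ports.append(int(port))
        hosts[m.group("ip")] = {"name": m.group("name"), "open": sorted(open_ports)}
    return hosts


def triage(hosts: dict) -> list:
    """List telnet-exposed hosts; P1 when an OT protocol is exposed on the same host."""
    findings = []
    for ip, h in hosts.items():
        if TELNET_PORT not in h["open"]:
            continue
        ot = [OT_PROTOCOLS[p] for p in h["open"] if p in OT_PROTOCOLS]
        findings.append({"ip": ip, "name": h["name"], "ot_protocols": ot,
                         "priority": "P1" if ot else "P2"})
    findings.sort(key=lambda f: (f["priority"], f["ip"]))
    return findings


# Constructed sample of nmap greppable output (not a real scan).
SAMPLE_GNMAP = """# Nmap scan (constructed sample output)
Host: 10.10.0.5 (plc-03.ot.example)\tStatus: Up
Host: 10.10.0.5 (plc-03.ot.example)\tPorts: 23/open/tcp//telnet///, 502/open/tcp//asa-appl-proto///\tIgnored State: closed (3)
Host: 10.10.0.9 (hmi-01.ot.example)\tPorts: 23/open/tcp//telnet///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (3)
Host: 10.10.0.12 (rtu-07.ot.example)\tPorts: 20000/open/tcp//dnp///, 23/closed/tcp//telnet///\tIgnored State: closed (3)
Host: 10.10.0.20 (eng-ws.ot.example)\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (4)
# Nmap done (constructed sample output)
"""


if __name__ == "__main__":
    for f in triage(parse_gnmap(SAMPLE_GNMAP)):
        print(f["priority"], f["ip"], f["name"], f["ot_protocols"] or "telnet only")
```

To produce a real input file, run a plain connect scan such as `nmap -sT -p 23,102,502,20000,44818 -oG ot.gnmap <range>` from a host inside the OT segment, without `-sV`: version probes can disturb fragile PLC network stacks, and a passive inventory (switch MAC tables, flow records) is preferable where one exists. A host with telnet closed but DNP3 open, like the constructed rtu-07, is not in scope for this particular finding, which is why the script keys on the telnet port first.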
Cyber News Feed
Last 7 days
- Thai influencer sentenced for online gambling promotion
- Coupang nears full user recovery after data breach
- India’s promising new counter-terrorism strategy
- ‘Dark web’ fraud sites cracked, hundreds of suspects, says Europol
- Regime reports of ‘demoralized’ resistance dismissed as ‘propaganda’
- IN PICTURES: Court detains 65 in Phnom Penh cyber-scam bust
- 9 foreigners nabbed in Phnom Penh cyber-scam raid
- MCMC warns iPhone users to update iOS now following ‘Darksword’ exploit discovery
- Agri chief sues Zaldy Co, ‘ex-Marines’ lawyer for cyber libel
- Kota Kinabalu police warn of vehicle scam tactics as online fraud losses hit RM11.12m
- Malaysia’s pharmaceutical vulnerability exposed by conflict
- Researchers find iPhone spyware that could compromise millions of devices
- Researchers uncover iPhone spyware capable of penetrating millions of devices
- Stryker cyberattack delays surgeries for some patients, Bloomberg News reports
- ‘Online fraud a blight on society’
Incident Log
Last 30 days
No incidents logged yet.