
In the October episode of The Phish Bowl podcast, my cohost Mike Kosak and I cover trends in the Asia-Pacific region. We’re getting our passports stamped as we travel around the globe, providing a threat overview in rotating regional reports. Read on for a deeper dive into the topics we covered in the podcast.
In this episode, we share an update on the infostealer landscape and some recent activity from China. For our special guest, we have a fascinating conversation with Katherine Manstead, Executive Director for Cyber Intelligence at Cyber CX, about the cyber threat environment.
Ransomware and infostealers everywhere
A key threat to private and public sector entities in APAC is the widespread use of malware. Malware was involved in 83% of breaches in APAC last year, up from 58% the year prior.
Ransomware remains a persistent threat in the region, used in over half of regional breaches. It heavily targeted sectors such as Malaysia's manufacturing industry and Taiwan’s financial sector. Australia was the most affected country, with the greatest number of victims listed on ransomware data leak sites (DLSs), according to our latest APAC regional report.
Infostealer malware remained prevalent: Lumma was the most observed malware in the region, and Atomic stealer also placed in the top ten malware strains targeting APAC. In this episode, we shared an update on what the infostealer threat landscape looks like following the Lumma takedown in May. As part of the threat intelligence team for LastPass, we closely monitor credential logs being sold on the dark web, which are frequently stolen by infostealers, as well as the general stealer threat landscape. Lumma has bounced back after the initial disruption, and there has been a steady resurgence. Despite the post-takedown decline in new infections, previously stolen Lumma logs continue to be resold on dark web marketplaces.
Other infostealer families have since moved in to fill the gap. For a while, Acreed became the leading strain for credential theft logs on Russian Market in particular, briefly surpassing other established infostealers in the activity we monitor. Rhadamanthys is also competing for market share and rising in popularity; recently it accounted for almost half of the stolen credentials we were monitoring.
This follows a historical pattern where new malware quickly emerges to fill the vacuum left by disrupted operations. Looking forward, the cycle of infostealer development and disruption will likely continue, and the infostealer threat will remain pervasive.
Chinese state-sponsored espionage
Recent increased reporting on Chinese-backed cyberattacks, specifically around espionage, emphasizes the continued threat both regionally and globally. Over 20 agencies from several countries recently signed onto an advisory warning about Chinese state-sponsored actors targeting networks globally, including the telecommunications, transportation, government, military, and infrastructure sectors. This is one of the most broadly endorsed advisories we’ve seen. According to the advisory, Chinese hackers are exploiting vulnerabilities in routers and abusing weak credentials to gain initial access, then harvesting additional credentials to move laterally once inside a network. These tactics are commonly used by Chinese-backed threat actors.
This warning comes on the heels of the Salt Typhoon and Volt Typhoon revelations, including the telecommunications breaches, as part of an ongoing effort by Beijing to collect as much information as possible, track targets, and conduct espionage. China is primarily focused on establishing long-term access in these systems. The US government has previously called out Chinese government hackers for prepositioning themselves so that they’re able to disrupt services or communications in the event of an active conflict. A big part of this is also intellectual property (IP) theft. Mandiant recently released a report highlighting espionage and IP theft as part of a larger Chinese campaign attempting to steal information related to the trade conflict between the US and China.
Beijing’s cyber operations, especially around IP theft, typically correlate with its Five-Year Plans. These documents outline the sectors and types of business that Beijing considers a priority and that therefore may be targeted. For instance, energy, telecoms, and technology are included in the 14th Five-Year Plan. This gives intelligence analysts a leg up on what they should be monitoring, and tells which industries should be especially concerned and have their cyber shields up as potential targets. Notably, China recently convened to determine the country’s next development targets in its 15th Five-Year Plan, covering 2026-2030.
Turning to how the private sector is affected by espionage, the Australian Security Intelligence Organisation (ASIO) and the Australian Institute of Criminology published a report that puts a dollar figure on the economic cost of espionage, including state-sponsored IP theft and response costs. The report found that espionage costs the country about US$8 billion (AUD 12.5 billion) per year. That’s just one country; extrapolated to a global scale, it gives a sense of the massive cost these cyberattacks can have.
A regional executive perspective: the cyber threat landscape is deteriorating
We were fortunate to have Katherine Manstead from Cyber CX join us to provide her perspective on regional trends and a look ahead to 2026. As Katherine put it, “The cyber threat landscape is deteriorating…It’s worse today than it was yesterday, and it will be worse tomorrow.” This trend is expected to continue over 2026. We took a closer look at what’s driving this deteriorating environment, from disruptions in the cybercriminal ecosystem to emboldened nation-state activities.
- Firstly, law enforcement takedowns and uncertainty amongst ransomware groups have driven turbulence and volatility in the cybercrime world.
- The rise of ideologically motivated hacktivists has also been a concerning evolution. Katherine noted she has seen hundreds of incidents impacting hundreds of organizations in Australia and New Zealand, sometimes targeting critical infrastructure or SMBs. While this activity generally falls short of being disruptive, the reputational impacts of cyber incidents can be acute for organizations.
- The commodification of cybercrime is lowering the barrier to entry for malicious activity and letting criminals collaborate and specialize in their areas of expertise. AI makes this even more effective, with cybercrime becoming easier and cheaper.
- State-backed sabotage is now normalized in international relations. More authoritarian-leaning governments are incorporating malicious cyber activities into their toolkits, including disruption, espionage, and tracking dissidents. These governments are fundamentally undeterred, and countries like Russia, China, North Korea, and Iran are becoming more risk tolerant and reckless in how they use malicious cyber activities.
Australian Signals Directorate released their Annual Cyber Threat Report
Despite these challenges across the threat landscape, Katherine remains optimistic about some of the key takeaways from the recently published Australian Signals Directorate Annual Cyber Threat Report. The forward-leaning public-private engagement the Australian government is doing is already having a positive impact. More organizations and individuals are reporting cybercrime and incidents to ASD: according to the report, a cybercrime incident is reported to ASD every 6 minutes on average. In the other direction, ASD is doing more proactive outreach to critical infrastructure operators and across the private sector to give companies a heads up about malicious cyber activity on their networks.
Another takeaway from the ASD report is the rise of compromised accounts as a common tactic used by cybercriminals and nation-state actors alike to enable attacks. About 30% of incidents started with compromised accounts. Katherine points out that this is part of an underlying trend in which phishing and social engineering are declining as the primary initial access vectors and being supplanted by compromised credentials.
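Because compromised credentials now lead as an initial access vector, one practical control is to check whether a password already circulates in breach and stealer-log corpora before it is accepted. The following is an added example written for this post, not code from the episode, from LastPass, or from ASD. It implements the k-anonymity range-query pattern used by Have I Been Pwned's Pwned Passwords service: hash the password with SHA-1, send only the first five hex characters of the digest, and compare the returned hash suffixes locally, so the password and its full hash never leave the host. The range response embedded below is constructed for the example (the suffix for the password `password` is real, the counts and other suffixes are made up); a deployment would fetch `https://api.pwnedpasswords.com/range/<prefix>` instead of calling the offline stand-in `fetch_range`.

```python
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed stand-in for the range response for prefix 5BAA6.
# Format mirrors the real service: one "SUFFIX:COUNT" line per hash.
# The third line is the genuine SHA-1 suffix of "password"; every
# other suffix and every count is made up for this example.
CONSTRUCTED_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2A1ACD9F0A8B1E6F9F2B2F0DA5C5D0C7E21:2
"""

PREFIX_LEN = 5  # hex chars sent to the service; 16^5 buckets of hashes


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, matching the service's canonical form."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_digest(digest: str) -> Tuple[str, str]:
    """Split a 40-char digest into the 5-char prefix sent and the 35-char suffix kept local."""
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blank lines."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTPS range query (hypothetical; see lead-in)."""
    return {"5BAA6": CONSTRUCTED_RANGE_5BAA6}.get(prefix.upper(), "")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 if unseen).

    Only the prefix crosses the network; the suffix comparison is local.
    """
    prefix, suffix = split_digest(sha1_hex(password))
    table = parse_range_response(fetch(prefix))
    return table.get(suffix, 0)


def check_credentials(
    creds: Iterable[Tuple[str, str]],
    fetch: Callable[[str], str] = fetch_range,
) -> List[Tuple[str, int]]:
    """Return (account, count) for every credential whose password is in the corpus.

    Never log the password or the full digest here; the account name and
    the count are all a responder needs to force a reset.
    """
    findings: List[Tuple[str, int]] = []
    for account, password in creds:
        count = pwned_count(password, fetch)
        if count > 0:
            findings.append((account, count))
    return findings


if __name__ == "__main__":
    # Constructed sample credential set (not real accounts).
    sample = [
        ("alice@example.com", "password"),
        ("bob@example.com", "Tr0ub4dor&3-xK9!"),
    ]
    for account, count in check_credentials(sample):
        print(f"{account}: password seen {count} times in breach corpus, force reset")
```

The prefix reveals only which of 1,048,576 buckets the hash falls into, so an observer of the query learns nothing usable about the password. Treat a non-zero count as a hard block at password set time and as a reset trigger when screening existing accounts, and pair it with MFA, since stealer logs also capture session cookies that bypass the password entirely.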
What should businesses be doing to protect themselves from ransomware attacks and data breaches?
Given the high number of ransomware attacks and data breaches in the region, Katherine shared some tips on how businesses can protect themselves against ransomware threats. In researching our regional report, we found that APAC victims listed on ransomware data leak sites (DLSs) were primarily small and medium sized businesses (SMBs), indicating attackers’ focus on smaller enterprises, which historically have weaker security infrastructure and lower cybersecurity budgets than larger, better-resourced enterprises. Ransomware attacks are no longer just a big business issue; they’re an everyone problem.
- Protecting your supply chain, including IT providers and contractors, is key. SMBs are often the starting point for data theft extortion and ransomware attacks: hackers gain access to a third-party vendor and then pivot upstream or downstream.
- You can’t protect what you’re not monitoring. There continue to be monitoring gaps globally, and especially in the Australian SMB market.
- Finally, Katherine called out the need for a collaborative, holistic approach to defending against these threats. As she put it, “We’re only as safe as the broader ecosystem.” Looking across the region, some countries that were less digitally mature are increasingly being targeted by cyber extortion groups. As certain countries become more resilient, cybercrime doesn’t go away; it just shifts. More digitally mature partners across the region should play a supportive role to make cyberspace safer for all.
Listen to the full episode
Catch the full episode and additional resources for more cyber threat insights from the LastPass Threat Intelligence, Mitigations, and Escalations (TIME) Team.
- Listen to the full Episode 3 of The Phish Bowl wherever you get your podcasts.
- Subscribe for monthly threat intel deep dives.
- Access LastPass's Regional Report for detailed analysis of recent Asia-Pacific trends and activity.
- Check out the LastPass Labs blog for more insights.
We’ll be back next month to talk about threat activity and trends in Europe, along with a corresponding regional report!


