Malaysia’s digital growth and geopolitics widen cyber attack surface, raising critical infrastructure risks

New data from Cyfirma’s threat landscape report shows that Malaysia’s cyber threat landscape is undergoing a structural shift, driven by rapid digital expansion and rising geopolitical relevance. The country’s growing digital infrastructure across energy, telecommunications and transport has made it an increasingly attractive target for attackers seeking disruption and intelligence. This convergence of economic growth and digital exposure is widening the attack surface faster than defensive maturity is improving in several sectors.

“Open-source reporting and regional threat assessments indicate continued interest from China-linked espionage clusters focused on political intelligence collection, supply-chain surveillance, and technology acquisition, particularly within semiconductor and electronics sectors,” Cyfirma wrote in its ‘Malaysia Threat Landscape Report’. “Russian-aligned actors appear more opportunistic, primarily leveraging global vulnerability exploitation and credential-driven intrusion activity rather than Malaysia-specific campaigns.”

Threat motivations observed in recent months reflect a dual dynamic: strategic espionage objectives alongside revenue-driven extortion operations. Intelligence collection targeting defence procurement, maritime policy positioning, economic negotiations, and foreign investment activity intersects with ransomware campaigns seeking rapid financial return. Malaysia’s semiconductor and advanced electronics ecosystem remains a particularly attractive target within this context.

The report also tracked ransomware activity against Malaysian organisations over a three-month monitoring window spanning December 2025 to February 2026, finding exposure steady and concentrated among a small number of active groups.

“Malaysia continues to experience steady ransomware exposure over the past three months, with activity largely driven by a small number of active ransomware groups,” it added. “January 2026 recorded the highest volume of victim listings during the monitoring period, followed by moderate activity in December 2025 and a slight decline in February 2026. Sector analysis suggests that professional services, materials, transportation & logistics, and finance were among the most affected industries during the reporting window. The distribution of victims across multiple industries reinforces that ransomware actors are leveraging broad exploitation and access-broker models rather than highly tailored Malaysia-specific operations.”

Overall, it noted that ransomware activity targeting Malaysia during the past three months reflects opportunistic, financially motivated intrusion patterns consistent with broader regional trends, with no single group demonstrating prolonged dominance.

“Regional threat reporting identifies China-linked nation-state actors such as APT41 and Mustang Panda as persistent espionage risks across Southeast Asia, with activity aligned to government, telecommunications, and advanced manufacturing sectors,” Cyfirma reported. “Their operations typically support long-term intelligence collection and supply-chain surveillance objectives. In parallel, North Korea-linked Lazarus Group and financially motivated cybercriminal groups such as FIN7 present additional risk through credential compromise, financial targeting, and collaboration within ransomware ecosystems, placing economically significant Malaysian sectors within potential scope.”

Cyfirma noted that several state-aligned and financially motivated threat groups are actively operating across Southeast Asia, posing varying degrees of risk to Malaysia. The China-linked Mustang Panda conducted espionage campaigns in the region using updated COOLCLIENT backdoor variants delivered through DLL sideloading, enabling persistent access, credential harvesting, and command-and-control communication. Its targeting of government and telecommunications entities reflects long-term intelligence-gathering objectives.
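The COOLCLIENT delivery technique named above, DLL side-loading, leaves a recognisable trace in image-load telemetry: a legitimately signed executable, dropped somewhere outside its normal install tree, resolves a DLL from its own directory instead of from System32. The example below is added here and is not code from the report or from Cyfirma. It runs a side-loading heuristic over constructed records modelled on Sysmon Event ID 7 (ImageLoad), where `Image` is the loading process, `ImageLoaded` the DLL, and `Signed`/`Signature` describe the DLL. The `HostSignature` field, the sample paths, publisher names and the list of commonly abused DLL names are assumptions: Sysmon’s Event 7 carries signature data only for the loaded module, so a collector would have to join the host executable’s publisher in from elsewhere.

```python
"""Flag candidate DLL side-loading in image-load telemetry (added example).

Records are modelled on Sysmon Event ID 7. The HostSignature field is
hypothetical: it is the publisher of the loading executable, which Event 7
itself does not carry and which a collector would have to correlate in.
"""
from pathlib import PureWindowsPath
from typing import Optional

# Install trees where a signed executable is expected to load its own DLLs.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# System DLL names frequently planted beside a signed host binary so that the
# loader's search order resolves the planted copy before the one in System32.
# Illustrative list, not exhaustive.
COMMONLY_SIDELOADED = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll",
    "cryptbase.dll", "winmm.dll", "dwmapi.dll", "iphlpapi.dll",
}


def _dir(path: str) -> str:
    """Lower-cased parent directory with a trailing backslash."""
    return str(PureWindowsPath(path).parent).lower() + "\\"


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the event looks like side-loading, else None."""
    host_dir = _dir(event["Image"])
    dll_path = PureWindowsPath(event["ImageLoaded"])
    dll_dir = _dir(event["ImageLoaded"])

    # Search-order abuse needs the DLL beside the host, outside a normal install tree.
    if dll_dir != host_dir or host_dir.startswith(TRUSTED_DIR_PREFIXES):
        return None
    # Side-loading rides a signed host; an unsigned host is a different problem.
    if not event.get("HostSignature"):
        return None

    if dll_path.name.lower() in COMMONLY_SIDELOADED:
        return f"system DLL name {dll_path.name} resolved from {dll_dir} instead of System32"
    if event.get("Signed", "false").lower() != "true":
        return f"signed host {event['Image']} loaded unsigned {dll_path.name} from its own directory"
    if event.get("Signature", "") != event["HostSignature"]:
        return (f"publisher mismatch: host '{event['HostSignature']}' "
                f"vs DLL '{event.get('Signature', '')}'")
    return None


# Constructed sample records (paths and publishers are made up).
SAMPLE_EVENTS = [
    # Benign: Windows process loads a system DLL from System32.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows",
     "HostSignature": "Microsoft Windows"},
    # Benign: vendor application loads its own signed helper from Program Files.
    {"Image": r"C:\Program Files\ExampleVendor\viewer.exe",
     "ImageLoaded": r"C:\Program Files\ExampleVendor\render.dll",
     "Signed": "true", "Signature": "Example Vendor Ltd",
     "HostSignature": "Example Vendor Ltd"},
    # Suspicious: signed vendor binary copied to a user-writable folder loads an
    # unsigned DLL named like a system library from that same folder.
    {"Image": r"C:\Users\Public\Update\viewer.exe",
     "ImageLoaded": r"C:\Users\Public\Update\version.dll",
     "Signed": "false", "Signature": "",
     "HostSignature": "Example Vendor Ltd"},
    # Suspicious: same-directory DLL signed by a different publisher than the host.
    {"Image": r"C:\ProgramData\Sync\client.exe",
     "ImageLoaded": r"C:\ProgramData\Sync\libcurl.dll",
     "Signed": "true", "Signature": "Other Publisher LLC",
     "HostSignature": "Example Vendor Ltd"},
]


def scan(events) -> list:
    """Return (index, reason) for every record that classify() flags."""
    return [(i, reason) for i, e in enumerate(events) if (reason := classify(e))]


if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The directory and publisher checks deliberately come before the signature check: a DLL that is itself validly signed can still be a side-loaded payload if it carries a different publisher from the host, and a system DLL name resolved from a user-writable directory is suspicious whatever its signature says. In production the trusted-prefix list should be replaced with the organisation’s actual software inventory, and the host publisher joined from process-creation or file-integrity data.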

APT41 combines state-sponsored espionage with cybercriminal activity, including ransomware and supply chain attacks. The group typically exploits publicly known vulnerabilities in internet-facing systems to gain access, then moves laterally to harvest credentials and exfiltrate data. Its activity across Asia Pacific suggests exposure for Malaysian sectors such as government, telecom, technology, and manufacturing.

The North Korea-linked Lazarus Group focuses primarily on financial gain, targeting banks, cryptocurrency platforms, and defense-related organizations. Its operations rely on spear-phishing, custom malware, and credential theft to establish persistence before executing data theft or fund diversion, placing Malaysia’s financial and digital asset ecosystem within its potential scope.

FIN7, a financially motivated group, targets payment systems and corporate networks through phishing and weaponized documents. It uses legitimate administrative tools to escalate privileges and move laterally within networks, often leading to data theft or ransomware deployment. While not specifically focused on Malaysia, its track record in the financial, retail, and hospitality sectors presents an opportunistic threat to similar industries in the country.

Operationally, actors rely heavily on social engineering, exploitation of internet-facing services, and third-party supply chain compromise to establish access. Ransomware affiliates leverage credential marketplaces and access brokers, while episodic hacktivist and DDoS activity emerges in response to geopolitical developments. Collectively, these factors position Malaysia as a strategically significant and consistently targeted cyber environment within the Asia Pacific region.

Cyfirma also pointed to Malaysia’s strategic position as a key driver of increased targeting: its proximity to the Strait of Malacca places the country at the center of global trade flows and intensifying geopolitical competition. Threat actors, including nation-state groups, are using cyber operations as an extension of statecraft to influence regional dynamics, monitor trade flows and gather intelligence tied to security and economic interests.

This dynamic extends into the growing convergence of geopolitical interests and supply chain risk. Malaysia’s expanding role in semiconductor manufacturing and global production networks has raised its strategic value, while simultaneously increasing its exposure to cyber espionage targeting intellectual property and competitive advantage. As manufacturing footprints continue to shift across Asia, these tightly coupled supply chains are emerging as prime targets for intelligence gathering and disruption campaigns.

The report highlights a diverse and increasingly sophisticated threat actor ecosystem targeting Malaysia. Cyfirma identifies the presence of advanced persistent threat groups such as Fancy Bear, Leviathan and Gamaredon alongside financially motivated actors like TA505 and MISSION2025. This mix signals a dual-threat environment where espionage campaigns coexist with financially driven attacks, complicating detection and response strategies for defenders. 

From a technical standpoint, web applications have emerged as the most frequently targeted attack surface in Malaysia. This reflects the country’s accelerated push toward digital services and customer-facing platforms, which often introduce vulnerabilities through rapid deployment cycles. While web applications dominate, attackers are also probing operating systems and cloud infrastructure, indicating a gradual shift toward deeper, backend exploitation. 

Sectoral targeting patterns reinforce the economic logic behind these campaigns. IT services, financial services and industrial conglomerates are among the most frequently targeted industries, largely due to their high digital dependency and concentration of sensitive data. The breadth of affected sectors, spanning government to commercial enterprises, underscores how cyber risk in Malaysia is no longer confined to critical infrastructure but extends across the entire economic fabric. 

Cyfirma’s findings also point to the increasing use of cyber operations to shape political and social outcomes. Threat actors are not only targeting infrastructure and enterprises but are also attempting to influence public discourse and democratic processes. This reflects a broader evolution in cyber threats, where information operations and digital interference are becoming integral components of national security risk. 

The report found that phishing remains the dominant driver of digital fraud in Malaysia, accounting for more than two-thirds of reported cases. By July 2025, it made up 66% of all fraud incidents reported to the Ministry of Digital, with MyCERT data showing this figure rising to 75% by the third quarter. The scale of activity is reflected in the surge of web-based attacks, with 19.62 million incidents recorded in the first half of 2024 alone, the highest in Southeast Asia. The financial impact is also mounting, with online scam losses reaching RM1.58 billion in 2024 and already hitting RM1.12 billion in the first half of 2025.

At the same time, hacktivism in Malaysia is becoming more structured, targeted, and politically driven. Groups are increasingly focusing on government infrastructure, shifting from basic website defacements to coordinated data leaks and threats of disruption. A notable trend is the potential evolution from ideological campaigns to financially motivated attacks, with some groups signaling a shift toward ransomware-style extortion. This shift was evident in early 2024, when the R00tK1T ISC campaign targeted government systems and national databases, resulting in unauthorized access and multiple high-profile data breaches.

Social engineering remains the primary entry point for cybercrime in Malaysia, accounting for roughly 70% to 77% of fraud cases, but the threat is rapidly evolving toward AI-driven deception. Attackers are using large language models to craft highly convincing, localized messages in Malay and “Manglish,” while tactics such as QR code phishing are expanding credential theft in public spaces. Recent incidents highlight the scale and sophistication of these campaigns, from AI-generated deepfake video fraud targeting banks to an 82.8% surge in authority impersonation scams and widespread smishing linked to government aid programs. 

At the same time, Malaysia is experiencing a high-frequency DDoS threat environment, with over 120,000 attacks recorded in a single period and increasingly complex, multi-vector techniques designed to evade defenses. These attacks are growing in impact, ranging from major disruptions to airport systems tied to ransom demands, to high-bandwidth assaults exceeding 350 Gbps, and targeted campaigns that have caused significant financial losses for businesses through combined service outages and ransomware activity.

Malaysia’s cybersecurity priorities are increasingly centered on strengthening the resilience of critical infrastructure, particularly across government networks, transport systems, energy utilities, and telecommunications, which face sustained exposure to ransomware, DDoS, and espionage-driven attacks. This requires continuous penetration testing, vulnerability assessments, and the adoption of network segmentation, redundancy, and rapid failover capabilities to limit disruption from large-scale incidents.

At the same time, mitigating ransomware and financially motivated cybercrime demands stricter enforcement of multi-factor authentication across financial, government, and industrial environments, alongside proactive patching of vulnerabilities in VPNs, web applications, and remote access systems. Organizations are also being pushed to improve incident response readiness and maintain secure, offline backups, especially in high-risk sectors such as semiconductor manufacturing, logistics, healthcare, and finance.

Sector-specific risks are becoming more pronounced as Malaysia’s role in global supply chains expands. Semiconductor and electronics firms face heightened exposure to espionage targeting intellectual property, while financial institutions must contend with credential theft, fake banking platforms, and cryptocurrency-related attacks. Government and maritime agencies are also increasingly at risk, particularly as cyber activity aligns with geopolitical tensions and regional policy developments.

Beyond infrastructure and sectoral risks, organizations are being urged to prepare for a surge in social engineering, hacktivist campaigns, and DDoS attacks. This includes anticipating phishing operations targeting public officials and enterprises, monitoring underground markets for compromised access, and improving public awareness of smishing, investment scams, and AI-driven deception. Finally, sustained monitoring of advanced threat actors remains critical, with particular attention to China-linked groups such as APT41 and Mustang Panda, financially motivated actors like FIN7 and ransomware operators, and North Korea-linked activity from Lazarus Group, especially where financial systems and digital assets are involved.

Last week, Cyfirma reported that Singapore’s cyber threat landscape is being reshaped by a convergence of state-backed espionage, financially motivated cybercrime, and increasingly organized ransomware operations. Its role as a regional financial and technology hub has made it a high-value target for various APT (advanced persistent threat) groups, which are actively targeting telecommunications, financial institutions, semiconductor firms, and government-linked entities. These groups deploy sophisticated tactics, including zero-day exploitation, credential harvesting, and stealth persistence techniques, to enable long-term intelligence gathering and strategic access.
