AI-fuelled supply chain cyber attacks surge in Asia-Pacific

Group-IB has warned that supply chain cyber attacks are reshaping the threat landscape across Asia-Pacific, as criminals and state-aligned groups use trusted vendors, software components and service providers as entry points into wider networks.

The company’s High-Tech Crime Trends Report 2026 describes a shift from single-target intrusions to what it calls a connected ecosystem of compromised access, trust relationships and leaked data. The assessment links phishing, ransomware, data theft and insider abuse as stages that can appear within a single chain of activity.

“Today’s cyber threats aren’t isolated events,” said Dmitry Volkov, CEO, Group-IB. “They’re links in a supply chain attack ecosystem, where one compromise can reach thousands of downstream victims. Phishing, ransomware, data breaches, and insider abuse are all phases of the same campaign, built on exploiting trust and extending the cyber threat footprint.”

Group-IB reported 263 instances of corporate access from Asia-Pacific being offered for sale on dark web forums and marketplaces during 2025. Such access is typically used by intrusion specialists, including initial access brokers, and can later be leveraged by other actors for espionage, extortion, fraud or disruption.

Supply chain attacks rely on the same digital interdependence that underpins modern corporate operations. Organisations routinely connect suppliers, cloud services, outsourced IT providers, developer platforms and software libraries into production environments. This creates pathways that can bypass security measures focused on the perimeter of a single firm.

Leaks and access

The report also highlights data leaks as a key amplifier of risk. Exposed credentials, source code, API keys and internal communications can provide detailed insight into business processes, supplier relationships and technology stacks. When combined with brokered access, that information can support impersonation, targeted intrusion and fraud activity that blends in with legitimate use.

One area of concern is open-source software distribution, where widely used libraries can spread malicious code at scale. According to the report, package repositories including npm and PyPI have become targets for credential theft and automated malware campaigns. Attackers can compromise maintainer accounts and introduce malicious updates into developer pipelines.

Browser environments also feature in the supply chain pattern. The report describes a rise in malicious browser extensions, with criminals hijacking developer accounts or manipulating official marketplaces. From there, malicious add-ons can harvest credentials, take over sessions and capture financial information from within the browser.

Phishing and OAuth

Group-IB said phishing is increasingly designed around identity workflows and high-trust integrations rather than simple credential capture. The report points to AI-assisted phishing campaigns that target OAuth flows and other single sign-on mechanisms. These techniques can bypass multi-factor authentication where users approve malicious prompts or where tokens are stolen after login.

Financial services, government and military organisations, and telecommunications were the most targeted industries for phishing attacks in Asia-Pacific during 2025, according to the report’s findings.

Ransomware activity in the region continues to feature supply chain characteristics, with different specialist roles working in sequence. Group-IB describes an “industrialised” ransomware supply chain involving initial access brokers, data brokers and ransomware operators. Manufacturing, financial services and real estate were the sectors most targeted by ransomware groups in Asia-Pacific in 2025, it said.

AI effect

The report argues that artificial intelligence is lowering the cost and time required to run these campaigns. It links AI tooling to faster creation of phishing kits, more convincing impersonation and more scalable exploitation of open-source software, authentication processes and browser environments.

“AI did not create supply chain attacks, it has made them cheaper, faster, and harder to detect,” Mr Volkov added. “Unchecked trust in software and services is now a strategic liability.”

The report names a range of actors associated with supply-chain-focused activity, including Lazarus, Scattered Spider, HAFNIUM, DragonForce and 888, as well as campaigns linked to Shai-Hulud. It said these groups illustrate how criminal organisations and state-aligned operators are targeting similar platforms and integration layers.

Group-IB said its analysis drew on monitoring of underground forums, leak sites and criminal marketplaces, alongside investigations and intelligence gathered through its Digital Crime Resistance Centers in 11 countries. The company is headquartered in Singapore and operates regional centres across several geographies.

Alongside threat analysis, Group-IB pointed to operational work with law enforcement. In 2025, it supported 52 local and international agencies across six operations globally. In Asia-Pacific, it said it assisted the Royal Thai Police and the Singapore Police Force in the arrest of a Singaporean cybercriminal known as ALTDOS, linked to data leaks and cyber extortion targeting healthcare, finance, eCommerce and logistics.

The company also reported dismantling a cybercriminal network that had compromised more than 216,000 victims, with the operation leading to 32 arrests in Asia-Pacific.

The report’s focus on upstream compromise reflects a broader trend in cyber risk management, where organisations assess not only their own exposure but also the resilience of vendors and technology supply chains. In practice, this has increased attention on software provenance, identity security, third-party access controls, and monitoring of developer tooling and browser-based risk.

Group-IB said the High-Tech Crime Trends Report 2026 includes case studies and profiling of threat actors, with further analysis of how supply chain methods evolved during 2025 and how they are likely to influence the region’s cyber risk picture in 2026.

 
