LastPass APAC Regional Report 2025

LastPass’s 2025 APAC Regional Report shows the region facing high volumes of cyber espionage and financially motivated attacks, with manufacturing, Japan, and Australia standing out as major targets and stolen credentials as a primary access vector. It also highlights the growing role of Akira, LUMMAC, Salt Typhoon, and credential-stuffing campaigns, alongside emerging risks from AI-driven scams and infrastructure abuse. #Lastpass #APAC #Akira #LUMMAC #SaltTyphoon #TEMPHex #Bitter #APT36 #Billbug #CoGUI #Syteca

Keypoints

  • Annual cybersecurity reports typically begin with a regional or global snapshot that summarizes the threat environment, most targeted countries and sectors, and the most common attack methods, helping readers quickly understand the overall risk picture.
  • They usually include a threat landscape section that explains the main drivers of attacker activity, such as cybercrime, espionage, geopolitical tensions, economic pressures, and the use of stolen credentials or vulnerabilities for initial access.
  • A malware section generally identifies the top families observed during the reporting period, often separating ransomware, stealers, downloaders, and backdoors, and highlighting how their popularity or distribution changed over time.
  • An actor-focused section usually profiles the most active threat groups, including their aliases, motivations, typical targets, and common tactics such as spear-phishing, credential theft, or compromised network devices.
  • Most reports also include notable incidents that illustrate the broader trends, showing how threat actors translate their capabilities into real-world compromises against governments, businesses, and critical sectors.
  • Many annual reports end with a deep dive on a specific campaign or sector, giving detailed insight into attack chains, technical methods, victim impact, and defensive lessons learned.
  • In this report, APAC accounted for the largest number of incidents globally in 2024 at 34%, a 13% increase, underscoring the region’s central role in the worldwide threat landscape.
  • Manufacturing was the most targeted industry in APAC, followed by finance and insurance at 16% and transportation at 11%, showing continued pressure on operationally important sectors.
  • Japan was the most targeted country in the region, while the Philippines, Indonesia, South Korea, and Thailand each represented 5% of cases, indicating broad geographic spread across APAC.
  • Stolen credentials were reported by 55% of breach victims in APAC, and nearly one in four incidents involved stolen data or credentials, reinforcing credential theft as a primary access vector.
  • Australia remained a major ransomware target and stayed in the top 10 countries impacted by gang-reported victims, reflecting persistent pressure on Australian organizations.
  • The region’s cyber threat score of 6.4 and observed activity from actors linked to China, North Korea, Russia, Brazil, Mexico, and Vietnam show that APAC is exposed to diverse and transnational threat sources.
  • Akira emerged as the top ransomware family in Q1 2025, with a spike to 241 posted victims at the end of May, and Asia accounted for about 11% of global ransomware activity.
  • LUMMAC, also known as Lumma, was one of the top stealers in APAC, but its infrastructure takedown in May 2025 is expected to reduce infections and shift market share toward Vidar, Stealc, Acreed, and others.
  • Observed malware in APAC included CABBEACON, LUMMAC, HOPLITE, NUMOZYLOD, LIGHTPIPE, and various backdoors, showing a mix of recon, credential theft, and delivery tools.
  • TEMP.Hex, Salt Typhoon, Bitter, and APT36 were highlighted as major threat actors, illustrating the continuing mix of Chinese, North Korean, Indian-backed, and Pakistani espionage activity in the region.
  • Salt Typhoon’s compromise of Cisco network devices across five telecom networks is a significant finding, demonstrating the focus on telecom infrastructure and long-term access.
  • Key incidents such as the CoGUI phishing kit campaign in Japan, the Fog ransomware attack on an Asia-based financial institution, and Billbug’s Southeast Asia intrusion campaign reflect the diversity of techniques and targets.
  • Fake Update campaigns and the Australian superannuation credential-stuffing wave show that attackers are increasingly combining social engineering, OAuth/token abuse, session hijacking, and API or database exploitation.
  • Recurring themes across the report include credential theft, phishing, ransomware, espionage, critical infrastructure targeting, and the weaponization of legitimate tools, all of which indicate a more mature and adaptable threat environment.
  • The report’s defensive guidance emphasizes patching applications and operating systems, using password managers, enabling MFA, and limiting privileges, reflecting the importance of basic hygiene against sophisticated but often credential-driven attacks.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)
