With geopolitical tensions continuing to escalate across the APAC region, APT activities in the region are intensifying in both volume and sophistication. In 2025, TeamT5 tracked more than 510 APT operations affecting 67 countries globally, up steadily from 2024. Of these, 173 attacks targeted Taiwan, far exceeding activity levels seen in other regional targets.
Over the years, we have observed that Taiwan remains the most consistently and heavily targeted environment for cyber operations, with China responsible for the majority of observed activity. Taiwan’s role in geopolitical tensions and its value in the global technology supply chain make it uniquely exposed to adversaries who seek intelligence or long-term access to achieve political and military objectives. The scale, diversity, and persistence of these campaigns position Taiwan not only as a frontline target, but also as an early-warning bellwether for the direction of China-nexus intrusion tradecraft. Campaigns observed in Taiwan frequently showcase early adoption of new tooling and evolving TTPs; therefore, Taiwan is more than just a target: it functions as a proving ground where China-nexus APTs test and refine their tactics before scaling them to other environments.
Key Trends: Targeting of Edge Devices, Abuse of Trusted Services, and Disposable Malware
As defenders continue to harden endpoints with capabilities like EDR, threat actors are adapting by shifting operations to layers with comparatively limited telemetry and weaker detection coverage. That shift is reflected in our 2025 findings: we tracked 27 critical vulnerabilities, most of which impacted edge devices such as firewalls, routers, and VPN appliances. Moreover, China-nexus actors have paired exploitation with custom backdoors tailored to specific device families. These backdoors are often designed to persist even after the underlying vulnerability is patched or the device is rebooted. This transforms one-time perimeter access into long-term access across victim networks and significantly raises the difficulty of detection and complete eradication. In addition, Internet of Things (IoT) devices are increasingly being abused by threat actors for a range of malicious objectives, particularly as low-noise infrastructure that blends into normal network traffic. For example, we observed actors chaining compromised IoT devices into operational relay box (ORB) networks to stage and route attacks, effectively obscuring the origin of malicious activity. In other cases, actors have abused Network Attached Storage (NAS) systems as reverse SSH tunnel relays, facilitating data exfiltration through an intermediary that often appears benign.
Supply chain attacks accelerated further in 2025, reinforcing what TeamT5 describes as the “Fail-of-Trust Model”. In a supply chain attack, threat actors compromise software vendors, managed service providers, or cloud service providers to exploit inherited trust and pivot into their downstream customer environments. In Taiwan, TeamT5 observed multiple attacks in which Chinese actors (e.g., Huapi and SLIME86) first compromised upstream IT service providers, then leveraged that access to move laterally into government, military, and critical infrastructure networks. In other notable cases attributed to the China-nexus groups SocialNetworkTeam and SLIME40 (aka Salt Typhoon), threat actors compromised national telecom networks and used that access for long-term traffic interception and surveillance, including DNS manipulation and ISP-level hijacking. These campaigns directly erode a foundational assumption of the digital ecosystem: that “trusted” suppliers are secure. By weaponizing trusted relationships as attack paths, supply chain operations turn implicit trust into a liability, hence the “Fail-of-Trust Model.” Consistent with this shift, we observed a clear uptick in 2025 attacks aimed at the IT sector. Threat actors are increasingly treating IT providers as strategic infrastructure, using them as launchpads to reach downstream targets more efficiently and at far greater scale.
Malware deployment tradecraft also evolved in 2025. Across the 300+ malicious samples we tracked, we saw a clear rise in customized, disposable “one-time” malware. Much of it consisted of lightweight loaders and downloaders that are quick to build, easy to tailor to a specific intrusion chain, and inherently more capable of evading signature-based detection. In parallel, we increasingly observed multi-tool intrusion stacks, where actors deploy more than one malware family and/or a mix of malware and legitimate hacking tools within the same operation. This reduces single points of failure: if one component is detected or blocked, others can maintain access, pivot laterally, or re-establish command-and-control. For defenders, the result is a broader, more fragmented footprint that slows triage and makes complete eradication harder.
From APT Groups to a China-nexus “Whole-of-Nation” APT Ecosystem
The observed increase in volume and sophistication of APT operations occurs in parallel with increasing signs of a maturing APT ecosystem in China. Over the years, China has been cultivating its offensive cyber capabilities through a “whole-of-nation” model: the state retains strategic direction (e.g., prioritizing intelligence requirements and target sets) while execution capacity is expanded through a market of contractors, brokers, and specialist vendors. Public attributions and industry reporting over the last few years increasingly describe a threat landscape where the boundary between “state” and “private sector” is operationally blurred, producing an industrial-scale pipeline for intrusions. The Chinese APT ecosystem blends state direction with “hacking-as-a-service” dynamics: capability is packaged, priced, and delivered in units that can be purchased, tasked, or repurposed. The 2024 I-Soon leak showed how a private Chinese company conducted intrusions and monetized access, and how such contractor capacity can be integrated into state-aligned operations.
In 2025, more evidence surfaced—via indictments, sanctions packages, and leaked materials—that Chinese private-sector vendors are not merely tooling suppliers but can play operational roles across intrusion activity. Taken together, these disclosures point to an ecosystem that is becoming more modular and specialized as it scales. That industrialization is most visible in the shift from a traditional “one APT group runs the full kill chain” assumption to a service-layered model. Instead of one team doing everything end-to-end, different providers can contribute capabilities at distinct stages. Examples map cleanly onto this cyber supply chain: at the front end are large-scale reconnaissance providers conducting internet-wide scanning and target profiling; midstream are developers producing exploits, modular malware components, and tailored one-time payloads optimized for specific environments; at the back end are infrastructure operators who specialize in command-and-control, proxy layers, and operational relay box (ORB) networks. This division of labor enables faster iteration, higher operational tempo, and greater resiliency.
Looking Forward
For governments, enterprises, and critical sectors worldwide, the lesson is clear: indicator-driven defense can’t keep up with an industrialized intrusion ecosystem that can quickly change tools, servers, and routes when exposed. Defenders therefore have to move upstream to proactive, hypothesis-driven threat hunting that prioritizes durable behaviors over short-lived signatures. This approach shifts the objective from “blocking known bad” to finding active tradecraft early, before the adversary completes collection and exfiltration.
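To make the contrast between indicator-driven and behavior-driven hunting concrete, here is an added example (not TeamT5 code, and not drawn from any real telemetry) that applies one durable-behavior hypothesis from the edge-device discussion above: NAS and IoT appliances should never hold long-lived outbound SSH sessions to the internet, which is exactly what a reverse SSH tunnel relay looks like on the wire. The asset inventory, internal address range, indicator feed and flow records are all constructed; the indicator check catches only the relay already on the feed, while the behavioral check also catches the rotated relay.

```python
import ipaddress
from dataclasses import dataclass

# Constructed asset inventory: which internal hosts are appliances (hypothetical).
INVENTORY = {"10.0.5.20": "nas", "10.0.7.31": "ipcam", "10.0.1.10": "workstation"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed internal range
APPLIANCE_ROLES = {"nas", "ipcam"}
# Constructed indicator feed: one relay address that was already reported.
KNOWN_BAD_DST = {"198.51.100.7"}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    duration_s: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form 'src=.. dst=.. dport=.. dur=..'."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]), int(kv["dur"]))

def is_external(ip: str) -> bool:
    """True when the address is outside the constructed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def ioc_hits(flows):
    """Indicator-driven check: flags only destinations already on the feed."""
    return [f for f in flows if f.dst in KNOWN_BAD_DST]

def behaviour_hits(flows, min_duration_s=600):
    """Hypothesis-driven check: an appliance holding a long outbound SSH session
    to an external host is suspicious whatever the destination address is."""
    return [f for f in flows
            if INVENTORY.get(f.src) in APPLIANCE_ROLES
            and f.dport == 22 and is_external(f.dst)
            and f.duration_s >= min_duration_s]

# Constructed flow records (not real telemetry).
SAMPLE_FLOWS = [parse_flow(line) for line in [
    "src=10.0.5.20 dst=198.51.100.7 dport=22 dur=7200",   # NAS -> relay on the feed
    "src=10.0.5.20 dst=203.0.113.9 dport=22 dur=5400",    # NAS -> rotated relay, not on feed
    "src=10.0.1.10 dst=203.0.113.9 dport=22 dur=300",     # admin workstation, expected SSH
    "src=10.0.7.31 dst=10.0.1.10 dport=22 dur=40",        # camera -> internal host only
    "src=10.0.5.20 dst=203.0.113.50 dport=443 dur=900",   # NAS cloud sync over HTTPS
]]

if __name__ == "__main__":
    print("IoC hits:", [f.dst for f in ioc_hits(SAMPLE_FLOWS)])
    print("Behaviour hits:", [f.dst for f in behaviour_hits(SAMPLE_FLOWS)])
```

In a real deployment the inventory and internal ranges come from the CMDB, and the duration threshold is tuned against the appliances' known update and sync traffic.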
But hunting alone is not enough, because this is an ecosystem problem. Effective defense also requires deep regional intelligence that explains how the ecosystem is organized. That context turns scattered telemetry into actionable understanding, enabling defenders to distinguish who is responsible for reconnaissance, initial access, payload delivery, and infrastructure enablement. With those roles mapped, defenders can better anticipate likely next moves in the kill chain and apply disruption at the points of greatest leverage.
TeamT5 believes meaningful impact depends on international collaboration grounded in shared adversary insight. In other words, defenders must compete with an industrial system by responding as a coordinated system. TeamT5 is committed to doing our part: contributing high-quality cyber threat intelligence, supporting joint response efforts, and strengthening the partnerships that make collective defense work.
About TeamT5
TeamT5 is an APAC-focused threat intelligence expert. Leveraging Taiwan’s unique geopolitical vantage point, multilingual capabilities, and over two decades of research experience, we specialize in APT and ransomware threats across the Asia-Pacific region. We deliver highly localized, action-oriented threat intelligence and defense solutions for government, financial, and technology sectors.
We believe that effective cybersecurity begins with continuous tracking and deep understanding of threats. With research at our core, TeamT5 transforms complex and rapidly evolving attack behaviors into actionable intelligence, enabling organizations to anticipate risks and shift from reactive response to proactive defense—reducing cyber risk.
As a practitioner of intelligence-driven cyber defense, TeamT5 continuously monitors emerging threats, precisely analyzes attack patterns, and acts with agility to minimize risk exposure. We also value trust and collaboration, actively sharing research insights at world-class cybersecurity conferences and international forums. By working closely with the global security community, as well as our customers and partners, we help advance the practical application of threat intelligence and strengthen cyber resilience.