[APAC APT Threat Landscape] 2025 in Review: The Industrialization of Intrusions


2026.02.08 Cyber Threat Intelligence
In 2025, advanced persistent threat (APT) activity in the Asia-Pacific region continued to grow in both volume and complexity. TeamT5 observed more than 510 APT attack incidents, and within those, Taiwan was the primary target because of its geopolitical position and its role in critical technology supply chains. These operations not only reflect the strategic priorities of China-nexus threat groups; they also make Taiwan a testing ground for new attack techniques and tactics.
TeamT5 research shows that threat actors are steadily shifting toward edge devices, IoT, and the supply chain as their main attack surface, while making heavy use of one-time malware, abusing system trust mechanisms, and operating within a division-of-labor attack ecosystem, all of which weakens traditional defenses built around indicators of compromise. This "whole-of-nation" APT ecosystem, composed of state direction, private contractors, and professional specialization, is reshaping the global cyber threat landscape.
Facing this trend, defenders need to move from "passive blocking" to "proactive hunting centered on behavior and hypotheses", combined with regional threat intelligence and cross-border collaboration, in order to gain an effective defensive advantage against a highly industrialized attack system.

APT Threat Landscape in APAC 2025: Industrialization of Intrusions

With geopolitical tensions continuing to escalate across the APAC region, APT activities in the region are intensifying in both volume and sophistication. In 2025, TeamT5 tracked more than 510 APT operations affecting 67 countries globally, up steadily from 2024. Of these, 173 attacks targeted Taiwan, far exceeding activity levels seen in other regional targets.
Over the years, we have observed that Taiwan remains the most consistently and heavily targeted environment for cyber operations, with China responsible for the majority of observed activity. Taiwan's role in geopolitical tensions and its value in the global technology supply chain make it uniquely attractive to adversaries seeking intelligence or long-term access in support of political and military objectives. The scale, diversity, and persistence of these campaigns position Taiwan not only as a frontline target but also as an early-warning bellwether for the direction of China-nexus intrusion tradecraft. Campaigns observed in Taiwan frequently show early adoption of new tooling and evolving TTPs. Taiwan is therefore more than a target: it functions as a proving ground where China-nexus APTs test and refine their tactics before scaling them to other environments.
As defenders continue to harden endpoints with capabilities like EDR, threat actors are adapting by shifting operations to layers with comparatively limited telemetry and weaker detection coverage. That shift is reflected in our 2025 findings: we tracked 27 critical vulnerabilities, most of which impacted edge devices such as firewalls, routers, and VPN appliances. Moreover, China-nexus actors have paired exploitation with custom backdoors tailored to specific device families. These backdoors are often designed to persist even after the underlying vulnerability is patched or the device is rebooted. This transforms one-time perimeter access into long-term access across victim networks and significantly raises the difficulty of detection and complete eradication. In addition, Internet of Things (IoT) devices are increasingly being abused by threat actors for a range of malicious objectives, particularly as low-noise infrastructure that blends into normal network traffic. For example, we observed actors chaining compromised IoT devices into operational relay box (ORB) networks to stage and route attacks, effectively obscuring the origin of malicious activity. In other cases, actors have abused Network Attached Storage (NAS) systems as reverse SSH tunnel relays, facilitating data exfiltration through an intermediary that often appears benign.
Supply chain attacks accelerated further in 2025, reinforcing what TeamT5 describes as the "Fail-of-Trust Model". In a supply chain attack, threat actors compromise software vendors, managed service providers, or cloud service providers to exploit inherited trust and pivot into their downstream customer environments. In Taiwan, TeamT5 observed multiple attacks in which Chinese actors (e.g., Huapi and SLIME86) first compromised upstream IT service providers, then leveraged that access to move laterally into government, military, and critical infrastructure networks. In other notable cases attributed to the China-nexus SocialNetworkTeam and SLIME40 (aka Salt Typhoon), threat actors compromised national telecom networks and used that access for long-term traffic interception and surveillance, including DNS manipulation and ISP-level hijacking. These campaigns directly erode a foundational assumption of the digital ecosystem: that "trusted" suppliers are secure. By weaponizing trusted relationships as attack paths, supply chain operations turn implicit trust into a liability, hence the "Fail-of-Trust Model". Consistent with this shift, we observed a clear uptick in 2025 attacks aimed at the IT sector. Threat actors are increasingly treating IT providers as strategic infrastructure, using them as launchpads to reach downstream targets more efficiently and at far greater scale.
Malware deployment tradecraft also evolved in 2025. Across the 300+ malicious samples we tracked, we saw a clear rise in customized, disposable “one-time” malware. Much of it consisted of lightweight loaders and downloaders which are quick to build, easy to tailor to a specific intrusion chain, and inherently more capable of evading signature-based detection. In parallel, we increasingly observed multi-tool intrusion stacks, where actors deploy more than one malware family and/or a mix of malware and legitimate hacking tools within the same operation. This reduces single points of failure: if one component is detected or blocked, others can maintain access, pivot laterally, or re-establish command-and-control. For defenders, the result is a broader, more fragmented footprint that slows triage and makes complete eradication harder.

From APT Groups to a China-nexus “Whole-of-Nation” APT Ecosystem

The observed increase in the volume and sophistication of APT operations occurs in parallel with growing signs of a maturing APT ecosystem in China. Over the years, China has cultivated its offensive cyber capabilities through a "whole-of-nation" model: the state retains strategic direction (for example, prioritizing intelligence requirements and target sets) while execution capacity is expanded through a market of contractors, brokers, and specialist vendors. Public attributions and industry reporting over the last few years increasingly describe a threat landscape in which the boundary between "state" and "private sector" is operationally blurred, producing an industrial-scale pipeline for intrusions. The Chinese APT ecosystem blends state direction with "hacking-as-a-service" dynamics: capability is packaged, priced, and delivered in units that can be purchased, tasked, or repurposed. The 2024 I-Soon leak showed how a private Chinese company conducted intrusions and monetized access, and how that kind of contractor capacity can be integrated into state-aligned operations.
In 2025, more evidence surfaced, via indictments, sanctions packages, and leaked materials, that Chinese private-sector vendors are not merely tooling suppliers but can play operational roles across intrusion activity. Taken together, these disclosures point to an ecosystem that is becoming more modular and specialized as it scales. That industrialization is most visible in the shift from the traditional assumption that one APT group runs the full kill chain to a service-layered model. Instead of one team doing everything end to end, different providers contribute capabilities at distinct stages, and the examples map cleanly onto a cyber supply chain: at the front end, large-scale reconnaissance providers conduct internet-wide scanning and target profiling; midstream, developers produce exploits, modular malware components, and tailored one-time payloads optimized for specific environments; at the back end, infrastructure operators specialize in command-and-control, proxy layers, and operational relay box (ORB) networks. This division of labor enables faster iteration, higher operational tempo, and greater resiliency.

Looking Forward

For governments, enterprises, and critical sectors worldwide, the lesson is clear: indicator-driven defense can’t keep up with an industrialized intrusion ecosystem that can quickly change tools, servers, and routes when exposed. Defenders therefore have to move upstream to proactive, hypothesis-driven threat hunting that prioritizes durable behaviors over short-lived signatures. This approach shifts the objective from “blocking known bad” to finding active tradecraft early, before the adversary completes collection and exfiltration.
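The contrast this paragraph draws, between matching indicators and hunting durable behaviors, is easiest to see side by side. The following Python is an added example and is not TeamT5 code or tooling: it runs an indicator check and a hypothesis-driven hunt over the same handful of constructed flow records. The hunt encodes one hypothesis taken from the NAS reverse-SSH-relay tradecraft described earlier on this page: a storage or edge appliance should not initiate long-lived outbound SSH sessions to external addresses, and if one does while also beginning to reach internal servers over SMB, RDP, SSH or WinRM, it may be relaying an attacker inward through a reverse tunnel. The asset inventory, internal address ranges, thresholds, pivot ports and every flow record are assumptions constructed for this example; 203.0.113.77 is a documentation address standing in for attacker infrastructure.

```python
"""Indicator matching versus a hypothesis-driven hunt over constructed flow records.

Added example, not TeamT5 tooling. Hypothesis: a NAS or edge appliance should
never initiate long-lived outbound SSH to an external address. If one does, and
within the same window starts reaching internal servers over SMB/RDP/SSH/WinRM,
it may be relaying an attacker through a reverse SSH tunnel (ssh -R style).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumption: the organisation's internal ranges (RFC 1918). A real hunt would
# take these from the address plan rather than hard-coding them.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: inventory of appliances that should only serve, never dial out.
APPLIANCES = {"10.0.5.20": "nas-01", "10.0.5.21": "nas-02", "10.0.9.1": "edge-fw"}

# Protocols an attacker pivoting through a relay would use against internal hosts.
PIVOT_PORTS = {22, 445, 3389, 5985}


@dataclass(frozen=True)
class Flow:
    ts: int           # flow start, epoch seconds
    src: str
    dst: str
    dport: int
    duration_s: int
    bytes_out: int    # src -> dst
    bytes_in: int     # dst -> src


# Constructed sample flows (not real telemetry). 203.0.113.77 is a TEST-NET-3
# documentation address standing in for attacker infrastructure.
FLOWS = [
    Flow(1000, "10.0.1.15", "10.0.5.20", 445, 30, 2_000_000, 50_000),          # workstation reads a share: normal
    Flow(1200, "10.0.5.20", "203.0.113.77", 22, 21_600, 45_000_000, 900_000),  # nas-01 -> Internet SSH, up for 6 h
    Flow(1260, "10.0.5.20", "10.0.2.30", 445, 900, 500_000, 40_000_000),       # nas-01 pulls 40 MB from a file server
    Flow(1300, "10.0.5.20", "10.0.2.31", 3389, 1_800, 3_000_000, 12_000_000),  # nas-01 opens RDP to a server
    Flow(1400, "10.0.1.15", "198.51.100.9", 22, 120, 20_000, 30_000),          # admin workstation SSH out: not an appliance
    Flow(1500, "10.0.5.21", "10.0.0.53", 53, 1, 200, 400),                     # nas-02 DNS lookup: normal
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def ioc_hits(flows: list[Flow], known_bad: set[str]) -> list[Flow]:
    """Indicator-driven check: fires only if the destination is already on a list."""
    return [f for f in flows if f.dst in known_bad]


def hunt_appliance_relay(flows, appliances=APPLIANCES, min_duration_s=3600, window_s=7200):
    """Behavioural hunt. One finding per appliance-initiated, long-lived external SSH
    session, enriched with the internal connections that appliance opened while the
    session was up (the 'inbound through the tunnel' side of a reverse relay)."""
    findings = []
    for f in flows:
        if f.src not in appliances or f.dport != 22 or is_internal(f.dst):
            continue                      # not an appliance dialling out over SSH
        if f.duration_s < min_duration_s:
            continue                      # short sessions: likely admin or update traffic
        pivots = [
            g for g in flows
            if g.src == f.src and is_internal(g.dst) and g.dport in PIVOT_PORTS
            and f.ts <= g.ts <= f.ts + window_s
        ]
        findings.append({
            "asset": appliances[f.src],
            "tunnel": f,
            "internal_pivots": pivots,
            "bytes_out_mb": round(f.bytes_out / 1e6, 1),   # volume pushed out over the tunnel
        })
    return findings


if __name__ == "__main__":
    # The attacker address is on no list, so the indicator check is silent...
    print("IOC hits:", ioc_hits(FLOWS, {"192.0.2.1"}))
    # ...while the behavioural hunt surfaces nas-01 and its two internal pivots.
    for hit in hunt_appliance_relay(FLOWS):
        t = hit["tunnel"]
        print(f"{hit['asset']}: {t.src} -> {t.dst}:{t.dport} for {t.duration_s // 3600} h,"
              f" {hit['bytes_out_mb']} MB out; pivots -> {[p.dst for p in hit['internal_pivots']]}")
```

Two caveats a practitioner would apply before running this against real telemetry. The hunt is only as good as its inventory: an appliance missing from the list is invisible to it, and one that legitimately dials out (cloud backup over SSH, vendor support tunnels) needs an allow-listed destination rather than a raised threshold. And the destination port is the weakest part of the hypothesis, since a relay can just as easily run over 443; the durable behavior is "an appliance initiating a long-lived outbound session and then reaching hosts it never normally contacts", so in production the port filter should be loosened and the pivot correlation kept.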
But hunting alone is not enough, because this is an ecosystem problem. Effective defense also requires deep regional intelligence that explains how the ecosystem is organized. That context turns scattered telemetry into actionable understanding, enabling defenders to distinguish who is responsible for reconnaissance, initial access, payload delivery, and infrastructure enablement. With those roles mapped, defenders can better anticipate likely next moves in the kill chain and apply disruption at the points of greatest leverage.
TeamT5 believes meaningful impact depends on international collaboration grounded in shared adversary insight. In other words, defenders must compete with an industrial system by responding as a coordinated system. TeamT5 is committed to doing our part: contributing high-quality cyber threat intelligence, supporting joint response efforts, and strengthening the partnerships that make collective defense work.

About TeamT5

TeamT5 (杜浦數位安全) is a threat intelligence specialist rooted in the Asia-Pacific region. Drawing on Taiwan's unique geographic vantage point, language capabilities, and more than twenty years of accumulated research, it focuses on APT and ransomware threat research in APAC and provides governments, financial institutions, and the technology industry with the most localized, actionable threat intelligence insights and protection solutions.
We believe that truly effective cyber defense comes from continuous tracking and deep understanding of threats. With research at its core, TeamT5 turns complex and rapidly evolving attack behavior into actionable intelligence judgments, helping organizations anticipate risk before an attack occurs, move from reactive response to proactive defense, and reduce their cyber risk.
As a practitioner of intelligence-driven defense, TeamT5 continuously tracks unknown threats, precisely dissects attack chains, and acts with agility to shorten the window of exposure. We also value trust and collaboration: we regularly share research findings at world-class security conferences and international venues, work with the global security community to advance the practical application of threat intelligence and the evolution of defense, and build long-term relationships with customers and partners to jointly strengthen overall defensive resilience.