CrowdStrike warns of a shift toward malware-free intrusions in APAC
According to CrowdStrike's 2025 report, cybercriminals in APJ are shifting to malware-free attacks, relying on identity theft and everyday software tools to quietly infiltrate systems.
Cyber threats in Asia Pacific and Japan (APJ) are becoming more structured and deliberate, according to the 2025 APJ eCrime Landscape Report. The report describes a new kind of attacker it calls the "enterprising adversary": groups that operate like professional organizations, running attacks with the same discipline and precision found in the corporate world. They plan ahead, scale their operations efficiently, and focus on impact over noise.
Instead of relying only on malware, many are turning to stealthier methods that blend into daily business activity. Adam Meyers, Senior Vice President of Counter Adversary Operations at CrowdStrike, said this trend marks a major shift in how attackers work.
"Threat actors have figured out that trying to bring malware into the modern enterprise is kind of like trying to walk into an airport with a water bottle — you're probably going to get stopped by security," Meyers said.
"Rather than bringing in the 'water bottle,' they've had to find a way to avoid detection. One of the ways they've done that is by not bringing in malware at all."
He explained that attackers often use identity-based access and "living-off-the-land" techniques, where tools like PowerShell or Python are used to move within a system without triggering alarms. "We found that in 81% of the intrusions with hands-on-keyboard activity observed by our OverWatch threat-hunting team, no malware was used," he said. "These were purely hands-on-keyboard and identity-based attacks."
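As an added illustration, not code from CrowdStrike or from the article: because the activity Meyers describes brings no malware onto the host, a defender has no file to match and has to look at behaviour instead. The Python below runs over constructed process-creation telemetry (field names, tool list and allowlist are all assumptions for the example) and flags an account session that launches several built-in tools by hand within a short window, while leaving a scheduler-launched script that uses the same binaries alone.

```python
"""Added example (not from the report or the article): a small behavioural
hunting pass over constructed process-creation events that separates a
burst of hand-driven built-in tooling from scheduled automation."""
from collections import defaultdict

# Built-in interpreters and admin tools commonly driven by hand
# ("living off the land"). List chosen for the example only.
LOLBINS = {"powershell.exe", "cmd.exe", "python.exe", "wmic.exe", "net.exe"}

# Parents that indicate a scheduled or service-launched job rather than an
# operator typing commands. Assumed allowlist for this example.
AUTOMATION_PARENTS = {"services.exe", "svchost.exe", "taskeng.exe"}

WINDOW_SECONDS = 600   # burst window in seconds
MIN_DISTINCT = 3       # distinct tools in the window before we flag

# Constructed telemetry; field names are assumed, not a real product schema.
EVENTS = [
    {"ts": 100, "user": "j.doe", "host": "FAB-HMI-07", "parent": "wsmprovhost.exe",
     "image": "powershell.exe", "cmdline": "powershell -NoProfile whoami"},
    {"ts": 130, "user": "j.doe", "host": "FAB-HMI-07", "parent": "wsmprovhost.exe",
     "image": "cmd.exe", "cmdline": "cmd /c hostname"},
    {"ts": 190, "user": "j.doe", "host": "FAB-HMI-07", "parent": "cmd.exe",
     "image": "net.exe", "cmdline": "net user"},
    {"ts": 250, "user": "j.doe", "host": "FAB-HMI-07", "parent": "powershell.exe",
     "image": "python.exe", "cmdline": "python -c \"import socket\""},
    # Same binaries, but launched by the service manager under a service account.
    {"ts": 3600, "user": "svc-backup", "host": "BK-01", "parent": "services.exe",
     "image": "powershell.exe", "cmdline": "powershell -File C:\\ops\\nightly.ps1"},
    {"ts": 3660, "user": "svc-backup", "host": "BK-01", "parent": "services.exe",
     "image": "cmd.exe", "cmdline": "cmd /c robocopy D:\\data E:\\backup"},
    {"ts": 3700, "user": "svc-backup", "host": "BK-01", "parent": "services.exe",
     "image": "wmic.exe", "cmdline": "wmic logicaldisk get size"},
]


def hands_on_keyboard_sessions(events, window=WINDOW_SECONDS, min_distinct=MIN_DISTINCT):
    """Return (user, host, first_ts, tools) for every (user, host) session in
    which at least `min_distinct` different LOLBins were launched outside the
    automation allowlist within `window` seconds of each other."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["image"].lower() not in LOLBINS:
            continue
        if e["parent"].lower() in AUTOMATION_PARENTS:
            continue  # scheduler/service-launched: treated as automation
        by_session[(e["user"], e["host"])].append(e)

    findings = []
    for (user, host), evs in by_session.items():
        # Sliding window over this session's interactive tool launches.
        for i, start in enumerate(evs):
            tools = {start["image"].lower()}
            for later in evs[i + 1:]:
                if later["ts"] - start["ts"] > window:
                    break
                tools.add(later["image"].lower())
            if len(tools) >= min_distinct:
                findings.append((user, host, start["ts"], sorted(tools)))
                break  # one finding per session is enough for triage
    return findings


if __name__ == "__main__":
    for user, host, ts, tools in hands_on_keyboard_sessions(EVENTS):
        print(f"{user}@{host} at t={ts}: interactive use of {', '.join(tools)}")
```

On the constructed data only the `j.doe` session is flagged; the `svc-backup` run uses the same binaries but is excluded by its service-manager parent. That allowlist is also the rule's weak point: an intruder holding a service account and launching through the scheduler would not be caught, which is why a pass like this is normally joined with identity signals (the account's usual hosts, logon type and source address) rather than run on process events alone.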
Ransomware still dominates
Between January 2024 and April 2025, CrowdStrike Intelligence recorded 763 ransomware and data-extortion victims in APJ. India, Australia, Japan, Taiwan, and Singapore were the hardest hit. While APJ makes up more than half of the world's population, victims in the region represented just 9% of global cases.
Five groups — OCULAR SPIDER, BITWISE SPIDER, BRAIN SPIDER, TRAVELING SPIDER, and PUNK SPIDER — led most attacks. CrowdStrike found that these groups tend to target opportunistically rather than focusing on specific nations. Interestingly, many avoided Chinese targets altogether. OCULAR SPIDER, for instance, bans affiliates from attacking China, North Korea, Cuba, and countries in the Commonwealth of Independent States.
Two ransomware-as-a-service groups, FunkLocker and KillSec, showed a stronger regional focus, with about a third of their victims based in APJ — mostly in India. FunkLocker's leader, known as Scorpion, has said the group picks targets based on revenue and weak defences, reinforcing how financial gain continues to drive cybercrime.
Manufacturing in the crosshairs
Manufacturing remains one of the most attractive sectors for ransomware groups. Meyers said these organizations face unique challenges because downtime directly translates into financial loss.
"Manufacturing is vulnerable because downtime from a ransomware intrusion can be measured directly in dollars and cents," he said. "At some point, the adversary realizes that if they can prolong the disruption long enough, it becomes cheaper for the organization to pay the ransom than to keep fighting through it."
He added that many factories rely on outdated systems, weak passwords, and shared accounts, making them easy targets. "These organizations should invest in modern security architecture, strong identity controls, and a vigilant threat-hunting team to monitor factory infrastructure and keep operations running smoothly," Meyers said.
Across APJ, manufacturing, technology, engineering, financial services, and professional services remain top targets — industries where even brief disruptions can cause serious financial damage.