In 2026, Asia confronts an intensifying AI-powered threat landscape driven by rapid technological adoption, geopolitical tensions, and sophisticated adversaries. The World Economic Forum's Global Cybersecurity Outlook 2026 identifies AI-related vulnerabilities as the fastest-growing cyber risk, with 87% of respondents highlighting their acceleration.
Supply chain disruptions and cyber-enabled fraud and phishing also rank among the top concerns for organisations across regions, including Asia's interconnected economies.
AI supercharges the attack surface

The rapid proliferation of AI-powered tools and agentic AI is fundamentally expanding the attack surface in Asia. "First, threat actors themselves are using AI tools to scale social engineering techniques," explains James Murphy, field CTO, Threat Intelligence, APJ, Trellix. "Meaning that previous signs, like an email with poor grammar or spelling, are no longer the obvious giveaway for a phishing email – AI is making it trivial for threat actors to automate at scale."
On the defensive side, Murphy notes parallels to the rise of SaaS and Shadow IT: "The same problem now occurs with AI apps and agents being adopted faster than organisations can gain visibility and control over them.
"AI browsers are a good example, because they can connect sensitive data points, like your emails or your login sessions – the organisation has no visibility over that connection," he continues.
He warns that threat actors can insert malicious instructions into websites and perform prompt injection by abusing the AI browser feature that summarises the website.
These dynamics are particularly acute in Asia, where digital transformation and AI adoption outpace governance in many economies.
Blocking supply chain breakouts
High-profile incidents such as SolarWinds (2020), NotPetya (2017), Log4j/Kaseya (2021), 3CX (2023), and XZ Utils (2024) demonstrate that a single compromised vendor can trigger widespread disruption.
Murphy emphasises the implicit trust in software and the need for behavioural monitoring: "The supply chain is tricky because of the implicit trust placed in the software, but we can still monitor behaviour within our local environment."
"A robust defence-in-depth strategy is essential for security teams to mitigate supply chain vulnerabilities and ensure cyber resilience." James Murphy
He advocates detecting anomalous activity, such as unusual endpoints, strange processes, or unauthorised data changes, and separating these from normal operations to spot subtle indicators like Command and Control activity. Intelligence from dark web forums can flag vendor compromises, enabling verification and isolation.
In 2026, supply chain risks remain a top barrier to cyber resilience, with 65% of large companies citing third-party and supply chain vulnerabilities as their greatest challenge. Visibility gaps and inheritance risk – the inability to assure third-party software integrity – compound these issues across Asia's interconnected digital ecosystems.
Nation-state & crime convergence
Nation-state actors in Asia are increasingly blurring the lines between espionage, ransomware, and AI-driven financial attacks. Using North Korea as an example, Murphy posits that the boundary between typical nation-state activity and criminal activity, such as ransomware and crypto theft, is eroding.
He notes that North Korean actors use cybercrime to generate revenue, citing the North Korean IT workers campaign: operators are hired as remote workers, funnel their earnings back to the state, and then use the privileged access to commit further espionage. In the hiring process, they have used real-time AI deepfakes to trick recruiters and hiring managers.
North Korea's Lazarus Group was responsible for the US$1.5 billion theft of crypto from Bybit in 2025, the largest at the time. Supporting data from the Korea Economic Institute of America confirms the scale: the February 2025 Bybit heist by Lazarus accounted for the bulk of US$2 billion in cryptocurrency stolen by North Korean hackers in 2025, breaking prior records, while innovations in AI-powered cyber operations have enhanced their effectiveness.
The same analysis notes North Korean IT worker schemes and the use of cyber activity to fund weapons programmes, with illicit cyber operations estimated by the UN to support up to 40% of WMD research.
These converged tactics directly threaten Asia, targeting entities in South Korea, Taiwan, and beyond.
Hunting APTs proactively
Critical infrastructure and intellectual property rank as high-value targets for advanced persistent threats (APTs) in Asia. Murphy stresses intelligence-driven hunting: "Critical infrastructure and intellectual property are among the highest-value targets for APTs, so your intelligence to inform a proactive threat hunt should reflect their methods and account for their motivations.
"For APTs, the motivation is to infiltrate critical infrastructure quietly, for as long as possible, and steal information, such as intellectual property, undetected. Due to the subtle nature of their activity – using living off the land tools as much as possible – it can be difficult to distinguish legitimate from malicious activity," he elaborates.
"The intelligence narrows the search, so your team isn't drowning in false positives from legitimate admin activity. If the hunt finds the adversary activity, pre-built response playbooks can help contain it quickly." James Murphy
This approach counters the region's prevalent stealthy operations.
Countering AI-enhanced deception
A surge in AI-enhanced phishing, QR-code attacks, and malicious browser extensions demands evolved detection that preserves business velocity. Murphy underscores threat intelligence's role: "Threat intelligence is becoming more important and relevant than ever. If we look at the North Korean IT workers campaign example, they cleverly use AI to craft convincing email conversations that go back and forth for weeks, sometimes longer, to appear legitimate and gain the trust of targeted victims."
He notes that in this instance, there's no obvious red flag, like a phishing URL or a malicious attachment, that would trigger an automatic alert. He adds that threat intelligence provides the right information, such as a known North Korean email address, to help teams stop the attack.
"When threat intelligence is utilised properly, it enables teams to make better decisions, accelerating business velocity rather than hindering it," he concludes.
Building predictive security
Shifting from reactive to predictive security requires integrated platforms, cross-functional processes, and partnerships.
Murphy explains: "Technology is often highlighted as the primary way to scale up a threat intelligence function that supports an organisation's security programme. It is certainly a large part of the solution – you need technology to place the intelligence in the right areas: tightly integrated into your security tooling for timely access and relevance."
Challenges arise in non-technical areas, where Murphy says many organisations run into issues. Cross-functional processes mean threat intelligence needs to be embedded in broader aspects of cyber, such as vulnerability management, the SOC, and even beyond the cyber team altogether, to support executive risk decisions. "Often, a lot of intelligence is published, but none of the relevant teams read it, or it is written for the wrong audiences," he observes.
"External partnerships, such as vendor feeds, ISACs, and government alerts, also help provide a balanced reporting perspective. It's then very important to have an established threat intelligence programme to manage all of this – too much data can quickly become overwhelming and neutralise any advantage it could have provided." James Murphy
In Asia's 2026 landscape, these strategies – informed by rising AI risks and the convergence of nation-state and criminal activity – are essential for resilience.
