Malaysia Cybersecurity Threat Report 2025: Key Findings & Strategic Insights


The Malaysia cybersecurity threat report 2025 reveals a significant escalation in sophisticated cyberattacks targeting businesses across all sectors. From ransomware groups to state-sponsored APT activity, Malaysian organisations face an increasingly complex threat landscape.
Malaysia Cybersecurity Threat Report 2025: Scale of Malaysia’s Threat Landscape
Each year, Simply Data’s award-winning Security Operations Centre (SOC), ISO/IEC 27001 certified, CREST accredited, and CSM Collaboration Partner recognised, processes billions of security events — forming the evidence base for the Malaysia cybersecurity threat report 2025 — on behalf of organisations across Malaysia, Indonesia, and Singapore. The Malaysia Threat Report 2025, covering the full calendar year from 1 January to 31 December 2025, represents the most comprehensive view yet of the threats targeting Malaysian organisations.
The data in the Malaysia cybersecurity threat report 2025, drawn from a customer base spanning Finance & Insurance, Government Agencies, Education, Logistics, Large Conglomerates, Property Developers, Energy, Manufacturing, Datacentre Providers, and Media & Entertainment, paints an alarming but actionable picture: threat actors are becoming more systematic, more patient, and increasingly focused on identity-layer exploitation.
What makes the Malaysia cybersecurity threat report 2025 distinctive is that it is built on real SOC telemetry, not surveys or estimates. Every number represents an actual log line, a real alert, a genuine attacker behaviour observed inside a Malaysian organisation’s environment.
Incidents Month by Month
Of the 12,379,396 alerts triggered across all monitored SIEM environments, Simply Data’s analysts escalated 3,945 confirmed security incidents, roughly 329 per month, as documented in the Malaysia cybersecurity threat report 2025. However, the monthly distribution is far from uniform, and the trend line tells a critical story.
The Malaysia cybersecurity threat report 2025’s most alarming data point is September 2025, which saw 602 escalated incidents, the highest single month across the entire year and more than three times the June low. The Q4 2025 period (September through December) accounted for a disproportionate share of all annual incidents, suggesting that threat actors are ramping up operations in the second half of the year, possibly aligned with major product and fiscal cycle milestones.
September 2025 alone saw 602 escalated incidents, the highest monthly count of the year, signalling a sharp escalation in adversarial tempo heading into Q4.
Where Are Attacks Originating?
Understanding which log sources generate the most incidents is critical for SOC prioritisation. The Malaysia cybersecurity threat report 2025 reveals that Microsoft 365 (O365) is the dominant attack surface, generating nearly a third of all escalated incidents.
O365 logs account for 32.16% of escalated incidents in the Malaysia cybersecurity threat report 2025, and the MITRE ATT&CK mappings point the same way: Microsoft 365 environments are the primary initial access battleground for Malaysian organisations. Operating System logs (30.33%) follow closely, indicating significant endpoint-level activity, while Network logs (14.91%) round out the top three.
Top 10 Incidents by Name
The most frequently observed incident types reveal a consistent pattern: attackers are leveraging credential-based techniques before attempting to escalate privileges or exfiltrate data:
| Incident Type | % of Total |
|---|---|
| Potential Password Spraying of Microsoft 365 User Accounts | 6.53% |
| Microsoft 365 Portal Logins from Impossible Travel Locations | 6.20% |
| Successful O365 Login from Blacklisted IP | 4.74% |
| Sensitive Directory Service Object Changed | 2.78% |
| SMB (Windows File Sharing) Activity to the Internet | 2.43% |
| Account Configured with Never-Expiring Password | 1.90% |
| New User Created / Login Using Admin Privileges | 1.65% |
| Successful Root SSH Login | 1.41% |
| Privileged Account Brute Force | 1.17% |
| File Changes at Sensitive Directory (FIM) | 1.17% |
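The two most frequent incident types above, password spraying and impossible-travel logins, are both detectable from Microsoft 365 sign-in events alone. The following is an added illustration written for this article, not Simply Data's own detection content; it runs over a constructed sample of sign-in events and assumes the source IP has already been geolocated upstream.

```python
"""Detect password spraying and impossible-travel sign-ins in M365 sign-in events.
Constructed sample data; the detection thresholds are illustrative, not a vendor's."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events: (time, user, source_ip, result, lat, lon).
# Latitude/longitude are assumed to come from an upstream IP geolocation step.
SIGNINS = [
    ("2025-09-03T01:00:05", "alice@example.my", "203.0.113.7", "failure", 1.35, 103.8),
    ("2025-09-03T01:00:09", "bob@example.my",   "203.0.113.7", "failure", 1.35, 103.8),
    ("2025-09-03T01:00:14", "carol@example.my", "203.0.113.7", "failure", 1.35, 103.8),
    ("2025-09-03T01:00:20", "dave@example.my",  "203.0.113.7", "failure", 1.35, 103.8),
    ("2025-09-03T01:00:27", "erin@example.my",  "203.0.113.7", "failure", 1.35, 103.8),
    ("2025-09-03T01:00:33", "frank@example.my", "203.0.113.7", "success", 1.35, 103.8),
    ("2025-09-03T08:15:00", "grace@example.my", "198.51.100.4", "success", 3.14, 101.69),   # Kuala Lumpur
    ("2025-09-03T08:40:00", "grace@example.my", "192.0.2.77",   "success", 40.71, -74.01),  # New York
    ("2025-09-03T09:00:00", "heidi@example.my", "198.51.100.9", "failure", 3.14, 101.69),
    ("2025-09-03T09:01:00", "heidi@example.my", "198.51.100.9", "failure", 3.14, 101.69),
]

def parse(ev):
    t, user, ip, result, lat, lon = ev
    return datetime.fromisoformat(t), user, ip, result, lat, lon

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: [targeted users]} for IPs that fail against at least
    `min_users` distinct accounts inside `window`. A spray stays under per-account
    lockout thresholds, so the signal is the breadth of accounts per source, not
    the failure count per account."""
    failures_by_ip = defaultdict(list)
    for ev in events:
        t, user, ip, result, _, _ = parse(ev)
        if result == "failure":
            failures_by_ip[ip].append((t, user))
    findings = {}
    for ip, attempts in failures_by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):  # sliding window from each attempt
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                findings[ip] = sorted(users)
                break
    return findings

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    la1, lo1, la2, lo2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect_impossible_travel(events, max_speed_kmh=900):
    """Return (user, ip_from, ip_to, km, hours) for consecutive successful logins by
    the same user whose implied speed exceeds `max_speed_kmh` (roughly airliner speed)."""
    per_user = defaultdict(list)
    for ev in events:
        t, user, ip, result, lat, lon = parse(ev)
        if result == "success":
            per_user[user].append((t, ip, lat, lon))
    findings = []
    for user, logins in per_user.items():
        logins.sort()
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(logins, logins[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist == 0:
                continue  # same location: nothing to assess
            hours = (t2 - t1).total_seconds() / 3600
            if hours == 0 or dist / hours > max_speed_kmh:
                findings.append((user, ip1, ip2, round(dist), round(hours, 2)))
    return findings

if __name__ == "__main__":
    print("password spray:", detect_password_spray(SIGNINS))
    print("impossible travel:", detect_impossible_travel(SIGNINS))
```

In the sample, the spraying IP also produces one success (frank) right after the failures; in a SOC that success from a source already flagged for spraying is the event to escalate first.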
Top Targeted Industries
When we look at which industries faced the highest number of escalated incidents, three sectors stand apart in the Malaysia cybersecurity threat report 2025. These sectors face a combination of high data value, complex supply chain dependencies, and often under-resourced security teams, a combination that threat actors actively exploit.
Education ranks first in incident volume in the Malaysia cybersecurity threat report 2025, a pattern consistent with global trends. Universities and schools hold vast amounts of personally identifiable information (PII), research data, and financial records, all while operating open-access networks designed for collaboration rather than security. Logistics companies, managing time-sensitive supply chains, are similarly vulnerable; operational disruption via ransomware or data theft carries significant financial penalty. Large Conglomerates present a broad attack surface with subsidiaries of varying security maturity, making them attractive for lateral movement and supply chain attacks.
How Attackers Operate in Malaysia
Simply Data maps every escalated incident documented in the Malaysia cybersecurity threat report 2025 to the MITRE ATT&CK framework, providing a standardised view of adversary tactics and techniques. The 2025 results confirm that Malaysian threat actors are following a deliberate, structured kill chain that begins with credential theft and ends with data extraction.
Top 5 Tactics (TA)
| Tactic ID | Tactic Name | % of Incidents |
|---|---|---|
| TA0006 | Credential Access | 25.38% |
| TA0001 | Initial Access | 22.79% |
| TA0003 | Persistence | 11.53% |
| TA0010 | Exfiltration | 9.45% |
| TA0011 | Command and Control | 8.29% |
Top 5 Techniques (T)
| Technique ID | Technique Name | % of Incidents |
|---|---|---|
| T1078 | Valid Accounts | 18.71% |
| T1110 | Brute Force | 15.17% |
| T1098 | Account Manipulation | 8.54% |
| T1190 | Exploit Public-Facing Application | 5.77% |
| T1048 | Exfiltration Over Alternative Protocol | 3.90% |
The Malaysia cybersecurity threat report 2025 tells a clear story: attackers enter via valid credentials (T1078, 18.71%) or brute-force methods (T1110, 15.17%), then manipulate accounts to establish persistence and escalate privileges. Command-and-Control infrastructure is then used to orchestrate data exfiltration. This is a textbook Advanced Persistent Threat (APT) pattern, no longer reserved for nation-state actors, but now widely adopted by financially-motivated cybercriminal groups targeting Malaysian organisations.
Indicators of Compromise: The Numbers
Simply Data correlates every IOC — a methodology central to the Malaysia cybersecurity threat report 2025 — against an extensive threat intelligence ecosystem. Out of 428,681,768 unique IOC lookups, 33,213,117 were confirmed as malicious, a match rate of 7.75%. Critically, when a match was confirmed, it triggered an average of 18.027 separate threat intelligence feed hits, indicating that the malicious infrastructure being encountered is well-documented and actively tracked by the global threat intelligence community.
Top Threat Source Countries
The Malaysia cybersecurity threat report 2025 maps how Malaysia’s threat landscape is heavily influenced by infrastructure based in the following countries. Note that infrastructure location does not necessarily indicate attacker origin, as many threat actors deliberately route through cloud providers and VPNs in these jurisdictions.
The United States’ dominant share (50.93%) reflects the widespread use of major US-based cloud platforms such as AWS, Azure, Cloudflare, and similar providers, as attack infrastructure. This underscores the need for threat intelligence that goes beyond simple geo-blocking and focuses instead on behavioural indicators and reputation-based detection.
Top 3 Risks Identified
Identity and Credential Compromise
Password spraying, brute-force attempts, and impossible travel login events are the most common threats documented in the Malaysia cybersecurity threat report 2025. Credential Access is the most prevalent MITRE tactic (25.38%) and Valid Accounts (T1078) is the most frequently observed technique at 18.71%. Microsoft 365 environments are the primary entry point, making identity security the single most critical control gap in Malaysian organisations today.
Weak Access Controls and Privilege Management
The Malaysia cybersecurity threat report 2025 data reveals systemic weaknesses in identity governance: accounts configured with non-expiring passwords, newly created users being granted administrative privileges immediately, and unauthorised directory object modifications. Persistence tactics account for 11.53% of observed TTPs, while Account Manipulation (T1098) at 8.54% highlights the ease with which attackers escalate privileges once inside the environment.
Data Exfiltration Exposure
The Malaysia cybersecurity threat report 2025 identifies exfiltration as the fourth most prevalent tactic at 9.45%, with SMB traffic to external destinations and exfiltration over alternative protocols as key indicators. When viewed alongside Command-and-Control activity (8.29%), it is evident that successful intrusions frequently progress to active data extraction, particularly in Education and Logistics, where sensitive personal and operational data is held at scale.
What the 2025 Data Really Tells Us
The Malaysia cybersecurity threat report 2025 data uncovers three overarching themes when the full dataset is viewed holistically. These themes transcend any single incident or technique and describe the structural nature of Malaysia’s cybersecurity challenge in 2025.
1. Identity Infrastructure Is the Primary Battleground
According to the Malaysia cybersecurity threat report 2025, Microsoft 365 is consistently the first target. Adversaries predominantly rely on credential-based techniques such as password spraying, brute force, and anomalous login activity to gain access. This risk is further amplified by extensive third-party and supply chain integrations with M365, where compromised external applications, OAuth permissions, or automation workflows can be leveraged to abuse trusted access paths. Identity compromise is no longer confined to direct user activity; it extends to every integrated tool and service.
2. Governance Gaps Enable Attack Progression
Once initial access is obtained — a recurring pattern in the Malaysia cybersecurity threat report 2025 — weaknesses in access controls, privilege management, and identity governance frequently allow attackers to progress through multiple stages of the kill chain. Indicators such as excessive privileges, non-expiring passwords, rapid elevation of newly created accounts, and risky directory changes point to configuration and enforcement gaps, not a lack of detection capability. Organisations are often detecting the right events; they are simply not enforcing the right preventative controls to stop attackers from exploiting the window of opportunity.
3. High-Value Targets Drive Concentrated Risk
The Malaysia cybersecurity threat report 2025 shows observed threat activity is highly concentrated around a limited number of attack techniques that directly enable access to sensitive systems and data. Credential Access, Valid Accounts, Persistence, and Exfiltration consistently appear together, indicating that attackers are prioritising efficiency and impact. Education and Logistics are disproportionately affected due to the nature of the data they manage, including personal information and critical operational data, combined with typically constrained security budgets.
Attackers are selectively targeting environments where successful compromise is more likely to result in meaningful data access or operational leverage. This is precision cybercrime, not opportunism.
Reflecting on Our 2024 Predictions
How well did last year’s predictions hold up? The Malaysia cybersecurity threat report 2025 allows us to measure accuracy — and the majority proved correct.
| 2024 Prediction | Outcome |
|---|---|
| Rise of Supply Chain Compromise | ✓ Yes |
| Password Compromise and Social Engineering | ✓ Yes |
| Ransomware and Security Practices | ~ Partial |
Supply chain compromises were fully validated in the Malaysia cybersecurity threat report 2025, with third-party vendor risk materialising across multiple sectors. Password compromise and social engineering also played out as predicted, amplified by generative AI-powered phishing. Ransomware was partially realised: RaaS and EDR killer tools confirmed the threat, but progress on People, Processes, and Technology balance remained uneven across organisations.
Starlight Intelligence: Ransomware & Threat Actor Data
Pages 10 and 11 of the Malaysia cybersecurity threat report 2025 were made possible through the exclusive contribution of Starlight Intelligence, a premier Malaysian cybersecurity firm and NACSA-licensed service provider, recognised as a Malaysia Digital Status company for its innovation in Artificial Intelligence. Starlight leverages its proprietary Starlight Neural Networks (SNN) to generate high-fidelity threat intelligence and assess risks with precision.
Founded in 2019 and BSI-certified to ISO 27001:2022, Starlight Intelligence bridges the gap between high-end protection and budgetary constraints, delivering locally-developed, cost-effective cybersecurity solutions that directly serve the Malaysian market. Their meticulous research and data generosity have significantly elevated the quality of this report’s threat actor and ransomware analysis.
This report was meticulously prepared with Starlight Intelligence’s ransomware and threat actor data, giving Malaysian organisations an unprecedented window into exactly who is targeting them and how.
Malaysia Ransomware Statistics (Starlight Data)
The Malaysia cybersecurity threat report 2025 confirms ransomware activity targeting Malaysia has escalated sharply. Starlight’s data reveals a more than doubling of incidents from 2023 to 2025, a trend that demands immediate attention from every sector.
Top 10 Ransomware Threat Actors in Malaysia
Starlight Intelligence tracks the most active ransomware groups operating against Malaysian targets. LockBit continues to dominate, while newer actors like Qilin and Akira are rapidly gaining ground.
| Threat Actor | Incidents |
|---|---|
| LockBit 3.0 | 17 |
| Qilin | 13 |
| Direwolf | 9 |
| Ransomhub | 6 |
| Obscura | 5 |
| Hunter | 4 |
| Babuk2 | 4 |
| TheGentlemen | 4 |
| Akira | 3 |
| Lv | 2 |
Key Threat Actor Profiles
| Threat Actor | Affiliations / Origins | Strategic Focus & Tactics |
|---|---|---|
| LockBit (3.0/5.0) | Global RaaS / Eastern Europe | Uses “invisible mode” and API harvesting; targets manufacturing sector |
| Qilin (Agenda) | Russia-linked RaaS | Uses Rust language for speed; primary threat to aviation and healthcare |
| Direwolf | SE Asia (Human-operated) | Specialised in double-extortion against tech and legal sectors |
| INDOHAXSEC | Indonesia-based Hacktivist | Ideologically motivated; targets government for data leaks |
| Akira | Global RaaS | Focuses on Windows and ESXi; highly prolific in late 2025 |
2026 Outlook: AI as a Double-Edged Sword
Starlight Intelligence’s forward-looking analysis warns that AI is no longer a future concept. It is a functional weapon already deployed by adversaries and defenders alike in the 2026 threat landscape.
- High-value Business Email Compromise (BEC) now uses AI-generated voice and video to impersonate CEOs
- NLP used to craft “Manglish” (Malaysian English) localised phishing lures that bypass traditional filters
- Strains like LAMEHUG and PROMPTFLUX use LLM interactions to re-generate source code on execution, making them invisible to signature-based EDR
- AI agents now handle the “volume problem”, triaging thousands of alerts to identify true positives in milliseconds
- Shifting from detection to anticipation by identifying pattern anomalies before a breach occurs
High-Risk Sectors for 2026 (Starlight Forecast)
Healthcare
Primary target due to critical nature of patient records and zero downtime tolerance
Manufacturing & Energy
Increasing risk from IT-OT convergence; corporate breaches can trigger physical production halts
Critical Infrastructure
Targeted by state-sponsored actors to sow economic chaos and disrupt essential public services
Thank You, Starlight Intelligence
Simply Data extends its deepest gratitude to the entire team at Starlight Intelligence for their exceptional contribution of Malaysia-specific ransomware statistics, threat actor profiles, and forward-looking intelligence to this report. Your commitment to building a safer Malaysian cyberspace through open collaboration and knowledge-sharing is an inspiration to the entire regional security community.
Starlight Intelligence’s proprietary Neural Network-driven analysis has given Malaysian organisations a level of adversary insight that is rare, actionable, and genuinely life-saving for businesses navigating the 2025–2026 threat landscape.
Flawtrack: External Exposure & Dark Web Observations
Pages 12 and 13 of the Malaysia cybersecurity threat report 2025 are powered exclusively by data from Flawtrack’s Intelligence Platform, covering 2025 statistics on external exposure and dark web activity targeting Malaysian organisations. Flawtrack’s Attack Surface Management (ASM) and Dark Web Monitoring capabilities provide a critical outside-in view of Malaysia’s digital exposure, intelligence that internal SOC telemetry alone cannot capture.
To complement the Malaysia cybersecurity threat report 2025 internal SOC findings, we collaborated with Flawtrack to analyse external exposure and dark web intelligence trends observed across Malaysian organisations. The result is one of the most complete pictures of Malaysian cyber exposure ever published.
Overall Exposure Statistics: Malaysia 2025
Sector Breakdown: Exposed Domains and Credentials
The Malaysia cybersecurity threat report 2025 shows the Commercial sector leads in absolute credential volume, but Government’s exposure per domain is particularly alarming given the sensitivity of data held within those environments.
| Sector | Domains Affected | Total Credentials | Unique Users | % of Total |
|---|---|---|---|---|
| Commercial | 21,451 | 2,249,263 | 973,998 | 38.9% |
| Government | 3,980 | 1,619,708 | 712,996 | 28.0% |
| Education | 5,404 | 1,013,829 | 317,859 | 17.5% |
| Other | 13,753 | 893,812 | 403,549 | 15.5% |
Compromised Endpoint Breakdown by Sector
| Sector | Endpoints | Credentials | Unique Users |
|---|---|---|---|
| Commercial | 499,265 | 1,909,848 | 158,913 |
| Government | 460,825 | 1,832,196 | 159,825 |
| Education | 189,339 | 918,724 | 72,024 |
| Other | 182,867 | 702,948 | 58,135 |
Compromised Device Operating System Distribution
The Malaysia cybersecurity threat report 2025 shows Windows 10 dominates the compromised device landscape at 71.3%, a significant concern given Microsoft’s end-of-support timeline. Windows 11 devices yield the highest average credentials per device at 250, suggesting that even newer systems are heavily compromised once stealer malware takes hold.
| Operating System | Devices | Credentials | % of Devices | Avg Creds/Device |
|---|---|---|---|---|
| Windows 10 | 54,994 | 8,307,511 | 71.3% | 151 |
| Windows 11 | 17,185 | 4,297,128 | 22.3% | 250 |
| Other | 3,103 | 557,506 | 4.0% | 180 |
| Windows 7 | 1,787 | 143,644 | 2.3% | 80 |
| Windows Server | 17 | 5,673 | <0.1% | 334 |
Dark Web Marketplace Activity: Key Findings
The Malaysia cybersecurity threat report 2025 reveals Malaysian credentials are actively traded on underground marketplaces and forums, with fresh dumps appearing daily from large-scale infostealer campaigns.
Government and banking credentials command premium prices in dark web listings, reflecting high-value access to sensitive systems and financial infrastructure.
Combo lists containing Malaysian email addresses are frequently updated and redistributed across hacker forums, amplifying the reach of each breach.
Stealer logs from Malaysian endpoints, containing saved passwords, session cookies, and autofill data, are bundled and sold in bulk packages, enabling low-skill attackers to execute large-scale account takeover campaigns.
As highlighted in the Malaysia cybersecurity threat report 2025, credential reuse across services significantly amplifies the impact of each individual breach. A single leaked password can unlock email, cloud storage, HR systems, and financial platforms simultaneously.
Thank You, Flawtrack
Simply Data sincerely thanks the Flawtrack team for their outstanding contribution of Attack Surface Management and Dark Web Monitoring intelligence to this report. The external exposure data covering 44,593 Malaysian domains and 5.77 million compromised credentials represents a level of visibility that is uniquely valuable, and that no internal monitoring capability alone could provide.
Flawtrack’s dedication to tracking Malaysia’s external threat surface and dark web exposure in real-time is a critical service to the nation’s cybersecurity ecosystem. We are proud to have Flawtrack as a data partner and look forward to continuing this collaboration in protecting Malaysian organisations from outside-in threats.
Prediction & Recommendations for 2026
Building on the Malaysia cybersecurity threat report 2025 data and intelligence from Simply Data’s SOC, Starlight Intelligence, and Flawtrack, three primary threat categories are forecast to define the 2026 Malaysian cyber landscape.
- AI agent and AI-driven workflow adoption will introduce new attack vectors not fully addressed by traditional application security controls
- Prompt injection attacks are expected to increase, enabling attackers to manipulate agent behaviour to extract API keys, credentials, system prompts, or internal logic
- Agent-to-agent phishing, where malicious agents impersonate trusted agents or inject malicious instructions into multi-agent workflows, is likely to emerge as a viable technique in automated business processes
Implement strict input validation and output filtering for AI agents. Enforce least-privilege access for APIs and secrets, and isolate agent execution environments. Secrets should never be embedded directly in prompts or agent memory. Continuous monitoring of agent behaviour, strong authentication between agents, and human-in-the-loop controls for high-risk actions are critical to reducing the blast radius of successful prompt manipulation.
- Supply chain risk will remain significant and persistent in 2026 as organisations continue to rely on interconnected SaaS platforms, cloud services, and third-party integrations
- Compromises affecting vendors, software dependencies, or trusted external services are expected to continue enabling indirect access to enterprise environments, including identity systems such as Microsoft 365
Strengthen third-party risk management by integrating threat intelligence feeds, attack surface managem
What Malaysian Organisations Must Do Now
Based on the Malaysia cybersecurity threat report 2025, Simply Data recommends four immediate priorities for Malaysian organisations.
Implement Phishing-Resistant MFA Across All M365 Accounts
Password spraying and credential theft are the leading attack vectors. Hardware tokens or FIDO2 keys should be mandatory for all privileged accounts and progressively rolled out to all users. Conditional Access policies must enforce MFA from every location, including trusted networks.
Deploy Identity Threat Detection & Response (ITDR)
Traditional EDR is insufficient when the primary attack surface is the identity layer. ITDR solutions provide continuous monitoring of identity behaviours, detecting anomalous logins, privilege escalations, and directory object changes before they progress to full compromise.
Conduct a Privilege Access Review Now
The Malaysia cybersecurity threat report 2025 identifies accounts with non-expiring passwords, excessive admin rights, and immediate elevation of new accounts as persistent findings. A structured Privileged Access Management (PAM) programme with regular review cycles is essential to closing the governance gaps attackers rely on.
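The governance findings called out here and under "Weak Access Controls and Privilege Management" (never-expiring passwords, new accounts elevated to admin almost immediately) can be checked mechanically as part of a privileged access review. The following is an added example for this article, not Simply Data's rule set; the account fields and audit-event shape are assumptions standing in for a directory export and audit log.

```python
"""Audit a directory snapshot and audit-log events for two governance gaps:
non-expiring passwords and rapid elevation of newly created accounts.
Constructed sample data; field names are assumptions, not a vendor schema."""
from datetime import datetime, timedelta

# Constructed directory snapshot (fields assumed: upn, password_never_expires, admin).
ACCOUNTS = [
    {"upn": "svc-backup@example.my", "password_never_expires": True,  "admin": True},
    {"upn": "alice@example.my",      "password_never_expires": False, "admin": False},
    {"upn": "kiosk@example.my",      "password_never_expires": True,  "admin": False},
]

# Constructed audit events: (time, action, actor, target).
AUDIT = [
    ("2025-09-12T22:01:00", "UserCreated", "helpdesk@example.my", "tmp-admin@example.my"),
    ("2025-09-12T22:03:30", "AddedToRole", "helpdesk@example.my", "tmp-admin@example.my"),
    ("2025-09-13T09:00:00", "UserCreated", "hr@example.my",       "newhire@example.my"),
    ("2025-09-15T10:00:00", "AddedToRole", "itadmin@example.my",  "newhire@example.my"),
]

# Audit actions treated as granting privilege (assumed labels for illustration).
PRIVILEGE_GRANT_ACTIONS = {"AddedToRole", "AddedToGroup:Domain Admins"}

def never_expiring_accounts(accounts):
    """Return UPNs whose password never expires, admin accounts first, since a
    non-expiring password on a privileged account is the highest-risk combination."""
    hits = [a for a in accounts if a["password_never_expires"]]
    return [a["upn"] for a in sorted(hits, key=lambda a: not a["admin"])]

def rapid_elevation(audit, window=timedelta(hours=1)):
    """Return (target, actor, minutes_after_creation) for accounts granted a
    privileged role within `window` of being created. Normal onboarding rarely needs
    admin rights in the first hour, so this isolates the 'new user created / login
    using admin privileges' pattern from routine provisioning."""
    created = {}
    for t, action, _actor, target in audit:
        if action == "UserCreated":
            created[target] = datetime.fromisoformat(t)
    findings = []
    for t, action, actor, target in audit:
        if action in PRIVILEGE_GRANT_ACTIONS and target in created:
            delta = datetime.fromisoformat(t) - created[target]
            if timedelta(0) <= delta <= window:
                findings.append((target, actor, round(delta.total_seconds() / 60, 1)))
    return findings

if __name__ == "__main__":
    print("never-expiring:", never_expiring_accounts(ACCOUNTS))
    print("rapid elevation:", rapid_elevation(AUDIT))
```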
Review and Restrict Third-Party OAuth Permissions in M365
Compromised external applications and OAuth tokens represent a growing supply chain attack vector. Organisations should audit all connected applications, revoke unnecessary permissions, and implement Microsoft Defender for Cloud Apps to monitor OAuth abuse in real time.
Adopt IoT-Specific Network Segmentation Controls
IoT-related threats are forecast to increase in 2026, a key finding of the Malaysia cybersecurity threat report 2025. Organisations should segment IoT device traffic from core business systems using dedicated VLANs, enforce continuous traffic inspection, and maintain an up-to-date device inventory. Poorly secured IoT devices remain low-effort entry points for network-based attacks.
Monitor Dark Web Exposure Continuously
Given the volume of Malaysian credentials documented in the Malaysia cybersecurity threat report 2025 trading on underground markets, dark web monitoring should be a standard component of any organisation’s threat intelligence programme. Early detection of leaked credentials enables proactive password resets and account lockdowns before adversaries can exploit them.
Engage a 24/7 Managed SOC with Malaysian Threat Context
The volume of alerts in the Malaysia cybersecurity threat report 2025 (12.4 million in 2025) is beyond the capacity of most internal security teams to triage effectively. A managed SOC with deep understanding of the Malaysian threat landscape, enriched threat intelligence, and 24/7 operational capability is the most effective way to reduce attacker dwell time and incident escalation rate.
Want the Full Picture?
Access the complete 40-page 2025 Malaysia Cybersecurity Threat Report — packed with incident breakdowns, threat actor profiles, sector-specific risk data, and actionable defence recommendations for Malaysian businesses.
What were the key findings in the 2025 Malaysia Cybersecurity Threat Report?
The report revealed increasing ransomware targeting Malaysian SMEs and government agencies, rising phishing and social engineering attacks, and a significant skills gap in Malaysian cybersecurity teams.
Which sectors face the highest cyber threat levels in Malaysia?
Financial services, healthcare, government, and critical infrastructure face the most severe threats according to the report. SMEs across retail and manufacturing are also increasingly targeted.
How should Malaysian businesses respond to the threat landscape identified in this report?
Implement zero-trust security models, invest in SOC capabilities, conduct regular security awareness training, maintain updated backup systems, and establish incident response plans aligned with Malaysian regulatory requirements.

