APAC Intelligence Insights Report, March 2026

Monthly intelligence on ransomware, hacktivism, infostealers and financial fraud curated by Group-IB’s Threat Intelligence team from across the Asia-Pacific region.

Group-IB’s March 2026 Intelligence Insights provide a deep dive into four critical pillars: ransomware, hacktivism, compromised accounts and financial fraud.

Unlike aggregated open-source reports, this intelligence is drawn directly from Group-IB’s proprietary telemetry, dark web monitoring and infostealer tracking.

Key Findings & APAC Cybersecurity Trends in March 2026

Ransomware More Than Doubles Across APAC

120 incidents were recorded in March 2026 - a 107% rise from February 2026. Australia and Thailand jointly topped the target list, followed by India, Malaysia, Taiwan and Japan. Manufacturing suffered the most damage, while energy, government and healthcare also recorded incidents, which signals deliberate pressure on critical infrastructure.

Adversary of the Month: The Gentlemen

The Gentlemen was the dominant ransomware force in APAC for March 2026, executing more than three times the output of any other single group. Active since May 2025 and led by a former Qilin affiliate, the group is reportedly developing Linux and ESXi variants with AI assistance, and primarily targets technology companies, insurance firms and financial services organisations.

Government and Military Become the Dominant Hacktivist Target

Despite overall DDoS volumes falling 85.8% compared to February 2026, government and military institutions absorbed 50% of all activity. RipperSec was the most active group, while other groups showed fragmented activity. India and South Korea together accounted for approximately 80% of regional DDoS activity, with Hider_Nex specifically targeting South Korean government websites and Everest ransomware striking Hyundai Elevator on 6 March 2026.

India Bears 43% of All Infostealer Damage as Vidar Tightens Its Grip

While the number of compromised accounts fell, concentration intensified, with Vidar driving nearly 60% of all incidents - up from 48.6% in January 2026. India, Indonesia, the Philippines and Vietnam were the hardest-hit countries, with South-East Asia accounting for approximately 70% of all regional infostealer activity.

Bank Card Fraud Doubles as Telegram Becomes Near-Exclusive Criminal Marketplace

India and Japan contributed approximately 45% of all cases. Telegram accounts and bots have reduced traditional cybercrime forums to just 1.3% of distribution and activity.

Frequently asked questions

What are the top ransomware threats in APAC in March 2026?

The Gentlemen is the most active and dangerous group, executing 36 attacks in March 2026 – the single highest output of any ransomware group in the region. Qilin remains significant with 12 incidents, followed by Gunra and Payload Ransom with 8 incidents each. Australia and Thailand are jointly the most targeted countries, and manufacturing is the hardest hit sector.

Which countries in Asia-Pacific are most targeted by cybercriminals?

Targeting varies by threat type. For ransomware, Australia and Thailand lead jointly with 18 incidents each, followed by India, Malaysia and Taiwan. For DDoS and hacktivism, India and South Korea together represent approximately 80% of all regional activity. For infostealer-driven account compromise, India accounts for 43% of the regional total. For bank card fraud, India and Japan are the primary targets, contributing nearly half of all cases between them.

How is the Vidar infostealer affecting the region?

Vidar is the dominant malware family in APAC, responsible for nearly 60% of all compromised accounts in March 2026 — up from 48.6% in January 2026. It primarily targets saved passwords, session tokens, and browser cookies, allowing threat actors to access accounts and bypass multi-factor authentication. India, Indonesia and the Philippines are the most heavily affected countries.

Why is the shift to Telegram significant for financial fraud?

Telegram and TG bots together now account for over 93% of all stolen bank card distribution tracked by Group-IB in March 2026. The move to Telegram allows criminals to automate card sales via bots, reach buyers at scale, and reduce their exposure to law enforcement takedowns. Dark web forum monitoring now covers less than 7% of distribution activity, making Telegram channel intelligence the primary detection surface for stolen financial data.

Who are The Gentlemen and why are they the Adversary of the Month?

The Gentlemen is a financially motivated ransomware group active since May 2025, with approximately 15 members. Unlike traditional Ransomware-as-a-Service operations, the group distributes tools directly via Tox messenger without an affiliate panel. In March 2026 alone, the group executed 36 attacks across nine APAC countries. Group-IB has published a full TTP overview, “Hasta la vista, Hastalamuerte”, providing detailed analysis of the group’s tactics, techniques and procedures.

Who Should Read This Report

This free report is an essential 15-minute read for APAC Security and Risk Professionals:

Chief Information Security Officers (CISOs), Chief Information Officers (CIOs) and Heads of Security.

Fraud, Risk and Compliance Leaders.

Government and Law Enforcement Professionals.

Security Operations Center (SOC), Incident Response (IR) and Threat Intelligence (TI) Teams.

Board Level and Executive Decision Makers.

If you are responsible for protecting digital assets, customers or national infrastructure in APAC, this report is for you.