Singapore’s cybersecurity posture was tested in 2025 when advanced persistent threat group UNC3886 launched a targeted campaign against the country’s four major telecommunications operators. Although authorities confirmed that no sensitive data was exfiltrated, the campaign demonstrated how sophisticated actors can exploit vulnerabilities and maintain persistent access.
Against this backdrop, ESET’s H2 2025 Threat Report shows that heading into 2026, enterprise risk is less about zero-days and more about scalable initial access tactics.
HTML/Phishing.Agent alone accounted for 31.86% of all detected threats locally, reinforcing that phishing and credential abuse remain the primary pathways into corporate environments.
Key Findings from ESET H2 2025 Threat Report
Based on local data, three defining trends are set to shape Singapore’s cybersecurity landscape in 2026:
- Phishing at scale is increasing the likelihood of successful breaches: Phishing remains the leading cause of corporate breaches in Singapore, accounting for nearly one-third of detected threats in H2 2025. Most successful breaches begin with socially engineered emails and malicious links. Rapid domain churn, including 159,010 detections tied to the phishing domain usrpubtrk[.]com, signals automated infrastructure at work.
- Compromised logins are disrupting business operations: Infostealers such as Formbook (23.45%), MSIL/Spy.Agent (16.31%) and AgentTesla (13.51%) were among the most prevalent malware detections locally. In addition, SnakeStealer has maintained visibility in regional telemetry. The malware captures keystrokes and stored credentials, enabling attackers to gain unauthorised access to corporate systems. Once compromised, these credentials can be reused for fraud, account takeover, and lateral movement. MFA, banking and enterprise SaaS platforms are increasingly accessed via mobile devices, amplifying operational and financial risk.
- Ransomware remains opportunistic but costly: While ransomware activity in Singapore remained fragmented, 64 publicly reported ransomware incidents were linked to Singapore in 2025, with the top 3 actors being Qilin, Lynx and Dire Wolf. Dire Wolf is particularly notable for its strong focus on Asian markets and growing global visibility. Targeting patterns mirrored global trends, with construction, manufacturing and IT/technology sectors most affected. This reflects opportunistic exploitation following initial access, particularly where supply-chain dependencies and downtime risks are high.
“When we look at ESET’s H2 2025 threat data alongside real-world incidents like the UNC3886 campaign in Singapore, it’s evident that phishing, credential abuse and automated attack infrastructure are central to current risk patterns,” said Parvinder Walia, President of the Asia Pacific Region, ESET.
“With cyber resilience now firmly embedded in Singapore’s national agenda, 2026 will be defined not just by response capabilities, but by how effectively business leaders build operational resilience.”
For 2026, ESET recommends that Singapore enterprises prioritise:
- Stronger delivery layer defences: Advanced email protection, attachment sandboxing and real-time URL inspection before credentials are captured or malware is delivered.
- Treating identity as the primary control plane: Mandatory MFA and conditional access across corporate and mobile environments to limit infostealer-driven compromise.
- Investments in automation to counter automation: Behavioural analytics and XDR-level visibility to contain threats early and reduce dwell time before persistence is established.











