June 2, 2026
The Philippines Cyber Threat Landscape
Emerging risks, Adversary Activity, Strategic Risk Assessment and National Security Implications
V
— — — — — — — Table of Contents — — — — — — — —
- Introduction
- 01 Executive Summary
- 02 Geopolitical Context & Threat Drivers
- 03 Threat Actor Landscape (APTs)
- 04 Primary Attack Vectors & TTPs
- 05 Major Incident Timeline
- 06 Targeted Sectors & Dark Web Activity
- 07 Ransomware & Criminal Threat Groups
- 08 Regulatory & Policy Framework
- 09 Structural Vulnerabilities
- 10 Strategic Recommendations
— — — — — — — INTRODUCTION — — — — — — —
As the Philippines accelerates its digital transformation, cyberspace has become a critical domain underpinning government services, financial systems, telecommunications, healthcare, education and national infrastructure.
The Philippines stands at a critical crossroads in its digital evolution: a nation rapidly embracing connectivity, e-governance and digital finance while simultaneously confronting one of the most aggressive and complex cyber threat environments in the Asia-Pacific region. Driven by escalating geopolitical tension in the South China Sea, the country has become a target for state-sponsored Advanced Persistent Threat (APT) groups, predominantly linked to China, whose operations span strategic espionage, pre-positioning of disruptive malware, and influence campaigns designed to erode public trust in government institutions. Alongside these nation-state threats, an industrialized cybercriminal ecosystem, powered by artificial intelligence and deepfake technology, is exploiting the country's mobile-first population, rapid cloud adoption, and systemic security gaps to conduct phishing, ransomware, and large-scale data theft at unprecedented scale and velocity.
In an era where cyber incidents can disrupt economies, undermine public trust, and threaten national security, understanding the threat landscape is no longer optional; it is essential.
This report presents a comprehensive intelligence assessment of the Philippine cyber threat landscape from 2022 through mid-2026, combining data from leading threat intelligence firms, disclosures from government agencies, incident reports, and open-source intelligence. It examines the full scope and scale of adversarial activity, from the quiet, long-dwell intrusions of Chinese APT groups targeting military and government network infrastructure, to the financially motivated ransomware campaigns that have exposed the personal data of tens of millions of Filipino citizens. Beyond listing threats, this report identifies the structural vulnerabilities and governance gaps that continue to enable threat actors, and offers actionable strategic recommendations for government agencies, private sector organizations and national policymakers seeking to build a more resilient digital Philippines.
01 Executive Summary
The Threat Has Become Industrialized
The Philippines has entered a critical point in its cybersecurity posture, one where rapid digital adoption, escalating geopolitical tension in the South China Sea, and systemic governance gaps have converged to create one of the most complex threat environments in Southeast Asia.
The Philippine cyber threat landscape is defined by three concurrent and compounding phenomena: sustained state-sponsored espionage operations primarily linked to China; an industrialized cybercrime ecosystem deploying AI-accelerated phishing, ransomware, and social engineering at remarkable scale; and persistent structural vulnerabilities across government, healthcare, and critical infrastructure sectors that continue to expose sensitive data.
According to Viettel Security, in Q3 2025 alone cyberattacks surged 49%, exposing over 52 million credentials in a single quarter. Phishing incidents jumped 423% between 2024 and 2025. The National Intelligence Coordinating Agency (NICA) uncovered 234 data breaches across high-level government agencies in 2025, a figure that underscores the depth of penetration already achieved by threat actors. The Philippine DICT (Department of Information and Communications Technology) reported deterring more than 60 APT groups during 2024 alone, with more than half attributed to Chinese-linked actors.
Critical Assessment
The Philippines ranks among the most actively targeted nations in the Asia-Pacific region. Its combination of geopolitical importance (the South China Sea dispute, US base access under EDCA), mobile-first digital infrastructure, and immature cybersecurity governance makes it a high-value, lower-resistance target for both state actors and cybercriminals.
02 Geopolitical Context & Threat Drivers
Where Geopolitics Meets Cyberspace
The South China Sea dispute has become a primary geopolitical engine driving state-sponsored cyber operations against the Philippines, transforming maritime tensions into a persistent digital conflict.
The South China Sea link
Chinese state-sponsored APT groups have conducted cyber-espionage, persistent surveillance, and pre-positioning of disruptive malware against Philippine government entities and military telecommunications, directly correlated with maritime confrontations in the West Philippine Sea. These cyber operations serve Beijing's objectives of intelligence collection, disruption capability staging, and influence operations aimed at instigating societal discontent.
In early 2025, Philippine law enforcement arrested multiple Chinese nationals accused of mapping critical infrastructure including military bases with US access under the Enhanced Defense Cooperation Agreement (EDCA). This physical intelligence-gathering was accompanied by concurrent cyber operations, illustrating the fusion of traditional and cyber espionage.
US Alliance Attack Surface
The Philippines' deepening security relationship with the United States, including expanded EDCA military access, joint patrols, and intelligence sharing, elevates its value as a cyber target. Compromising Philippine networks potentially provides adversaries insight into US-Philippine joint operations, force posture, and contingency planning.
Hacktivist Convergence
As tensions mounted over the South China Sea, domestic threat actors launched campaigns including #OpChina, targeting Chinese-related entities. Meanwhile, Chinese APT groups reportedly attempted to recruit local Philippine threat actors, who declined cooperation. This is a novel dynamic in which geopolitical tension created an attempted domestic proxy recruitment pipeline.
"The goal of this activity is to discredit the government and create chaos via cyberspace, as the Philippine population relies heavily on digital media channels and is active on social media networks"
- Shawn Loveland, COO, Resecurity
03 Threat Actor Landscape
Advanced Persistent Threats Targeting the Philippines
Over 60 APT groups were identified targeting Philippine Government and private sector entities in 2024, with Chinese-linked actors accounting for the majority. The following are the most significant confirmed threat actors.
- Mustang Panda (China). Primary targets: government, diplomatic entities, NGOs, telcos. Key TTPs/malware: LOTUSLITE, Toneshell, PlugX, COOLCLIENT; DLL sideloading, spear-phishing, USB worms.
- Lotus Panda (China). Primary targets: government, manufacturing, telecom, media. Key TTPs/malware: Elise (Trensil) backdoor; command execution, file manipulation.
- APT41 / Brass Typhoon (China). Primary targets: military entities, government, energy. Key TTPs/malware: custom backdoors; dual espionage/criminal operations; supply chain compromise.
- Earth Kurma (China). Primary targets: government, telecommunications. Key TTPs/malware: prolonged undetected access; persistent implants targeting Southeast Asian telcos.
- HoneyMyte/SideWinder (China). Primary targets: government, diplomatic entities. Key TTPs/malware: Toneshell malware; political/strategic intelligence exfiltration.
- Volt Typhoon (China). Primary targets: critical infrastructure, telcos, transportation. Key TTPs/malware: strategic positioning within target networks.
- Salt Typhoon (China). Primary targets: telcos, network infrastructure, IT service providers. Key TTPs/malware: living-off-the-land techniques, stealthy persistence.
- APT32/OceanLotus (Vietnam). Primary targets: government, media, manufacturing, and maritime sectors. Key TTPs/malware: sophisticated spear-phishing campaigns.
- EggStreme actor (China). Primary target: military-industrial complex. Key TTPs/malware: EggStreme multi-stage malware (Apr 2024–Jun 2025); reconnaissance, lateral movement, keylogging, data theft operations.
- Lazarus Group (North Korea). Primary targets: financial institutions, crypto. Key TTPs/malware: financially motivated; supply chain attacks; cryptocurrency theft operations.
Intelligence Note — EggStreme Campaign
A novel multi-stage malware framework dubbed "EggStreme" was discovered by Bitdefender in late 2025 during an investigation into a Philippine military company. The campaign spanned over 14 months (April 2024 to June 2025), enabling persistent backdoor access, lateral movement, keystroke logging, and data exfiltration. These are hallmarks of advanced state-sponsored operations aligned with Chinese strategic interest in the South China Sea.
04 Primary Attack Vectors & TTPs
How Adversaries Penetrate Philippine Networks
Common Attack Vectors:
- Phishing / Smishing: Phishing remains the most prevalent cyber threat affecting Philippine organizations and citizens, owing to the widespread use of online banking, e-government services and cloud-based productivity platforms.
- Social Engineering: Remains highly effective because attackers often leverage local language, current events, government announcements, and trusted brands to increase credibility.
- Ransomware: Ransomware incidents continue to impact both public and private sectors, causing operational disruptions and financial losses.
- Credential / Infostealer Malware: Compromised credentials remain one of the leading causes of cloud account compromise and unauthorized access incidents.
- DDoS Attacks: DDoS attacks are commonly observed during politically sensitive events, elections, and periods of geopolitical tension.
- Supply Chain Compromise: Government agencies and critical infrastructure operators increasingly depend on third-party providers, expanding the attack surface.
- APT Spear-Phishing (DLL Sideloading): Recent espionage campaigns targeting Philippine military-related organizations have used DLL sideloading and memory-resident malware frameworks.
- Vulnerability Exploitation (CVEs): Unpatched internet-facing systems remain one of the most common attack vectors observed across public and private sector organizations.
AI-Accelerated Threats
The 423% surge in phishing alerts between 2024 and 2025 is directly attributed to the AI-driven industrialization of attack campaigns. Cybercriminals are deploying large language models to generate highly personalized spear-phishing emails, while deepfake technology is being used for voice and video fraud targeting financial institutions and executives.
Smishing (SMS phishing) has emerged as the dominant delivery channel, exploiting the Philippines' mobile-first internet population. Polymorphic phishing links that change every few minutes are defeating traditional URL-filter defenses. Online-casino-themed phishing pages alone account for nearly half of all detected phishing incidents, and 57.7% of malicious pages use HTTPS to appear legitimate.
Supply Chain Vulnerabilities
One hundred percent of surveyed Philippine organizations reported adverse impact from third-party breaches in 2025, a catastrophic figure that reveals systemic over-dependence on unsecured external vendors. Work-from-home policies have amplified this risk, as employees access corporate portals via personal devices susceptible to infostealers, which harvest credentials that are subsequently sold on dark web markets.
DDoS Landscape
The Philippines recorded 10,480 DDoS attacks, with peak bandwidth reaching 588.12 Gbps and an average duration of 96 minutes. These are attacks of sufficient scale to disable government portals, financial services, and critical online services. Hacktivist groups and state-adjacent actors have used DDoS both as a tool for political signaling and as a distraction during concurrent intrusion operations.
05 Major Incident Timeline
Key Cyber Incidents: 2016–2026
February 2016: Comelec "ComeLEAK" — 55 Million Voters Exposed. Hackers defaced the Commission on Elections website and exfiltrated the complete database of 55 million registered Filipino voters, at the time the largest government data breach globally. The data appeared on a Russian-hosted site weeks later. No criminal convictions have been secured to date.
April 2023: Multi-Agency Breach — PNP, NBI, BIR, SAF Records leaked Over one million records from Philippine National Police, National Bureau of Investigation, Bureau of Internal Revenue, and PNP Special Action Force were leaked in a coordinated data breach targeting law enforcement databases.
August 2023: Mustang Panda Infiltrates Philippine Government Entity. Chinese APT group Mustang Panda compromised a Philippine government entity, masking C2 traffic behind a spoofed Microsoft domain. The breach coincided with heightened tension in the South China Sea.
September 2023: PhilHealth Medusa Ransomware Attack — 42 Million Affected. The Medusa ransomware group disabled PhilHealth systems. After the agency refused a $300,000 ransom, 730 GB of data was publicly released.
October 2023: Philippine Statistics Authority & DOST Breached PSA reported a breach compromising civil registry and social welfare programme data. Days later, DOST's OneExpert portal was compromised. A succession of breaches within weeks raised urgent questions about the integrity of government cybersecurity infrastructure.
Q1 2024: 325% Surge in Malicious Cyber Activity Cybersecurity firm Resecurity documented a 325% jump in malicious cyber activity targeting the Philippines in early 2024 versus the same period in 2023. Targets were 80% government and 20% educational institutions.
March 2024: ASEAN Summit — Stately Taurus Deploys Malware Packages Timed to coincide with ASEAN-Australia Special Summit, Chinese APT Stately Taurus deployed two malware packages targeting entities in the Philippines, Myanmar, Japan, and Singapore.
June 2025: EggStreme Malware Campaign Against Philippine Defense Company. A Chinese-linked APT conducted a 14-month persistent access operation against a Philippine military-industrial company, deploying the novel EggStreme multi-stage framework for reconnaissance, lateral movement, and data theft. Bitdefender's disclosure in late 2025 revealed the campaign's full scope.
2025: NICA Reports 234 Breaches Across High-Level Government Agencies. NICA's Deputy Director General disclosed 234 data breaches at "high-level" unnamed government agencies during a Senate hearing. Separately, 79 Chinese-linked cyber activities were confirmed against agencies including AMLC, BIR, BFAR, DICT, DOJ and NTC, spanning financial intelligence, foreign affairs, and ICT regulatory bodies.
Q3 2025: Cyberattacks Surge 49% — 52+ Million Credentials Compromised. Viettel Cyber Security documented 76 data breach incidents in July-September 2025 alone, a 49% increase over the prior quarter. Over 52 million credentials were exposed, with 4.3 million accounts compromised (a 73% increase quarter-over-quarter). AI and deepfake tools accelerated attack sophistication.
January 2026: Philippine Army Classification Data Allegedly Exposed An unknown actor claimed exposure of Philippine Army classified data. The authenticity of the claim remained under investigation, but it illustrated continued targeting of military infrastructure by threat actors aligned with Chinese strategic interest.
06 Targeted Sectors & Dark Web Activity
Who Is Being Targeted
Dark Web Threat Distribution by Sector
- Public Administration — 20.5%
- Education — 14.8%
- Finance & Insurance — 10.1%
- Healthcare — 9.4%
- Telecommunications — 8.7%
- E-Commerce/Retail — 7.2%
Public Administration, Education, and Finance together account for nearly 45% of all dark web threats targeting Philippine organizations. The dominance of government targets reflects both the geopolitical driver of state-sponsored espionage and the structural weakness of public sector IT systems, which frequently run legacy infrastructure without adequate patch management.
Dark Web Ecosystem
Philippine entities face a bifurcated dark web threat: 78.3% of dark web activity targets domestic organizations exclusively, indicating that this is not simply collateral targeting from global campaigns but deliberate, Philippines-focused operations. The dominant dark web activities are data/database sales (55.8% of listings) and data sharing (40.8%), with 80% of threats involving leaked databases and 14% offering initial access to compromised networks, directly enabling follow-on intrusions.
Phishing Targeting by Sector
E-commerce platforms bear the heaviest phishing burden, accounting for 43.2% of phishing attacks, a reflection of the Philippines' rapidly growing digital payment ecosystem and high social media engagement. Online-casino-themed branded phishing pages alone represent nearly half of all active phishing incidents, exploiting the country's significant online gambling activity. Financial services and healthcare platforms follow as secondary targets.
Supply Chain Risk Note
100% of surveyed Philippine organizations reported negative impact from third-party breaches in 2025. This systemic supply chain vulnerability is compounded by rapid cloud adoption without adequate security controls, creating cascading exposure across interconnected industries.
07 Ransomware & Criminal Threat Groups
The Ransomware Ecosystem
Ransomware targeting the Philippines has evolved from opportunistic data encryption to sophisticated double-extortion operations targeting operational infrastructure — financial systems, data centers, and critical utilities.
Active Ransomware Groups
- Medusa — 16.1% share of Philippine ransomware incidents.
- Qilin — 9.7% share. A relatively new group employing advanced double extortion.
- LockBit 3.0 — 6.5% share. LockBit affiliates continue operating against Philippine targets.
Notably, 68% of ransomware incidents targeting the Philippines originate from a long tail of smaller, opportunistic groups, reflecting the commoditization of ransomware tooling through Ransomware-as-a-Service platforms. The dominance of domestically focused actors (88.2% of ransomware attacks target Philippine entities exclusively) suggests dedicated, tailored campaigns rather than indiscriminate global operations.
Evolving Ransomware Tactics
Philippine ransomware operations are extending beyond data theft to target operational and service-enabling infrastructure, including financial transaction systems, data center operations, and supporting utilities. This shift towards operational disruption rather than pure data leverage represents an escalation in potential harm to critical services.
"Modern ransomware groups don't just lock your files, they steal them first then threaten public release while simultaneously threatening operational disruption."
- Philippine Security Summit Analysis, 2026
08 Regulatory & Policy Framework
Governance Architecture
Core Legal Framework
The Philippines operates a distributed but integrated cybersecurity governance model anchored by two foundational laws: the Data Privacy Act of 2012 (RA 10173), enforced by the National Privacy Commission (NPC), which mandates 72-hour breach notification and appropriate security controls; and the Cybercrime Prevention Act of 2012 (RA 10175), which criminalizes unauthorized access, data interference, and cybersquatting.
National Cybersecurity Plan 2023–2028
The DICT's NCSP 2023–2028 serves as the strategic blueprint for national cyber defense. Its 2025 milestones emphasized capacity-building, threat detection, incident response capability, and public-private collaboration. Key 2024 DICT circulars introduced mandatory vulnerability disclosure, layered security requirements for government agencies, and Critical Information Infrastructure (CII) protection frameworks.
Recent Policy Developments
In January 2026, DICT formalized the Trusted Assessment Providers (DTAP) framework, accrediting entities to conduct Vulnerability Assessment and Penetration Testing (VAPT) and ISMS assessments for government agencies. The 2026 national budget included dedicated cybersecurity funding through DICT, the Cybercrime Investigation and Coordinating Center (CICC), and the NPC. The Konektadong Pinoy Act's implementing rules tightened requirements for zero-trust frameworks, vulnerability testing, and third-party compliance.
Critical Policy Gap
Despite legislative progress, a dedicated, comprehensive Cybersecurity Act remains pending in the Philippine Congress. The Philippine Institute of Cyber Security Professionals (PICSPro) characterizes the current framework as "reactive and fragmented." The PhilHealth breach revealed that the legal breach notification requirement (72 hours) is routinely violated without consequence; PhilHealth failed to notify over 42 million victims as legally required.
Key Institutions
DICT / NCERT: The Department of ICT leads national cybersecurity strategy. The National Computer Emergency Response Team handles incident response 24/7.
NPC: The National Privacy Commission enforces data protection laws, investigates breaches, and can impose sanctions on non-compliant entities.
CICC: The Cybercrime Investigation and Coordinating Center coordinates law enforcement responses to cybercrime across agencies.
NICA: The National Intelligence Coordinating Agency provides threat intelligence on foreign cyber operations targeting Philippine interests.
09 Structural Vulnerabilities
Legacy Government IT Infrastructure
A significant proportion of Philippine government agencies operate on legacy systems with known, unpatched vulnerabilities. Outdated software versions including aging web server stacks and unsupported operating systems are systematically identified in attack surface monitoring of Philippine government domains. Budget constraints, procurement bureaucracy, and a shortage of qualified government IT personnel perpetuate this exposure.
Mobile-First Attack Surface
The Philippines' mobile-first digital population, with one of the world's highest social media engagement rates, creates a uniquely expansive attack surface for phishing, smishing, and social engineering. The widespread use of personal devices for work (BYOD without MDM controls) means infostealer infections on home devices directly compromise enterprise credentials.
Cybersecurity Skills Shortage
The Philippines faces a severe shortage of certified cybersecurity professionals across both government and the private sector. Government agencies frequently lack dedicated security operations personnel, instead relying on general IT staff for security functions. This skills gap was explicitly acknowledged in DICT's push for the Trusted Assessment Providers framework and the Philippine Skills Framework's cybersecurity component.
Email Security Misconfigurations
Widespread absence or misconfiguration of SPF and DMARC email authentication records across Philippine organizations leaves them vulnerable to domain spoofing and email-based phishing, the primary initial access vector for both criminal and state-sponsored operations.
Rapid Unsecured Cloud Adoption
The acceleration of digital transformation across the Philippine government and private sector has outpaced security maturity. Organizations are adopting cloud services without adequate identity and access management controls, leaving misconfigured storage buckets and insufficient logging that create exploitable blind spots which threat actors systematically identify and exploit.
Accountability Deficit
Despite multiple high-profile breaches, including the 2016 ComeLEAK affecting 55 million voters, no significant criminal convictions have been secured against perpetrators. This impunity signals to attackers that the risk calculus for targeting the Philippines is favorable. The PhilHealth breach highlighted that even legally mandated breach notifications are not consistently enforced.
10 Strategic Recommendations
Recommendations for Defenders
For Government Agencies
- Enact a Standalone Cybersecurity Act: Consolidate fragmented authorities under a unified legal framework with enforceable penalties, mandatory incident reporting timelines, and clear liability for breach notification failures.
- Accelerate Legacy System Modernization: Establish a prioritized, funded roadmap for replacing end-of-life systems across government agencies, with particular urgency for agencies holding sensitive citizen data (PSA, PhilHealth, COMELEC).
- Deploy 24/7 Security Operations Centers: Expand DICT's National Security Operations Center capacity and mandate all CII-designated agencies to operate or contract SOC capabilities with real-time threat monitoring.
- Adopt Zero-Trust Architecture: Implement zero-trust network access across government ICT systems, with mandatory multi-factor authentication for all privileged accounts and external access portals.
For Private Sector Organizations
- Conduct Third-Party Supply Chain Risk Assessments: Given that 100% of organizations experienced supply chain breaches, implement continuous vendor security monitoring, contractual security standards, and real-time supply chain visibility tools.
- Harden Email Authentication: Deploy and enforce SPF, DKIM, and DMARC across all organizational domains. Enable anti-phishing controls including URL sandboxing and attachment detonation.
- Implement Mobile Device Management (MDM): Enforce separation of corporate and personal data on employee devices, with remote wipe capabilities and endpoint detection and response (EDR) on all devices accessing corporate systems.
- Build AI-Aware Threat Detection: Deploy behavioral analytics and AI-driven anomaly detection to counter AI-accelerated phishing campaigns that bypass signature-based defenses. Train employees on deepfake and synthetic media threats.
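The SPF and DMARC gaps described under Structural Vulnerabilities, and the email-hardening step above, can be checked per domain with a small review script. The following is an added example, not code from the report or from any agency it names: it grades already-fetched TXT records for constructed sample domains (agency-a/b/c.example), flagging the settings that leave a domain spoofable; a real audit would feed it live DNS lookups instead.

```python
"""Static SPF / DMARC posture review (added example, not code from the report).
Given TXT records already fetched for a domain apex and its _dmarc subdomain,
flag the gaps that leave the domain open to spoofing. Every domain and record
below is a constructed sample, not a real organization."""
import re
from collections import namedtuple

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}
# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
Finding = namedtuple("Finding", "domain severity message")


def _mechanism_name(term):
    # "+include:x" -> "include", "a/24" -> "a", "redirect=x" -> "redirect"
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def review_spf(domain, txt_records):
    """Findings for the SPF TXT record(s) published at the domain apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding(domain, "high", "no SPF record: forged senders cannot be rejected")]
    findings = []
    if len(spf) > 1:
        findings.append(Finding(domain, "high", "multiple SPF records evaluate to permerror"))
    terms = spf[0].split()[1:]
    all_term = next((t for t in terms if _mechanism_name(t) == "all"), "")
    if not all_term:
        findings.append(Finding(domain, "medium", "no 'all' mechanism: unlisted hosts are neutral"))
    elif all_term[0] not in "-~?":  # bare "all" or "+all"
        findings.append(Finding(domain, "high", "'+all' authorizes every host on the internet"))
    elif all_term[0] in "~?":
        findings.append(Finding(domain, "low", f"'{all_term}' is not an enforced fail; use '-all'"))
    lookups = sum(1 for t in terms if _mechanism_name(t) in SPF_LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(Finding(domain, "high", f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10"))
    return findings


def review_dmarc(domain, dmarc_txt_records):
    """Findings for the TXT record(s) published at _dmarc.<domain>."""
    rec = [r for r in dmarc_txt_records if r.lower().startswith("v=dmarc1")]
    if not rec:
        return [Finding(domain, "high", "no DMARC record: SPF/DKIM results are never enforced")]
    tags = {}
    for part in rec[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding(domain, "high", "p=none only monitors; spoofed mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(Finding(domain, "high", f"missing or invalid policy tag p={policy!r}"))
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(Finding(domain, "medium", f"pct={pct}: policy covers only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding(domain, "low", "no rua= address: no aggregate reports on abuse"))
    return findings


def worst_severity(findings):
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="none")


SAMPLES = {  # constructed records for three hypothetical domains
    "agency-a.example": (["v=spf1 include:_spf.mailer.example -all"],
                         ["v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example"]),
    "agency-b.example": ([], []),
    "agency-c.example": (["v=spf1 a mx include:one.example include:two.example +all"],
                         ["v=DMARC1; p=none; pct=50"]),
}


def audit(samples=SAMPLES):
    """Map each domain to (worst severity, findings) across SPF and DMARC."""
    results = {dom: review_spf(dom, spf) + review_dmarc(dom, dmarc)
               for dom, (spf, dmarc) in samples.items()}
    return {dom: (worst_severity(fs), fs) for dom, fs in results.items()}


if __name__ == "__main__":
    for dom, (sev, fs) in audit().items():
        print(dom, sev, [f.message for f in fs])
```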
National Strategic Priorities
- Build a National Cyber Threat Intelligence Sharing Platform: Formalize public-private intelligence sharing with real-time IOC (indicators of compromise) distribution across critical sectors, modeled on CISA's ISACs but tailored to the Philippine threat context.
- Invest in Domestic Cybersecurity Workforce Development: Fund scholarship programs, government-sponsored certifications, and university cybersecurity programs to address the severe skills shortage, treating cybersecurity talent as critical national infrastructure.
- Establish Cyber Deterrence Doctrine: Develop an articulated national cyber deterrence posture including attribution norms, diplomatic consequences for state-sponsored attacks, and legal frameworks for offensive cyber defense to raise costs for adversaries targeting Philippine networks.
Outlook: 2026 and Beyond
The Philippine cyber threat landscape will continue to intensify as South China Sea geopolitical tensions persist, AI capabilities lower the barrier for sophisticated attacks, and the country's digital transformation expands the attack surface faster than defensive capabilities mature. Without systemic investment in cybersecurity governance, workforce, and technology, matched by genuine enforcement of existing laws, the Philippines risks becoming permanently exposed to strategic exploitation by state and criminal actors.
Philippines Cyber Threat Landscape Report Intelligence Synthesis
Sources: DICT, NICA, NPC, GMA News, Inquirer.net, ABS-CBN News, BusinessMirror, PhilSec, Wionews, South China Morning Post, The Diplomat, PCO, CYFIRMA, SOCRadar, KnowBe4, Cyberint, Check Point, Kaspersky, Bitdefender, Viettel Cyber Security, Unit42, Trend Micro, Resecurity, RSIS, Dark Reading, The Record