Cyber threats in the Philippines are shifting toward human-centric manipulation. Organized syndicates now use sophisticated social engineering, such as impersonating government officials and hijacking technical platforms like Axios, to bypass automated security and compromise enterprises.
Cyber Risks Brief: 2026-04-01
Recent supply chain attacks on widely used development tools and severe network equipment vulnerabilities demand immediate patching. Additionally, Philippine enterprises are advised to maintain strict vigilance against persistent, state-sponsored cyber espionage and data harvesting operations.
Cyber Risks Brief: 2026-03-19
Philippine authorities are intensifying crackdowns on illegal gambling and regional scam hubs, while Meta has disabled 150,000 fraudulent accounts. Concurrently, enterprises face rising threats from APT41 espionage, sophisticated VPN phishing, and critical vulnerabilities in Microsoft and Veeam.
Cyber Risks Brief: 2026-03-05
The Philippine government has shifted to monitoring Telegram, while the BSP proposes annual cyber self-assessments for banks. Regionally, the FBI is targeting industrialized scam hubs. Meanwhile, threat actors are weaponizing AI tools and malicious web apps to bypass enterprise defenses.
Write-ups
90 reports
Microsoft’s Monthly Patch February 2026: 58 Vulnerabilities, 6 Zero-days, and Infinite Restart Loop Issue Reported
The February update from Microsoft addresses fifty-eight vulnerabilities, including six critical zero-day threats. While this release secures the Windows Shell and Microsoft Office Word from active exploits, some users report restart errors. Immediate installation is advised to protect systems.
Apple Patches First Zero-Day of 2026: Targeted Attacks Confirm Active Exploit (CVSS 7.8)
Apple disclosed a critical zero-day memory corruption flaw in its dynamic linker service, affecting iPhones, iPads, and Macs. The vulnerability allows attackers to bypass security gatekeepers and execute malicious code at the core operating system level.
Update Now: Google Patches Zero-Day Flaw Exploited in the Wild (CVSS 8.8)
Google disclosed a high-severity "use after free" vulnerability in the Chrome CSS engine. The flaw allows remote code execution via malicious webpages. With active exploitation confirmed, immediate updates are required for all Chromium-based browsers.
State-Sponsored Hackers Weaponize Gemini AI for Cyber Operations
The Google Threat Intelligence Group reported that state-sponsored hackers from Russia, China, Iran, and North Korea are weaponizing the Gemini AI model. These actors use AI to accelerate reconnaissance, automate phishing, and refine malware, significantly increasing the scale of cyberattacks.
Cybercrime Group 0APT Weaponizing Fake Breaches for Real Extortion
Researchers identified "0APT," a cybercrime group using recycled data to falsely claim breaches for extortion. This "disruption without intrusion" tactic weaponizes public trust to cause reputational harm and drain resources, especially impactful for Philippine firms with limited security budgets.
Threat Actors Utilizing Malware to Compromise Devices in Crypto-theft Attacks; Increasing macOS Infection Reported
North Korean threat actors are targeting the fintech industry using AI deepfakes and "ClickFix" tactics to deploy malware on Windows and macOS. By impersonating executives in video calls, they trick victims into executing malicious commands to steal cryptocurrency and sensitive identity data.
Chinese-Linked APT Group Targets Major Singapore Telcos
The China-linked threat actor UNC3886 targeted Singapore’s major telecommunications providers in a sophisticated espionage campaign. By exploiting zero-day vulnerabilities in edge devices, the group harvested network configurations, posing systemic supply-chain risks for the region.
SEC Flags Unregistered Online Lending Apps
Philippines Strengthens Defense Against Financial and AI-Driven Scams
The PNP-ACG and BPI formalized a partnership to combat sophisticated financial crimes through real-time fraud monitoring and intelligence sharing. Concurrently, the CICC warned of deepfake AI being used in romance scams to impersonate individuals and bypass traditional fraud detection methods.
Glassworm Malware Hits macOS Developer Tools
Threat actors hijacked a trusted publisher account on the Open VSX Registry to weaponize four popular developer extensions with the Glassworm infostealer. Impacting 22,000 downloads, the malware targets AWS credentials and GitHub tokens to gain insider access to corporate environments.
Coordinated Cyberattacks Hit Poland’s Energy Grid
Volatile Risks of OpenClaw
OpenClaw, a viral AI assistant, has been flagged for a critical remote code execution vulnerability. Due to its high-level system permissions and lack of sandboxing, attackers can use indirect prompt injection to exfiltrate API keys and sensitive corporate data.
AWS Recent Breach Demonstrates AI’s Speed in Compromising Security
An attacker used AI to escalate from a single stolen credential to full AWS administrative control in just eight minutes. This "LLMjacking" incident highlights a shift to machine-speed threats, where attackers automate reconnaissance to hijack cloud resources and bypass traditional defenses.
Two RCE Vulnerabilities in Automation Platform n8n Disclosed (CVSS 9.9 and 8.5)
The workflow automation platform n8n disclosed two critical RCE vulnerabilities. These flaws allow authenticated users to escape sandboxes and execute commands on the host server, risking credential theft and infrastructure-level control across connected services.
Sandbox Escape Vulnerability Found in vm2 NodeJS Library (CVSS 9.8)
A critical sandbox escape vulnerability was disclosed in the vm2 NodeJS library, carrying a CVSS of 9.8. The flaw allows attackers to bypass restricted environments to execute commands, install malware, and steal credentials, impacting software supply chain security.
Russian APT28 Exploiting Recently Patched Microsoft Office Flaw
Russian state-sponsored group APT28 is exploiting a Microsoft Office vulnerability to target government and defense sectors. This "Operation Neusploit" uses compromised documents to bypass security checks, deploying malware for long-term intelligence gathering and data theft.
Notepad++ Update Infrastructure Compromised by State-Sponsored Groups
Chinese state-sponsored threat actors hijacked the Notepad++ update infrastructure to distribute "Chrysalis" malware. This supply chain attack targeted developers and system administrators, weaponizing trusted software updates to maintain persistent remote access for regional espionage.
China-linked “PeckBirdy” Campaign Threatens Southeast Asian Networks
China-linked threat actors are utilizing the PeckBirdy framework to conduct fileless espionage across Southeast Asia. By mimicking legitimate traffic, the campaign targets government and energy infrastructure, including Philippine institutions, to maintain undetected access.
Fake Amazon Recruiters Exploit Job Seekers
Scammers are exploiting Amazon’s reputation to target job seekers with fraudulent offers. By mimicking official branding and moving conversations to encrypted messaging apps, threat actors trick victims into providing sensitive data or paying fake "training" fees under the guise of recruitment.
New Phishing Campaign Exploits Zoom Infrastructure
Researchers uncovered a new Telephone-Oriented Attack Delivery (TOAD) campaign that exploits Zoom’s infrastructure to bypass security filters. By abusing trusted domains to send legitimate-looking emails, attackers lure victims into fraudulent calls to bypass MFA and steal sensitive financial data.
Multiple Ransomware Groups Target Banking, Hospitality, and Tech Sectors
Multiple ransomware groups, including Qilin and Tengu, have claimed attacks on several Philippine firms, such as PSBank and Lenotech. While LM Metro Hotel confirmed a 30GB data breach, other claims remain unverified by authorities, highlighting a surge in local targeting.
SCAM ALERT: Fake Traffic Violation Text Messages
Authorities are warning of a text scam impersonating government agencies like the MMDA and LTO, claiming recipients have unpaid traffic violations. These messages use pressure tactics and malicious links to redirect victims to fake payment portals to steal banking credentials and personal data.
HoneyMyte’s Persistent Threat to Government Networks across Southeast Asia
HoneyMyte has intensified espionage in Southeast Asia, targeting government networks via DLL side-loading. The group bypasses security to harvest credentials and monitor activity. With 1,400 past victims in the Philippines, their persistence poses a major risk to national critical infrastructure.
New PayPal Scam: Verified Invoices With Fake Support Numbers
Cyber Risks to Monitor
Critical Takeover Attack Vulnerability in n8n Platform Disclosed (CVSS 10.0)
A critical authentication bypass vulnerability in n8n, dubbed "Ni8mare," allows unauthenticated attackers to achieve full remote code execution. With a maximum CVSS score of 10.0, the flaw enables attackers to weaponize workflows, steal credentials, and compromise connected services.
Critical Cisco Zero-Day Patched After Active Espionage Campaign
Cisco released urgent patches for a maximum-severity zero-day vulnerability in its Secure Email Gateway. Actively exploited by China-linked threat actors, the CVSS 10.0 flaw allows unauthenticated root-level command execution, enabling full device takeover and persistent network access.
China-Linked Hackers Target North American Critical Infrastructure via Sitecore Zero-Day
Cisco Talos reports that China-linked group UAT-8837 is exploiting a critical zero-day vulnerability in Sitecore CMS to breach North American critical infrastructure. The group uses insecure configurations to bypass controls, establish long-term persistence, and monitor operational plans.
Latest Microsoft Patch Released – January 2026 – 114 Vulnerabilities, 3 Zero-days, and Operational Disruptions Reported
Microsoft's January 2026 update addresses 114 vulnerabilities, including three zero-days, most notably a memory leak in Desktop Window Manager. Despite critical fixes, the rollout has caused operational disruptions, including Outlook freezes and Windows 11 shutdown failures.
Dangers of Free Online Converter Apps
Threat actors are using malvertising and fake online converter tools to distribute malware via deceptive "CAPTCHA" prompts. By mimicking legitimate productivity services, these fraudulent sites trick users into executing malicious commands and expose sensitive corporate documents to data theft.
Malicious Browser Extensions Steal Credentials and Breach Enterprise Systems
Malicious browser extension campaigns are targeting enterprise systems to steal credentials and session tokens. By masquerading as productivity tools, these extensions bypass traditional defenses to capture sensitive data and trigger social engineering attacks.
Microsoft Patches “Reprompt” Flaw: Single-click Copilot Vulnerability
Researchers uncovered a vulnerability in Microsoft Copilot which allows threat actors to exfiltrate chat histories via a single malicious link. The flaw enables silent command execution within browser-based sessions to send sensitive data to external servers without further user interaction.
Canada, AFP Conduct Joint Cybersecurity Training
The Canadian and Philippine militaries completed a five-day cyber operations course to bolster the AFP’s ability to defend critical infrastructure. Focused on detection and legal alignment, the training strengthens bilateral defense ties and regional resilience against rising cyber threats.
Philippines Lifts Grok AI Ban After Talks with xAI
The CICC lifted the ban on X’s Grok AI after xAI committed to removing deepfake and content manipulation features. The swift reversal followed similar restrictions in Malaysia and Indonesia, highlighting regional efforts to force AI developers to comply with local safety standards.
DICT to Launch “Oplan Bantay Padala” Monitoring Portal
The DICT is launching “Oplan Bantay Padala,” a centralized portal for filing complaints against courier services. Expanding on the “Oplan Bantay Signal” framework, the system aims to enhance accountability, monitor delivery performance, and professionalize the logistics industry.
KimWolf Botnet Reportedly Compromised 2 Million Android-based Streaming Devices
The "Kimwolf" campaign has compromised over two million Android streaming devices, primarily off-brand TV boxes, to build a global botnet. These infected devices facilitate DDoS attacks, credential stuffing, and bandwidth theft, often arriving pre-infected or compromised minutes after setup.
Malicious Chrome Extensions Impersonating AI Tools Steal User Data
Two malicious Chrome extensions, "Prompt Poaching," were found harvesting ChatGPT and DeepSeek chat histories. Posing as productivity tools, they bypassed security—one even holding a "Featured" badge—to exfiltrate sensitive AI data and intellectual property.
Threat Actors Exploit Google Email Cloud Features In ‘Multi-Staged’ Phishing Attacks
Threat actors are abusing Google Cloud’s “Application Integration” tool to send phishing emails from a genuine Google address. By bypassing filters and using fake CAPTCHAs, the multi-stage attack tricks users into entering Microsoft 365 credentials on fraudulent login pages.
Clickfix Attack: Fake BSOD and Booking Targeting European Hospitality Sector
The ClickFix campaign "PHALT#BLYX" targets the hospitality sector using fake BSOD errors to trick users into executing malicious code. By following "fix" instructions, victims paste commands into the Windows Run box, installing the DCRAT trojan to grant attackers remote system control.
Philippine National Police Records Fewer Cybercrime Cases in 2025
The PNP-ACG reported a decline in major cybercrime categories for 2025, including drops in online selling and investment scams. While officials credit awareness efforts, analysts note the data reflects only PNP-handled cases and not the nationwide prevalence across other agencies.
Chinese-Linked Hackers Target Taiwan’s Energy Infrastructure
Taiwan’s NSB reported that Chinese-linked actors, including Mustang Panda and APT41, average 2.63M daily intrusion attempts targeting critical sectors. The focus on energy infrastructure highlights risks for the Philippines' power grid, given its partial ownership by a Chinese state firm.