An independent aggregation of the Malaysian cyber threat landscape for 2026 — drawn from NACSA bulletins, MyCERT incident archives, Bank Negara RMiT disclosures, and nCrypt operational observation. Sector breakdowns, attack-pattern analysis, and actionable recommendations for Malaysian security and compliance teams.
Free to read online. PDF available on request — no paywall.
Malaysia's cyber threat environment in 2026 is defined by three converging forces: a measurable increase in the volume and sophistication of attacks targeting local organisations, a regulatory transition to active enforcement of the Cybersecurity Act 2024 and the amended Personal Data Protection Act, and a widening gap between the security maturity of large enterprises and the mid-market organisations that supply them.
Credential abuse — credential stuffing, phishing-driven credential harvest, and the exploitation of previously breached password databases — remains the dominant initial-access technique across all sectors. Multi-factor authentication adoption, while growing, is still insufficient across the broader Malaysian enterprise base. Ransomware activity targeting healthcare and manufacturing has intensified, and Business Email Compromise continues to generate disproportionate financial losses with low technical complexity. Supply-chain pivot attacks, in which a compromised third-party vendor is used as a stepping stone into a larger organisation, are growing in frequency and represent the most complex detection challenge.
The regulatory context is shifting decisively. The Cybersecurity Act 2024 is moving from guidance publication to active enforcement, with National Critical Information Infrastructure (NCII) operators expected to demonstrate compliance with mandatory security requirements. The 2024 PDPA amendments introduce tighter breach-notification obligations. Bank Negara's RMiT framework continues to drive security investment in the financial sector. Taken together, these create a compliance imperative that runs alongside — and reinforces — the operational security imperative.
This report aggregates publicly available data from NACSA, MyCERT, and Bank Negara, supplemented by nCrypt's operational observations. It is intended as a reference document for Malaysian CISOs, risk managers, board-level executives, and compliance officers planning their security programmes for the year ahead.
Based on aggregated NACSA, MyCERT, and Bank Negara public disclosures (2025–2026). Figures are presented as estimates and order-of-magnitude observations — not independently audited measurements.
Based on aggregated NACSA and MyCERT public bulletins, total reported incidents continued an upward trajectory through 2025, with web intrusions and phishing accounting for the largest volume categories.
Credential stuffing, phishing-harvested passwords, and reused credentials from earlier global leaks remain the leading initial access vector across Malaysian organisations.
Healthcare entities reported a three-fold increase in ransomware-related security events compared to the prior reporting period, driven largely by legacy system exposure and under-resourced IT teams.
MyCERT incident categorisation shows bank and e-wallet impersonation as the dominant phishing theme, with spoofed login portals hosted on compromised infrastructure located outside Malaysia.
BEC continues to cause disproportionate financial losses relative to its technical sophistication, with SME finance teams and procurement units most frequently targeted.
Organisations without a managed detection capability report dwell times measured in days to weeks. Early-stage lateral movement is consistently underdetected in on-premises Active Directory environments.
Cyber preparedness surveys (publicly aggregated) indicate a significant gap between awareness of the obligation to respond and the existence of a tested, documented plan.
As organisations migrate workflows to cloud SaaS, attackers increasingly compromise smaller vendors with API access to larger targets, sidestepping perimeter controls entirely.
Manufacturing and utilities sectors reported an increasing number of OT/ICS-facing incidents, often involving remotely accessible SCADA interfaces exposed without adequate authentication.
The Cybersecurity Act 2024 (Act 854) places mandatory security obligations on National Critical Information Infrastructure (NCII) operators. Enforcement is transitioning from guidance to active audit cycles through 2026.
Five sectors account for the majority of reported incidents and regulatory scrutiny in Malaysia. Each presents a distinct threat profile, control gap, and regulatory implication.
Malaysian financial institutions remain the highest-value and most intensively targeted sector. Banks, insurance providers, and e-money licensees face a dual pressure: sophisticated external threat actors and the constant compliance overlay of Bank Negara RMiT. Phishing campaigns impersonating major retail banks produce tens of thousands of credential captures annually. Business Email Compromise against treasury and trade-finance operations continues to result in fraudulent payment instructions executed by staff who receive no real-time signal that the email domain was recently registered. Mobile banking malware variants adapted from global toolkits are increasingly observed against Malaysian consumer banking apps.
Credential phishing targeting retail and corporate banking portals
Absence of continuous external monitoring for spoofed domains and typosquats of official banking URLs
RMiT (Risk Management in Technology) mandates continuous monitoring of technology assets, including third-party and cloud-hosted systems. Phishing-domain takedown capability is increasingly expected as part of RMiT 11.x evidence packs.
The healthcare sector's threat exposure accelerated significantly through 2025. Ransomware groups, observing the sector's dependency on uninterrupted data access and historically low security investment, have increased targeting of hospital information systems, patient record databases, and laboratory management platforms. Many Malaysian private hospital groups operate on Windows-based HIS systems that are difficult to patch without service interruption, creating long-lived vulnerability windows. The combination of sensitive personal health data — a high-value commodity for identity fraud — and patient-safety dependency on system availability makes healthcare a compound-risk environment. Remote access solutions deployed hastily during prior pandemic responses remain exposed and under-managed.
Ransomware against hospital information systems and pathology lab data platforms
Delayed patching cycles on clinical systems and unmanaged remote-access exposure
PDPA 2010 (amended 2024) classifies health data as sensitive personal data requiring additional protections. A ransomware-driven data exfiltration event likely triggers breach-notification obligations under the amended Act. The Cybersecurity Act 2024 designates certain healthcare infrastructure as NCII.
Government agencies and government-linked companies (GLCs) present an attractive target profile due to the volume of citizen data they hold and the reputational disruption value of publicly visible incidents. Web application vulnerabilities — particularly in citizen-facing portals built on frameworks that have not been maintained — remain a primary entry point. Sensitive citizen data exposed through misconfigured databases and storage buckets has featured in multiple publicly disclosed incidents over the reporting period. Supply-chain risk is acute in the government sector: integrators and managed-service providers to agencies frequently have persistent access with broader-than-necessary privileges, and their own security postures are inconsistently audited. Social engineering against ministerial staff and politically appointed officers is a distinct and growing vector.
Web application exploitation of under-maintained citizen portals and database misconfigurations
Third-party integrator access governance and supply-chain security due diligence
NACSA-designated NCII entities within the government sector are now subject to the Cybersecurity Act 2024 mandatory security requirements, including incident reporting within prescribed timeframes and periodic security assessments.
Malaysian manufacturing — across electronics, palm oil processing, rubber, and automotive supply chains — faces a converging IT/OT threat landscape that most organisations in the sector are underprepared to manage. Legacy OT equipment designed for air-gapped operation has, in many facilities, been connected to corporate IT networks for operational efficiency without corresponding security controls being retrofitted. Ransomware actors that pivot from a compromised IT workstation to an OT network can interrupt production lines and cause losses disproportionate to the original access point. IP theft and industrial espionage, often attributed to third-party contractor devices, are a secondary but significant threat for manufacturers in competitive international supply chains.
Ransomware lateral movement from IT to OT networks disrupting production systems
Absence of IT/OT network segmentation and OT-visible security monitoring
Manufacturers designated as NCII (energy, water, transportation sub-sectors) have explicit obligations under the Cybersecurity Act 2024. Separately, customer and employee data held in ERP and HRMS systems falls under PDPA.
The rapid growth of Malaysian e-commerce — accelerated through localised platforms and social-commerce channels — has expanded the attack surface significantly. Payment card data harvesting via skimming scripts injected into checkout pages (Magecart-style attacks) remains prevalent, often going undetected for extended periods on platforms that do not routinely audit third-party JavaScript dependencies. Marketplace account takeovers, driven by credential stuffing from global breach databases, directly convert to fraudulent seller listings and customer funds theft. Delivery-notification phishing capitalises on the high volume of parcel tracking interactions Malaysian consumers now conduct, training them to click links in SMS and messaging-app messages. Loyalty programme credential abuse is a secondary vector unique to retail.
Payment skimming scripts and credential-stuffing-driven account takeovers
Third-party JavaScript inventory and sub-resource integrity enforcement on checkout flows
Retail and e-commerce businesses collecting payment card data remain subject to PCI DSS obligations. The PDPA 2010 (amended 2024) applies to all customer personal data. Merchants with loyalty programmes holding sensitive personal data have a notification obligation upon confirmed breach.
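Sub-resource integrity on the checkout flow is the control gap named above. The script below is an added example, not tooling from this report: it inventories every script and stylesheet include in a constructed checkout page, flags third-party resources that carry no integrity attribute or lack the crossorigin attribute that SRI on a cross-origin resource requires, and shows how an SRI value is generated from a resource body and verified against it. The first-party host, the CDN and vendor hostnames, the page HTML and the cart-library body are all assumptions.

```python
"""Third-party script inventory and SRI checks for a checkout page.

Added example, not from the report. The first-party host, the CDN and vendor
hostnames, the page HTML and the script body are constructed assumptions.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = {"shop.example.my"}          # assumed first-party host(s)
SRI_ALGS = {"sha256", "sha384", "sha512"}  # the algorithms browsers accept for SRI


def sri_hash(body, alg="sha384"):
    """Integrity value for a resource body: '<alg>-<base64 digest>'."""
    digest = hashlib.new(alg, body).digest()
    return alg + "-" + base64.b64encode(digest).decode("ascii")


def sri_matches(body, integrity):
    """True if a recognised token in the integrity attribute matches the body.
    Browsers use the strongest algorithm listed; any matching token suffices here."""
    for token in integrity.split():
        alg = token.partition("-")[0]
        if alg in SRI_ALGS and sri_hash(body, alg) == token:
            return True
    return False


# Constructed body of the pinned cart library, and the hash the page should carry.
CART_JS = b"window.Cart = { add: function (sku) { /* constructed */ } };"
CART_SRI = sri_hash(CART_JS)

# Constructed checkout page: one correctly pinned CDN script, one vendor tag with
# no SRI, one stylesheet with no SRI, one widget with SRI but no crossorigin.
CHECKOUT_HTML = f"""<html><head>
<script src="/static/app.js"></script>
<script src="https://shop.example.my/static/checkout.js"></script>
<script src="https://cdn.example-cdn.net/lib/cart.min.js"
        integrity="{CART_SRI}" crossorigin="anonymous"></script>
<script src="https://tags.analytics-vendor.io/t.js"></script>
<link rel="stylesheet" href="https://cdn.example-cdn.net/css/theme.css">
<script src="//widget.chat-vendor.com/w.js" integrity="sha384-Zm9v"></script>
</head><body></body></html>"""


class IncludeCollector(HTMLParser):
    """Collects <script src> and <link rel=stylesheet href> tags with their attributes."""

    def __init__(self):
        super().__init__()
        self.includes = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.includes.append(("script", a["src"], a))
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or "").lower().split():
            self.includes.append(("stylesheet", a["href"], a))


def inventory(html):
    """One row per include: origin, whether it is third-party, and its SRI issues."""
    parser = IncludeCollector()
    parser.feed(html)
    rows = []
    for kind, url, a in parser.includes:
        host = urlparse(url).netloc.lower()  # '' for a relative URL, i.e. first-party
        third_party = bool(host) and host not in FIRST_PARTY
        integrity = a.get("integrity") or ""
        issues = []
        if third_party:
            if not integrity:
                issues.append("no-sri")
            else:
                if not {t.partition("-")[0] for t in integrity.split()} & SRI_ALGS:
                    issues.append("unknown-sri-alg")
                if "crossorigin" not in a:
                    # Without CORS the cross-origin response is opaque: the browser
                    # cannot hash it, the integrity check fails and the load is blocked.
                    issues.append("sri-without-crossorigin")
        rows.append({"kind": kind, "url": url, "host": host,
                     "third_party": third_party, "integrity": integrity, "issues": issues})
    return rows


def issues_by_url(html):
    """Convenience view: {url: [issue, ...]} for every include on the page."""
    return {r["url"]: r["issues"] for r in inventory(html)}


if __name__ == "__main__":
    for row in inventory(CHECKOUT_HTML):
        print("FLAG" if row["issues"] else "ok  ", row["kind"], row["url"], row["issues"])
```

Two caveats follow from how SRI works. It pins a fixed body, so a tag manager or chat widget that updates itself in place cannot carry a hash and has to be governed by a CSP script-src allowlist and monitored instead; and skimmers are typically injected after the page ships, so the inventory is only useful run against the live page on a schedule and diffed against the previous run, not once at release.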
These five techniques collectively account for the majority of confirmed security incidents affecting Malaysian organisations in the reporting period.
Credential stuffing — the automated injection of username/password pairs harvested from unrelated global data breaches into Malaysian service login portals — represents the highest-volume initial-access technique observed across all sectors in the reporting period. The economics are compelling for attackers: breach databases containing hundreds of millions of credential pairs are freely circulated on cybercriminal forums, and the overhead of running automated login attempts against a target is negligible. Malaysian banking apps, government portals, and e-commerce platforms are systematically targeted. Organisations that have not deployed multi-factor authentication and credential-breach monitoring face a persistent, low-cost intrusion risk that does not require any exploit or zero-day.
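Credential stuffing has a recognisable shape in authentication logs: one source touches many distinct accounts in a short period, almost every attempt fails, and the few successes are the leaked pairs that still work. The detector below, added here as an illustration and not drawn from the report or from any NACSA or MyCERT data, runs that heuristic over a constructed log sample. The one-line log format, the thresholds, the addresses and the account names are assumptions. The accounts it reports as compromised are the ones whose sessions should be revoked and whose passwords should be rotated.

```python
"""Credential-stuffing detector over authentication logs.

Added example, not from the report. The log format is an assumption:
    <ISO-8601 timestamp> <source ip> login <OK|FAIL> user=<username>
The sample lines, addresses and accounts are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+)$"
)

# Constructed sample. 203.0.113.7 tries one leaked pair per account (stuffing
# rarely repeats an account, each pair is tried once); 198.51.100.22 is a
# legitimate user who mistypes twice and then signs in; 203.0.113.9 touches too
# few accounts to clear the threshold.
SAMPLE_LOG = """\
2026-03-04T02:11:09Z 203.0.113.7 login FAIL user=alice@example.my
2026-03-04T02:11:10Z 203.0.113.7 login FAIL user=budi@example.my
2026-03-04T02:11:10Z 198.51.100.22 login FAIL user=farah@example.my
2026-03-04T02:11:11Z 203.0.113.7 login OK user=bob@example.my
2026-03-04T02:11:12Z 203.0.113.7 login FAIL user=chen@example.my
2026-03-04T02:11:13Z 203.0.113.7 login FAIL user=devi@example.my
2026-03-04T02:11:14Z 198.51.100.22 login FAIL user=farah@example.my
2026-03-04T02:11:15Z 203.0.113.7 login FAIL user=eddy@example.my
2026-03-04T02:11:16Z 203.0.113.7 login FAIL user=gopal@example.my
2026-03-04T02:11:17Z 203.0.113.7 login FAIL user=hana@example.my
2026-03-04T02:11:20Z 198.51.100.22 login OK user=farah@example.my
2026-03-04T02:12:01Z 203.0.113.9 login FAIL user=ivan@example.my
2026-03-04T02:12:02Z 203.0.113.9 login FAIL user=jamal@example.my
2026-03-04T02:12:03Z 203.0.113.9 login FAIL user=kumar@example.my
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse log lines into Events, sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, m["ip"], m["user"], m["result"] == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5,
                    max_success_ratio=0.25):
    """Flag each source IP that, within some sliding window, attempts at least
    min_users distinct accounts with a success ratio at or below the threshold.
    A user retrying their own password touches one account and is never flagged,
    however many times they fail."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1            # slide the window forward
            chunk = evs[start:end + 1]
            users = {e.user for e in chunk}
            ok_count = sum(1 for e in chunk if e.ok)
            if len(users) >= min_users and ok_count / len(chunk) <= max_success_ratio:
                findings[ip] = {
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    "successes": ok_count,
                    # Valid pairs the attacker now holds: revoke sessions, force a reset.
                    "compromised": sorted({e.user for e in chunk if e.ok}),
                }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

Grouping on source IP catches the bulk tooling but misses stuffing distributed through residential proxies, where each address makes a single attempt. For that case group on a key the proxy does not change (TLS fingerprint, user-agent plus ASN) or watch the portal-wide rate of single-failure-then-silent accounts against its normal baseline, since legitimate failures cluster on repeat attempts by the same user.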
Business Email Compromise (BEC) continues to generate disproportionate financial losses relative to its technical sophistication. Attackers compromise or convincingly impersonate a senior executive or trusted supplier's email account, then insert themselves into a payment or procurement workflow to redirect funds. In the Malaysian context, BEC has been observed targeting finance teams during supplier onboarding, trade-finance transactions, and inter-company fund transfers within corporate groups. Detection is difficult because the attack often exploits legitimate email infrastructure — either through a compromised account or a lookalike domain — rather than malware. The human element, combined with time pressure created by urgency framing in the emails, bypasses most technical controls.
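The bank-impersonation phishing described in the financial services section and the lookalike-domain BEC described above turn on the same question: does a sender or link domain resemble one that staff and customers trust? The classifier below is an added example, not the report's own tooling. It decodes punycode, folds digit, Cyrillic and rn-for-m confusables, extracts the registrable domain, and ranks a host as trusted, homoglyph, typosquat, TLD swap, embedded brand or unrelated. The trusted set, the public-suffix table, the confusable tables and the sample hosts are assumptions; a production version would load the Public Suffix List and the onboarded-supplier register instead.

```python
"""Lookalike-domain classifier for sender and link domains.

Added example, not from the report. The trusted set, the suffix table, the
confusable tables and the sample hosts are assumptions; in production load the
Public Suffix List and your onboarded-supplier register instead.
"""
import unicodedata

TRUSTED = {"example.com.my", "contohbank.com.my", "supplierco.com"}

# Tiny stand-in for the Public Suffix List (assumption).
TWO_LABEL_SUFFIXES = {"com.my", "net.my", "org.my", "gov.my", "edu.my", "com.sg", "co.uk"}

# Single-character confusables: ASCII look-alikes plus common Cyrillic letters.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "8": "b",
              "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}
# Multi-character confusables, applied after the single-character pass.
MULTI = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Verdicts from most to least severe; the strongest match across TRUSTED wins.
SEVERITY = ["trusted", "homoglyph", "typosquat", "tld-swap", "embedded-brand", "unrelated"]


def to_unicode(host):
    """Decode punycode (xn--) labels so the homoglyph check sees the real characters."""
    try:
        return host.encode("ascii").decode("idna").lower()
    except UnicodeError:
        return host.lower()


def normalize(label):
    """Fold accents and confusables: 'c0ntohbank' and Cyrillic 'contohb\u0430nk' become 'contohbank'."""
    s = unicodedata.normalize("NFKD", label)
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = "".join(HOMOGLYPHS.get(c, c) for c in s)
    for pair, repl in MULTI:
        s = s.replace(pair, repl)
    return s


def registrable(host):
    """Registrable domain: the label before the public suffix, plus the suffix."""
    labels = host.strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host):
    """Return (verdict, trusted domain the host resembles, or None)."""
    host = to_unicode(host.strip().rstrip("."))
    reg = registrable(host)
    if reg in TRUSTED:
        return "trusted", reg
    brand = reg.split(".")[0]
    best = ("unrelated", None)
    for t in TRUSTED:
        tbrand = t.split(".")[0]
        if brand == tbrand:
            verdict = "tld-swap"        # same brand label under a different suffix
        elif normalize(brand) == normalize(tbrand):
            verdict = "homoglyph"       # digit, Cyrillic or rn-for-m substitution
        elif len(tbrand) >= 5 and osa_distance(normalize(brand), normalize(tbrand)) <= 2:
            verdict = "typosquat"       # one or two edits from the brand
        elif normalize(tbrand) in normalize(host):
            verdict = "embedded-brand"  # brand buried in a longer name or a subdomain
        else:
            continue
        if SEVERITY.index(verdict) < SEVERITY.index(best[0]):
            best = (verdict, t)
    return best


# Constructed sample hosts; the Cyrillic one is encoded to its xn-- wire form first.
SAMPLES = [
    "mail.example.com.my",
    "c0ntohbank.com.my",
    "contohb\u0430nk.com.my".encode("idna").decode("ascii"),
    "suplierco.com",
    "supplierco.co",
    "contohbank.com.my.secure-login.xyz",
    "unrelated-shop.xyz",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, "->", classify(h))
```

Run it over the From, Reply-To and Return-Path domains of inbound mail to finance and procurement, and over the link hosts in SMS samples. The "recently registered domain" signal mentioned for BEC comes from WHOIS or RDAP and cannot be derived offline, so pair this check with a registration-age lookup; a typosquat verdict on a domain registered in the last few weeks is the combination worth holding a payment for.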
Ransomware groups operating with human-operated, double-extortion models have identified Malaysian healthcare and manufacturing as high-yield targets. Initial access is typically obtained through phishing, exposed remote-desktop services, or unpatched VPN appliances. Attackers then conduct reconnaissance, harvest credentials, and move laterally before deploying ransomware across as many systems as possible. The double-extortion model — encrypting data while also exfiltrating it and threatening public release — significantly increases pressure on victims to pay. Malaysian healthcare facilities face the additional complexity that certain clinical systems cannot simply be shut down, creating recovery sequencing challenges. Manufacturing entities face production loss compounding alongside the recovery cost.
Supply-chain attacks pivot from a compromised third-party — an IT integrator, SaaS provider, or managed-service partner — into the primary target's environment using existing, trusted connectivity. This vector is growing rapidly in Malaysia as organisations adopt cloud-hosted applications that grant vendors persistent API access, and as IT outsourcing to smaller providers expands. A compromised MSP with remote-monitoring access to dozens of client environments presents a disproportionate blast radius. Regulated entities under RMiT are required to perform third-party risk assessments, but the depth of technical security evaluation applied to smaller vendors is inconsistent. The Cybersecurity Act 2024 further reinforces the obligation to assess supply-chain risk for NCII-designated entities.
Operational technology environments — SCADA systems, programmable logic controllers, building management systems, and industrial IoT devices — were historically isolated from internet-connected networks by design. That air-gap has eroded progressively as operational efficiency demands and remote-monitoring capabilities have been layered onto legacy OT infrastructure. Malaysian manufacturing, utilities, and port operations have all seen incidents related to internet-exposed OT interfaces, either through direct attacker discovery via industrial-protocol scanning tools, or through lateral movement from a compromised IT network into the OT segment. The consequences of OT compromise are fundamentally different from typical IT incidents: they can include physical damage, production line shutdown, or — in utilities — public safety implications.
Based on trajectory analysis of public disclosures, regulatory signalling, and operational patterns. Forward-looking statements reflect qualitative assessment, not statistical forecasts.
Generative AI tools lower the barrier for producing grammatically correct, contextually plausible phishing emails in Bahasa Malaysia and Malaysian English. Expect a marked increase in highly personalised spear-phishing content targeting senior executives, finance personnel, and technical staff in 2026, drawing on publicly available LinkedIn and corporate website information. Current email security gateways are calibrated for high-volume commodity phishing and will require tuning for low-volume, high-quality content.
As NACSA's enforcement mechanisms mature, NCII-designated entities will face increasing scrutiny through 2026. Organisations that have been slow to align security programmes with the Act's mandatory requirements will face a compressed timeline to demonstrate compliance. This will drive significant demand for independent security assessments, gap analyses, and remediation support — particularly from regulated entities in energy, water, transportation, and financial services.
Malaysian enterprise security teams will spend an increasing proportion of their attention on supply-chain and SaaS risk as cloud adoption deepens. Board-level pressure following high-profile supply-chain incidents globally will translate into requests for vendor risk rating programmes, continuous third-party monitoring, and contractual security obligations in IT outsourcing agreements. CISO-level functions — whether in-house or fractional — will be primary owners of this agenda.
Large enterprises in Malaysia have progressively improved their defences and incident-response maturity. Ransomware groups seeking lower resistance will increasingly target mid-market businesses — manufacturers, professional services firms, healthcare clinics, and logistics providers — that hold valuable data or have low disruption tolerance but have not invested proportionately in security operations. These organisations typically lack a 24/7 monitored endpoint detection capability, making dwell time before discovery longer.
The 2024 amendments to the Personal Data Protection Act introduce tighter obligations around breach notification and data-subject rights. As regulatory guidance matures and the first post-amendment enforcement actions are processed, organisations across all sectors will face increased pressure to maintain evidence of proactive security controls, timely breach detection, and documented notification procedures. Organisations that have treated PDPA compliance as a paper exercise will face meaningful operational risk if a breach occurs without documented controls and notification timelines.
Ten prioritised actions that address the highest-impact gaps identified across this report. Each item is actionable within a 12-month window without requiring a security transformation programme.
Implement MFA across all externally facing applications, VPN, and cloud administration portals — credential stuffing is the leading initial-access vector and MFA is its most effective countermeasure.
Conduct a credential-exposure sweep: check your organisation's email domains against known breach databases and rotate exposed passwords before attackers use them.
Enumerate and inventory every internet-facing asset, including shadow IT, forgotten subdomains, and contractor-provisioned infrastructure. You cannot defend what you have not discovered.
Patch internet-facing systems (VPN appliances, remote-desktop gateways, web applications) on a priority schedule: critical and high-severity CVEs within 48–72 hours of vendor release.
Segment OT and IT networks. If your manufacturing floor, building management system, or industrial equipment shares a broadcast domain with office workstations, you have an unacceptable lateral-movement risk.
Implement email authentication (SPF, DKIM, DMARC with a reject policy) on all owned domains — including dormant and subsidiary domains — to reduce both inbound BEC risk and the ability of attackers to spoof your brand.
Conduct a third-party access audit: identify every vendor with standing API, VPN, or remote-desktop access. Apply least-privilege, require MFA, and document a review cadence.
Test your incident response plan. A documented plan that has never been exercised is of limited value. Tabletop exercises against realistic ransomware and BEC scenarios should be conducted at least annually.
Review PDPA data-processing records and confirm a breach-notification workflow exists, including who approves notification, what the prescribed timeline is, and who the notification recipients are.
If your organisation qualifies as a National Critical Information Infrastructure (NCII) entity under the Cybersecurity Act 2024, engage with NACSA's licensing and assessment requirements proactively rather than waiting for a compliance notice.
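For the email-authentication item in the list above (SPF, DKIM and DMARC with a reject policy on every owned domain, dormant ones included), the checker below is an added example and not part of the report. It evaluates a constructed set of DNS TXT records for the conditions a practitioner actually gets caught by: a soft-fail or missing all mechanism, more than one SPF record, a DMARC policy of none or quarantine, a weaker subdomain policy, partial pct, no aggregate reporting address, an empty DKIM key, and a dormant domain that still authorises senders. The domain names, the records, the DKIM selector and the lookup() stub are assumptions; in use the stub would be replaced by a real TXT resolver such as dnspython's dns.resolver.resolve(name, "TXT").

```python
"""Evaluate SPF/DKIM/DMARC posture for owned domains.

Added example, not from the report. DNS answers are stubbed with the constructed
RECORDS table; replace lookup() with a real TXT resolver in use.
"""
import re

RECORDS = {
    # Active primary domain: everything in order.
    "example.com.my": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.example.com.my": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-rua@example.com.my"],
    "s1._domainkey.example.com.my": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],  # constructed, truncated key
    # Dormant brand domain that still authorises its old hosts and only soft-fails.
    "old-brand.com.my": ["v=spf1 a mx ~all"],
    "_dmarc.old-brand.com.my": ["v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com.my"],
    # subsidiary.my publishes nothing at all: anyone can spoof it.
}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def lookup(name):
    """TXT lookup stub: the list of TXT strings published at name."""
    return RECORDS.get(name.lower(), [])


def check_spf(domain, dormant, findings):
    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("spf-missing")
        return
    if len(spf) > 1:
        findings.append("spf-multiple")  # PermError: receivers treat it as no SPF at all
    terms = spf[0].split()[1:]
    alls = [t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not alls:
        findings.append("spf-no-all")    # implicit neutral: unlisted senders are not rejected
    else:
        qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
        if qualifier == "~":
            findings.append("spf-softfail")
        elif qualifier in "+?":
            findings.append("spf-permissive")
    if dormant and terms != ["-all"]:
        findings.append("dormant-spf-allows-senders")  # a domain that never sends should publish only -all


def check_dmarc(domain, findings):
    recs = [r for r in lookup("_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if not recs:
        findings.append("dmarc-missing")
        return
    tags = {}
    for part in recs[0].split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip().lower()] = v.strip()
    p = tags.get("p", "").lower()
    if p not in POLICY_RANK:
        findings.append("dmarc-invalid")
        return
    if p != "reject":
        findings.append("dmarc-policy-" + p)
    sp = tags.get("sp", p).lower()
    if POLICY_RANK.get(sp, -1) < POLICY_RANK[p]:
        findings.append("dmarc-subdomain-weaker")  # attackers will simply use a subdomain
    if tags.get("pct", "100") != "100":
        findings.append("dmarc-pct-partial")
    if "rua" not in tags:
        findings.append("dmarc-no-rua")  # without aggregate reports you cannot see who spoofs you


def check_dkim(domain, selectors, findings):
    for sel in selectors:
        pub = ""
        for r in lookup(sel + "._domainkey." + domain):
            for part in r.split(";"):
                k, _, v = part.strip().partition("=")
                if k.strip().lower() == "p":
                    pub = v.strip()
        if not pub:
            findings.append("dkim-missing-" + sel)  # absent, or an empty p= meaning revoked


def evaluate(domain, dormant=False, dkim_selectors=()):
    """Return the list of finding codes for one domain; an empty list is a pass."""
    findings = []
    check_spf(domain, dormant, findings)
    check_dmarc(domain, findings)
    check_dkim(domain, dkim_selectors, findings)
    return findings


if __name__ == "__main__":
    for dom, dormant, sels in [("example.com.my", False, ("s1",)),
                               ("old-brand.com.my", True, ()),
                               ("subsidiary.my", False, ())]:
        print(dom, evaluate(dom, dormant, sels) or "ok")
```

The dormant-domain case is the one most often missed: a retired brand or acquired subsidiary with no DNS records at all, or an old permissive SPF, is the easiest domain in the estate to spoof in a BEC lure, and the fix is two records (v=spf1 -all, and a DMARC record with p=reject). Run the check against the full list of registered domains from the registrar, not just the ones currently sending mail.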
This report was produced through systematic review of publicly available sources covering the period from early 2025 to the publication date in May 2026. Primary sources include NACSA (National Cyber Security Agency Malaysia) published incident bulletins and annual cybersecurity reports, MyCERT (CyberSecurity Malaysia) advisory publications and incident statistics, and Bank Negara Malaysia risk-management circulars, annual reports, and technology risk guidance documents.
Secondary sources include publicly disclosed court filings and regulatory enforcement notices, sector-specific surveys published by industry associations and research organisations, and open-source threat intelligence feeds covering Malaysian network ranges and domain infrastructure. Where incident details or statistics have appeared in mainstream Malaysian media and can be cross-referenced to an official source, those details have been incorporated.
nCrypt operational observations — drawn from security assessments, advisory engagements, and incident-response support conducted for Malaysian clients — have been used to calibrate qualitative judgements about sector-specific exposure and control gap prevalence. No client-confidential information is referenced or attributable in this report. All statistics are presented as aggregated estimates or order-of-magnitude phrasings rather than precise measurements.
Primary sources referenced: NACSA (nacsa.gov.my) published bulletins and annual reports · CyberSecurity Malaysia / MyCERT (mycert.org.my) advisories and incident statistics · Bank Negara Malaysia (bnm.gov.my) Risk Management in Technology (RMiT) policy document and annual financial stability reports · Personal Data Protection Commissioner Malaysia (pdp.gov.my) · Suruhanjaya Komunikasi dan Multimedia Malaysia (MCMC) (skmm.gov.my) · Cybersecurity Act 2024 (Act 854, gazetted 2024) official text.
Disclaimer: This report is provided for informational purposes only. nCrypt Malaysia has aggregated publicly available data and applied qualitative professional judgement to produce this analysis. No representation is made that the statistics presented are precise or independently audited. This report does not constitute legal, regulatory, or investment advice. Organisations should obtain independent professional advice on their specific obligations under Malaysian law and regulation. nCrypt Malaysia does not accept liability for decisions taken on the basis of this report without independent verification.
© 2026 nCrypt Malaysia. This report may be freely cited with attribution.
Common questions about this report, its data sources, and how to use it.
This report aggregates publicly available information from NACSA (National Cyber Security Agency Malaysia) incident bulletins, MyCERT (CyberSecurity Malaysia) advisory publications, Bank Negara Malaysia risk-management circulars and annual reports, and OSINT sources including court filings, regulatory enforcement notices, and published sector surveys. It also incorporates nCrypt's operational observations from security assessments and advisory engagements. No proprietary telemetry is claimed. All statistics are presented as estimates or order-of-magnitude observations, not as independently audited measurements.
The full HTML version of this report is freely available on this page without registration. An executive-formatted PDF version is available on request for organisations that wish to distribute it internally, present it in board packs, or use it as a compliance reference document. Request the PDF via the contact form linked on this page.
This edition covers the 2025–2026 reporting period. nCrypt intends to publish updated editions annually, aligned with the calendar year. If material incidents or regulatory changes occur that significantly alter the threat landscape, addendum bulletins will be published and linked from this page. Subscribe to nCrypt's security briefing via the contact form to receive update notifications.
Yes. This report is published for use by Malaysian security practitioners, executives, and compliance teams. You are welcome to cite or excerpt it, with attribution to nCrypt Malaysia and a link to this page. For regulatory submissions, we recommend cross-referencing the primary public sources (NACSA bulletins, MyCERT advisories, BNM circulars) cited in the methodology section, as those carry greater regulatory standing than third-party aggregations.
The Cybersecurity Act 2024 (Act 854) designates entities operating National Critical Information Infrastructure (NCII) in specified sectors — including energy, water, transportation, banking and finance, defence, government, healthcare, and information and communications — as subject to mandatory cybersecurity obligations. These include licensing of NCII operators, mandatory incident reporting to NACSA within prescribed timeframes, and compliance with security standards and codes of practice issued by NACSA. Organisations uncertain whether they qualify as NCII operators should seek legal and technical advice, as the consequences of operating without compliance are significant.
Submit the contact form on this page with the subject line 'Threat Briefing Subscription'. nCrypt distributes quarterly threat briefings and ad-hoc incident alerts to subscribed organisations, covering Malaysian-relevant threat intelligence, regulatory updates, and sector-specific advisories. Subscription is complimentary for organisations domiciled in Malaysia.
Continuous adversary tracking, dark-web monitoring, and IOC feeds relevant to your sector and brand.
Continuous discovery and monitoring of every internet-facing asset — find what attackers find, before they find it.
Fractional CISO leadership to own your security roadmap, regulatory obligations, and board reporting.
Request the PDF version of this report for board distribution, regulatory submissions, or internal security programme planning — and subscribe to nCrypt's quarterly threat briefing updates.
No paywall. No spam. A member of the nCrypt team will respond within one business day.