China-nexus cyber threats emerged as the most significant intelligence collection risk facing financial institutions in 2025, according to the CrowdStrike 2026 Financial Services Threat Landscape Report.

The report documented a year of stealthy access operations, exploitation of vulnerable edge devices, and interactive intrusions built around theft, extortion, and espionage.

By the first quarter of 2026, financial services ranked as the fourth most targeted sector globally, accounting for 12% of total observed activity.

A Sector Under Sustained Pressure

Financial institutions worldwide experienced 43% more hands-on-keyboard intrusions in 2025 than two years earlier.

These are attacks in which a human operator works interactively inside a compromised network rather than relying on automated tools, giving adversaries the flexibility to pivot between theft, extortion, and intelligence collection once access is established.

The sector’s appeal to attackers is natural, as financial organisations hold substantial assets and high-value data, including cryptocurrency holdings, business intelligence, and customers’ personally identifiable information (PII). The sector may also be perceived as more willing to pay a ransom, given the high availability requirements of financial operations.

CrowdStrike warns that AI could compound these pressures. AI-enabled social engineering may help adversaries craft more convincing lures, impersonate trusted users, generate realistic voice phishing attempts, and scale identity-based intrusions across trusted access paths.

At the same time, financial institutions’ own adoption of AI across customer support, fraud operations, and software development may expand the attack surface if those systems are not properly secured.

Five China-Nexus Groups, One Shared Playbook

State-sponsored activity remained persistent throughout the year, driven largely by intelligence collection requirements, and the report singles out China-nexus adversaries as the most significant such threat to financial services, particularly in South and Southeast Asia.

Image credit: CrowdStrike 2026 Financial Services Threat Landscape Report

Throughout 2025, these groups conducted sustained operations against the global financial sector using a consistent set of techniques: exploiting edge devices, conducting DLL search-order hijacking (a method of tricking legitimate software into loading malicious code), routing command-and-control traffic through compromised infrastructure, and targeting cloud environments.

The report details five named adversaries.

HOLLOW PANDA targeted financial institutions in South America and Southeast Asia by exploiting Check Point VPN appliances and deploying ShadowPad malware.

VAULT PANDA operated across multiple regions, deploying KEYPLUG malware via DLL search-order hijacking against financial institutions and supporting entities, including a Middle East fintech organisation.

GENESIS PANDA struck a Southeast Asia-based financial entity and a North American fintech firm, deploying VShell implants and FScan utilities on infrastructure linked to earlier China-nexus operations.

VERTIGO PANDA targeted organisations in the Philippines, spreading the InstituteX remote access trojan via infected USB devices.

The widest-reaching campaign came from MURKY PANDA, which deployed a Chinese operational relay box (ORB) network, a traffic relay system typically built from compromised devices and leased servers that obscures the origin and destination of malicious traffic. The group used it to access Microsoft 365 email accounts from more than 150 IP addresses across 36 countries, targeting 340 organisations in more than 30 sectors, with financial services among its most frequent targets.
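The MURKY PANDA pattern above (one mailbox reached from many unrelated IP addresses in many countries) is something a defender can look for in their own sign-in telemetry. The script below is an added example for this article, not code from CrowdStrike or the report: it parses a constructed JSON-lines sign-in log (the field names `user`, `ip`, `country`, `time` and `result` are assumptions, loosely modelled on what a Microsoft 365 or Entra ID sign-in export contains), counts the distinct source IPs and countries behind each account's successful sign-ins within a trailing window, and flags accounts whose footprint exceeds thresholds that a single human user would not plausibly produce. The thresholds and the sample data are invented for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _event(user, ip, country, ts, ok=True):
    # Build one constructed sign-in record as a JSON line (assumed schema).
    return json.dumps({"user": user, "ip": ip, "country": country,
                       "time": ts.isoformat(),
                       "result": "success" if ok else "failure"})


_T0 = datetime(2025, 6, 1, 8, 0, tzinfo=timezone.utc)
_COUNTRIES = ["BR", "TH", "VN", "AE", "US", "SG"]

# Constructed sample log (JSON lines). IPs come from the 203.0.113.0/24
# documentation range; nothing here is data from the report.
SAMPLE_LOG = "\n".join(
    # alice: 12 successful sign-ins from 12 IPs in 6 countries within a day,
    # the relay-network shape described in the article
    [_event("alice", f"203.0.113.{n}", _COUNTRIES[n % 6],
            _T0 + timedelta(hours=n)) for n in range(12)]
    # bob: a normal user, one country, two IPs (office and home)
    + [_event("bob", "203.0.113.200", "US", _T0 + timedelta(hours=n))
       for n in range(5)]
    + [_event("bob", "203.0.113.201", "US", _T0 + timedelta(days=2))]
    # carol: many failed attempts from many places, no successful access
    + [_event("carol", f"203.0.113.{100 + n}", _COUNTRIES[n % 6],
              _T0 + timedelta(minutes=n), ok=False) for n in range(8)]
)


def parse_signins(text):
    """Parse JSON-lines sign-in records into dicts with aware datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def summarise_access(events, window=timedelta(days=7)):
    """Per user: distinct IPs and countries used for *successful* sign-ins
    within the trailing window, plus a count of failed attempts."""
    if not events:
        return {}
    cutoff = max(e["time"] for e in events) - window
    summary = defaultdict(lambda: {"ips": set(), "countries": set(), "failures": 0})
    for e in events:
        if e["time"] < cutoff:
            continue
        s = summary[e["user"]]
        if e["result"] == "success":
            s["ips"].add(e["ip"])
            s["countries"].add(e["country"])
        else:
            s["failures"] += 1
    return dict(summary)


def flag_distributed_access(events, max_countries=2, max_ips=5,
                            window=timedelta(days=7)):
    """Return accounts whose successful sign-ins span more distinct countries
    or source IPs than a single user plausibly has within the window.
    Thresholds are illustrative; tune them to the organisation's baseline."""
    flagged = {}
    for user, s in summarise_access(events, window).items():
        if len(s["countries"]) > max_countries or len(s["ips"]) > max_ips:
            flagged[user] = {"countries": sorted(s["countries"]),
                             "ip_count": len(s["ips"])}
    return flagged


if __name__ == "__main__":
    for user, detail in flag_distributed_access(parse_signins(SAMPLE_LOG)).items():
        print(f"{user}: {detail['ip_count']} IPs across {detail['countries']}")
```

Run as written, the script flags only `alice`: twelve source IPs across six countries in one day, while `bob` stays within a normal footprint and `carol` has no successful access at all (the failure count is still reported, since repeated failures from many countries is a separate signal worth its own rule). In production, the same aggregation would run over a real sign-in export and the thresholds would be set from the organisation's own baseline of travel and VPN egress behaviour.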

These intrusions likely reflect China-nexus adversaries’ prioritisation of financial services entities as sources of intelligence on economic conditions, PII, and data that can support downstream espionage operations.

What Comes Next?

Among targeted intrusion threat actors, China-nexus adversaries will likely remain the greatest intelligence collection threat to the financial sector globally, the report concludes.

Their activity is driven by sustained interest in economic intelligence, PII, and data that supports downstream espionage, with financial entities in South and Southeast Asia, particularly in India and Taiwan, likely to remain priority targets.