CrowdStrike 2026 Technology Threat Landscape Report: China’s Ambitions Fuel Attacks

The technology sector has, for the past several years, been the most targeted industry among eCrime and state-sponsored adversaries whose motivations span financial gain, long-term intelligence collection, and industrial espionage.

Modern tech companies are building the world’s most valuable and targeted assets. Their cutting-edge innovations, now including AI, represent competitive advantage and heightened risk. Adversaries are taking aim, and defenders that understand them are best equipped to stop them. 

The CrowdStrike 2026 Technology Threat Landscape Report, based on intelligence from the CrowdStrike Counter Adversary Operations team, details the trends and events that defined the technology threat landscape from April 1, 2025 through March 31, 2026. Its analysis reveals which adversaries target tech entities, and the methods they use, so organizations can prepare to face an evolving threat landscape.;

Learn more: Download the CrowdStrike 2026 Technology Threat Landscape Report

Nation-State Adversaries Set Sights on Technology

Based on observed targeting patterns, more than 58% of state-sponsored targeted intrusions were attributed to China-nexus adversaries, which also posed the greatest intelligence collection threat to tech organizations. Adversaries including MURKY PANDA, MUSTANG PANDA, OVERCAST PANDA, SUNRISE PANDA, and WARP PANDA targeted the tech sector more than any other industry.

Their operations appear to be driven by interest in technology development, intellectual property, and information aligning with the Chinese Communist Party’s intelligence collection goals. According to CrowdStrike threat intelligence, China’s strategic imperative is to achieve technological self-sufficiency and competitive advantage in key emerging technologies, so AI capabilities are likely a high-value target for them. In addition to this data, China-nexus adversaries seek access to downstream customer environments that can enable supply chain compromise. 

Instances of China-nexus cyber activity against the tech sector:

• SUNRISE PANDA consistently targeted tech entities in East and Southeast Asia, particularly mail infrastructure that may provide access to government communications.
• MURKY PANDA conducted password-spraying attacks against more than 340 primarily U.S.-based organizations across sectors, with tech among the most affected. 
• WARP PANDA repeatedly targeted North American tech organizations, where they exploited vulnerabilities and maintained persistent access.

China-nexus adversaries aren’t the only nation-state actors infiltrating tech companies. CrowdStrike observed the Democratic People’s Republic of Korea (DPRK) adversaries including FAMOUS CHOLLIMA, LABYRINTH CHOLLIMA, and STARDUST CHOLLIMA also targeted the technology sector — historically a key target for DPRK insider threat activity due to remote, high-salary roles. 

FAMOUS CHOLLIMA accounted for 47% of all state-sponsored hands-on-keyboard operations against the tech sector, meaning they were most active in manual operations over traditional malware. In their IT worker infiltration campaigns, they sought fraudulent employment at tech companies across North America, Europe, and Asia. Our findings indicate their primary motivation is financial gain; revenue from these attacks goes toward the regime.

DPRK-nexus adversaries also pursued supply chain compromise: STARDUST CHOLLIMA compromised the Axios npm package, downloaded 100 million times per week, in operations that likely exposed millions of downstream users and poisoned open-source supply chains. 

eCrime Adversaries Accelerate Extortion Operations

Tech entities are a key target for eCrime adversaries due to opportunities to disrupt operations and their vast stores of monetizable information. eCrime activity made up 65% of hands-on-keyboard operations targeting tech. Initial access brokers advertised access to 277 technology companies, a nearly 30% increase that indicates heightened demand for identity-driven access. 

Most big game hunting (BGH) activity targeted North America-based technology entities. BGH adversaries named 572 technology organizations on dedicated leak sites for extortion, far surpassing other sectors. In the same time frame, BGH adversaries named only 16 law enforcement and nine defense organizations. 

Instances of eCrime activity against the tech sector:

• Multiple eCrime threat actors used OpenClaw-related lures to distribute malware, exploiting the surge in AI adoption. A February 2026 campaign distributed a new macOS information stealer via fake OpenClaw skills.
• The Crimson Collective group claimed to access and steal data from the private code repositories of a software development company; they purportedly accessed 570GB of data across 28,000 projects.
• An unknown threat actor operating Glassworm malware compromised 350 GitHub repositories to inject malicious code.

The technology sector is one of the most, if not the most, persistently targeted industries in the global threat landscape. Tech organizations must be aware of threats to best prepare to face them. The CrowdStrike 2026 Technology Threat Landscape Report provides CrowdStrike’s observations of the themes and trends that defined this sector. Download the full report to understand how today’s adversaries are targeting tech and how to strengthen defenses. 

Additional Resources

• Learn more about CrowdStrike Counter Adversary Operations threat intelligence and threat hunting.
• Tune in to the Adversary Universe podcast, where CrowdStrike reveals the threat actors behind the latest cyberattacks. 
• Dive deeper into topics like this at Fal.Con 2026 with expert-led sessions, hands-on training, and real-world insights.