China-linked hacking groups were behind more than 58 percent of all state-sponsored intrusions against the technology sector over the past year, according to the CrowdStrike 2026 Technology Threat Landscape Report published by the company's Counter Adversary Operations team. The figures cover activity from April 2025 through March 2026 and underline how heavily Beijing-aligned operators lean on tech firms for intellectual property and access to their customers.
CrowdStrike names five China-nexus groups, tracked as MURKY PANDA, MUSTANG PANDA, OVERCAST PANDA, SUNRISE PANDA, and WARP PANDA, each of which targeted the technology sector more than any other industry. MURKY PANDA ran password-spraying campaigns against more than 340 organizations, most of them in the U.S.; SUNRISE PANDA went after mail systems in East and Southeast Asia whose compromise can expose government communications; and WARP PANDA repeatedly broke into North American tech firms and maintained long-term access. The analysts assess that China's interest in AI and other emerging technologies makes those capabilities a high-value target, and that a foothold at a tech vendor opens the door to supply chain compromise of the vendor's customers further down the line.
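The password-spraying pattern attributed to MURKY PANDA above has a recognizable shape in authentication logs: one source, one or two guesses per account, many accounts, the inverse of a brute-force run against a single user. The following is an added example of that detection logic, not CrowdStrike's code or anything from the report; the log lines are constructed, the record format (timestamp, account, source IP, result) is assumed, and the ten-minute window and five-account threshold are tuning values, not figures from the report.

```python
"""Password-spray detection over constructed authentication log lines.

Example code added to this briefing; not CrowdStrike's detection logic.
Each record: <ISO timestamp> <account> <source IP> <FAIL|SUCCESS>.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): 203.0.113.7 tries one guess per
# account across many accounts and lands on "grace"; 198.51.100.9 is a single
# user who mistypes twice and then logs in normally.
SAMPLE_LOG = """\
2026-03-02T09:00:01Z alice 203.0.113.7 FAIL
2026-03-02T09:00:02Z bob 203.0.113.7 FAIL
2026-03-02T09:00:03Z carol 203.0.113.7 FAIL
2026-03-02T09:00:04Z dave 203.0.113.7 FAIL
2026-03-02T09:00:05Z erin 203.0.113.7 FAIL
2026-03-02T09:00:06Z frank 203.0.113.7 FAIL
2026-03-02T09:00:07Z grace 203.0.113.7 SUCCESS
2026-03-02T09:05:00Z alice 198.51.100.9 FAIL
2026-03-02T09:05:20Z alice 198.51.100.9 FAIL
2026-03-02T09:05:40Z alice 198.51.100.9 SUCCESS
"""


def parse_log(text):
    """Parse whitespace-separated auth records into (ts, user, src, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag sources whose failed logins within any `window` cover at least
    `min_users` distinct accounts (few guesses, many users: the spray shape).

    Returns {source: {"distinct_users": n, "hits": [accounts that then
    succeeded from that source inside the window]}}.
    """
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[2]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        for i, first in enumerate(fails):
            span_end = first[0] + window
            users = {e[1] for e in fails[i:] if e[0] <= span_end}
            if len(users) >= min_users:
                hits = sorted({e[1] for e in evs
                               if e[3] == "SUCCESS" and first[0] <= e[0] <= span_end})
                alerts[src] = {"distinct_users": len(users), "hits": hits}
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_users']} accounts sprayed, landed on {info['hits']}")
```

The "hits" field is the part worth paging on: a success from a source that has just failed against many other accounts is a spray that landed, not a typo. Two caveats when running this against real identity logs: spraying crews spread attempts across many egress IPs, so keying on the source address alone will miss low-and-slow campaigns and the grouping key often needs to include ASN, user agent or application ID; and a shared NAT egress (a campus or a VPN concentrator) can legitimately show failures from many accounts, so the threshold has to be tuned per environment.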
North Korea works its way inside
North Korean operators were also busy. CrowdStrike attributes 47 percent of all hands-on-keyboard state-sponsored activity against the tech sector to FAMOUS CHOLLIMA, the group behind the fake IT worker scheme, in which North Koreans use stolen or invented identities to land remote engineering jobs and funnel the salaries back to the regime. A related group, STARDUST CHOLLIMA, compromised the widely used Axios npm package, a library downloaded around 100 million times a week, poisoning open-source code that countless other projects pull in as a dependency.
Criminal extortion keeps climbing
Financially motivated crime made up about 65 percent of hands-on attacks on the tech sector. Initial access brokers advertised entry into 277 technology companies, a jump of nearly 30 percent, and extortion crews named 572 tech organizations on their leak sites, far more than for any other industry. In one case the Crimson Collective group claimed to have stolen 570GB of data spanning 28,000 projects from a software development company, while an unidentified actor used the Glassworm malware to plant malicious code in 350 GitHub repositories.
What it means
The report points to a clear theme: attackers increasingly buy or steal legitimate access rather than breaking in, and they treat software supply chains as a force multiplier. Defenders in the sector should prioritize phishing-resistant multi-factor authentication, which blunts password spraying as well as phishing; closer vetting of new hires and contractors against IT worker fraud; and tighter control of npm, GitHub, and other dependency sources, including lockfile integrity checks and review of every new or changed dependency before it ships. The full findings are laid out in the original report.
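The Axios compromise described in the North Korea section and the dependency-monitoring recommendation above both come down to the same control: treat a change to the lockfile as a security event and inspect it before `npm ci` runs. The following is an added example of such a check, not code from the report, from CrowdStrike or from the npm project. It assumes the `packages` map that `package-lock.json` version 2 and 3 carry, with its real `version`, `resolved`, `integrity`, `link` and `hasInstallScript` fields; the package names, versions and hashes in the two constructed lockfile fragments are hypothetical and refer to no real package and not to the Axios incident.

```python
"""Audit a change between two npm lockfiles (package-lock.json v2/v3).

Example code added to this briefing; not from the report or the npm project.
It assumes the "packages" map that lockfileVersion 2 and 3 write, including
the real "resolved", "integrity", "link" and "hasInstallScript" fields.
"""
import json

REGISTRY = "https://registry.npmjs.org/"

# Constructed lockfile fragments with hypothetical package names; none of the
# versions or hashes refer to real packages or to the Axios incident.
BASELINE = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/http-lib": {"version": "2.4.0",
            "resolved": REGISTRY + "http-lib/-/http-lib-2.4.0.tgz",
            "integrity": "sha512-base64A"},
        "node_modules/string-utils": {"version": "1.0.5",
            "resolved": REGISTRY + "string-utils/-/string-utils-1.0.5.tgz",
            "integrity": "sha512-base64B"},
        "node_modules/color-term": {"version": "3.1.0",
            "resolved": REGISTRY + "color-term/-/color-term-3.1.0.tgz",
            "integrity": "sha512-base64C"},
    },
}
CANDIDATE = json.loads(json.dumps(BASELINE))  # deep copy, then mutate
pk = CANDIDATE["packages"]
pk["node_modules/http-lib"]["integrity"] = "sha512-base64Z"      # same version, new tarball
pk["node_modules/string-utils"].update({"version": "1.0.6",
    "resolved": REGISTRY + "string-utils/-/string-utils-1.0.6.tgz",
    "integrity": "sha512-base64D", "hasInstallScript": True})    # bump + install hook
pk["node_modules/color-term"] = {"version": "3.1.0",
    "resolved": "git+ssh://git@github.com/example/color-term.git#abc123"}  # no integrity
pk["node_modules/tiny-helper"] = {"version": "0.0.1",
    "resolved": REGISTRY + "tiny-helper/-/tiny-helper-0.0.1.tgz",
    "integrity": "sha512-base64E"}                                # new transitive dep


def _packages(lock):
    """Return non-root, non-symlink entries of the packages map (v2/v3 only)."""
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 2 or 3 required (v1 has no packages map)")
    return {p: m for p, m in lock["packages"].items() if p and not m.get("link")}


def audit_lockfile_change(old_lock, new_lock, registry=REGISTRY):
    """Return sorted (package, finding, detail) tuples for a lockfile update."""
    old, new = _packages(old_lock), _packages(new_lock)
    findings = []
    for path, meta in new.items():
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        version = meta.get("version", "?")
        prev = old.get(path, {})
        if not meta.get("integrity"):
            findings.append((name, "integrity-missing", resolved or "(none)"))
        if resolved and not resolved.startswith(registry):
            findings.append((name, "non-registry-source", resolved))
        if meta.get("hasInstallScript") and not prev.get("hasInstallScript"):
            findings.append((name, "install-script-added", version))
        if not prev:
            findings.append((name, "new-package", version))
        elif prev.get("version") != version:
            findings.append((name, "version-changed", f"{prev.get('version')} -> {version}"))
        elif meta.get("integrity") and prev.get("integrity") != meta.get("integrity"):
            # Same version string but a different tarball hash: the published
            # artifact was replaced or the lockfile was hand-edited. Block this.
            findings.append((name, "same-version-new-integrity", meta["integrity"]))
    for path in old.keys() - new.keys():
        findings.append((path.rsplit("node_modules/", 1)[-1], "removed", old[path].get("version", "?")))
    return sorted(findings)


BLOCKING = {"same-version-new-integrity", "non-registry-source", "integrity-missing"}


def gate(findings):
    """CI decision: hard-fail on tampering signals, route version bumps, new
    packages and new install scripts to a human reviewer."""
    blocked = [f for f in findings if f[1] in BLOCKING]
    review = [f for f in findings if f[1] not in BLOCKING]
    return blocked, review


if __name__ == "__main__":
    blocked, review = gate(audit_lockfile_change(BASELINE, CANDIDATE))
    for f in blocked:
        print("BLOCK ", *f)
    for f in review:
        print("REVIEW", *f)
```

In a pipeline the two arguments would be `json.load()` of the committed lockfile and of the lockfile the pull request proposes. The "same version, new integrity" case is the one a registry compromise produces and the one a human diff reviewer skims past, which is why it is a hard block rather than a review item; a version bump on a package downloaded a hundred million times a week is routine and only needs eyes on it. Running `npm ci --ignore-scripts` in CI removes the install-hook execution path entirely, and the `install-script-added` finding tells you which package now wants one.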
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.