1. The 2025 threat landscape
2025 marked a major turning point as the scale and nature of cyberattacks in Vietnam grew far more complex. Data from VNETWORK's 2026 Vietnam Cyberattack Report shows that attackers are increasingly abusing AI to automate the entire destructive process, from scanning targets and timing strikes to coordinating millions of bots simultaneously and shifting tactics in real time based on how defenses respond.
As data risk and financial losses climb at the same pace, cybersecurity is no longer just a technical department's concern. This is why regulators have continued tightening the legal framework through Decree 53/2022/ND CP and the new Cybersecurity Law, placing businesses in a position where upgrading their systems is now a direct compliance obligation, not an option.
Key figures: Vietnam cybersecurity in 2025
- 2,364,118 attack events blocked over the year, equivalent to 6,480 attacks per day
- 46% of attack events showed signs of AI use (1,092,441 events)
- 37.2% of total internet traffic was bot traffic, with nearly 864 billion bot requests
- Over 1.8 billion data records leaked; more than VND 6,000 billion in losses from online fraud
- Credential attacks led all attack methods: 685,912 events (25.1%)
- Web exploits ranked second: 543,247 events (19.9%)
- DDoS: 512,438 attacks, peaking at 1.89 Tbps (18.7%)
- Bot abuse: 425,384 events (15.6%)
- Phishing: 357,901 events (13.1%)
- Malware: 210,236 events, the lowest share but the heaviest impact (7.7%)
- Nearly 4.6 million malicious emails blocked, equivalent to 529 emails per hour
- 69% of malicious emails were phishing emails (3,198,742 events)
- 882,937 phishing emails and events showed signs of being AI generated
- Only 33.7% of businesses have fully deployed a defense in depth model
- Only 22.1% of businesses have centralized monitoring systems
- Only 8% of businesses conduct periodic internal access reviews
- Only 16.3% of businesses fully comply with personal data protection policy
- DDoS botnets are forecast to exceed 2 Tbps in 2026

2. Common cyberattack methods in 2025
To build an effective defense strategy, businesses cannot just look at overall attack volume; they need to break down each specific method. Below are the six most common attack types recorded in Vietnam, ranked by frequency.

2.1 Credential attacks
Credential attacks rank first in both volume and severity in Vietnam today, accounting for 25.1% of all events recorded by security systems. The trend follows a simple logic: breaching a firewall requires significant technical resources, while stealing an account does not. Once a set of credentials is exposed, automated systems can test it across dozens of platforms within minutes.
The most common tactic in this category is credential stuffing. Attackers use bots to test thousands of credentials leaked from prior data breaches against target systems. Because the credentials are genuine, this approach achieves a far higher success rate than traditional brute forcing. Worse, the system logs it as a legitimate session, so no anomaly alert is triggered.
After breaking in, attackers typically lie low and perform lateral movement, quietly escalating from a low privilege account to a higher one over weeks or months. This is why many organizations only discover an incident long after the damage has already been done.
Data from the Vietnam Enterprise Cybersecurity Landscape Report 2026 makes this gap clear: only 8% of businesses conduct periodic internal access reviews, and as many as 33.7% of organizations have yet to adopt role based access control (RBAC). The result is that a single compromised account can let damage spiral out of control almost instantly. In the digital era, digital identity has become every organization's new point of failure.
Closing this gap comes down to operational discipline built on three core actions: deploying MFA across all critical accounts, actively monitoring for abnormal login behavior, and continuously revoking excess access privileges. When a credential attack succeeds, how severe the damage becomes depends entirely on detection speed, not on the sophistication of the technique.
2.2 DDoS attacks
With 512,438 DDoS attacks recorded in 2025, accounting for 18.7% of total events and peaking at 1.89 Tbps, DDoS remains a top tier threat. However, the most concerning shift is not in scale but in how attackers are now using this method. Misunderstanding the role DDoS plays in the modern threat landscape is leading many organizations to invest their defenses in the wrong place.
DDoS no longer operates in isolation with the sole goal of taking a system offline. Over the past year, many campaigns have used DDoS as a smokescreen to paralyze infrastructure and pull a security team's full attention away. While responders are distracted, attackers exploit the opening to quietly target application level vulnerabilities in parallel. So a website going down is only the tip of the iceberg; the more dangerous script plays out quietly behind the scenes.


Multi vector attacks are also becoming more common as attackers combine several techniques at once rather than relying solely on traditional bandwidth flooding. Real data shows protocol attacks accounting for 32.4% of cases, volumetric attacks for 26.7%, attacks targeting web applications and APIs (application layer attacks) for 23.1%, and the remaining 17.8% as multi vector attacks combining all of the above. This coordination amplifies the damage and makes classification and response considerably harder for businesses.
Notably, 234,918 DDoS attacks showed signs of AI coordination. This technology lets attacker systems automatically track a target's defensive response and shift tactics in real time, for example switching immediately to an application layer attack the moment bandwidth based traffic is blocked by a security filter. This is also why traditional DDoS defenses built on static rules are increasingly losing ground against this new generation of attacks.
2.3 Email based attacks
VNETWORK's security systems blocked nearly 4.6 million malicious emails in 2025, equivalent to a constant pressure of 529 emails per hour and 12,704 emails per day. Malicious emails made up 29.7% of total email traffic, meaning roughly 3 out of every 10 emails reaching a business carried a potential threat. Email remains attackers' most effective channel because it exploits the human factor directly, something no technical patch alone can fix.
Breaking this down further, phishing emails dominated the category at 69%, or 3,198,742 events. These emails typically mimic banks, e commerce platforms, or colleagues to trick victims into handing over login credentials. The next most common categories were malware attachments at 18.2%, business email compromise (BEC) at 7.6%, and credential harvesting at 5.2%.
A notable variant that emerged this year is QR phishing (quishing), with 161,121 recorded cases. Attackers embed a malicious QR code directly in an email to lure users to fake pages on their mobile devices. This technique fully bypasses traditional URL based filters, especially since mobile users tend to be less vigilant.


The threat is amplified further by the rise of AI generated phishing. VNETWORK recorded close to 883,000 phishing emails created with AI, personalized with precise detail down to a target's name, title, and real work context, making even experienced employees susceptible to being fooled.
Separately, business email compromise (BEC) raises serious concern because of its direct financial impact. By impersonating a company's leadership or a strategic partner to push for an urgent wire transfer, attackers do not need to deploy any malware at all. A single convincing, well timed script is enough for one BEC incident to cause losses ranging from hundreds of millions to tens of billions of Vietnamese dong.
2.4 Bot abuse and web exploits
Bot abuse accounted for 425,384 recorded events, or 15.6% of all attacks. To assess the real severity, businesses need to distinguish between bot types, since not every bot on the internet has malicious intent. In practice, legitimate bots such as search engine crawlers make up only 10.4% of traffic. Malicious bots, on the other hand, account for 26.8% and are typically run by sophisticated botnets capable of controlling millions of devices across the internet, from infected computers to poorly secured IoT devices.
Within this malicious bot category, credential stuffing via bots accounts for the largest share at 33.9%, serving as a direct bridge into the credential attacks discussed earlier. Next come web scraping for pricing or user data theft at 22.7%, automated vulnerability scanning at 17.3%, layer 7 DDoS attacks at 15%, and automated spam at 11.1%.
Even more concerning, many botnets are now AI enhanced to perfectly mimic real user behavior. They know how to vary the timing between requests, move the mouse randomly, and continuously rotate user agents, neutralizing traditional detection barriers, including CAPTCHA.

At the same time, web exploits accounted for 19.9% of events, or 543,247 cases, concentrated heavily on fintech and e commerce platforms. Techniques such as SQL injection, XSS attacks, or exploitation of unpatched vulnerabilities are often the result of a software development process lacking regular security testing, letting vulnerabilities sit silently in the codebase until attackers find them.
Specifically in the Vietnamese market, SEO poisoning through malicious backlink injection is surging. Attackers exploit unmoderated registration forms or vulnerable plugins to take over a website's admin panel and then stuff illegal gambling and betting keywords into it. This is a direct hit on both brand reputation and Google search rankings, causing long term damage that can be even more severe than a typical technical breach.
2.5 Phishing attacks
With 357,901 events recorded in 2025, phishing accounted for 13.1% of all cyberattacks. This figure should be read alongside a core reality: phishing is no longer a standalone method but has become the entry point for most complex attack chains. Credential attacks, ransomware, and BEC fraud largely trace back to a single successful phishing link. Understanding phishing, then, means understanding the starting point of most serious security incidents today.
Phishing in 2025 has also long moved beyond the inbox. It now surrounds users on every front, from SMS (smishing) and QR codes (quishing) to social media, messaging apps, and fake pages impersonating legitimate cloud services like Google Drive or SharePoint. Attackers deliberately abuse the infrastructure of these trusted services to host fraudulent pages, exploiting the fact that filtering systems often let traffic from reputable domains pass through without close inspection.
The rise of AI generated phishing is completely changing the security game. VNETWORK recorded 882,937 phishing events showing signs of being AI assisted or fully AI generated. Beyond simply polishing content to be more convincing, AI lets attackers personalize scripts at mass scale. Each malicious message can be automatically tailored to the recipient's name, title, company, industry, and even mimic the writing style of the impersonated sender. A sophisticated campaign that once took weeks to craft can now be deployed at scale within hours.
Beyond technology, social engineering tactics within phishing campaigns are becoming highly refined. Attackers thoroughly research targets, from LinkedIn profiles to leaked internal announcements, to build highly credible scripts that reference the right project names, the right partners, or the right sensitive moment in a financial workflow.
The consequences of phishing do not stop at the initial data exposure. A fully compromised account can be used to spread phishing internally. When an email arrives from a familiar colleague's address, employees tend to drop their guard, letting the infection loop spread rapidly if the organization lacks comprehensive email behavior monitoring.
2.6 Malware
Systems recorded 210,236 malware events in 2025. In terms of process, malware typically only appears at a later stage, after a phishing attempt has succeeded, a credential attack has opened the door, and the attacker has had time to position deep inside the internal network. Its appearance deep within infrastructure explains why malware tends to cause the most severe and hardest to remediate damage for businesses.
In 2025, many dangerous ransomware campaigns began with malware loaders distributed via phishing emails. These tools lie dormant for weeks while mapping the network before triggering encryption or quietly building a permanent backdoor. By the time an organization discovers the incident, the real damage and recovery cost typically far exceed initial estimates.
Another worrying trend is the growing prevalence of polymorphic malware, which can rewrite its own signature after every execution. This renders traditional signature based antivirus systems effectively blind, since the new variant has never existed in any database. AI is now letting attackers generate new malware variants at a pace that completely outstrips the update cycles of conventional scanning software.
Alongside ransomware, the malware landscape this year also included trojans, spyware, backdoors, and notably infostealers. This category of credential stealing malware is especially dangerous in the remote work era, quietly harvesting login credentials, session cookies, and browser data, letting attackers gain access to a wide range of systems without ever having to crack an original password.
This is why the key to defending against malware lies in response speed, not just detection. Every day malware remains hidden inside a system is another day a business's potential losses compound. In practice, organizations equipped with EDR combined with behavior monitoring consistently catch anomalies far earlier than those relying solely on legacy antivirus software.
3. How well are Vietnamese businesses actually defending themselves?
A survey of more than 500 IT leaders and CISOs conducted as part of the Vietnam Enterprise Cybersecurity Landscape Report 2026 reveals a sobering reality. Looking only at individual figures, the defensive picture seems fairly solid: 81.1% of businesses have deployed a firewall, 60% have rolled out EDR, and 72.1% maintain regular employee training.
However, once you assess how well these pieces work together, the numbers tell a very different story. Only 33.7% of businesses have actually deployed a full defense in depth model across their entire system. Most of the rest are running disconnected, fragmented security pieces. The biggest gap today is not a lack of tools, but tools operating in isolation, inadvertently creating ideal openings for attackers to exploit.
3.1 The actual state of security deployment
Most organizations' natural instinct is to defend the perimeter first. That is why the perimeter layer receives the heaviest investment, with 81.1% of businesses owning a firewall and 44.7% running an IDS/IPS. However, pouring all resources into the "outer ring" is now outdated, as today's attackers increasingly favor AI and prefer using legitimate accounts to walk straight through the front door. While 52.1% of organizations have tightened MFA for remote access via VPN or RDP, 16.3% of businesses are still leaving this critical control wide open.
Internally, figures like 71.6% of businesses having implemented network segmentation or 61.6% applying AES 256 encryption sound encouraging. Yet these safeguards become meaningless if a system cannot detect an intruder in time, and this is precisely the fatal weak point for most businesses today.
3.2 The most dangerous gaps
The lack of integration means only 22.1% of businesses have centralized monitoring systems. In other words, nearly 8 out of 10 organizations are operating their networks completely reactively when it comes to what happens inside their own perimeter. When malware rides in on a stolen account and lies dormant for weeks, the absence of full visibility costs a business its golden window to stop an incident early.
Even more alarming, only 8% of businesses maintain periodic internal access reviews. Forgetting to deactivate old accounts belonging to former employees or staff who have switched departments inadvertently leaves a master key lying around for attackers. An attacker does not need to break down the door when the business has already left the key out for them.
Beyond technical gaps, legal risk is also mounting, with more than 83% of organizations yet to finalize a personal data protection policy aligned with the new Law No. 91/2025/QH15. The gap between regulation and practice remains wide, with 30.5% of businesses still stuck at the planning stage and 21.1% not having taken any action at all.
In the end, the biggest barrier preventing businesses from optimizing security effectiveness is not technology but the challenge of allocating operational resources, cited by 42.1% of respondents, paired with a shortage of deep expertise, cited by 38.4%. Even a heavily funded security system struggles to deliver its full protective value without a long term maintenance plan and a dedicated team monitoring it continuously.
4. Which industries were hit hardest by cyberattacks in 2025?
The impact of cyberattacks over the past year varied sharply across sectors. The data reveals a clear pattern: industries undergoing rapid digital transformation, running large scale online transaction systems, and storing large volumes of sensitive data tend to be the prime targets for cybercriminals.

Below is an overview of the sectors under the most pressure, along with the security risks specific to each industry's operating model:
- Financial services (22.4%): With large cash flows and invaluable customer data stores, online banking systems, e-wallets, and stock trading platforms remain top targets. Attackers often use DDoS storms to take down transaction gateways, paired with sophisticated phishing campaigns to hijack user accounts.
- E commerce (20.0%): This is the fiercest battlefield for malicious bots. Given the massive volume of transactions and product data, attackers deploy bots to scrape pricing data for unfair competitive advantage, brute force passwords to hijack accounts, or launch DDoS to choke the network during peak promotional windows.
- Media (16.1%): Content platforms and digital news outlets are defined by enormous traffic volumes and the need for uninterrupted uptime. This weakness makes the media sector especially vulnerable to large scale denial of service (DDoS) attacks.
- Manufacturing (14.7%): Manufacturing's governance systems and supply chains involve numerous small links and intermediary partners. Attackers often choose a bridging approach, bypassing large corporations directly and instead breaching smaller, weakly secured suppliers to work their way into the core network.
- Education (13.8%): Schools and educational institutions hold massive volumes of personal records for students, yet their security infrastructure tends to be thin. This makes the education sector an ideal target for account takeover scams or ransomware targeting proprietary research materials.
- Travel (11.2%): Because booking and hotel systems must publicly display pricing and availability, they become an attractive target for automated data scraping. Attackers and competitors alike use bots to harvest promotional offers, flight prices, and room availability for profit or to disrupt business operations.
5. AI is reshaping the game on both sides
Nearly 46% of all cyberattacks in Vietnam in 2025 involved AI, equivalent to more than 1.09 million recorded events. This figure is the clearest evidence yet that AI has become the cutting edge weapon rewriting the rules of engagement for both sides.
- On the offense: AI lets attackers automate the entire destructive lifecycle. Specifically, it now handles 27% of vulnerability scanning, coordinates 22% of botnet activity, generates 19% of phishing campaigns, contributes to 18% of tactical adjustments, and develops 14% of malware variants. This capability lets attackers easily bypass traditional antivirus defenses through the constant, automatic rewriting of malicious code structure.
- On the defense: AI WAF solutions and behavioral analysis technology are becoming a mandatory shield. Rather than waiting on outdated signature patterns, AI learns from real world data to build a baseline of normal behavior. Any deviation, such as an account accessing the system at 3 a.m. from an unfamiliar location to pull sensitive files, gets flagged immediately. AI also automatically filters alert noise at the SOC, performs deep context analysis on email, and triggers real time device quarantine for malicious activity.
With attackers needing less than 5 days to exploit a newly discovered vulnerability, human response times measured in minutes have become far too slow. Businesses can no longer rely on manual processes to counter automated attacks. That said, defensive AI is entirely powerless without an organization having comprehensive monitoring and access control infrastructure in place.

6. Cybersecurity trends to watch in 2026
The 2025 data is not just a record of what happened. It is also a signal of what's coming. The five trends below are drawn from an analysis of attack trajectories and the current technology landscape.
- Widespread AI weaponization: AI will autonomously run the entire attack lifecycle, from reconnaissance and intrusion to exploitation and maintaining access, fully automated and adapting in real time. That pace will far outstrip manual response unless defenses are automated to match.
- Identity based attacks escalating: Credential stuffing will increasingly leverage major data breaches to drive more intense attack waves. The Zero Trust model with continuous authentication will shift from an option to a mandatory standard, even for internal users.
- APIs and the supply chain as the new weak point: A single API misconfiguration can expose data for millions of users without ever breaching the main server, and a single point of entry into a SaaS provider or open source library can ripple out to thousands of organizations.
- DDoS attacks surpassing 2 Tbps: The expanding pool of unsecured IoT devices is driving DDoS intensity forecasts past this threshold, requiring DDoS defense infrastructure capable of absorbing and filtering traffic right at the edge before it ever reaches origin servers.
- Regulatory compliance becoming a strategic priority: The Cybersecurity Law No. 116/2025/QH15 and the Personal Data Protection Law No. 91/2025/QH15 place direct legal accountability on business leadership. Security is no longer just an IT department issue; it is now a board level risk governance matter.
7. Recommendations for businesses
The data confirms that the cybersecurity environment is shifting at a breakneck pace. Attacks are becoming more automated, larger in scale, and increasingly aimed directly at an organization's core infrastructure. Against this backdrop, businesses must shift their mindset, moving from a passive defensive posture that waits for an incident before reacting to a proactive security model that protects business continuity in the digital space.
The recommendations below are built on globally respected security standards, including NIST CSF, ISO/IEC 27001, and the CIS Critical Security Controls, with an emphasis on layered defense, rigorous risk governance, and continuous monitoring.
- Deploy layered security: Businesses need a multi layered security architecture to defend against complex attack methods. This model requires full alignment across network infrastructure, web applications, APIs, email systems, endpoints, and user behavior management, in order to surround and stop attackers at every stage of intrusion.
- Adopt the Zero Trust model: Zero Trust's core principle is to trust no one by default. Every access request, whether it originates from inside or outside the internal network, must be continuously authenticated. By combining multi factor authentication (MFA), network segmentation, and behavior monitoring, this model minimizes the risk from account takeover attack waves.
- Protect web and API: Web applications and API gateways are now top targets, requiring businesses to deploy dedicated solutions such as a WAF, an API gateway, and automated bot detection systems. Combining rate limiting policy with regular security testing helps organizations proactively patch latent vulnerabilities before they are exploited.
- Deploy 24/7 security monitoring: To minimize potential damage, businesses need to maintain continuous monitoring through a Security Operations Center (SOC) model to detect anomalies early and trigger rapid response. For organizations without a dedicated in house team or facing budget constraints, the optimal solution is to outsource SOC services to a reputable provider. This approach gives an organization a deep, around the clock security shield while relieving the operational burden on the internal IT team.
8. Conclusion
The current technology landscape confirms that cybersecurity is no longer just a technical department's concern; it is a strategic question that determines a business's survival. As attackers shift to fully automating their destructive processes with AI and striking with relentless frequency, the question facing leadership today is no longer whether a system will be breached, but how quickly the organization will detect it and how long it will take to restore operations.
To help businesses take control and break attack waves early, rather than exhausting themselves chasing the aftermath, VNETWORK delivers a comprehensive security ecosystem covering Web, App, API, and Email. Contact VNETWORK today for in depth consultation and to build a robust, defense architecture optimized for your organization's operating model.
FAQ — Frequently asked questions
1. How does Vietnam's 2025 cybersecurity landscape differ from previous years?
The biggest difference is that nearly 46% of attack events showed signs of AI use to automate the entire attack lifecycle, from target reconnaissance to botnet coordination and real time tactical shifts. The line between ordinary cybercrime and targeted advanced persistent threat (APT) campaigns is also blurring, with campaigns timed precisely to a business's most vulnerable moments.
2. Which cyberattack method was most common in Vietnam in 2025?
Credential attacks led with 25.1% of total incidents, reflecting attackers' preference for stealing accounts over breaching technical infrastructure. Web exploits, DDoS, bot abuse, phishing, and malware followed, with DDoS commonly used in combination with other methods as part of a multi layered campaign rather than operating alone.
3. Why are Vietnamese businesses still vulnerable despite investing in security?
The issue is not a lack of solutions but a lack of integration between defensive layers. Only 33.7% of businesses have fully deployed a layered security model, 22.1% have centralized monitoring, and 8% conduct periodic access reviews, severely limiting their ability to detect and respond to incidents.
4. What should businesses do to defend effectively against email attacks?
Businesses need multi layered email security combined with behavioral analysis to detect phishing and BEC, since traditional filtering is no longer sufficient against AI generated phishing and QR phishing. Alongside this, businesses should train employees to recognize fraudulent emails and add verification steps for important financial transactions.
5. Which cybersecurity trend deserves the most attention in 2026?
2026 will see full scale AI weaponization as attackers automate the entire attack lifecycle, identity and supply chain attacks continue to escalate, and botnets are forecast to surpass 2 Tbps. At the same time, new regulations are turning security compliance into a direct responsibility for business leadership.