Welcome to our weekly threat intelligence briefing for the week ending 26 April 2026. As a senior penetration tester, part of my daily routine involves analysing the rapidly shifting attack surface to understand how adversaries are operating in the wild. Over the last seven days, the Australian cyber threat landscape has seen an aggressive industrialisation of cybercrime. Adversary behaviour is increasingly pivoting away from traditional perimeter attacks, focusing instead on complex API integrations, unpatched IoT edge devices, cloud supply chains, and the hasty deployment of AI systems.
Worryingly, recent industry data highlights a severe resilience gap: while the majority of ANZ organisations believe they can detect an attack, over 70 per cent lack a tested incident response or business continuity plan. As recent events show, detection is now table stakes; resilience is the true differentiator.
Here is a deep dive into the current threats, prominent actors, and newly exploited vulnerabilities impacting Australian organisations this week.
Sector-Specific Threat Analysis
Government & Critical Infrastructure
On 23 April 2026, the Australian Cyber Security Centre (ACSC) issued a joint Five Eyes advisory regarding China-nexus threat actors. These state-sponsored adversaries are leveraging covert networks of compromised edge devices and IoT infrastructure (such as the "Raptor Train" network) to disguise the origin of their attacks and bypass geo-blocking defences. Domestically, the insider threat was also highlighted when a NSW Government Treasury staffer was charged following a significant data breach.
FinTech
In a landmark regulatory shift, cyber resilience in FinTech is now strictly enforced as a licence-to-operate condition. This week, the Federal Court ordered FIIG Securities to pay a $2.5 million civil penalty following a 2023 cyber incident that compromised client data. From an adversary simulation perspective, financial platforms remain prime targets for API logic flaws and credential stuffing.
Healthcare
The healthcare sector remains in the crosshairs of aggressive ransomware syndicates. This week, the Bendigo & District Aboriginal Co-operative (BDAC) confirmed a cyber incident linked to the INC Ransom operation. Threat actors continue to exploit the critical nature of healthcare services to force rapid extortion payouts.
SaaS Providers & Developers
The ACSC released a high-priority alert detailing the ongoing targeting of online code repositories. Threat actors are gaining access via phishing, social engineering, and compromised authentication tokens to execute supply-chain attacks. Once inside, adversaries run open-source tools to scan for cryptographic secrets, modify public packages, and migrate private repositories to the public domain.
eCommerce
Supply chain vulnerabilities continue to plague the eCommerce sector. A confirmed third-party breach impacting Booking.com exposed Australian customer names, emails, and booking details, leading to highly targeted phishing campaigns against consumers.
Education/EdTech
Large distributed educational networks are increasingly susceptible to unpatched infrastructure vulnerabilities. CISA recently added multiple Cisco Catalyst SD-WAN Manager flaws (including CVE-2026-20122 and CVE-2026-20128) to its Known Exploited Vulnerabilities (KEV) catalog on 20 April 2026. Educational institutions relying on these systems must prioritise patching to prevent unauthorised system access and arbitrary file overwriting.
IoT (Internet of Things)
IoT devices remain a fragile perimeter. On 25 April 2026, CISA warned of active exploitation of D-Link DIR-823X series routers (CVE-2025-29635, CVSS 7.5) and Samsung MagicINFO 9 Servers (CVE-2024-7399, CVSS 8.8). Threat actors are leveraging these path traversal and command injection vulnerabilities to deploy Mirai botnet variants, such as "tuxnokill," incorporating Australian devices into massive denial-of-service swarms.
Exploited Vulnerabilities: Web Apps, APIs, Cloud & AI
Web Applications & APIs
Missing authorisation in APIs is a critical attack vector we frequently exploit during penetration testing. On 25 April 2026, a critical vulnerability in the remote support software SimpleHelp (CVE-2024-57726, CVSS 9.9) was added to the KEV catalog. This flaw allows low-privileged technicians to create API keys with excessive permissions, escalating their access to server admin roles. It was accompanied by CVE-2024-57728, a "zip slip" path traversal flaw allowing arbitrary code execution.
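The two SimpleHelp flaw classes above, missing server-side authorisation on API key creation and a "zip slip" archive extraction, illustrated as an added example (not SimpleHelp's code). The role model, function names and paths are constructed for the example; the point is that the server, not the caller, decides what privilege a new key may carry and where an archive member may land.

```python
import os
import secrets

# Constructed role model for this example; it is not SimpleHelp's real permission scheme.
# A higher rank means more privilege.
ROLE_RANK = {"technician": 1, "admin": 2, "server_admin": 3}


def can_issue(caller_role: str, requested_role: str) -> bool:
    """An API key may never carry more privilege than the account that mints it."""
    if caller_role not in ROLE_RANK or requested_role not in ROLE_RANK:
        return False
    return ROLE_RANK[requested_role] <= ROLE_RANK[caller_role]


def create_api_key_vulnerable(caller: str, caller_role: str, requested_role: str) -> dict:
    """Missing authorisation: the requested role is trusted as supplied, so a
    technician can mint a server_admin key for themselves."""
    return {"owner": caller, "role": requested_role, "token": secrets.token_urlsafe(32)}


def create_api_key_hardened(caller: str, caller_role: str, requested_role: str) -> dict:
    """Server-side check: refuse any key whose role outranks the caller's own role."""
    if not can_issue(caller_role, requested_role):
        raise PermissionError(f"{caller} ({caller_role}) may not issue a {requested_role} key")
    return {"owner": caller, "role": requested_role, "token": secrets.token_urlsafe(32)}


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Zip slip guard: the resolved extraction path must stay inside dest_dir.
    Rejects '../' sequences and absolute member names alike."""
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, member_name))
    return os.path.commonpath([root, target]) == root


def safe_extract_path(dest_dir: str, member_name: str) -> str:
    """Return the path an archive member may be written to, or raise on traversal."""
    if not is_safe_member(dest_dir, member_name):
        raise ValueError(f"zip slip attempt: {member_name!r} escapes {dest_dir!r}")
    return os.path.realpath(os.path.join(os.path.realpath(dest_dir), member_name))
```

Call `is_safe_member` for every entry of a `zipfile.ZipFile` before extracting it; `extractall` on untrusted archives without such a check is the bug class CVE-2024-57728 belongs to.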
Cloud Systems
Identity is the new cloud perimeter. Threat actors are aggressively exploiting cloud misconfigurations and weak identity access management (IAM) policies. The active scanning of GitHub and GitLab environments for hardcoded AWS and Azure keys highlights the critical need for secrets management and robust cloud posture auditing.
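The repository secret scanning described in the SaaS Providers & Developers and Cloud Systems sections, run from the defender's side as an added example (not the ACSC's or any named tool's code). The patterns, the placeholder allowlist and the sample repository contents are constructed for the example; a real scanner such as gitleaks carries a far larger rule set, but the structure is the same.

```python
import re

# Detection patterns, constructed for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws.{0,30}?secret.{0,30}?['\"]([A-Za-z0-9/+=]{40})['\"]"),
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
}

# Values AWS publishes as documentation placeholders; flagging them is noise.
KNOWN_EXAMPLE_VALUES = {"AKIAIOSFODNN7EXAMPLE"}

# Constructed repository contents standing in for a checked-out tree.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0000000AB"\n'
        'AWS_SECRET_ACCESS_KEY = "c0nstructedSecretValueForDemo/1234567890"\n'
        "DEBUG = True\n"),
    "deploy/azure.env": (
        'AZURE_STORAGE_CONNECTION_STRING="DefaultEndpointsProtocol=https;AccountName=demo;'
        "AccountKey=" + "A" * 86 + '==;EndpointSuffix=core.windows.net"\n'),
    "README.md": "Keys come from the environment. Docs placeholder: AKIAIOSFODNN7EXAMPLE\n",
}


def redact(value: str) -> str:
    """Keep only enough of the value to locate it; never log the full secret."""
    return value[:4] + "..." + value[-4:]


def scan_text(path: str, text: str) -> list:
    """Return one finding per matched pattern per line, with the value redacted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if pattern.groups else m.group(0)
                if value in KNOWN_EXAMPLE_VALUES:
                    continue
                findings.append({"path": path, "line": line_no, "kind": kind,
                                 "match": redact(value)})
    return findings


def scan_files(files: dict) -> list:
    """Scan a {path: contents} mapping, e.g. built from `git ls-files` output."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings
```

Wire the same function into a pre-commit hook or CI step over staged content, and treat any hit as a key to rotate, not merely a line to delete, since the value is already in history.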
AI Systems
The integration of Artificial Intelligence is vastly expanding the attack surface. This week, the Australian Government confirmed it is working with Anthropic following the limited preview of its "Mythos AI" model. Designed for defensive cybersecurity, Mythos successfully uncovered "thousands" of major zero-day vulnerabilities across every major operating system and web browser. While AI will equip defenders with powerful code-auditing capabilities, autonomous AI agents are also expected to dramatically accelerate the pace of sophisticated cyberattacks. Furthermore, "Shadow AI", the unauthorised use of AI tools by employees, is exposing organisations to massive data leakage and prompt injection risks.
Summary
As adversaries automate their attack chains and aggressively target supply chain dependencies, organisations must shift from a purely defensive posture to proactive validation. Vulnerability management programmes must prioritise externally facing assets, properly authenticate internal APIs, and rigorously test cloud configurations.
Contact us for a quote for penetration testing service or adversary simulation.