This week’s reporting highlights a rapidly evolving cyber landscape where AI‑enabled malware, sophisticated social engineering, and critical infrastructure vulnerabilities are converging at scale. For Australian organisations—particularly in energy, telecommunications, financial services and software development—the threat picture continues to shift from isolated incidents to systemic, multi‑vector campaigns that exploit both people and technology. Maintaining resilience now depends on rapid patching, strict identity controls, and deep visibility across supply chains and development environments.

The Threats at the Gates

Attackers across the Asia‑Pacific and globally continued to deploy highly adaptive techniques. A major destructive campaign targeted energy infrastructure abroad, demonstrating how wiper malware can be used to disrupt essential services. In the region, blockchain engineers were targeted with AI‑generated PowerShell backdoors delivered through phishing channels, while corporate environments faced increased risk from SSO‑credential theft delivered through vishing operations.

Supply‑chain compromise remains a major concern, with malicious PyPI and npm packages delivering cryptominers and remote‑execution payloads. Compromised Visual Studio Code extensions were used to exfiltrate developer workspaces, highlighting the increasing value attackers place on build pipelines. Critical vulnerabilities—including authentication bypasses, remote‑execution flaws and unpatched infrastructure weaknesses—continue to be actively exploited across both IT and OT assets.

Australian transport systems were also in the spotlight after remote‑access exposures were identified in imported electric vehicles, reinforcing the need for proactive assurance of connected assets across fleets and public transport.

Key Categories

Critical Software Vulnerabilities and Exploits

This week presented a wave of high‑risk, actively exploited vulnerabilities across enterprise systems, cloud applications and industrial control equipment.

• Remote‑code‑execution flaws in collaboration and communications platforms were being weaponised in the wild.
• Authentication bypass weaknesses in firewall and SSO systems allowed attackers to generate persistent administrative access.
• A long‑standing flaw in legacy Linux tools resurfaced, enabling attackers to obtain root access on systems that had not disabled outdated services.
• Mail platforms suffered password‑reset and command‑execution weaknesses that attackers used to deploy web shells.
• AI and automation frameworks disclosed file‑read, SSRF and path‑traversal bugs, surfacing risks in increasingly common “agent”‑based workflows.
• Industrial systems from multiple major vendors reported privilege‑escalation, DoS and remote‑execution vulnerabilities, particularly affecting energy, water, and manufacturing assets.

Business implication:
Patch cycles must become faster and more predictable, especially for public‑facing systems and OT environments where exploitation can impact physical operations.

Malware Development and Deployment

Several evolving malware campaigns were identified, many of which incorporate AI‑driven development or multi‑stage intrusion chains.

• AI‑generated Linux malware frameworks emerged, capable of long‑term stealth in cloud environments.
• Developer ecosystems were targeted with malicious VS Code extensions that harvested credentials, cryptocurrency wallets and clipboard contents.
• Fake job‑related repositories were used to deliver backdoors through compromised project templates.
• Ransomware operators deployed new variants using vulnerable‑driver techniques to evade detection and encrypt data.
• Multi‑stage phishing campaigns bundled Defender‑disabling utilities with RATs and ransomware, taking advantage of cloud‑hosted payloads.
• Silent installation of remote‑management tools gave attackers persistent footholds inside corporate networks.

Business implication:
Developer and cloud environments are now high‑value attack surfaces. Organisations must harden build pipelines, restrict extension installation, and monitor for unauthorised remote tools.

State‑Sponsored Cyber Attacks on Critical Infrastructure

State‑aligned threat groups continued aggressive campaigns targeting critical sectors worldwide.

• Destructive wiper malware was deployed against energy infrastructure, reinforcing geopolitical risks to essential services.
• Zero‑day exploits in enterprise platforms were used by multiple nation‑state groups to infiltrate networks and establish persistent access.
• Telecommunications networks across Asia and Europe were compromised using advanced Linux implants designed to relay traffic and mask attacker origins.
• Malware families linked to state actors were updated with new delivery vectors, including Rust‑based loaders and targeted spear‑phishing campaigns.

Business implication:
Australian critical‑infrastructure operators should validate OT backup integrity, strengthen IT/OT segmentation, and ensure monitoring extends to edge devices and remote‑access systems.

Phishing, Social Engineering and Account Takeovers

Identity‑centred intrusions continued accelerating, with attackers blending old and new techniques.

• Vishing operations impersonated IT helpdesks to capture MFA codes and SSO credentials.
• Business email compromise attacks abused trusted cloud‑sharing links to bypass user suspicion.
• Credential‑harvesting campaigns impersonated legitimate notification services to persuade users to install remote‑access tools.
• Browser‑extension scams crashed users’ browsers to push remote‑access malware.
• Job‑themed phishing delivered trojanised archives that sideloaded malicious DLLs into legitimate executables.
• Ransomware operators used multi‑stage phishing chains that hid payloads in seemingly benign business documents.

Business implication:
Identity is now the primary attack surface. Organisations must adopt phishing‑resistant MFA, enforce email authentication standards, and tightly restrict browser extensions and OAuth permissions.

Emerging AI‑Driven Security Threats

AI continues to accelerate both the capability and speed of cyber attackers.

• Generative AI was used to create obfuscated PowerShell backdoors targeting blockchain developers.
• AI‑assembled malware frameworks demonstrated how attackers can automate complex tooling.
• Agent‑based web browsers were found vulnerable to prompt‑injection and isolation bypass risks.
• AI orchestration services had flaws enabling arbitrary file access and server‑side request forgery.
• Chatbot frameworks disclosed vulnerabilities that could expose internal files or metadata.
• Calendar‑integrated AI assistants were susceptible to prompt‑injection that could leak private event data.

Business implication:
Any organisation adopting AI tools must enforce strict permission boundaries, patch promptly, and monitor for unexpected AI‑driven processes.

Recommended Business Actions

1. Prioritise patching for actively exploited vulnerabilities, especially those affecting communications tools, cloud management systems and industrial assets.
2. Adopt phishing‑resistant MFA (such as FIDO2) and enforce conditional‑access controls across all SSO platforms.
3. Audit browser extensions and developer tools, removing any unvetted or unnecessary add‑ons.
4. Strengthen supply‑chain governance, including dependency scanning, SBOM maintenance, and CI/CD access control.
5. Segment and monitor OT networks, ensuring strict separation from IT systems and validating backup integrity.
6. Implement AI governance controls that limit agent scopes, enforce human‑in‑the‑loop safeguards and restrict model access to sensitive data.
7. Rehearse incident‑response scenarios, including destructive‑wiper recovery and cloud‑identity compromise.