Allan Grant and Jordan Kavallaris | SOC Analysts | 1 May 2026
Three themes defined April.
These stories kept feeding into each other, and into a string of supply chain compromises, a busy month for Australian ransomware victims, a significant guilty plea by a member of the Scattered Spider collective, and a late-month rush of domestic regulatory activity.
On 7 April, six US federal agencies, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Environmental Protection Agency, the Department of Energy, and US Cyber Command, published a joint advisory confirming that Iranian-affiliated hackers had been actively compromising internet-facing industrial control systems across US critical infrastructure since at least March. (CISA)
The targeted sectors (water and wastewater, energy, and government facilities) reflect a deliberate effort to cause operational disruption rather than just steal data. In a number of confirmed cases, attackers manipulated what operators could see on their control screens and interacted directly with device configuration files, causing real-world disruption and financial losses at victim organisations.
What makes this campaign notable is that the attackers used the vendor's own legitimate software, Rockwell's Studio 5000 Logix Designer, to connect directly to exposed devices, with no requirement for custom malware or novel exploits. Compounding the problem is that thousands of industrial controllers that should never be reachable from the internet are directly accessible to anyone who knows where to look. Internet intelligence firm Censys identified 5,219 such devices exposed globally, with nearly 75% located in the US and many connected via basic cellular modems at water pumping stations and remote energy substations. (Censys)
The advisory landed on the same day President Trump issued stark public threats over the Strait of Hormuz, and with peace talks between the US and Iran having collapsed, the activity is likely to continue. (TechCrunch)
April confirmed that North Korea's cyber operations are deliberate, long-horizon, and well-resourced.
The most visible incident was a supply chain attack on Axios, a JavaScript library downloaded over 100 million times a week that sits inside roughly 80% of cloud and code environments. Attackers compromised a package maintainer's account and published two backdoored versions that silently installed malware across Windows, macOS, and Linux. The compromised versions were live for about three hours before being removed. (The Hacker News) Both Google and Microsoft attributed the attack to North Korean state-sponsored actors. This was compounded by over 1,700 further malicious packages planted across developer ecosystems during the same period: a coordinated assault with months of potential downstream consequences.
The crypto theft picture is starker still. A six-month infiltration of Drift Protocol, a decentralised cryptocurrency exchange, culminated in a theft of approximately $286 million on 1 April. Attackers posed as a legitimate quantitative trading firm for roughly six months: attending industry conferences in person, holding working sessions with the Drift team, depositing over $1 million of their own capital to appear credible, and then draining the protocol in under twelve minutes when they were ready. (CoinDesk) This was a well-planned operation that treated a financial institution as a long-term target.
A second major crypto theft also landed in April. The KelpDAO breach exploited a structural flaw in a cross-chain bridge and resulted in losses of approximately $292 million. Together, these two attacks account for around 76% of all global cryptocurrency hack losses in the first four months of 2026, and North Korea's cumulative crypto theft since 2017 now exceeds $6 billion. (TRM Labs)
On a lighter note, a novel but unconventional interview tactic is gaining traction for filtering North Korean operatives out of remote IT hiring pools: asking candidates to insult Kim Jong Un. State-conditioned operatives often hesitate or refuse, revealing a behavioural flag that conventional identity checks would miss. (MSN) Experts note it should supplement rather than replace proper background verification.
On 7 April, AI company Anthropic published a detailed technical assessment documenting the cybersecurity capabilities of its latest model, Claude Mythos Preview. (Anthropic) The headline finding was that during internal testing, Mythos autonomously discovered and exploited previously unknown software vulnerabilities across every major operating system and web browser. These capabilities emerged as a downstream consequence of general improvements in how the model reasons about and writes code. In one documented case, the model chained four separate vulnerabilities to escape the security boundaries of both a browser and the underlying operating system, a level of sophistication historically associated with nation-state offensive programmes. Engineers with no formal security background could prompt the model overnight and wake up to a working exploit.
Rather than releasing the model publicly, Anthropic launched Project Glasswing, a controlled consortium giving access to selected defenders including AWS, Apple, Microsoft, Google, CrowdStrike, and JPMorgan Chase, with the goal of putting Mythos's discovery capability to work finding and fixing critical vulnerabilities before attackers develop equivalent tools. (Anthropic) Anthropic estimates comparable capabilities will emerge from other AI labs within six to eighteen months.
The Australian Signals Directorate (ASD) in April published specific guidance on frontier AI models and their cyber security implications, which is worth reviewing alongside these developments. (ASD)
Security around the model itself has not been airtight. Bloomberg reported on 21 April that a small group of users in a private Discord channel accessed Mythos on the day of its announcement, exploiting access through a contractor account and guessing the model's location based on Anthropic's known URL naming patterns. (Bloomberg) Anthropic confirmed the activity appears contained to a vendor environment. Separately, Anthropic suffered an unrelated lapse: source code and over half a million lines of code associated with its Claude Code product were briefly exposed in a publicly accessible cache for approximately three hours. (The Hacker News)
Whether Mythos represents a genuine capability step change or partly reflects competitive positioning in the AI market, the downstream conversation it has generated is real. The Australian Prudential Regulation Authority (APRA), the Association of Superannuation Funds of Australia (ASFA), the US Treasury, and the UK's National Cyber Security Centre (NCSC) all referenced frontier AI model risk in April. The question organisations face now is not whether this class of capability matters, but how quickly they can build the governance and patching velocity to respond to what it surfaces.
The UK's National Cyber Security Centre (NCSC), the government body responsible for the UK's cyber defence, published a warning on 2 May. (NCSC) (The Register) The NCSC's chief technology officer warned that AI-fuelled vulnerability discovery is about to flush out years of accumulated technical debt, creating a wave of newly disclosed flaws arriving faster than most security teams can realistically deal with them.
The mechanism is already visible in the Mythos announcement. Anthropic's model found a 27-year-old vulnerability in OpenBSD and a 17-year-old remote code execution flaw in FreeBSD's network file server autonomously, in hours. The same class of capability, whether developed by AI companies, competitors, or eventually criminal groups, will increasingly do this at scale across the software the world runs on. The NCSC's practical guidance is direct: shrink your internet-facing attack surface now, prioritise perimeter systems first and work inward, prepare to patch quickly and at scale, and replace end-of-life systems rather than maintaining them indefinitely.
For Australian organisations this warning lands alongside APRA's call to tighten patching timelines and the ASD's guidance on frontier AI model risk. They are all pointing at the same thing. The window to get ahead of AI-driven vulnerability discovery is narrow, and organisations already behind on patch cadence are accumulating risk faster than they may realise.
Before covering April's incidents, it is worth understanding who ShinyHunters are and their direct relevance to Australia, because that context matters for reading what followed this month.
ShinyHunters is an English-speaking cybercriminal group active since 2019 and known primarily for large-scale data theft and "pay or leak" extortion. Over time the group has developed close ties with Scattered Spider, another loosely organised collective that specialises in social engineering, tricking employees into handing over access credentials through fake IT support calls and text messages. The two groups are now widely understood to share members, tactics, and operations, functioning as overlapping parts of a broader criminal network known as "The Com." (Krebs on Security)
Australia has been a direct target. In July 2025, ShinyHunters breached Qantas, exposing personal data belonging to approximately 5.7 million customers via a compromised third-party call centre platform. (Australian Aviation) The group demanded $1 million Australian dollars and subsequently leaked data after Qantas did not meet the demand.
On 17 April 2026, Tyler Robert Buchanan, a 24-year-old British national from Dundee, Scotland, operating under the alias "Tylerb", pleaded guilty in a California federal court to wire fraud conspiracy and aggravated identity theft in connection with his role in Scattered Spider. (The Register) (Krebs on Security) Buchanan admitted to participating in attacks between 2021 and 2023 that compromised at least a dozen major technology companies and resulted in the theft of at least $8 million in cryptocurrency from individuals. He faces sentencing on 21 August 2026 with a maximum penalty of 22 years in prison. His co-conspirator received 10 years and $13 million in restitution in a prior sentencing in 2025. Despite mounting law enforcement pressure, both groups continue to operate. When individual members are arrested, others fill the roles rather than the operation shutting down.
Against that backdrop, April's ShinyHunters breach activity was extensive.
Rockstar Games. Rockstar confirmed a data breach via a third-party provider after ShinyHunters claimed responsibility and leaked what it described as over 78 million records of internal analytics. The entry point was a third-party analytics platform with connections to the Snowflake cloud data environment. Rockstar characterised the incident as limited and non-material. (The Register)
Udemy (24 April; data subsequently published). ShinyHunters claimed exfiltration of over 1.4 million user records from online learning platform Udemy, including email addresses, full names, phone numbers, physical addresses, and instructor payment details, issuing a "pay or leak" ultimatum with a 27 April deadline. Udemy did not engage, and the dataset was published publicly. The breach is linked to the same third-party cloud access pathway as the Rockstar incident, and the dataset was indexed by breach notification service Have I Been Pwned on 26 April. (Have I Been Pwned) (BitDefender)
Checkmarx. Data stolen from the private code repository of Checkmarx, an application security company, was published publicly. Access was traced back to an earlier supply chain attack on Trivy, a widely used open-source security scanner, which had been tampered with to steal developer credentials. Using those harvested credentials, attackers subsequently published malicious versions of Checkmarx's own security tools designed to harvest API keys, tokens, and configuration files from developers who installed them. Checkmarx states customer data was not stored in the affected repository, though a forensic investigation continues. (BleepingComputer) This is a good illustration of supply chain long-tail risk with downstream effects surfacing weeks after the initial breach.
APRA Letter to Industry on AI — 30 April. The Australian Prudential Regulation Authority (APRA), which regulates banks, insurers, and superannuation funds, closed the month with a cross-industry letter to all regulated entities on artificial intelligence risk. (APRA) Based on a targeted engagement with large banks, insurers, and superannuation trustees in late 2025, APRA identified four consistent gaps across the sector: information security practices not keeping pace with the AI threat environment; governance frameworks lagging behind the speed of AI deployment; concentration risk and opacity in AI supply chains; and risk and audit functions lacking the specialist capability to independently assess AI systems.
The cyber security findings are pointed. APRA observed that access controls have not been adjusted for AI agents acting autonomously in systems, that AI-assisted software development is outpacing change management controls, and that patching timelines are not aligned with an accelerated threat environment. APRA also flagged the use of enterprise AI tools outside approved frameworks as a supervisory concern — shadow AI is no longer just an IT policy problem.
The letter references frontier models including Mythos directly, and directs entities to the ASD's current guidance on the topic. The closing message is unambiguous: where entities fail to adequately manage AI risks in proportion to their size and complexity, APRA will escalate supervisory action and pursue enforcement. For anyone in a chief risk, technology, or information security role at an APRA-regulated entity, this letter requires a response, not just a read.
Superannuation Sector Moves Toward Coordinated Cyber Response. The Association of Superannuation Funds of Australia (ASFA), the peak body representing the $4.5 trillion superannuation industry, has applied to the Australian Competition and Consumer Commission (ACCC) for authorisation to operate a dedicated threat intelligence sharing platform called the Superannuation Cyber and Financial Crime Exchange, or SuperFCX. (iTnews) The application was lodged in March following the 2025 credential-stuffing attacks that hit several major funds — AustralianSuper, REST, Hostplus, Insignia, and the Australian Retirement Trust — resulting in $750,000 in losses from ten compromised AustralianSuper accounts alone.
A structural problem exposed by that incident was that when one fund identified and reported suspicious activity to government, the other funds were not informed — information that could have reduced sector-wide losses sat in a silo. SuperFCX is designed to close that gap. Under Australian competition law, rival funds sharing operational security intelligence without regulatory clearance risk breaching the Competition and Consumer Act, which is why the ACCC application was necessary. Submissions on the application closed 27 April.
ASFA's chief executive has linked the initiative directly to the Mythos announcement, pointing to the US Treasury's convening of senior bank executives to discuss frontier AI risk as a signal that Australian boards should be responding with the same urgency.
April was a busy month domestically. The incidents below span state government, community organisations, communications infrastructure, and financial services.
Genealogy SA. SafePay ransomware listed Genealogy South Australia, a large family history society with over 4,300 members, on its dark web leak site, and subsequently published exfiltrated material including business, financial, and insurance documents, historic genealogical records, and personal correspondence. Genealogy SA confirmed the incident but noted it had been discovered in February 2026, meaning the public extortion attempt came months after the organisation had already contained it and notified members. (Insurance Business Australia)
NSW Treasury Insider Arrest. A 45-year-old NSW Treasury staff member was arrested and charged after allegedly downloading over 5,600 sensitive government documents and transferring them to an external server. The breach spanned multiple NSW government departments, was detected by internal security monitoring, and prompted a joint investigation with NSW Police Strike Force Civic. A search warrant at the individual's home led to seizure of electronic devices. (NSW Government) Insider threat is underweighted in most security programmes; this case is a reminder that monitoring needs to cover privileged internal access, not just external attack paths.
Gelatissimo (claimed, under investigation). Ransomware group DragonForce listed the Australian gelato franchise on its leak site, claiming exfiltration of 352 GB of data including employee names, partial tax file numbers, emails, phone numbers, financial account details, and a visa application containing sensitive personal information affecting staff across Australia and the Philippines. Gelatissimo has confirmed it is investigating unauthorised access, though the scope of the claims remains unverified. (Cyber Daily)
Mastercom. Ransomware group INC Ransom published what it claims is customer and hardware data belonging to Mastercom, a Granville, NSW-based communications company providing two-way radio and communications services to hundreds of businesses and local councils as well as emergency services. Mastercom's managing director confirmed awareness of the claims. (Insurance Business Australia) The downstream exposure risk is notable given the customer base includes councils and emergency services.
Bendigo and District Aboriginal Co-operative (BDAC). BDAC confirmed a cyber incident following INC Ransom claims, stating it was detected and contained on the same day with limited impact on services to the community. BDAC notified the OAIC and the ACSC and is cooperating with authorities. (Cyber Daily)
Generation Life. Financial services firm Generation Life, a subsidiary of ASX-listed Generation Development Group, disclosed a cyber incident involving unauthorised access to part of its systems via a third-party service provider. The incident was detected and contained rapidly, with no evidence of impact to core systems or unauthorised transactions. Generation Life notified APRA, the ACSC, and the National Office of Cyber Security. An investigation is ongoing to determine whether any client data was accessed. (Money Management) (Financial Standard)
Adobe Acrobat Reader Zero-Day — CVE-2026-34621. A critical flaw in the way Adobe Reader processes JavaScript in PDF files allows an attacker to run malicious code on a victim's machine simply by getting them to open a crafted PDF. The vulnerability has been actively exploited since at least November 2025, and CISA added it to its Known Exploited Vulnerabilities catalogue on 13 April with a remediation deadline of 27 April for federal agencies. Patch immediately. (Adobe)
Affected versions (Windows and macOS):
cPanel Authentication Bypass — CVE-2026-4194. A critical authentication bypass vulnerability in cPanel and WebHost Manager — widely used software for managing web hosting environments — is being actively exploited in the wild. The ACSC has published an advisory urging organisations running cPanel-based hosting infrastructure to apply vendor patches immediately. (ACSC)
Online Code Repositories — ACSC High Alert (1 April). The Australian Cyber Security Centre issued its second high-priority alert on code repository targeting in five months. Threat actors are modifying public software packages to introduce malicious code, scanning repositories for stored passwords and API keys, and migrating private repositories to public to expose sensitive material — primarily through phishing, social engineering, and stolen authentication tokens. The Axios and Checkmarx incidents from this month are live examples of exactly what this advisory describes. (ACSC)
FIRESTARTER Malware — CISA and ACSC Alert (23 April). CISA, in coordination with the UK's National Cyber Security Centre, published a malware analysis report identifying FIRESTARTER, a backdoor targeting Cisco Firepower and Secure Firewall devices running ASA or FTD software. FIRESTARTER survives firmware upgrades, meaning devices that have already been patched may still be compromised and accessible to attackers. The ACSC has published separate guidance directing Australian organisations running affected Cisco devices to run diagnostic commands, generate core dumps, apply the detection rules from the advisory, and report any findings directly to the ACSC. (ACSC)
China-Nexus Covert Networks — Joint Advisory (23 April). A broad international coalition including the ACSC, CISA, the FBI, the NSA, and partners from Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden published a joint advisory on a significant shift in how Chinese state-linked threat actors are conducting cyber operations. Rather than routing attacks through infrastructure they directly control, Chinese state-linked actors have moved to using large-scale "covert networks" — essentially botnets assembled from compromised home routers, Internet of Things devices, and other edge hardware — to hide and route their malicious activity. These networks are maintained by Chinese-linked companies, continuously updated, and shared across multiple actor groups simultaneously, making it hard to trace activity back to its true origin. All organisations should map and baseline their edge device traffic, particularly VPN and remote access connections, and implement multi-factor authentication for all remote connections. (ACSC)
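The advisory's "map and baseline edge device traffic" recommendation, worked through as an added example (not tooling from the ACSC or its partners): it learns which source networks each user normally connects to the VPN from during a baseline window, then flags later successful logins from networks outside that baseline or completed without MFA. The log format, usernames and addresses are constructed for the example (RFC 5737 documentation ranges).

```python
"""Baseline-and-alert over VPN authentication logs (constructed format)."""
import ipaddress
import re
from collections import defaultdict

# Assumed log line shape: "<ts> user=<name> src=<ip> mfa=yes|no result=<outcome>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>\S+)$"
)


def parse(line):
    """Parse one line; return a dict with the /24 source network added, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["net"] = str(ipaddress.ip_network(e["src"] + "/24", strict=False))
    return e


def build_baseline(lines):
    """Map user -> set of /24 source networks seen in successful logins."""
    baseline = defaultdict(set)
    for line in lines:
        e = parse(line)
        if e and e["result"] == "success":
            baseline[e["user"]].add(e["net"])
    return baseline


def detect(lines, baseline):
    """Return (ts, user, src, reasons) for successful logins that break the baseline."""
    alerts = []
    for line in lines:
        e = parse(line)
        if not e or e["result"] != "success":
            continue
        reasons = []
        if e["net"] not in baseline.get(e["user"], set()):
            reasons.append("new source network " + e["net"])
        if e["mfa"] == "no":
            reasons.append("no MFA")
        if reasons:
            alerts.append((e["ts"], e["user"], e["src"], "; ".join(reasons)))
    return alerts


# Constructed baseline window: normal logins plus a failure and a malformed line.
BASELINE_LOG = [
    "2026-04-01T08:02:11Z user=alice src=203.0.113.10 mfa=yes result=success",
    "2026-04-02T08:05:40Z user=alice src=203.0.113.22 mfa=yes result=success",
    "2026-04-01T09:11:03Z user=bob src=198.51.100.7 mfa=yes result=success",
    "2026-04-03T18:40:12Z user=bob src=198.51.100.7 mfa=yes result=failure",
    "garbage line that should be skipped",
]

# Constructed detection window: one normal login, two that should alert, one failure.
DETECT_LOG = [
    "2026-04-23T02:14:55Z user=alice src=203.0.113.31 mfa=yes result=success",
    "2026-04-23T02:16:08Z user=bob src=192.0.2.77 mfa=yes result=success",
    "2026-04-23T02:17:30Z user=alice src=192.0.2.130 mfa=no result=success",
    "2026-04-23T02:19:00Z user=carol src=198.51.100.9 mfa=yes result=failure",
]

if __name__ == "__main__":
    for alert in detect(DETECT_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

In production the baseline would be keyed on whatever the VPN concentrator actually logs (tunnel group, device posture, ASN), but the learn-then-compare structure is the same.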
Russian GRU Targeting Western Logistics and Technology Companies — Updated Advisory (April). The ACSC co-signed an updated version of an advisory, originally published in May 2025, warning that Russian military intelligence has been running a sustained espionage campaign against Western logistics companies and technology firms since 2022. The campaign targets organisations involved in the coordination, transport, and delivery of foreign assistance to Ukraine, spanning shipping brokers, rail operators, port authorities, air traffic management, defence contractors, and the IT companies that connect them across at least 13 NATO countries. Tactics include spearphishing with fake login pages, password spraying, and exploitation of known vulnerabilities in Microsoft Outlook and WinRAR. The April update corrects two previously published indicators of compromise. Logistics and technology companies with any involvement in Ukraine-related supply chains should review the full advisory for indicators and mitigation guidance. (ACSC)
April did not offer much breathing room. Supply chain compromise ran through almost every major incident: Axios, Vercel, Checkmarx, Generation Life. The consistent thread is that attackers are entering through trusted third parties rather than battering at hardened perimeters. The Australian picture added insider threat, ransomware against community organisations and local government suppliers, and two financial sector disclosures to that mix.
The Tylerb guilty plea is a genuine law enforcement win against the Scattered Spider collective, but the group continues to operate.
The regulatory environment is catching up quickly. APRA's AI letter and ASFA's SuperFCX application both landed in the same month as Mythos, and that timing reflects a genuine shift in how Australian regulators are thinking about AI risk as something requiring board attention today.
Patching deserves particular attention heading into May. The NCSC's patch tsunami warning is a timely reminder that this is structural, not cyclical, with AI-assisted vulnerability discovery surfacing decades of buried code debt faster than most patch programmes were designed to absorb. Organisations need to know what they are running, know how quickly they can patch it, and close the gap between those two answers. That means accurate asset inventories, tested patch cadence, prioritisation frameworks that weight internet-facing and perimeter systems first, and clear escalation paths when a critical advisory lands outside business hours.
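The prioritisation the NCSC guidance and the paragraph above describe (perimeter first, then inward; actively exploited flaws on the shortest clock; end-of-life systems replaced rather than patched), as an added example that is not the NCSC's, APRA's or any vendor's tooling. The inventory is constructed; the two CVEs and the 27 April KEV deadline are the ones from this month's advisories, while the SLA windows are assumptions for the example, not any regulator's numbers.

```python
"""Patch work-queue ordering over a constructed asset inventory."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    internet_facing: bool
    perimeter: bool            # firewall, VPN, mail gateway, hosting control panel
    end_of_life: bool
    cve: Optional[str] = None  # open vulnerability, if any
    kev_due: Optional[date] = None  # CISA KEV remediation deadline, if listed


# Assumed internal SLA windows in days by exposure tier (example values only).
SLA_DAYS = {"perimeter": 3, "internet_facing": 7, "internal": 30}
TIER_RANK = {"perimeter": 0, "internet_facing": 1, "internal": 2}


def exposure_tier(a: Asset) -> str:
    """Outermost exposure wins: a perimeter box is always worked before an internal one."""
    if a.perimeter:
        return "perimeter"
    if a.internet_facing:
        return "internet_facing"
    return "internal"


def due_date(a: Asset, today: date) -> date:
    """Earliest of the tier SLA and the KEV deadline, so KEV items never slip past it."""
    due = today + timedelta(days=SLA_DAYS[exposure_tier(a)])
    if a.kev_due is not None and a.kev_due < due:
        due = a.kev_due
    return due


def action(a: Asset) -> str:
    """End-of-life systems are replaced rather than patched indefinitely."""
    if a.end_of_life:
        return "replace"
    return "patch" if a.cve else "monitor"


def prioritise(assets: List[Asset], today: date) -> List[Tuple[str, str, str]]:
    """Work order as (name, action, ISO due date): soonest deadline, then outer tier, then name."""
    work = [a for a in assets if a.cve or a.end_of_life]
    work.sort(key=lambda a: (due_date(a, today), TIER_RANK[exposure_tier(a)], a.name))
    return [(a.name, action(a), due_date(a, today).isoformat()) for a in work]


# Constructed inventory. Real CVE ids are the two from this month's advisories;
# the "hr-app-01" finding uses a placeholder id rather than an invented one.
TODAY = date(2026, 4, 14)
INVENTORY = [
    Asset("hr-app-01", False, False, False, cve="CVE-PLACEHOLDER"),
    Asset("finance-endpoints", False, False, False, cve="CVE-2026-34621",
          kev_due=date(2026, 4, 27)),
    Asset("web-hosting-cp", True, True, False, cve="CVE-2026-4194"),
    Asset("legacy-file-srv", False, False, True),
    Asset("intranet-wiki", False, False, False),  # nothing open: not in the queue
]

if __name__ == "__main__":
    for row in prioritise(INVENTORY, TODAY):
        print(row)
```

Feeding the same function a real inventory export and the KEV catalogue's due dates gives a queue that already encodes the "perimeter first, exploited-in-the-wild first" rule, which is the part most patch programmes leave to judgement.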
The practical priorities out of April are not complicated, even if the execution is: audit third-party application integrations and the permissions they hold, tighten patch cadence, treat shadow AI as a governance issue rather than an IT one, and make sure incident response plans account for the speed at which modern attacks move through systems.