

ANZ faces a rapidly evolving cyber threat environment with ransomware operators, hacktivist groups and financially motivated threat actors all active in the region. Group-IB’s March 2026 ANZ Threat Landscape provides a deep dive into ransomware, hacktivism, compromised accounts and financial fraud with local context, named victims and adversary profiles specific to the ANZ market.
Unlike aggregated open-source reports, this intelligence is drawn directly from Group-IB’s proprietary telemetry, dark web monitoring and infostealer tracking.
Qilin is the most active group this month with three recorded attacks, including a confirmed incident against Fortress Systems in Australia. DragonForce and Gunra each claimed two incidents. LockBit recorded two activities. SafePay and Black Shrantac each claimed one. In New Zealand, The Gentlemen is the most notable actor, having disclosed data from Intra Ltd on their dedicated leak site. Healthcare was the hardest-hit sector with five incidents, followed by Commerce and Retail with three, and Manufacturing and Real Estate each with two.
DieNet is a politically motivated threat actor group active since 2025, conducting DDoS, hacktivism and defacement attacks across government, financial services, telecommunications, education, energy and critical infrastructure. In March 2026 alone, they claimed over 192 attacks – compressing the equivalent of their prior 12 months of output into a single month. Their primary MITRE ATT&CK technique is Network Denial of Service. DieNet targets any nation or organisation they perceive as misaligned with their political position, including Australian government agencies, universities and major consumer brands. Their impact profile over the past 12 months includes 401 Network Denial of Service attacks and 12 Exfiltration Over C2 events.
Serious, and directly relevant to any team running open-source tooling in automated pipelines. The Trivy scanner compromise attributed to TeamPCP on 20 March affected multiple release versions and GitHub Actions workflows simultaneously. The attack succeeded because pipelines use version tags – which attackers can overwrite – rather than cryptographic hashes. The malicious code enabled credential stealing and exfiltration from downstream environments without visible tampering indicators. ANZ organisations should audit all third-party tool dependencies in their CI/CD pipelines, enforce hash-based integrity checks, and review GitHub Actions workflows for unexpected modifications.
March 2026 produced two significant ANZ-specific underground incidents. Infinity Australia’s financial services data, including passport details, driver’s licences, tax file numbers and bank statements, was listed for sale on exploit[.]in on 31 March by threat actor einein786. Phonebot customer data, including account-specific loyalty balances, was separately posted by threat actor 2019, a newly active actor specialising in healthcare, ecommerce and business services databases. Both incidents carry risk of follow-on fraud, identity theft and targeted social engineering against affected individuals.
Hacktivist groups aligned with pro-Iran or pro-Palestine political positions have significantly increased global attack tempo in response to the escalating Iran-Israel-US conflict. By 25 March 2026, Group-IB had recorded more than 500 conflict-linked cyber attacks globally. In Australia, three incidents were recorded in March: RipperSec’s DDoS on ZFA Australia, Z-Pentest’s claimed access to food services surveillance infrastructure in Queensland, and Group 313’s DDoS attack on the Moodle education platform affecting university staff and students. These attacks are motivated by Australia’s perceived geopolitical alignment. Organisations should monitor threat actor chatter and scheduled attack announcements via Group-IB’s Threat Intelligence Platform for early warning of planned operations.
An essential read for ANZ Security and Risk Professionals:
If you are responsible for protecting digital assets, customers or national infrastructure in Australia or New Zealand, this report is for you.