AUNZ Intelligence Insights Report, Q2 2026
← Research Hub

AUNZ Intelligence Insights Report, Q2 2026

92 active ransomware groups. Billions of credential attempts against edge devices. A new wave of mobile banking trojans built to empty Australian bank accounts.

Group-IB‘s intelligence report for this quarter Q2 2026 maps exactly who is targeting the Australia and New Zealand (ANZ) region right now – and what they will do next.

Synopsis

Drawing on Group-IB’s proprietary Threat Intelligence, dark web monitoring, and incident response data, it details the advanced persistent threats (APTs), ransomware, fraud, mobile malware, initial access, and data leak activity shaping the region’s risk landscape between April and June 2026.

 

This quarter, the ANZ region sat squarely in the path of both financially driven cybercrime and geopolitical spillover. Australia ranked 16th globally for attacks, while nation-state actors, ransomware affiliates, and phishing-as-a-service operators all expanded their Australian and New Zealand targeting. The report gives security leaders a concise, evidence-based picture of the threats that matter, and a forward look at what Q3 2026 is likely to bring.

 

Every figure in this report is sourced from Group-IB’s own intelligence collection. It is written for defenders who need to prioritise, not just observe.

Key Findings and Insights

Ransomware pressure intensified across the region. Ransomware pressure intensified across the region.

Group-IB identified 92 active ransomware groups in Q2 2026 - representing a 16.46% increase over Q1 - with 2,202 victim organisations published to dedicated leak sites. Within ANZ, Qilin (11 attacks), INC (5), and The Gentlemen (4) were the most active groups.

Health Care and Real Estate were the most-hit ANZ sectors. Health Care and Real Estate were the most-hit ANZ sectors.

Each recorded six ransomware attacks this quarter, followed by Commerce and Shopping.

FortiBleed exposed the region's edge-device weak spot. FortiBleed exposed the region's edge-device weak spot.

This large-scale credential-harvesting campaign against internet-exposed Fortinet FortiGate VPN gateways drove an estimated 1.16 billion credential attempts against more than 320,000 targets, compromising credentials tied to 73,932 unique device URLs across 194 countries.

Mobile banking trojans matured their Australian targeting. Mobile banking trojans matured their Australian targeting.

Three campaigns - TrickMo.C, Rokarolla, and OverlayPhantom - deployed overlay attacks, SMS interception, and near-complete device takeover against Australian banking users, with some routing command-and-control through blockchain to resist takedown.

Investment and impersonation fraud caused outsized consumer harm. Investment and impersonation fraud caused outsized consumer harm.

CoinLure impersonated Australian Securities and Investments Commission (ASIC)-regulated entities across a network of fake investment platforms, while Gold Bull used deepfakes of well-known Australian economists to run pump-and-dump scams.

Australia ranked 7th worldwide for Smishing Error524 phishing domains.Australia ranked 7th worldwide for Smishing Error524 phishing domains.

126 confirmed domains in a multi-brand operation spanning 72 countries.

Data leaks hit a broad cross-section of Australian business. Data leaks hit a broad cross-section of Australian business.

Sixteen new incidents exposed more than 1.75 million user records across retail, e-commerce, financial services, education, and government; with the majority traced to a single dark web threat actor.

Nation-state activity carried real spillover risk. Nation-state activity carried real spillover risk.

TortoiseShell, Lazarus and MuddyWater were all active. Hacktivist groups 313 Team and Z-Pentest ran targeted operations against Australian government and operational technology systems.

Who Must Read This Report

CISOs and security leaders in Australia and New Zealand who need to prioritise defensive investment against the threats actually targeting the region.CISOs and security leaders in Australia and New Zealand who need to prioritise defensive investment against the threats actually targeting the region.

SOC and threat intelligence teams looking for current tactics, techniques, and procedures (TTPs) mapped to MITRE ATT&CK.SOC and threat intelligence teams looking for current tactics, techniques, and procedures (TTPs) mapped to MITRE ATT&CK.

Fraud and financial-crime teams at banks, fintechs, and payment providers tracking mobile banking trojans and investment fraud.Fraud and financial-crime teams at banks, fintechs, and payment providers tracking mobile banking trojans and investment fraud.

Risk, compliance, and board-level stakeholders who need a clear, evidence-based read on regional cyber risk. Risk, compliance, and board-level stakeholders who need a clear, evidence-based read on regional cyber risk.

Incident response and IT teams managing edge devices, VPN gateways, and third-party/supply-chain exposure.Incident response and IT teams managing edge devices, VPN gateways, and third-party/supply-chain exposure.

Government and critical infrastructure operators assessing nation-state and hacktivist spillover from global conflicts.Government and critical infrastructure operators assessing nation-state and hacktivist spillover from global conflicts.

Know who's targeting your region before they reach your network.

Download ANZ Threat Evolution in Q2 2026 for the full breakdown of threat actors, ransomware groups, fraud campaigns, and forward-looking forecasts – sourced from Group-IB’s Threat Intelligence.

Frequently asked questions

What is the ANZ Threat Evolution in Q2 2026 report?

arrow_drop_down

The ANZ Threat Evolution in Q2 2026 report is a quarterly threat intelligence publication from Group-IB that analyses the cybercriminal and nation-state threats targeting Australia and New Zealand between April and June 2026. It covers ransomware, initial access brokers, mobile malware, fraud campaigns, compromised hosts, and data leaks, with forecasts for Q3 2026.

Who were the most active ransomware groups in the ANZ region in Q2 2026?

arrow_drop_down

Group-IB identified Qilin as the most active ransomware group in the ANZ region with 11 attacks, followed by INC with 5 and The Gentlemen with 4. Globally, Qilin also led with 298 published attacks out of 2,202 total across 92 active groups.

How does Group-IB threat intelligence differ from a generic threat feed?

arrow_drop_down

Unlike aggregated threat feeds, Group-IB’s intelligence is built from first-hand dark web monitoring, incident response casework, and adversary tracking, then mapped to specific regional targeting. This report, for example, names the exact groups, campaigns, and industries active against Australia and New Zealand rather than reporting global averages, so defenders can prioritise the threats that actually apply to them.

How will the ANZ threat landscape evolve in the next 6 to 12 months?

arrow_drop_down

Group-IB forecasts continued growth in supply-chain attacks, more mobile banking trojans maturing their Australian targeting, and follow-on attacks exploiting credentials harvested in the FortiBleed campaign — including lateral movement, privilege escalation, and potential ransomware deployment. Group-IB also anticipates evolving phishing methods that use enticement, such as discounted goods, rather than traditional fear-based lures.

What are the first three steps to reduce exposure to the threats in this report?

arrow_drop_down

Audit and secure internet-exposed edge devices — especially Fortinet FortiGate VPN gateways — and rotate any potentially compromised credentials. 2. Strengthen mobile banking and consumer fraud defences against overlay attacks and SMS-based one-time-password interception. 3. Review third-party and supply-chain exposure, since many regional data leaks originated from smaller connected vendors.

How many Australian data leaks did Group-IB detect in Q2 2026?

arrow_drop_down

Group-IB detected 16 new incidents of Australian company data leaked into the public domain in Q2 2026, exposing more than 1.75 million user records across retail, e-commerce, financial services, education, and government sectors.

Is the report free to download?

arrow_drop_down

Yes. The ANZ Threat Evolution in Q2 2026 report is available as a free download by completing the form on this page.