APT Groups Using Aussie SMBs as Ladder Rungs in 2026: The 3 Threat Actors You Can't Ignore

---

It's 6:47 AM on a Tuesday and your bookkeeper's phone buzzes with an Okta push notification. She didn't request it. She hits "Approve" anyway because she's late dropping the kids at school and it's probably just IT doing maintenance. That single tap just gave Scattered Spider a session token into your Microsoft 365 tenant. They'll sit there for three weeks, reading your email, finding out who your biggest client is, and crafting the exact phishing lure that gets them into that client's network. Congratulations — your 12-person engineering firm is now the supply chain compromise vector for a breach that'll make the AFR front page.​‌‌​​​​‌‍​‌‌‌​​​​‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌​​‌‌‌‍​‌‌‌​​‌​‍​‌‌​‌‌‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​​​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​​‌‌‍​‌‌​‌​​‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​‌‌​‌‌​​‍​‌‌​​​​‌‍​‌‌​​‌​​‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌‌​‌​‌‍​‌‌​‌‌‌​‍​‌‌​​‌‌‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

The uncomfortable truth for Australian SMBs in 2026 is that you don't need to be interesting to be useful. You just need to trust someone who is. Here are the three APT groups turning businesses like yours into ladder rungs — and what you can actually do about it.

Scattered Spider: The English-Speaking Identity Thieves

Scattered Spider — tracked by CrowdStrike as Scattered Spider and by Microsoft as Octo Tempest — is unique among APT groups for one unsettling reason: they sound like your mate from Brisbane. Native English-speaking operators run sophisticated social engineering campaigns that bypass technical controls by targeting the human in the loop [1].​‌‌​​​​‌‍​‌‌‌​​​​‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌​​‌‌‌‍​‌‌‌​​‌​‍​‌‌​‌‌‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​​​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​​‌‌‍​‌‌​‌​​‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​‌‌​‌‌​​‍​‌‌​​​​‌‍​‌‌​​‌​​‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌‌​‌​‌‍​‌‌​‌‌‌​‍​‌‌​​‌‌‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

How they get

in: SIM swapping, MFA fatigue attacks (bombarding employees with push notifications until someone cracks), and help-desk impersonation where attackers call your IT provider claiming to be a new starter who lost their phone. Their initial access broker ecosystem means access to your environment gets packaged and sold to ransomware affiliates within 24-48 hours [2].

What makes SMBs vulnerable: Most small businesses use Microsoft 365 with default security settings. MFA is on, but it's basic push-based MFA — the kind Scattered Spider specialises in defeating. Worse, SMBs with 5-25 staff rarely have conditional access policies, meaning a single compromised account grants access to everything. One breached bookkeeper's account → read access to every supplier invoice → complete mapping of who you pay and how much.

The supply chain angle: Scattered Spider operators conduct reconnaissance on a target's vendors and service providers. If you're an architecture firm that does work for a defence contractor, your email threads with that contractor are the intelligence payload. The group doesn't breach you to steal from you — they breach you to become you when emailing their real target [3].

Lazarus Group: Ransomware That Funds Nuclear Programmes

Most SMB owners hear "Lazarus Group" and think North Korean crypto heists. That was 2022. In 2026, the Lazarus subgroup Andariel is running Medusa ransomware operations that have already hit Australian healthcare nonprofits and educational facilities [1]. The average ransom demand is $260,000 — and unlike commodity ransomware gangs, Lazarus operators don't negotiate. They know hospitals, aged care providers, and disability services will pay because downtime directly threatens human lives.

How they get in: Lazarus operators exploit unpatched VPN appliances and public-facing applications. The group deploys a three-stage toolkit: infostealers to harvest credentials, remote access trojans like Comebacker for persistence, and Medusa ransomware for the final encryption event [1]. They're also increasingly targeting managed service providers — compromising one MSP gives them access to dozens of downstream SMB clients.

Why Australian SMBs should care: The Australian Signals Directorate's 2025 Threat Report identified healthcare and aged care as the fastest-growing ransomware target sector. If you run a medical practice, allied health clinic, or NDIS provider, you're in the crosshairs. But the broader concern is Lazarus's supply chain methodology: they compromise the weakest link in a service chain — often a small IT vendor or cloud service provider with privileged access to multiple downstream organisations [4].

The detection that would have caught them: Lazarus operators rely on known C2 infrastructure patterns and use specific DNS query behaviours that stand out against normal enterprise traffic. A basic DNS firewall or a simple outbound traffic monitoring rule — looking for beaconing patterns to known-bad IP ranges — would generate the alert that most SMBs are missing entirely.

Volt Typhoon: The Silent Squatters

Volt Typhoon — a PRC state-sponsored group tracked by the Five Eyes intelligence alliance — doesn't steal money or encrypt files. They steal residency. The group's playbook is to compromise edge networking devices (routers, firewalls, VPN concentrators) and establish long-term, low-observability persistence that goes undetected for 12-18 months [5]. Their target is critical infrastructure — energy, water, transport, communications. But they don't breach those targets directly.

The SMB vector: Volt Typhoon operators compromise the small engineering contractors, maintenance providers, and field service companies that have legitimate VPN access into critical infrastructure environments. A 15-person SCADA integrator in Newcastle with a standing site-to-site VPN into a water treatment plant is worth more to Volt Typhoon than a direct attack on the plant itself [5]. No one monitors the contractor's firewall logs. No one questions why that VPN tunnel transferred 14 GB of data at 3 AM for three consecutive nights.

Living-off-the-land: Volt Typhoon almost never deploys malware. They use native Windows and Linux tools — PowerShell, WMI, SSH, RDP — to move laterally and exfiltrate data. This makes them invisible to signature-based antivirus and endpoint detection that SMBs typically run [6]. The only reliable detection is behavioural: monitoring for new privileged account creation, unusual process ancestry chains, and abnormal network flows.

Three Detections Any SMB Can Set Up This Week

None of these require a security operations centre, a dedicated analyst, or a six-figure tooling budget. Each can be implemented with tools you probably already have.

1. MFA Enrollment and Credential Modification Alerting

Scattered Spider's entire business model collapses if you notice when a new MFA device gets registered or a password reset occurs outside business hours. Microsoft 365 includes this alerting natively in the Unified Audit Log. Enable it. Configure a flow that sends a real-time notification to the business owner's phone whenever a new authentication method is registered. Yes, it'll trigger during legitimate onboarding. The five-second sanity check is worth the signal.

2. Outbound C2 Connection Monitoring via DNS Filtering

Lazarus malware phones home. It has to. Commodity DNS filtering services — Quad9 (free), Cisco Umbrella (AUD $3-5/user/month), or even the threat intelligence feeds built into most enterprise-grade firewalls — block known C2 domains based on continuously updated threat feeds. If your firewall or DNS resolver can query a threat intelligence blocklist, you've just forced Lazarus operators to burn infrastructure trying to reach your endpoints.

3. Privileged Group Membership Change Monitoring

Volt Typhoon operators need to create local admin accounts or add compromised accounts to privileged groups to move laterally. Every Windows environment logs these events. Group Policy can forward Security Event ID 4728 (member added to security-enabled global group) and Event ID 4732 (member added to security-enabled local group) to a central log or email alert. If a new domain admin appears at 11 PM on a Saturday, someone needs to know before Monday morning.

FAQ

Conclusion

APT groups don't need to care about your business to destroy it. They just need you to trust the wrong email, run the wrong update, or connect to the wrong customer's network with the wrong credentials. The three detections above — MFA alerting, DNS-based C2 blocking, and privileged account monitoring — are low-cost, high-signal controls that turn your business from a convenient stepping stone into a noisy, unappealing target. None requires a security team. All three together cost less than the excess on a cyber insurance policy that won't pay out because you didn't have MFA on your admin accounts.

Don't know where to start? Visit consult.lil.business for a free 30-minute cybersecurity triage session. We'll map your supply chain risk, identify the three highest-impact controls for your specific business, and give you a prioritised remediation plan you can hand straight to your IT provider — no jargon, no upsell, no obligation.

References

1. ThreatHive, "APT Groups Targeting Healthcare in 2026: Who They Are and How to Detect Them," ThreatHive Blog, May 2026. https://threathive.ai/blog/apt-groups-targeting-healthcare-2026/
2. CrowdStrike, "Scattered Spider: The Elusive Adversary Exploiting Identity," CrowdStrike Falcon Adversary Intelligence, 2025. https://www.crowdstrike.com/adversaries/scattered-spider/
3. Microsoft Threat Intelligence, "Octo Tempest: A Dangerous and Evolving Threat Actor," Microsoft Security Blog, October 2024. https://www.microsoft.com/en-us/security/blog/2024/10/25/octo-tempest-a-dangerous-and-evolving-threat-actor/
4. Australian Signals Directorate, "ASD Cyber Threat Report 2024–2025," Australian Government, 2025. https://www.cyber.gov.au/about-us/reports-and-statistics/asd-cyber-threat-report
5. Cybersecurity and Infrastructure Security Agency (CISA), "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection," Joint Cybersecurity Advisory AA23-129A, May 2023. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a
6. Netlas, "Top 10 Critical Threat Actors to Watch in 2026: Ransomware, APTs & Defensive Strategies," Netlas Blog, January 2026. https://netlas.io/blog/top_10_critical_threat_actors/
7. MITRE ATT&CK, "Groups," MITRE ATT&CK Knowledge Base, 2026. https://attack.mitre.org/groups/
8. ACSC, "Essential Eight Maturity Model," Australian Cyber Security Centre, 2025. https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight