TL;DR
APT28, MuddyWater, and Lazarus are actively exploiting zero-days, AI-generated malware, and spear-phishing campaigns in 2026 — and your SMB is not too small to be in the blast radius. Most small businesses aren't direct targets, but they are ladder rungs: stepping stones used to reach bigger victims through your vendor relationships, shared infrastructure, and supply chain. Here's what's actually happening and three detections you can set up this week for next to nothing.
The Threat Actors Operating Right Now
The first quarter of 2026 has been brutal. Nation-state APT groups are operating at scale, and the line between espionage and financial crime has blurred to the point where your business can get hit by either — or both.
APT28 (Fancy Bear), Russia's GRU-linked group, exploited a Microsoft Office zero-day (CVE-2026-21509, CVSS 7.8) in a campaign called Operation Neusploit. The vulnerability bypasses Office's OLE filtering and gives attackers remote code execution. CISA added it to its Known Exploited Vulnerabilities catalogue on 26 January 2026. If anyone in your business opens a Word document, you're in scope.
MuddyWater (APT33, Static Kitten), linked to Iran's Ministry of Intelligence and Security, launched Operation Olalampo in January 2026. They're deploying AI-generated Rust backdoors (CHAR, GhostBackDoor) that use Telegram's Bot API for command-and-control — meaning malicious traffic looks identical to normal messaging activity. They've compromised US financial institutions, airports, and defence contractors. They've also targeted an Israeli branch of a US software company — a textbook supply-chain pivot.
Lazarus Group, North Korea's most prolific cyber unit, was the single most active APT group globally in January 2026, according to NSFOCUS's threat telemetry. Their campaigns blend financial theft with espionage, and they have a documented history of using compromised small businesses as infrastructure to launder operations.
Why Your SMB Is in the Crosshairs
Here's the uncomfortable reality: 77% of all APT incidents in January 2026 started with a spear-phishing email. Not a sophisticated zero-day. Not a nation-state budget. A phishing email. Your finance team gets those every day.
The ladder-rung problem works like this. MuddyWater compromises a US software company that provides services to defence and aerospace. That software company has vendors. Those vendors have smaller vendors. One of those smaller vendors is an Australian IT consultancy with 12 staff. That consultancy has access to the network of a mid-sized manufacturer in Melbourne. The manufacturer has a contract with a defence prime.
No one targeted the 12-person consultancy directly. But they're on the path, and they have the weakest defences on the chain.
Ransomware groups have also started borrowing APT tradecraft. Bitdefender's March 2026 threat debrief documented ransomware operators extending dwell times inside networks — sometimes for weeks — before encrypting, a tactic historically associated with state-sponsored espionage, not criminal extortion. The Gentlemen ransomware group now uses BYOVD (Bring Your Own Vulnerable Driver) attacks to kill endpoint detection before deploying payloads.
Three Detections You Can Set Up Cheaply
1. Monitor for anomalous Office process spawning (detect APT28-style attacks)
Enable PowerShell script block logging (free — it's a Windows Group Policy setting). Script block logging records what PowerShell ran, not which process launched it, so also turn on process-creation auditing with command-line logging (Windows security event 4688, or Sysmon Event ID 1; both free). Then create an alert for any WINWORD.EXE or EXCEL.EXE process spawning powershell.exe, cmd.exe, or wscript.exe. This catches the macro-to-shell pattern used in CVE-2026-21509 exploitation. Forward logs to a free SIEM tier (Microsoft Sentinel has a free tier, or use Wazuh's open-source edition).
2. Alert on unexpected RMM tool installations (detect MuddyWater and Lazarus)
MuddyWater's HTTP_VIP malware deploys AnyDesk as a persistence mechanism. Lazarus has used TeamViewer and other legitimate remote management tools in past campaigns. Set up an endpoint detection rule that alerts whenever AnyDesk, TeamViewer, ScreenConnect, or similar RMM tools are installed or executed outside of your approved software catalogue. Defender for Endpoint (included in Microsoft 365 Business Premium) can do this with a custom detection rule.
3. Monitor outbound connections to messaging APIs from servers (detect Telegram C2)
MuddyWater's CHAR backdoor uses api.telegram.org for command-and-control. Your file servers, domain controllers, and workstations should never be making outbound connections to Telegram, Discord, or other consumer messaging APIs. Set up a simple firewall egress rule to block these destinations from non-user endpoints, and alert on any connection attempts. Write the rule against the destination hostname (or a web-filter category) rather than a static IP list, because these services' addresses change. This is free on any modern firewall — Fortinet, Sophos, pfSense.
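The three rules above, written out as added example code in Python (this is not code from the original post, and not any product's rule syntax). Each rule runs over a handful of constructed Sysmon-style process events and firewall egress records. The field names (Host, Role, ParentImage, Image, User, DestHost, DestPort), the approved-software catalogue and the host roles are assumptions standing in for whatever your SIEM or EDR actually emits; the logic is what you would carry across into a Sentinel KQL query, a Wazuh rule or a Defender custom detection.

```python
"""The three cheap detections from the post, as rules over constructed telemetry.

Added example, not code from the original post. Event field names are
assumptions chosen to resemble Sysmon/Defender process-creation records and
firewall egress logs; map them to your own SIEM's schema.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Alert:
    rule: str
    severity: str
    host: str
    detail: str


# Detection 1: Office applications that should never launch a shell or script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Detection 2: RMM executables, and the (constructed) approved software catalogue.
RMM_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
APPROVED_CATALOGUE = {"screenconnect.clientservice.exe"}  # the one RMM tool this shop licenses

# Detection 3: consumer messaging APIs, and the host roles that must never reach them.
MESSAGING_API_HOSTS = {"api.telegram.org", "discord.com", "gateway.discord.gg"}
SERVER_ROLES = {"file-server", "domain-controller", "app-server"}


def basename(path: str) -> str:
    """Reduce a Windows or POSIX path to its lowercase file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_office_spawn(ev: dict) -> Optional[Alert]:
    """Detection 1: WINWORD/EXCEL spawning powershell, cmd or a script host."""
    parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        return Alert("office-spawns-shell", "high", ev["Host"], f"{parent} -> {child}")
    return None


def detect_unapproved_rmm(ev: dict, approved: Iterable[str] = APPROVED_CATALOGUE) -> Optional[Alert]:
    """Detection 2: an RMM binary running that is not in the approved catalogue."""
    image = basename(ev.get("Image", ""))
    if image in RMM_TOOLS and image not in set(approved):
        return Alert("unapproved-rmm", "high", ev["Host"], f"{image} run by {ev.get('User', '?')}")
    return None


def detect_messaging_egress(flow: dict) -> Optional[Alert]:
    """Detection 3: any host reaching a messaging API; a server doing so is the serious case."""
    dst = flow.get("DestHost", "").lower()
    if not any(dst == h or dst.endswith("." + h) for h in MESSAGING_API_HOSTS):
        return None
    severity = "high" if flow.get("Role") in SERVER_ROLES else "low"
    return Alert("messaging-api-egress", severity, flow["Host"],
                 f"{flow.get('Role')} -> {dst}:{flow.get('DestPort')}")


def run_detections(process_events: Iterable[dict], flows: Iterable[dict]) -> list[Alert]:
    """Apply the two process rules to process events and the egress rule to flows."""
    alerts: list[Alert] = []
    for ev in process_events:
        for rule in (detect_office_spawn, detect_unapproved_rmm):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    for flow in flows:
        hit = detect_messaging_egress(flow)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_PROCESS_EVENTS = [
    {"Host": "PC-FIN-03", "User": "sally",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},   # rule 1 fires
    {"Host": "PC-FIN-03", "User": "sally",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe"},                                       # Word printing: benign
    {"Host": "PC-SALES-07", "User": "raj",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\raj\Downloads\AnyDesk.exe"},                          # rule 2 fires
    {"Host": "PC-SALES-02", "User": "SYSTEM",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},  # approved
    {"Host": "PC-IT-01", "User": "admin",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                                  # shell from Explorer: normal
]

SAMPLE_FLOWS = [
    {"Host": "FS-01", "Role": "file-server", "DestHost": "api.telegram.org", "DestPort": 443},      # high
    {"Host": "DC-01", "Role": "domain-controller", "DestHost": "login.microsoftonline.com", "DestPort": 443},
    {"Host": "PC-FIN-03", "Role": "workstation", "DestHost": "api.telegram.org", "DestPort": 443},  # low
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_PROCESS_EVENTS, SAMPLE_FLOWS):
        print(f"[{alert.severity.upper():4}] {alert.rule:22} {alert.host:11} {alert.detail}")
```

Run it and four alerts print; the Word-launches-print-helper event, the approved ScreenConnect service and the domain controller talking to Microsoft's sign-in endpoint stay quiet, which is the tuning any rule needs before it goes live. The egress rule fires at low severity for a workstation and high for a server, matching the advice above to block from non-user endpoints but alert on any attempt.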
FAQ
Are Australian SMBs really targeted by nation-state groups?
The Australian Signals Directorate's annual threat report consistently identifies Australian organisations as targets of state-sponsored cyber operations. You don't need to be the primary target. If you're connected to a supply chain that leads to a government agency, defence contractor, or critical infrastructure operator, you're a viable stepping stone.
What's the minimum viable security an SMB should have?
Multi-factor authentication on everything internet-facing, endpoint detection and response (Microsoft Defender for Endpoint is included in many Microsoft 365 plans), patch management within 48 hours for critical vulnerabilities, and outbound firewall rules restricting server internet access. These four controls would have prevented or detected most of the APT activity observed in Q1 2026.
How do I know if I'm already compromised?
Look for the signals described above: Office processes spawning command shells, unapproved RMM tools running on endpoints, and servers making unusual outbound connections. If you lack visibility into these, that's itself a finding. A free compromise assessment from a reputable provider is a good starting point.
Conclusion
The threat landscape in 2026 doesn't discriminate by company size. APT groups are using AI to generate malware faster, exploiting zero-days within days of disclosure, and treating your SMB as infrastructure for their real targets. The three detections above cost next to nothing and would catch the most common attack patterns we're seeing right now. Don't wait for a breach notification to find out you were someone's ladder rung.
Need help figuring out where your gaps are? Visit consult.lil.business for a free cybersecurity assessment tailored to Australian small and mid-sized businesses.
References
- NSFOCUS Monthly APT Insights – January 2026 — APT28 Operation Neusploit, CVE-2026-21509 exploitation, Lazarus activity levels
- Bitdefender Threat Debrief | March 2026 — AtomSilo re-emergence, ransomware-APT convergence, BYOVD tactics
- ExtraHop — The Digital Front of Iranian Cyber Offensive and Defensive Response — MuddyWater Operation Olalampo, CHAR/GhostBackDoor analysis, detection strategies
TL;DR
- Two-thirds of hackers steal passwords instead of breaking into computers
- Once they have a password, they can reach your most important files in just a few hours
- Multi-factor authentication (MFA) stops most of these attacks cold
- You can fix this with 5 simple steps that cost nothing but time
The Real Problem: Your Keys, Not Your Locks
Imagine you come home and find your front door unlocked. You didn't leave it that way — someone used your keys. The lock worked fine. The problem was that someone had your key.
That's what's happening to businesses right now.
A new report from Sophos, a company that fights hackers, found that 67 out of every 100 cyberattacks start with a stolen password [1]. Hackers aren't breaking down doors. They're walking right in using keys they stole, bought, or tricked people into giving them.
This matters because stealing a password is much easier than hacking a computer system.
What Happens After They Steal a Password
Here's what typically happens:
- They get a password: This might be from tricking someone with a fake email, buying stolen passwords online, or guessing weak passwords
- They log in normally: No alarms go off because they're using a real password
- They look around: They check what files they can access, what computers are connected, and who has admin rights
- They move deeper: They try to get into more important accounts, often within just a few hours
- They strike: They steal your files or lock everything with ransomware
The scariest part? Sophos found that hackers can reach the most important parts of a business computer system within hours of getting in [1].
Why They Work Nights and Weekends
Think about when your office is empty. Nights. Weekends. Holidays.
Hackers know this too. The Sophos report found that most ransomware attacks happen when businesses are closed [1].
Why?
- Fewer people watching for problems
- Slower response times
- More time to work without getting caught
If a hacker gets in on Friday evening, they have all weekend to cause damage before anyone notices on Monday morning.
The Missing Protection: MFA
Remember that 67% of attacks start with stolen passwords. Here's the thing that would stop most of them: Multi-Factor Authentication (MFA).
MFA means needing two things to log in:
- Something you know (your password)
- Something you have (your phone or a security key) or something you are (your fingerprint)
Sophos found that 59 out of 100 businesses that got hacked didn't have MFA turned on [1].
Without MFA, stealing a password is like having a key to your house. With MFA, it's like having a key AND needing your fingerprint to open the door. Even if a hacker has your password, they can't get in without the second thing.
The 5 Things You Should Do Right Now
You don't need to be a computer expert to protect your business. Here are five practical steps:
1. Turn on MFA Everywhere
Every account that offers MFA should have it turned on. Email, banking, cloud storage — everything.
The best option: Use a security key (a small USB device you tap to log in). Even hackers can't fake physical possession.
Good option: Use an authenticator app on your phone (like Google Authenticator or Microsoft Authenticator). These generate codes that change every 30 seconds.
Okay option: SMS codes to your phone. Better than nothing, but hackers can sometimes intercept these.
2. Check Who Has Access
Not everyone needs access to everything. This is called "least privilege."
Ask yourself:
- Does every employee need access from anywhere?
- Do you really have 5 admins, or could you have just 1 or 2?
- Can you turn off access you're not using?
The fewer doors into your business, the fewer chances for hackers.
3. Update Your Edge Devices
"Edge devices" are the things that connect your business to the outside world: your router, your firewall, your VPN.
These are front-door locks. When the companies that make them find problems, they release updates. Hackers are very quick to attack businesses that don't update.
Make a rule: Update critical security devices within one week of a security update being released.
4. Get Help Watching While You Sleep
If hackers work nights and weekends, you need someone watching then too.
For most small businesses, hiring a 24/7 security team isn't realistic. But you can hire a Managed Detection and Response (MDR) service. They watch your systems around the clock and alert you immediately if something looks wrong.
Think of it like a security monitoring service for your business.
5. Keep Records
You can't stop an attack you don't know about.
Sophos found that many businesses weren't keeping logs — records of who logged in, when, and from where [1]. Without logs, you can't see what happened after an attack.
What to keep:
- Login records for at least 6-12 months
- Firewall logs for 3-6 months
- Any changes to user accounts or permissions
Store these somewhere secure. If a hacker gets in, they'll try to delete these logs to hide their tracks.
Why This Matters Now
The Sophos report isn't theory. It's based on investigating hundreds of real businesses that got hacked in 2025 [1].
These businesses thought it wouldn't happen to them. They were wrong.
The good news is that protecting your business doesn't require expensive tools or security experts. It requires:
- MFA turned on
- Careful access control
- Regular updates
- Someone watching for problems
- Good record-keeping
These are practical steps you can take this week.
A Simple Analogy: Your House vs. Your Business
Imagine your house has:
- One front door with a deadbolt
- Windows that lock
- Maybe a back door
- Keys that only a few trusted people have
Your business computer system is similar, but with one big difference: hackers can try your front door from anywhere in the world, thousands of times per second, without you ever seeing them.
That's why MFA is so important. It's like having a lock that needs your key AND your fingerprint. Even if someone copies your key, they can't get in.
What This Costs
The five steps above:
- MFA: Free (most services include it)
- Access review: Free (just your time)
- Updates: Free (just your time)
- Monitoring service: $100-500/month for most small businesses
- Log storage: Free to low cost depending on your setup
Compare that to the cost of a ransomware attack: an average of $4.88 million globally in 2025 [7].
The question isn't whether you can afford to protect your business. It's whether you can afford not to.
FAQ
MFA does add a few seconds to every login. But compare that to the days or weeks of downtime from a ransomware attack. Frame it as protecting their jobs and the business they depend on. Modern MFA options (like phone apps or security keys) are much faster than they used to be. Many people find that after a week, they don't even notice it anymore.
They can try, but it's much harder. Some advanced attacks can bypass SMS codes, but phishing-resistant MFA (like security keys) is extremely difficult to defeat. The goal isn't perfection — it's making attacks so difficult that hackers move on to easier targets. Most criminals, like most burglars, look for unlocked doors, not unpickable locks.
If your business has employees working remotely, you almost certainly have edge devices. These include: VPN servers (for remote access), routers (the devices that direct internet traffic), firewalls (security gateways), and remote access tools like TeamViewer or Splashtop. Check the manufacturer's website for security updates, or ask your IT provider to do this for you.
Not every business needs continuous monitoring. At minimum, ensure that critical alerts (failed admin logins, new user accounts created, access from unusual locations) send you an immediate notification, day or night. For many small businesses, this middle ground provides significant protection without the cost of full MDR services.
Use this analogy: "We're spending money on locks, but leaving keys under the mat. Hackers aren't picking locks — they're finding the keys we left out. MFA is like requiring both a key and a fingerprint. It's simple, it's cheap, and it stops most break-ins before they start." Focus on the business risk (downtime, lost revenue, reputational damage) rather than technical details.
References
[1] Sophos, "Active Adversary Report 2026," Sophos, 2026. [Online]. Available: https://www.sophos.com/en-us/blog/2026-sophos-active-adversary-report
[7] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[8] Australian Cyber Security Centre, "Essential Eight Maturity Model," ACSC, 2024. [Online]. Available: https://www.cyber.gov.au/sites/default/files/2024-06/ESSENTIAL-EIGHT-IMPLEMENTATION-GUIDE.pdf
[11] National Cyber Security Centre, "Password Guidance for Organisations," NCSC, 2024. [Online]. Available: https://www.ncsc.gov.uk/collection/passwords/password-guidance-for-organisations
[12] CISA, "Multi-Factor Authentication," Cybersecurity and Infrastructure Security Agency, 2024. [Online]. Available: https://www.cisa.gov/news-events/news/secure-our-world/multi-factor-authentication
[13] Google, "Security Keys: The Strongest Form of 2FA," Google, 2024. [Online]. Available: https://landing.google.com/advancedprotection/
Identity security doesn't have to be complicated or expensive. lilMONSTER helps small businesses protect what they've built with practical, jargon-free cybersecurity. Get in touch for a free consultation — we'll explain everything in plain English.