Lumen Technologies has released its 2026 Lumen Defender Threatscape Report, which argues that cyber attackers are shifting upstream into network infrastructure.<\/p>\n
Produced by Black Lotus Labs, the research examines malware-backed proxy networks built from compromised small office and home office routers, internet of things devices, and virtual infrastructure. It says these networks help attackers hide malicious traffic within legitimate internet activity, making detection harder for organisations that rely mainly on endpoint tools.<\/p>\n
In Australia, the findings point to risks tied to internet-facing infrastructure and edge devices rather than any single industry. Organisations operate across highly distributed enterprise, operational technology, cloud, and partner environments, leaving routers, VPN gateways, and firewalls exposed as attractive entry points.<\/p>\n
The report argues that cyber operations now resemble coordinated industrial activity rather than isolated incidents. It describes a “heist crew” model in which attackers use generative AI to rebuild infrastructure quickly, rotate systems at speed, and make campaigns harder to disrupt.<\/p>\n
Australia Focus<\/p>\n
Lumen links Australia’s threat picture to the country’s digital connectivity and strategic position in the region. As collaboration grows across defence, cyber, AI, and critical technologies under AUKUS, parts of Australia’s digital and physical infrastructure are increasingly factored into the targeting decisions of nation-state and state-aligned actors, it says.<\/p>\n
According to the report, that trend affects sectors including telecommunications, energy, ports, logistics, research institutions, and managed service providers. These organisations sit close to the systems and services that support broader economic activity and government priorities.<\/p>\n
Lumen cited figures from the Australian Signals Directorate showing an 83% year-on-year rise in notifications of potentially malicious cyber activity. It also pointed to internet-exposed edge devices as a persistent source of vulnerability for critical infrastructure operators.<\/p>\n
One of the report’s central arguments is that exposure now defines risk more than sector or intent. In practice, that means organisations with visible online assets and weakly monitored edge infrastructure may face elevated risk even if they are not traditional high-profile targets.<\/p>\n
“Across Australia and the wider Asia Pacific region, attackers are increasingly operating upstream of the enterprise, leaving organisations with limited visibility at a critical stage of the attack,” said Wai Kit Cheah, APAC CISO & Connected Ecosystem Leader at Lumen Technologies.<\/p>\n
“By seeing attacker infrastructure as it forms at the network layer, Lumen and our Black Lotus Labs team can identify coordinated activity early, disrupt campaigns while they are still in motion, and help reduce the operational burden on security teams before real damage is done,” Cheah said.<\/p>\n
Attack Methods<\/p>\n
The report identifies several methods that Black Lotus Labs says are becoming more common. One is the growth of residentially disguised proxies, in which attackers hijack compromised home and small business devices and use them as seemingly legitimate identities on the internet.<\/p>\n
That approach can help bypass geolocation controls and undermine security assumptions that treat residential traffic as lower risk. Another trend is the use of stolen criminal infrastructure by espionage groups, which can blur attribution by masking nation-state activity behind the noise of ordinary cybercrime.<\/p>\n
Attackers are also targeting the “vault door” at the edge as endpoint detection tools become more established inside corporate systems, according to Lumen. Devices such as routers, VPN appliances, and firewalls often hold privileged access but offer fewer forensic clues and less visibility for defenders.<\/p>\n
Scale Claims<\/p>\n
Lumen says its threat intelligence arm has visibility into 99% of public IPv4 addresses and monitors more than 200 billion NetFlow sessions and 46,000 command-and-control servers each day. It says that network view helped it participate in eight multi-partner takedowns in 2025 and disrupt 5,000 IP addresses.<\/p>\n
The report also examines several named operations as examples of the broader shift in cyber attacks. These include Raptor Train, described as a nation-state botnet that used a control centre to manage more than 200,000 compromised internet of things devices.<\/p>\n
It also highlights Kimwolf, a distributed denial-of-service botnet that, according to Lumen, scaled to hundreds of thousands of bots within weeks through residential proxy ecosystems. Black Lotus Labs said it observed the botnet triple in size in one week and launch attacks reaching 30 terabits per second.<\/p>\n
A third example is Rhadamanthys, which the report describes as a malware-as-a-service operation with subscription tiers and customer support that affected more than 12,000 victims at the time of its takedown.<\/p>\n
Chris Kissel, Vice-President of Security & Trust at IDC, commented on the need for earlier visibility in cyber defence. “Threat intelligence is needed to find the adversary as early as possible and as close to the point of origination as possible,” Kissel said.<\/p>\n
“Lumen’s massive infrastructure and the quality of Black Lotus Labs provides optimal visibility of the IP backbone greatly reducing the odds of successful cyber-attack campaigns,” he said.<\/p>\n","protected":false},"excerpt":{"rendered":"Lumen Technologies has released its 2026 Lumen Defender Threatscape Report, which argues that cyber attackers are shifting upstream…\n","protected":false},"author":2,"featured_media":596915,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[29869,282,77,64,63,81,147510,291339,60497,21040,241967,13933,284,291342,37855,180127,76338,280,21043,38824,274,45933,291341,291340,2707,62991,123611,44,248110,248109,290489,2717,53554,30884],"class_list":{"0":"post-596914","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-australia","8":"tag-apac","9":"tag-artificial-intelligence-ai","10":"tag-asia-pacific","11":"tag-au","12":"tag-australia","13":"tag-australian","14":"tag-australian-signals-directorate","15":"tag-black-lotus","16":"tag-cloud-security","17":"tag-critical-infrastructure","18":"tag-cyber-espionage","19":"tag-cybercrime","20":"tag-cybersecurity","21":"tag-distributed-denial-of-service-ddos","22":"tag-endpoint-detection-and-response-edr","23":"tag-energy-sector","24":"tag-firewalls","25":"tag-generative-ai-genai","26":"tag-incident-response","27":"tag-infosec","28":"tag-internet-of-things-iot","29":"tag-lumen-technologies","30":"tag-managed-service-provider-msp","31":"tag-network-edge","32":"tag-network-infrastructure","33":"tag-network-security","34":"tag-network-visibility","35":"tag-news","36":"tag-operational-technologies-ot","37":"tag-ot-security","38":"tag-security-operations-centres-socs","39":"tag-telcos","40":"tag-threat-intelligence","41":"tag-zero-trust-security"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts\/596914","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/comments?post=596914"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts\/596914\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/media\/596915"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/media?parent=596914"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/categories?post=596914"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/tags?post=596914"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}