Lumen Unveils 2026 Defender Threatscape Report: Upstream Network Visibility is the New Front Line of Cyber Defence

Black Lotus Labs reveals why upstream network visibility is essential to detecting and disrupting disguised proxies, edge exposure, and AI-driven attacks  

Australia, 9 April 2026 – Lumen Technologies (Lumen) has released its 2026 Lumen Defender Threatscape Report, identifying a fundamental shift in the digital battlefield: the most critical threat signals no longer live on the endpoint, but upstream in the network itself. 

Authored by Black Lotus Labs, Lumen’s threat research and operations arm, the report leverages the company’s position as one of the world’s largest internet backbone operators to document how cyber criminals have evolved into “heist crews” with industrialised, highly coordinated operations. Most notably, it reveals critical insights into how threat actors use disguised proxies, compromised edge devices, and generative AI to pre-stage attacks. 

Key Findings 

The 2026 Threatscape Report identifies critical shifts in how attackers operate: 

  • Generative AI as an Operational Engine: Threat actors are using AI to iterate and regenerate malicious infrastructure at machine speed. This automation helps sustain malicious campaigns, compressing the window between exposure and impact. 
  • Targeting the “Vault Door” at the Edge: As endpoint detection and response (EDR) has matured, attackers have pivoted to internet-exposed edge devices – routers, VPN gateways, and firewalls. These assets offer privileged access, limited forensic capabilities, and typically operate outside traditional endpoint security visibility. 
  • The Rise of Residentially Disguised Proxies: Criminal and nation-state crews are industrialising proxy networks using compromised small office/home office (SOHO) devices. By hijacking these “rentable identities,” attackers blend into legitimate residential traffic to bypass Zero Trust and geolocation controls. 
  • Blurred Lines of Attribution: Elite espionage campaigns are increasingly built on “stolen staging,” where nation-state actors hijack criminal infrastructure to hide their fingerprints behind noisy, common criminal activity. 

Australia: Infrastructure Exposure in a Geopolitically Contested Threatscape 

Across Asia Pacific, the infrastructure-centric threat trends documented by Black Lotus Labs—edge exploitation, malware-backed proxy networks, and AI-driven automation—are increasingly shaping cyber risk. In Australia, these dynamics are further intensified by scale, geographic distribution, and geopolitical exposure, placing infrastructure firmly on the front line of cyber operations. 

Australian organisations operate highly distributed digital environments spanning enterprise IT, operational technology, critical infrastructure, cloud platforms, managed service providers, and partner networks. Internet-facing edge devices play a central role in maintaining connectivity across this landscape. As endpoint security has matured, adversaries have shifted their focus to these assets, exploiting them as points of leverage that sit outside traditional security visibility. 

Black Lotus Labs research shows that modern cyber operations are built upstream, using malware-backed proxy networks assembled from compromised SOHO devices, IoT systems, and virtual infrastructure. These networks allow attackers to disguise activity within legitimate traffic, eroding long-standing trust assumptions around residential and low-risk IP space. In Australia’s highly connected economy, exposure—rather than sector or intent—now defines risk. 

Australia’s risk profile is further elevated by its alignment under the AUKUS security partnership, which increasingly positions national digital and physical infrastructure as an extension of allied capability. As collaboration accelerates across defence, cyber, AI, and critical technologies, Australian infrastructure is more frequently incorporated into the targeting calculus of well-resourced nation-state and state-aligned actors. This activity disproportionately affects telecommunications, energy, ports, logistics, research institutions, and managed service providers that underpin alliance readiness. 

A report by the Australian Signals Directorate (ASD) recorded an 83% surge in notifications of potentially malicious cyber activity year-on-year, with critical infrastructure receiving more than twice the number of alerts compared to the prior year. Additionally, internet-exposed edge devices were identified as a persistent vulnerability. In this environment, routine connectivity and infrastructure decisions increasingly carry strategic implications, reinforcing the need for upstream network visibility to detect and disrupt campaigns before they reach critical systems.

“Across Australia and the wider Asia Pacific region, attackers are increasingly operating upstream of the enterprise, leaving organisations with limited visibility at a critical stage of the attack,” said Wai Kit Cheah, APAC CISO & Connected Ecosystem Leader at Lumen. “By seeing attacker infrastructure as it forms at the network layer, Lumen and our Black Lotus Labs team can identify coordinated activity early, disrupt campaigns while they are still in motion, and help reduce the operational burden on security teams before real damage is done.” 

The Professionalisation of Cybercrime 

The report also identified a new standard for cyber operations: the “heist crew” model. Rather than deploying standalone malware, threat actors now operate with the precision of a logistics firm, using generative AI to rotate infrastructure at machine speed and “rentable identities” through compromised home routers to blend into everyday residential traffic.  

In Australia, this model is particularly effective due to the scale and distribution of connected infrastructure across enterprise, industrial, and service‑provider environments. High levels of connectivity expand the pool of devices and networks that adversaries can quietly co‑opt, further eroding traditional trust assumptions around residential and otherwise “clean‑looking” IP space. 

With visibility into 99% of public IPv4 addresses and monitoring of more than 200 billion NetFlow sessions and 46,000 C2 servers daily, Lumen’s network vantage allows Black Lotus Labs to identify coordinated infrastructure behaviour as it emerges. In 2025, Lumen participated in eight multi-partner takedowns and disrupted 5,000 IPs to degrade adversary capabilities. 

The report deconstructs several high-profile operations that define this new era: 

  • Raptor Train: A nation-state botnet that utilised an enterprise-grade control centre to manage over 200,000 compromised Internet of Things (IoT) devices. 
  • Kimwolf: A massive, distributed denial-of-service (DDoS) botnet that scaled to hundreds of thousands of bots in weeks by exploiting residential proxy ecosystems. Lumen observed Kimwolf triple its bot count in just one week and launch attacks reaching 30 terabits per second (Tbps). 
  • Rhadamanthys: The largest malware-as-a-service platform by volume at the time of takedown, which operates like a professional startup, complete with subscription tiers and customer support for more than 12,000 victims.

“Threat intelligence is needed to find the adversary as early as possible and as close to the point of origination as possible,” said Chris Kissel, IDC vice-president, Security & Trust. “Lumen’s massive infrastructure and the quality of Black Lotus Labs provide optimal visibility of the IP backbone, greatly reducing the odds of successful cyber-attack campaigns.”

 The full 2026 Lumen Defender Threatscape Report is now available for download. 

About Lumen 

 Lumen is unleashing the world’s digital potential. We ignite business growth by connecting people, data, and applications – quickly, securely, and effortlessly. As the trusted network for AI, Lumen uses the scale of our network to help companies realise AI’s full potential. From metro connectivity to long-haul data transport to our edge cloud, security, managed service, and digital platform capabilities, we meet our customers’ needs today and as they build for tomorrow. For news and insights visit news.lumen.com, LinkedIn: /lumentechnologies, X: @lumentechco, Facebook: /lumentechnologies, Instagram: @lumentechnologies, and YouTube: /lumentechnologies

Forward-Looking Statement 

This press release includes certain forward-looking statements about future events. These forward-looking statements are not guarantees of future results, are based on our current expectations only and are subject to various uncertainties. Actual results may differ materially from those anticipated by us in these statements due to several factors, including those referenced in our filings with the U.S. Securities and Exchange Commission. 

Media Contact: 

Bud Communications on behalf of Lumen Technologies 

Email: lumen@budcomms.com  

This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue. Services not available everywhere. Lumen may change or cancel products and services or substitute similar products and services at its sole discretion without notice. ©2026 Lumen Technologies. All Rights Reserved.

