OpenText Cybersecurity has released its annual ‘Nastiest Malware 2025’ report, naming the six most damaging malware groups impacting organisations globally. Four of the top groups had a significant presence in Australia over the past year, including Qilin, Akira, Scattered Spider, and ShinyHunters.

Organised ransomware and cyber-extortion groups are now operating as sophisticated businesses, complete with dedicated sales teams, negotiation playbooks, and customer-support-style features for criminal affiliates. This formalisation of cybercrime poses escalating risks for Australian organisations managing sensitive data and critical operations.

According to OpenText Cybersecurity's 2025 threat analysis, four major threat groups - Qilin, Akira, Scattered Spider, and ShinyHunters - have significantly targeted Australian organisations during the past year. The shift reflects not random attacks but calculated business strategy by mature criminal enterprises.

Qilin leads the global threat landscape, having executed more than 200 confirmed incidents worldwide. The group's Australian targets include Metricon Homes, Office National, Belmont Christian College, Malibu Boats Australia, Wyong Rugby League Club, and JKC Australia LNG.

The group introduced what it describes as a "Call Lawyer" feature - the first of its kind built directly into a ransomware control panel. The feature allows criminal affiliates to click a button opening encrypted chat with a Qilin-provided "negotiation advisor." These advisors guide criminals through ransom negotiations, calculate victim payment capacity, and draft professional-appearing "proof of data deletion" statements.

This level of business-like structure marks a significant escalation from traditional ransomware approaches. It also demonstrates how the underground criminal economy has matured, creating structured support systems that parallel legitimate enterprise operations.

Akira exemplifies this strategic evolution. After targeting healthcare and education sectors heavily in 2024 - drawing regulatory attention and law enforcement pressure - the group shifted tactics. Akira now focuses on high-value enterprises and managed service providers capable of paying substantial ransoms without triggering international outrage.

This reorientation suggests threat actors increasingly calculate reputational and regulatory risk alongside financial returns. Believed Australian targets include LeasePLUS, Consonic, Thornton Engineering, and Regency Media.

Scattered Spider (tracked as UNC3944) and ShinyHunters are believed to have collaborated in large-scale attacks on Qantas and Telstra this year. UK law enforcement arrests revealed Scattered Spider's operators were teenage hackers. They reportedly gained domain administrator access within 40 minutes, exploiting social engineering and help-desk impersonation techniques. ShinyHunters has separately targeted Google, Workday, and global financial institutions.

Scattered Spider deployed deepfake voice calls and help-desk impersonation techniques this year with increasing sophistication. The group operates as an access broker, selling network entry points to other criminal groups, thereby amplifying its impact across multiple threat actors.

These developments reflect a broader trend in cybercriminal operations. Threat groups now form alliances, share exploit kits, and distribute Malware-as-a-Service tools to other attackers. Groups like Akira and Qilin treat extortion as enterprise sales operations, targeting organisations specifically selected for payment capacity and employing dedicated affiliates managing negotiations through custom-built portals.

OpenText Cybersecurity's 2025 threat list also includes Play Ransomware and Lumma Stealer, with honourable mentions for LockBit 5.0, AsyncRAT, and ClickFix.

Commenting on the findings, OpenText Cybersecurity (APAC) Regional Vice President Steve Stavridis said the 2025 list highlights how the growing accessibility of attack tools is fuelling a new wave of cybercrime where even unskilled actors can launch sophisticated, business-style operations.

“New technology has lowered the technical barrier to creating and deploying malware. Criminals can even purchase malware products from other groups and access customer support-like features,” Mr Stavridis said.

“We are at the point of a viable ‘malware sector’, with increasingly sophisticated and organised groups that are pivoting strategies, developing negotiation ‘playbooks’, forging alliances, and creating innovative approaches.

“The impact of these groups is not merely financial. Patient treatment may be delayed at compromised hospitals, projects may be stalled for engineering and construction companies, and students’ futures may be jeopardised if their educational institution’s records are made public.

“Cybersecurity today is not just about the impenetrability of your walls, but the engagement of your employees. This is due to tools like AI making social engineering attacks bigger, faster, and more sophisticated.”