ASX 200 firms hit by infostealer infections: report

UpGuard has published its annual ASX 200 Cybersecurity Report, which found that 1 in 10 ASX 200 companies had active, verified infostealer infections.

The findings identify identity compromise as a central weakness among Australia's largest listed companies, even as the index posted a modest improvement in its average security score. The ASX 200's average rating reached 728.5 on UpGuard's 0 to 950 scale in 2025, equivalent to a B rating and up 1.58 per cent from the previous year.

According to the report, that gain did not reflect a broad shift towards stronger prevention. Security scores tended to remain flat until a major global cyber incident prompted a short burst of remediation work, after which improvements often faded within months.

Identity exposure

It found that 10 per cent of ASX 200 companies had high-confidence exposure to credentials circulating in infostealer logs, with 71 per cent of those infections concentrated among the largest organisations in the index.

Infostealers are typically used to harvest usernames, passwords and session data from infected devices, which can then be traded or reused in later attacks. The focus on exposed credentials suggests attackers continue to rely on identity-based entry points rather than more complex intrusion methods.

The research also highlighted concentration risk across software suppliers. Most ASX 200 companies depend on the same core software-as-a-service platforms, raising the possibility that a single vendor weakness could affect large numbers of organisations at once.

Weak spots

Encryption remained the lowest-scoring technical category for the second consecutive year, making it the weakest area measured across the index. This leaves data privacy exposed at a time when businesses face greater scrutiny over how they protect corporate and customer information.

Performance was also volatile across the index. In every security category measured, nearly a third of companies finished in a worse position than they had recorded in 2024.

Sector results were uneven. Information Technology led the rankings with a score of 776, followed by Utilities at 769, while Materials ranked last at 673.

The report was based on daily scanning of billions of external data points and used a subtractive scoring model in which organisations begin with a maximum score and lose points for identified risks and vulnerabilities. UpGuard said this approach is designed to measure external cyber risk exposure rather than internal controls.

Continuous risk

The findings come as Australian companies face growing pressure to show they can identify and manage cyber risk on an ongoing basis. Public companies are dealing with a more complex mix of third-party software dependencies, exposed online assets and stolen credentials appearing in criminal markets.

"Even as companies in the ASX 200 continue their efforts to improve security, our research shows that the rise of sophisticated identity threats like infostealers, and new mandates under Australia's Cyber Security Act 2024 mean that periodic security checks are no longer enough," said Greg Pollock, Director of Research and Insights, UpGuard.

"Maintaining robust cybersecurity standards requires a shift to continuous, comprehensive cyber risk posture management that reflects a true end-to-end security posture. Success will be determined by three factors: awareness of change, time to remediation, and security fundamentals," said Pollock.

UpGuard recommended that ASX 200 organisations increase continuous external scanning, move to real-time monitoring of supplier risk and strengthen dark web monitoring for exposed credentials. Those recommendations reflect the report's central conclusion that reactive fixes after headline incidents are not enough to improve resilience across the market.