Attacks in Italy, several breaches announced, new state-sponsored operations
Italy: spyware, breaches, ransomware and DDoS
WhatsApp notified approximately 200 users, primarily in Italy, that they had been targeted through a counterfeit version of its iPhone application containing spyware. Those responsible are believed to have used social engineering techniques to convince users to install malicious software mimicking WhatsApp. The company proactively identified the affected users, disconnected them, and urged them to remove the unofficial client and reinstall the original app. The company publicly attributed the operation to the Italian firm Asigint, part of Sio S.p.A., headquartered in Cantù, and announced it would be sending a formal cease-and-desist notice demanding an end to the malicious activities.

ITA Airways, Italy's national carrier, sent an official communication to its customers informing them of a cyberattack. The incident involved unauthorized access to systems managing the Volare loyalty program, with possible data exfiltration. According to the company, the exposed data relates exclusively to personal details, contact information, and Volare profile data, including first name, last name, email address, phone number, and account details; payment data, passwords, and login credentials were reportedly not affected.

Turning to the ransomware landscape, the threat actor known as The Gentlemen claimed on their leak site the compromise of Zanzi S.p.A. and GAPOSA S.r.l.; Qilin Team claimed Seram S.p.A.; INC RANSOM Team claimed Fondazione IRPEA – ETS (Istituti Riuniti Padovani di Educazione e Assistenza); and a group called NetRunner claimed GEG Telecomunicazioni S.r.l.

Finally, the hacktivist collective BD Anonymous, allegedly of South Asian/Bangladeshi origin, claimed DDoS attacks against the websites of SIEM S.r.l., the Molise Region, and Elefondati S.r.l.
Breaches: European Commission, Cisco, and the Netherlands in the crosshairs
The European Commission suffered a cybersecurity incident involving its public web platform europa[.]eu, hosted on Amazon Web Services (AWS) cloud infrastructure. On March 19, an attacker obtained a secret AWS API key by exploiting a supply chain compromise of Trivy, publicly attributed to TeamPCP. The European Commission was unknowingly running a compromised version of Trivy, received through normal software update channels. Armed with the API key, the adversary launched TruffleHog on the same day (a tool for scanning secrets and validating AWS credentials), then created and associated a new access key to an existing user, subsequently conducting reconnaissance on the compromised cloud environment. On March 24, the first warning signs were detected: potential misuse of Amazon APIs, a possibly compromised account, and unusually high network traffic volumes. On March 27, the Commission made the matter public through an official press release, stating that internal systems had not been compromised. Despite the swift response, the adversary managed to exfiltrate approximately 340 GB of data related to the websites of up to 71 customers of the Europa web hosting service. Of these, 42 are offices or bodies internal to the European Commission, and at least 29 belong to other EU organizations. On March 28, the ShinyHunters group published the stolen dataset on their leak site, claiming to have exfiltrated mail server dumps, databases, confidential documents, contracts, and other sensitive material.

Additionally, ShinyHunters claimed a breach of Cisco Systems Inc., with the alleged exfiltration of over 3 million Salesforce records containing personally identifiable information (PII), GitHub repositories with source code, and AWS buckets containing further internal corporate data.
Finally, the Dutch Ministry of Finance, following a security breach, ordered the precautionary shutdown of several systems, including the digital portal for bank treasury operations, with direct repercussions on approximately 1,600 public institutions, including ministries, government agencies, educational organizations, social funds, and local authorities.
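The European Commission intrusion described above follows a sequence that leaves a recognisable trail in AWS CloudTrail: a leaked long-lived key validates itself, mints a new access key for an existing IAM user, and the freshly minted key is immediately used for reconnaissance. The following hunt over CloudTrail-shaped records is an added example written for this report, not code from Telsy, the Commission or any tool named here. Field names follow CloudTrail's JSON schema; the key IDs, user names, IP addresses and timestamps are constructed sample values, and the assumption that credential validation shows up as an STS GetCallerIdentity call is labelled in the code.

```python
# Added example (not from the Telsy report): a small CloudTrail hunt for the
# "validate stolen key -> CreateAccessKey on another user -> recon" sequence.
# Field names follow CloudTrail's JSON schema; all values below are constructed.
from datetime import datetime, timedelta

# API calls commonly seen right after a stolen key is put to use. GetCallerIdentity
# is the STS call secret-validation tools use to confirm a key works (assumption:
# that is how the validation step would appear in CloudTrail).
RECON_CALLS = {
    "GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles",
    "DescribeInstances", "GetAccountAuthorizationDetails", "ListSecrets",
}


def _ev(t, source, name, key, user, ip, **extra):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventTime": t, "eventSource": source, "eventName": name,
           "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key},
           "sourceIPAddress": ip}
    rec.update(extra)
    return rec


LEAKED = "AKIACONSTRUCTEDLEAK01"   # hypothetical key a compromised build tool leaked
MINTED = "AKIACONSTRUCTEDNEW002"   # hypothetical key the attacker creates for persistence
ADMIN = "AKIACONSTRUCTEDADMIN03"   # hypothetical legitimate administrator key

SAMPLE_EVENTS = [
    _ev("2026-03-19T10:00:05Z", "sts.amazonaws.com", "GetCallerIdentity", LEAKED, "ci-scanner", "203.0.113.7"),
    _ev("2026-03-19T10:00:40Z", "iam.amazonaws.com", "CreateAccessKey", LEAKED, "ci-scanner", "203.0.113.7",
        requestParameters={"userName": "web-deploy"},
        responseElements={"accessKey": {"accessKeyId": MINTED, "userName": "web-deploy", "status": "Active"}}),
    _ev("2026-03-19T10:02:10Z", "sts.amazonaws.com", "GetCallerIdentity", MINTED, "web-deploy", "203.0.113.7"),
    _ev("2026-03-19T10:03:00Z", "s3.amazonaws.com", "ListBuckets", MINTED, "web-deploy", "203.0.113.7"),
    _ev("2026-03-19T10:05:30Z", "iam.amazonaws.com", "ListUsers", MINTED, "web-deploy", "203.0.113.7"),
    # Benign rotation: an admin creates a key for herself and then uses it normally.
    _ev("2026-03-19T15:30:00Z", "iam.amazonaws.com", "CreateAccessKey", ADMIN, "alice", "198.51.100.20",
        requestParameters={"userName": "alice"},
        responseElements={"accessKey": {"accessKeyId": "AKIACONSTRUCTEDROT004", "userName": "alice", "status": "Active"}}),
    _ev("2026-03-19T15:45:00Z", "s3.amazonaws.com", "GetObject", "AKIACONSTRUCTEDROT004", "alice", "198.51.100.20"),
]


def _t(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_minted_key_recon(events, window=timedelta(hours=24)):
    """Flag CreateAccessKey events whose newly issued key is used for
    reconnaissance within `window`; returns one finding per such key."""
    events = sorted(events, key=_t)
    findings = []
    for ev in events:
        if ev["eventName"] != "CreateAccessKey":
            continue
        new_key = ev["responseElements"]["accessKey"]["accessKeyId"]
        created = _t(ev)
        creator = ev["userIdentity"]
        target_user = ev["requestParameters"]["userName"]
        recon = [e for e in events
                 if e["userIdentity"].get("accessKeyId") == new_key
                 and e["eventName"] in RECON_CALLS
                 and created <= _t(e) <= created + window]
        if not recon:
            continue  # no recon with the new key: ordinary rotation, not alerted
        # Extra signal: the creating key validated itself shortly before minting.
        prevalidated = any(e["eventName"] == "GetCallerIdentity"
                           and e["userIdentity"].get("accessKeyId") == creator.get("accessKeyId")
                           and created - timedelta(hours=1) <= _t(e) <= created
                           for e in events)
        findings.append({
            "created_at": ev["eventTime"],
            "creator_key": creator.get("accessKeyId"),
            "creator_user": creator.get("userName"),
            "target_user": target_user,
            "cross_user": creator.get("userName") != target_user,  # key minted for someone else
            "new_key_id": new_key,
            "recon_calls": [e["eventName"] for e in recon],
            "source_ips": sorted({e["sourceIPAddress"] for e in recon} | {ev["sourceIPAddress"]}),
            "prevalidated": prevalidated,
        })
    return findings


if __name__ == "__main__":
    for f in detect_minted_key_recon(SAMPLE_EVENTS):
        print(f"ALERT {f['created_at']}: {f['creator_user']} ({f['creator_key']}) minted "
              f"{f['new_key_id']} for {f['target_user']}; recon={f['recon_calls']} "
              f"from {f['source_ips']}; self-validated first={f['prevalidated']}")
```

The rule keys on behaviour rather than on any single API call: a CreateAccessKey is only flagged when the key it produced is actually used for enumeration within the window, which is why the administrator's routine rotation in the sample passes while the cross-user key minted by the leaked credential is raised. In a real deployment the same logic runs over CloudTrail records exported to S3 or a SIEM, and the `cross_user` and `prevalidated` fields give an analyst the context that separates the two cases quickly.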
APT: Iranian, North Korean, and Russian operations
Security researchers have identified and monitored a password spraying campaign targeting Microsoft 365 environments, attributed with moderate confidence to an adversary linked to Iran. The operation unfolded in three distinct waves launched on March 3, 13, and 23, 2026, respectively, primarily targeting government bodies, municipalities, energy sector organizations, and private companies in Israel and the United Arab Emirates.

On March 31, 2026, an active supply chain attack was detected involving the npm package Axios, the most widely used JavaScript library for handling HTTP requests, with over 100 million weekly downloads, 3.6 billion annual downloads, and more than 174,000 dependent projects. The activity is attributed with high confidence to the North Korean Lazarus Group.

In addition, a spear phishing operation was detected linked to the Russian group Callisto, historically known for credential harvesting attacks, but which over the past year has expanded its operations to include WhatsApp account compromises and the use of custom malware for sensitive data exfiltration. The most recent activity leverages the DarkSword exploit kit for iOS, delivered via fake emails impersonating the Atlantic Council with a subject line referencing a fictitious invitation to discussions.

Finally, CERT-UA detected a phishing campaign conducted by a cluster designated UAC-0255, which distributed fraudulent emails posing as CERT-UA itself and delivering malware called AGEWHEEZE. The messages invited recipients to download a password-protected archive from the Files.fm service and install a supposed "specialized software." The targeting was broad: government organizations, medical centers, security companies, educational institutions, financial institutions, and software houses. In parallel, the adversaries set up the domain cert-ua[.]tech, a clone of cert[.]gov[.]ua, containing instructions for downloading the payload. Embedded in the page's HTML code was the string "С Любовью, КИБЕР СЕРП" ("With Love, CYBER SERP"), referencing the Telegram channel CyberSerp_Official, on which an explicit claim of the attack was published on March 28, 2026.
Weekly Threats Report is Telsy’s weekly update featuring the main developments on cyber attacks and threat actors worldwide, produced by our Threat Intelligence & Response team.
The team is composed of analysts and security researchers with technical and investigative skills and internationally recognized experience.
Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with useful information to anticipate attacks and understand their scope, with the support of a trusted partner in the event of a cyber incident.
Learn more about our Cyber Threat Intelligence solution.
