Cyber operations in the Iranian conflict, attacks in Italy, developments in the APT landscape
Iran: cyberattacks in the context of the conflict
Within the context of the escalation between the United States, Israel, and Iran, the cyber domain continues to represent a significant operational space, with malicious activities and hacktivist operations observed in parallel with geopolitical and military developments. The main cyber activities attributable to known and emerging adversaries involve claims of DDoS attacks by pro-Iranian, pro-Russian, pro-Palestinian, and South Asian hacktivists, collectively targeting entities across multiple sectors in Israel, the USA, Qatar, Kuwait, Jordan, Saudi Arabia, the UK, Belgium, Egypt, Cyprus, the UAE, Oman, and Bahrain. Among the known hacktivist groups observed as active are Handala, Conquerors Electronic Army, NoName057(16), DieNet, Fatimiyoun Cyber Team, Server Killers, RipperSec, NetStrike, Islamic Cyber Resistance – 313 Team, BD Anonymous, Hider_Nex, TEAM FEARLESS, FAD Team, Nation of Saviors, The Garuda Eye, Keymous Plus, and RuskiNet.

Ransomware offensives have also been reported, including one carried out by INC RANSOM Team in Turkey and two by Cyber Islamic Resistance targeting Bangladesh and the USA. The offensive campaign named Operation Olalampo, active since 26 January 2026 against organizations and individuals mainly in the MENA region, has been attributed with high confidence to the Iranian group MuddyWater, consistent with the ongoing geopolitical tensions.

In addition, already during the first weeks of the conflict, researchers observed a wave of cyber-espionage and credential-theft campaigns targeting Middle Eastern governmental and diplomatic organizations, conducted by adversaries including the Chinese UNK_InnerAmbush, the Palestinian Molerats, a presumably Pakistani adversary named UNK_RobotDreams, an unknown attacker called UNK_NightOwl, the pro-Russian Winter Vivern, and the Iranian Charming Kitten.
Finally, a smishing campaign named Operation False Siren has been tracked targeting the Israeli civilian population, particularly users of the Red Alert (צבע אדום) app, the official tool of the Israeli Home Front Command (Pikud HaOref) used to receive real-time missile alerts. There is currently no official attribution for this operation; it is only known that the adversary demonstrates advanced Android development capabilities, native-level Hebrew proficiency, and deep knowledge of the Israeli operational context.
Italy: new ransomware claims and phishing operations
During the past week, several ransomware attacks targeting Italian entities have been tracked. LockBit Team claimed on its leak site the compromise of SIA – Conserviera Adriatica, Commerfrutta Di Stancari, and F.A.C. S.r.l.; DragonForce Team claimed Tazzetti S.p.A.; NightSpire claimed Giaroli S.A.S.; and Qilin Team claimed the alleged compromise of GA.MA. S.r.l. On the phishing front, a campaign conducted via WhatsApp has been detected which exploits the theme of International Women’s Day to steal victims’ credit card data. The mechanism unfolds in four stages: the victim receives a link promising a fake giveaway; is invited to fill out a form to “claim the prize”; is encouraged to share the message with their contacts, thereby amplifying the scam; and is finally redirected to a fraudulent payment page where card details are requested.
APT: offensives linked to China detected
During 2024, a Chinese adversary named UAT-9244 was observed targeting South American telecommunications providers using three previously unseen malware strains called TernDoor, PeerTime, and BruteEntry. TernDoor can execute commands via a remote shell, launch arbitrary processes, read and write files, collect system information, and uninstall itself. PeerTime is a Linux ELF backdoor built for multiple architectures (ARM, AARCH, PPC, MIPS), suggesting that it was designed to compromise a wide range of embedded systems and network devices used in telecommunications environments. Finally, BruteEntry consists of an instrumental binary written in Go and a brute-force component; its role is to transform compromised devices into scanning nodes known as Operational Relay Boxes (ORBs).

Also on the Asian front, on 1 March 2026, security researchers observed two phishing campaigns, orchestrated by China-linked APT groups and aimed at deploying malware, targeting institutional and strategic entities based in Qatar. The first operation aims to deploy the PlugX backdoor, while the second delivers a Cobalt Strike payload. The almost immediate focus on Qatar by China-affiliated APT actors may reflect not only opportunistic intelligence collection related to the regional crisis, but also a broader shift in reconnaissance priorities toward a state positioned at the intersection of multiple competing regional and global powers and interests.
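A backdoor shipped for several architectures, as described for PeerTime above, typically reaches an incident responder as a set of ELF files with no reliable file names. A first triage step is to read the ELF identification bytes and e_machine field of each sample to see which device classes the operator was equipped to reach. The script below is an added example written for this report, not code from the original page nor from any of the malware or vendors named in it; it parses only the ELF header (magic, EI_CLASS, EI_DATA, e_type, e_machine), honours the file's declared endianness when decoding the 16-bit fields, and groups samples by target architecture. The sample headers it runs on are constructed inline for the demonstration and do not correspond to any real malware.

```python
import struct

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification (subset common on network and embedded gear)
E_MACHINE = {
    3: "x86",
    8: "MIPS",
    20: "PowerPC",
    21: "PowerPC64",
    40: "ARM",
    62: "x86-64",
    183: "AArch64",
}

E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def parse_elf_header(data: bytes) -> dict:
    """Return bits, endianness, object type and machine for an ELF blob.

    Only the first 20 bytes are needed: e_ident (16 bytes) followed by
    e_type and e_machine, both 2-byte fields in the file's own byte order.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2):
        raise ValueError(f"invalid EI_CLASS {ei_class}")
    if ei_data not in (1, 2):
        raise ValueError(f"invalid EI_DATA {ei_data}")
    # EI_DATA decides how e_type/e_machine are encoded: 1 = little, 2 = big endian
    fmt = ("<" if ei_data == 1 else ">") + "HH"
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, f"unknown({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown({e_machine})"),
    }


def make_header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Build a minimal 64-byte ELF header (constructed test input, not a real binary)."""
    endian = "<" if ei_data == 1 else ">"
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8  # 16-byte e_ident
    return ident + struct.pack(endian + "HHI", e_type, e_machine, 1) + b"\x00" * 40


def triage(samples: dict) -> dict:
    """Group sample names by machine/bits/endianness; non-ELF inputs land under 'not-elf'."""
    groups: dict = {}
    for name, blob in samples.items():
        try:
            h = parse_elf_header(blob)
            key = f"{h['machine']}/{h['bits']}-bit/{h['endian']}-endian"
        except ValueError:
            key = "not-elf"
        groups.setdefault(key, []).append(name)
    return groups


# Constructed sample set mimicking a multi-architecture drop (hypothetical names)
SAMPLES = {
    "bd_mips":   make_header(1, 2, 2, 8),    # 32-bit big-endian MIPS executable
    "bd_arm":    make_header(1, 1, 2, 40),   # 32-bit little-endian ARM executable
    "bd_ppc":    make_header(1, 2, 2, 20),   # 32-bit big-endian PowerPC executable
    "bd_arm64":  make_header(2, 1, 3, 183),  # 64-bit little-endian AArch64 shared object
    "readme.txt": b"not a binary",           # noise that must not break the run
}

if __name__ == "__main__":
    for key, names in sorted(triage(SAMPLES).items()):
        print(f"{key:32s} {', '.join(names)}")
```

Run against a directory of recovered files, the grouping immediately shows whether the kit covers the routers, CPE, or appliance CPUs present in the environment, which helps scope which device inventories to sweep before any deeper analysis of the samples.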
Weekly Threats Report is Telsy’s weekly update featuring the main developments on cyber attacks and threat actors worldwide, produced by our Threat Intelligence & Response team.
The team is composed of analysts and security researchers with technical and investigative skills and internationally recognized experience.
Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with useful information to anticipate attacks and understand their scope, with the support of a trusted partner in the event of a cyber incident.
