Cybercrime in Italy, new data breaches, vulnerabilities in Microsoft Defender

Weekly Threats by Telsy

Italy: new phishing and ransomware attacks

A new phishing campaign has been detected in Italy exploiting the name of the Ministry of Health to exfiltrate personal and credit card data. The email, with the subject line “The status of your reimbursement,” prompts the recipient to click a link under the pretext of a supposed refund related to healthcare services. The link redirects the user to a malicious portal posing as a Ministry page for “Identity Verification for LEA Reimbursement” (LEA: Essential Levels of Care), requesting personal details (first name, last name, residential address, city, postal code, and phone number) as well as payment information (credit card number, expiry date, and CVV code).

In addition, a new operation has targeted SPID users, exploiting the name and logo of the Agency for Digital Italy (AgID). The email, with the subject line “Your digital certificate has just been renewed,” contains a link leading to a malicious page that replicates the official SPID login portal and is designed to steal service credentials.

On the ransomware front, Coinbase Cartel has claimed on its leak site the alleged compromise of ASTM S.p.A., an international industrial group operating in the management of motorway networks under concession, the design and construction of major infrastructure works, and infrastructure technology. According to the blog post, the name, revenue, and sector point to ASTM S.p.A.; however, the ransomware operator provided the domain of A.ST.I.M. S.r.l., a technology company based in Ravenna (RA) that supplies high-tech systems, products, and services to the industrial, naval, security, and defence sectors.

Breaches: ANTS and Rituals affected

On 15 April 2026, France Titres — the French National Agency for Secure Documents (ANTS) — detected a serious cybersecurity incident affecting the portal ants[.]gouv[.]fr, the government platform through which millions of French citizens manage applications for passports, identity cards, residence permits, and driving licences. The attack compromised personal data belonging to both private and professional accounts. According to the French Ministry of the Interior, the potentially exposed information includes: login credentials, title, first and last name, email address, date of birth, and unique account identifier. In some cases, depending on the user’s profile, postal address, place of birth, and phone number may also have been exposed. Authorities clarified that documents uploaded to the portal — such as attachments and photocopies of records — were not involved in the breach, and that the exposed data does not allow third parties to directly access compromised accounts.

Following the incident, an unidentified attacker has claimed to be in possession of a dataset stolen from ANTS containing between 18 and 19 million records, which they intend to put up for sale. The data allegedly includes names, email addresses, phone numbers, dates and places of birth, postal addresses, and account metadata. The claim has not yet been verified and authorities are investigating its authenticity. If confirmed, this would be one of the most serious government data breaches in France’s recent history.

Furthermore, Dutch cosmetics giant Rituals has publicly disclosed a data breach affecting its loyalty programme “My Rituals,” which has over 41 million members. The incident was discovered in early April 2026, when the company was alerted to unauthorised downloads from the members’ database. The relevant authorities were promptly notified and the attackers’ access was blocked.

Vulnerabilities: 3 zero-days detected in Microsoft Defender

Three zero-day vulnerabilities affecting Microsoft Defender — named BlueHammer (tracked as CVE-2026-33825), RedSun, and UnDefend — have been publicly disclosed as Proof-of-Concept (PoC) exploits by a researcher known as “Nightmare Eclipse,” in protest against Microsoft’s handling of the disclosure process, and are confirmed to be exploited in the wild. When used together, they can be chained into an exploit chain capable of leading to full system compromise with SYSTEM privileges. BlueHammer and RedSun are Local Privilege Escalation (LPE) vulnerabilities, while UnDefend induces a functional Denial-of-Service (DoS) condition on Microsoft Defender, preventing antivirus definition updates and degrading the effectiveness of the protection engine. Microsoft patched BlueHammer (CVE-2026-33825) in the April 2026 Patch Tuesday, while RedSun and UnDefend remain unpatched.

From a technical standpoint, RedSun exploits Microsoft Defender’s handling of files tagged with “cloud tags.” By registering a malicious Cloud Files provider and manipulating reparse points, the attacker tricks Defender into rewriting a controlled file into sensitive directories, such as C:\Windows\System32, using its own SYSTEM token. This allows the placement of an arbitrary binary that can subsequently be executed with elevated privileges, resulting in full system compromise. Meanwhile, UnDefend degrades defensive capabilities by preventing antivirus signature updates, amplifying the operational impact of the other exploits.

The vulnerabilities affect Windows 10 (all supported versions), Windows 11 (all supported releases), and Windows Server 2016 through 2025, provided Windows Defender is enabled. Security researchers at a well-known US cybersecurity firm have observed active exploitation of all three vulnerabilities; in particular, BlueHammer has been exploited since at least 10 April 2026, while RedSun and UnDefend were detected on a system compromised via a breached SSLVPN account. The exploitation activities occurred following typical enumeration commands — whoami /priv, cmdkey /list, net group, and others — indicating manual activity by a malicious threat actor.



Weekly Threats Report is Telsy’s weekly update featuring the main developments on cyber attacks and threat actors worldwide, produced by our Threat Intelligence & Response team.

The team is composed of analysts and security researchers with technical and investigative skills and internationally recognized experience.

Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with useful information to anticipate attacks and understand their scope, with the support of a trusted partner in the event of a cyber incident.

Learn more about our Cyber Threat Intelligence solution.