DDoS and ransomware in Italy, supply-chain attacks, new Russian offensives

Weekly Threats by Telsy

Italy: attacks on various portals linked to the Winter Olympic Games, with ransomware claims

After targeting German and Ukrainian entities, the pro-Russian collective NoName057(16) redirected its DDoS attacks against several Italian portals and websites connected to the Milan–Cortina 2026 Winter Olympic Games. The targeted entities include: Hotel Ambra Cortina, Parc Hotel Victoria Cortina d’Ampezzo, Franceschi Parkhotel Cortina, Hotel Cortina, Hotel de la Poste, Municipality of Giugliano in Campania, HERABIT, Municipality of Parma, Municipality of Reggio Emilia, Regional Council of the Aosta Valley, Skiarea Campiglio Dolomiti di Brenta, Bormio Ski, Ski[.]it, Plan de Corones (Kronplatz) ski area, ItalyTenders, Port Authority of Olbia and Golfo Aranci, Municipality of Palermo, Sinfomar, Vulcanair S.p.A., the Italian Customs and Monopolies Agency, Team Germany, the German Olympic Sports Confederation (DOSB), the Austrian Olympic Committee, the Finnish Olympic Committee, and Ristorante Tivoli Cortina. The group justifies these attacks by pointing to Italy’s continued support for Ukraine as of February 2026 and to the pro-Ukrainian, pro-Atlantic stance of the government led by Giorgia Meloni, despite divisions within the governing coalition. On February 5, the pro-Palestinian collective Dark Storm Team joined the operations, targeting the websites of Marche Airport and Bolzano Airport.

New cybercrime offensives have also hit the Italian peninsula. The Uffizi Galleries in Florence and Sapienza University of Rome suffered cyber attacks that disrupted administrative services and digital services, respectively.

Turning to the ransomware landscape, TA505 claimed on its leak site the compromise of Augustea Holding S.p.A. and of Locatelli Autoservizi S.r.l., while Akira Team claimed Ferretti Construction S.r.l.

Supply chain: attacks abuse Notepad++ and eScan

Between June and December 2025, a supply-chain campaign abused the update distribution infrastructure of Notepad++ to deliver malicious payloads to a small set of selected victims. The operation was attributed with moderate confidence to the Chinese APT group Lotus Blossom, based on overlapping TTPs and toolchains and on similarities with previously documented activity. Technical evidence indicates that the application’s source code was not modified; the compromise affected the hosting infrastructure used to distribute updates. The attackers used this access to serve malicious installers only to specific targets, avoiding indiscriminate distribution. Identified victims include individuals residing in Vietnam, El Salvador, and Australia; a government organization based in the Philippines; a financial company based in El Salvador; and an IT services provider based in Vietnam.

A second, unrelated supply-chain attack abused the update platform of the eScan antivirus product from the Indian company MicroWorld. The attackers gained unauthorized access to one of the company’s update servers, compromising the update distribution infrastructure.
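Both incidents above share one property: the adversary controlled the servers that hand out updates, not the vendor's signing key. The check that neutralises that position is a client that refuses any installer whose release manifest is not signed by a key pinned in the client and whose hash does not match that signed manifest. The following Go program is an added example written for this newsletter, not code from Notepad++, MicroWorld or Telsy; the manifest layout, the product name and the installer bytes are constructed, and the publisher key pair is generated inside the program only so that it runs offline (a real client ships the public key embedded in its binary).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the release description the publisher signs. The field names
// are an assumption for this example, not the format of any real update feed.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the installer bytes
}

// VerifyUpdate accepts an installer only if the manifest signature verifies
// under the pinned publisher key AND the installer's SHA-256 matches the digest
// in that signed manifest. Whoever controls only the hosting infrastructure can
// replace both files but cannot produce a signature the pinned key accepts.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, installer []byte) (*Manifest, error) {
	if len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("pinned public key has the wrong size")
	}
	// Verify before parsing: untrusted bytes are not interpreted until signed.
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, errors.New("manifest signature does not verify under the pinned key")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return nil, errors.New("manifest digest is malformed")
	}
	got := sha256.Sum256(installer)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return nil, errors.New("installer digest does not match the signed manifest")
	}
	return &m, nil
}

// signRelease is the publisher side, included only so the example runs offline.
func signRelease(priv ed25519.PrivateKey, product, version string, installer []byte) (manifest, sig []byte) {
	d := sha256.Sum256(installer)
	manifest, _ = json.Marshal(Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(d[:])})
	return manifest, ed25519.Sign(priv, manifest)
}

// Scenario runs three constructed cases through the client check: the genuine
// release, the genuine manifest served with a substituted installer, and a
// re-signed manifest for the substituted installer under a key the client has
// not pinned. It reports whether each case was accepted.
func Scenario() (genuineOK, swappedInstallerOK, foreignKeyOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // demo publisher key pair
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed installer bytes for example-app 1.0.0")
	manifest, sig := signRelease(priv, "example-app", "1.0.0", installer)
	_, err = VerifyUpdate(pub, manifest, sig, installer)
	genuineOK = err == nil

	substituted := []byte("constructed substituted installer bytes")
	_, err = VerifyUpdate(pub, manifest, sig, substituted)
	swappedInstallerOK = err == nil

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the client does not trust
	m2, s2 := signRelease(otherPriv, "example-app", "1.0.1", substituted)
	_, err = VerifyUpdate(pub, m2, s2, substituted)
	foreignKeyOK = err == nil
	return
}

func main() {
	g, a, b := Scenario()
	fmt.Printf("genuine accepted=%v, substituted installer accepted=%v, foreign-key manifest accepted=%v\n", g, a, b)
}
```

Only the first case is accepted. The order of operations matters: the signature is checked before the manifest is parsed, so a compromised server never gets its bytes interpreted by the client's JSON decoder, and the digest comparison is constant-time out of habit rather than necessity. What this check does not cover is a stolen signing key or a compromised build pipeline, which is why the text's observation that the source code itself was untouched is the detail that makes signed updates the right mitigation here.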


APT: new operations from Moscow

A cyber espionage campaign dubbed Operation Neusploit has been identified targeting European countries through the exploitation of a critical Microsoft Office vulnerability; it is attributed with high confidence to the Russian group Sofacy. On January 26, 2026, Microsoft released a security update for CVE-2026-21509 (CVSS 7.8), a flaw that allows attackers to bypass Office security features. Just three days later, on January 29, active exploitation of the vulnerability was observed via specially crafted RTF files. The attacks targeted users in Ukraine, Slovakia, and Romania, using social-engineering lures written in English and in local languages. The adversary implemented server-side evasion, delivering the malicious DLL only when requests originated from the targeted geographic regions and carried specific HTTP User-Agent strings.

In addition, security researchers observed Russian threat actors, specifically a group tracked as UTA0355, abusing the Microsoft 365 and Google OAuth and Device Code authentication flows to compromise corporate accounts through increasingly sophisticated phishing campaigns. The operations centered on fraudulent websites impersonating real international security events in Europe: the Belgrade Security Conference, the Brussels Indo-Pacific Dialogue, and the World Nuclear Exhibition. Primary targets include international security professionals, foreign policy experts, and individuals who previously held senior government roles in the United States. The attack is multi-stage: the attacker first establishes seemingly benign communications with the target before sending malicious links. The adversary builds highly convincing websites and offers support via WhatsApp or Signal to walk victims through the entire fraudulent process, ensuring that they hand over the required OAuth codes.
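The device code flow leaves a distinctive trace on the defender's side: the tokens are issued to the device that requested the code, not to the browser where the victim typed it, so the resulting sign-in is recorded with the device code protocol and, in the phishing case, from an address the user has never used. The Go program below is an added example for this newsletter, not code from Telsy or the researchers cited; it reads Microsoft Entra sign-in records (the JSON field names `authenticationProtocol`, `userPrincipalName`, `ipAddress`, `appDisplayName` and `status.errorCode` follow the Entra sign-in log schema, the `deviceCode` protocol value is the documented one) and flags successful device code sign-ins, marking those from outside a per-user baseline of usual addresses. The log lines, the baseline and the user names are constructed, using RFC 5737 documentation addresses.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SignIn holds the subset of Microsoft Entra sign-in log fields this check
// reads. Field names follow the Entra sign-in schema; values are constructed.
type SignIn struct {
	CreatedDateTime        string `json:"createdDateTime"`
	UserPrincipalName      string `json:"userPrincipalName"`
	IPAddress              string `json:"ipAddress"`
	AppDisplayName         string `json:"appDisplayName"`
	AuthenticationProtocol string `json:"authenticationProtocol"`
	Status                 struct {
		ErrorCode int `json:"errorCode"` // 0 means the sign-in succeeded
	} `json:"status"`
}

// Finding is one device code sign-in worth an analyst's attention.
type Finding struct {
	When, User, IP, App string
	NewIP               bool // source address not in the user's baseline
}

// DetectDeviceCodeSignIns flags every successful sign-in completed through the
// device code grant. baseline maps a lower-case UPN to the addresses normally
// seen for that user; a device code sign-in from outside that set matches the
// pattern of a code redeemed by a device the user does not control.
func DetectDeviceCodeSignIns(lines []string, baseline map[string]map[string]bool) ([]Finding, error) {
	var findings []Finding
	for i, line := range lines {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var s SignIn
		if err := json.Unmarshal([]byte(line), &s); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if s.Status.ErrorCode != 0 || !strings.EqualFold(s.AuthenticationProtocol, "deviceCode") {
			continue
		}
		known := baseline[strings.ToLower(s.UserPrincipalName)] // nil map lookups are safe
		findings = append(findings, Finding{
			When: s.CreatedDateTime, User: s.UserPrincipalName, IP: s.IPAddress,
			App: s.AppDisplayName, NewIP: !known[s.IPAddress],
		})
	}
	return findings, nil
}

// SampleLogLines are constructed records: a normal browser sign-in, a device
// code sign-in from the user's usual address (a CLI login), a device code
// sign-in from an unfamiliar address, and a failed one that must be ignored.
var SampleLogLines = []string{
	`{"createdDateTime":"2026-02-03T08:12:41Z","userPrincipalName":"a.rossi@example.org","ipAddress":"198.51.100.7","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","status":{"errorCode":0}}`,
	`{"createdDateTime":"2026-02-03T09:30:05Z","userPrincipalName":"a.rossi@example.org","ipAddress":"198.51.100.7","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","status":{"errorCode":0}}`,
	`{"createdDateTime":"2026-02-04T17:02:19Z","userPrincipalName":"a.rossi@example.org","ipAddress":"203.0.113.20","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","status":{"errorCode":0}}`,
	`{"createdDateTime":"2026-02-04T17:05:44Z","userPrincipalName":"b.bianchi@example.org","ipAddress":"192.0.2.44","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}`,
}

// SampleBaseline is the constructed per-user set of usual source addresses.
var SampleBaseline = map[string]map[string]bool{
	"a.rossi@example.org": {"198.51.100.7": true},
}

func main() {
	findings, err := DetectDeviceCodeSignIns(SampleLogLines, SampleBaseline)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s from %s via %q newIP=%v\n", f.When, f.User, f.IP, f.App, f.NewIP)
	}
}
```

On the sample, the CLI login is reported with `newIP=false` and the sign-in from 203.0.113.20 with `newIP=true`; the failed attempt is dropped. Even device code sign-ins from a baseline address are worth listing, because in most organisations the grant is used by a handful of tooling scenarios and anything else is either misconfiguration or the pattern described above; where the flow is not needed at all, a Conditional Access policy that blocks the device code grant removes the class of attack rather than detecting it.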


Weekly Threats is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.

The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.

Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with valuable information to anticipate attacks and understand their impact, while ensuring a reliable partner in the event of a cyber incident.

Discover more about our Cyber Threat Intelligence solution.