Developments in the APT landscape, new campaigns and previously unseen malware, multiple data breaches reported

Weekly Threats by Telsy

APT: North Korean, Iranian, and Ukraine-focused operations tracked

Between August and November 2025, security researchers identified a new campaign by the North Korean group ScarCruft, dubbed Artemis, aimed at distributing malware via malicious HWP documents. The operation shows an evolution in spear-phishing lures and the reuse of tactics previously documented in the group’s activities, including the impersonation of public figures and the use of steganography to conceal malicious modules within images. The observed C2 infrastructure leverages legitimate cloud services, in particular Yandex Cloud. Analysis of tokens and cloud accounts—some active since 2023—indicates long-term infrastructure management and a direct linkage to earlier campaigns. Shifting to the Middle East, a spear-phishing campaign attributed to the Iranian actor MuddyWater has been identified, targeting multiple sectors including diplomatic, maritime, financial, and telecommunications entities. Victims are instructed to enable content to trigger the execution of a malicious VBA macro responsible for deploying RustyWater, a Rust-based implant that systematically collects information from the target machine, including username, computer name, domain, and installed security software. Finally, between October and December 2025, CERT-UA documented a targeted attack campaign against the Ukrainian Defense Forces orchestrated by the group UAC-0190, identified with medium confidence as Void Blizzard. The attacker impersonates charitable organizations to distribute a backdoor dubbed PLUGGYAPE, leveraging messaging applications (such as Signal and WhatsApp) to lure victims into visiting spoofed websites that mimic charitable foundation pages.


Malware: updates on threats and newly identified campaigns

Security researchers observed a campaign distributing AsyncRAT by abusing Cloudflare’s free infrastructure and legitimate Python environments downloaded from official sources. Specifically, the operation strategically uses Cloudflare’s free-tier services together with TryCloudflare tunneling domains to host WebDAV servers, concealing malicious activity behind infrastructure generally considered trustworthy. Another development involves a multi-stage campaign named SHADOW#REACTOR, which delivers the Remcos RAT, providing attackers with full remote control of compromised systems, including: interactive desktop access; file system management with browsing, upload, download, and deletion capabilities; execution of arbitrary commands and interactive shells; keylogging and clipboard monitoring; persistence configuration; as well as proxy and tunneling features to enable lateral movement within the compromised network. In December 2025, VoidLink also emerged—a Linux malware framework composed of custom loaders, implants, a rootkit, and modular plugins, specifically designed to operate in cloud and containerized environments for extended periods. To date, no documented real-world infections have been observed. Additionally, analysts identified an active malware campaign exploiting a DLL side-loading vulnerability in the legitimate utility ahost.exe, a component of the open-source c-ares library used for asynchronous DNS lookups, to deploy commodity malware, including infostealers and RATs disguised as business documents. Lastly, an operation distributing an Android banking trojan named deVixor has been tracked, targeting users, banks, financial institutions, payment services, and cryptocurrency exchanges located in Iran. Its Telegram-based architecture enables large-scale infection management by assigning a unique identifier to each distributed APK, allowing individual device tracking and centralized control through Telegram bots that send commands and receive real-time updates.
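As an added example that is not part of Telsy’s report, the Python script below shows how a defender might turn two of the behaviours described above into detection heuristics over endpoint and proxy telemetry: WebDAV-style requests to TryCloudflare quick-tunnel hostnames, and the c-ares utility ahost.exe loading an unsigned DLL from outside the Windows system directories (the side-loading pattern). The event schema, the sample events, the hostnames and the DLL file names are all constructed for this example; the report does not name the side-loaded DLL, and a real deployment would read the `signed` field from EDR or Sysmon image-load telemetry.

```python
"""Detection heuristics for two behaviours from the report:
(1) WebDAV traffic to TryCloudflare quick-tunnel hosts, and
(2) ahost.exe (c-ares) loading an unsigned DLL from a non-system path.
Event schema and sample data are constructed, not taken from the report.
"""
import ntpath
from typing import Dict, List, Optional, Tuple

# WebDAV-specific HTTP verbs; a browser visiting a page uses only GET/POST.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "MOVE", "COPY", "LOCK", "UNLOCK"}
TUNNEL_SUFFIX = ".trycloudflare.com"
# Directories from which a system DLL load by ahost.exe is expected (assumption).
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample events: a mix of network and image-load records.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "net", "proc": r"C:\Windows\System32\svchost.exe",
     "host": "quiet-hill-abc123.trycloudflare.com", "method": "PROPFIND"},
    {"type": "net", "proc": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "host": "www.example.com", "method": "GET"},
    {"type": "net", "proc": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "host": "quiet-hill-abc123.trycloudflare.com", "method": "GET"},
    {"type": "image_load", "proc": r"C:\Users\alice\Downloads\Invoice\ahost.exe",
     "image": r"C:\Users\alice\Downloads\Invoice\helper.dll", "signed": False},
    {"type": "image_load", "proc": r"C:\Users\alice\Downloads\Invoice\ahost.exe",
     "image": r"C:\Windows\System32\kernel32.dll", "signed": True},
    # Benign deployment: ahost.exe loading a signed library next to it (constructed).
    {"type": "image_load", "proc": r"C:\Tools\c-ares\ahost.exe",
     "image": r"C:\Tools\c-ares\cares.dll", "signed": True},
]


def check_tunnel_webdav(ev: Dict) -> Optional[Tuple[str, str]]:
    """Flag contact with a quick-tunnel host; escalate when WebDAV verbs are used."""
    host = ev.get("host", "").lower()
    if not host.endswith(TUNNEL_SUFFIX):
        return None
    if ev.get("method", "").upper() in WEBDAV_METHODS:
        return ("webdav_over_trycloudflare", "high")
    return ("trycloudflare_contact", "medium")


def check_ahost_sideload(ev: Dict) -> Optional[Tuple[str, str]]:
    """Flag ahost.exe loading an unsigned DLL from outside the system directories."""
    if ntpath.basename(ev.get("proc", "")).lower() != "ahost.exe":
        return None
    image_dir = ntpath.dirname(ev.get("image", "")).lower()
    if image_dir.startswith(TRUSTED_DLL_DIRS):
        return None
    if ev.get("signed", False):
        return None  # signed library next to the tool: treated as expected here
    return ("ahost_unsigned_dll_outside_system", "high")


def scan(events: List[Dict]) -> List[Dict]:
    """Run the matching heuristic per event type and collect findings."""
    findings = []
    for ev in events:
        checker = check_tunnel_webdav if ev["type"] == "net" else check_ahost_sideload
        hit = checker(ev)
        if hit:
            findings.append({"rule": hit[0], "severity": hit[1], "proc": ev["proc"],
                             "detail": ev.get("host") or ev.get("image")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['proc']} -> {f['detail']}")
```

The two severities reflect what the report describes: a browser merely reaching a trycloudflare.com page is common and only worth noting, whereas PROPFIND or similar WebDAV verbs to a quick-tunnel host match the WebDAV-hosting pattern of the AsyncRAT campaign. The side-loading check deliberately ignores signed libraries and system-directory loads so that a legitimately installed c-ares build does not generate noise.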


Breach: multiple cybersecurity incidents detected

BreachForums—the current iteration of the well-known hacking forum used to trade stolen data and illicit cybercrime services—suffered a data breach resulting in the disclosure of its user database table. The current administrator, identified as “N/A,” acknowledged the breach, explaining that a backup of the MyBB user table had been temporarily exposed in an unprotected directory during restoration operations from the .hn domain in August 2025 and was downloaded during that brief window. Endesa, Spain’s main electricity provider, and its subsidiary Energía XXI notified customers of a serious cybersecurity incident that compromised contract-related information, including customers’ personal data. The company stated that there is currently no evidence of fraudulent use of the compromised data; however, some threat actors have published what they claim to be data samples, asserting possession of approximately 20 million records allegedly offered for sale to a single exclusive buyer. JPMorgan Chase, a U.S. multinational financial services company, also notified certain investors of a data breach linked to a cybersecurity incident that occurred in late October 2025 at the external law firm Fried Frank, reportedly affecting 659 individuals. In addition, Eurail B.V.—the company responsible for managing and marketing Interrail and Eurail Passes—reported a cybersecurity incident that resulted in unauthorized access to personal data belonging to some customers, including travelers participating in the European Union’s DiscoverEU program. At present, the identity and exact number of affected individuals have not yet been determined. Kyowon Group (Kyowon), a South Korean conglomerate specializing in education and publishing, disclosed that a cyberattack disrupted its operations and may have compromised customer information. According to Korean media, more than 9.6 million accounts are registered with the company—corresponding to approximately 5.5 million individuals—whose information may have been exposed. Instagram, by contrast, denied the existence of a breach of its systems following the online circulation of data allegedly related to more than 17 million accounts. Finally, on January 13, 2026, Polish Minister of Energy Miłosz Motyka stated that in late December 2025 Poland’s electricity system was subjected to a large-scale cyberattack aimed at targeting energy-sector communication systems. The attack was unsuccessful and did not cause any disruption to electricity supply.



Weekly Threats is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.

The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.

Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with valuable information to anticipate attacks and understand their impact, while ensuring a reliable partner in the event of a cyber incident.
