EU Sanctions Against Iran and China, Beijing’s Activities in Asia and the Gulf, New iOS Exploit Kit
EU: Sanctions on Chinese and Iranian Entities for Cyberattacks and Internal Repression
The Council of the European Union has imposed restrictive measures against three entities and two individuals held responsible for cyberattacks against EU member states and international partners. The sanctions target two Chinese companies — Integrity Technology Group, which compromised over 65,000 EU devices between 2022 and 2023, and Anxun Information Technology, active against critical infrastructure, along with its two co-founders — and the Iranian company Emennet Pasargad, responsible for data breaches, disinformation operations at the 2024 Paris Olympics, and attacks on Swedish SMS services.

In a subsequent move, the Council approved an additional package of restrictive measures, this time targeting 16 individuals and 3 Iranian entities, in response to the violent crackdown on popular protests in January 2026, which resulted in thousands of civilian casualties. Among those designated are the Deputy Minister of Interior for Security and Law Enforcement Affairs, commanders of local IRGC (Pasdaran) branches, and the Naji Research and Development Company (NRDC), developer of the mass surveillance app Nazer, along with the head of Tehran’s Cyber Police, responsible for censorship and digital persecution.

Also related to Iran, the Polish National Centre for Nuclear Research (NCBJ) stated that attackers targeted its IT infrastructure, but the attack was detected and blocked before it could cause any damage. Although NCBJ did not attribute the attack to specific groups or states, indicators were found that could link it to Iran.
APT: Chinese Cyber Operations from Southeast Asia to the Persian Gulf
A cyber espionage operation dating back to at least 2020, suspected to be conducted by Chinese adversaries, has been tracked targeting military organisations in Southeast Asia via AppleChris, MemFun, and Getpass. During the campaign, identified under the cluster CL-STA-1087, the attackers sought and collected specific files regarding military capabilities, organisational structures, and collaborations with Western armed forces, showing particular interest in documents related to C4I systems — command, control, communications, computers, and intelligence infrastructure. The initial access vector remains unknown. Once access was obtained, the adversaries maintained their presence silently for several months. Upon resuming activity, they began by deploying the AppleChris backdoor, distributed in different variants across multiple endpoints following lateral movement achieved through native Windows tools such as WMI and .NET commands.

Separately, on 1 March 2026, a campaign targeting Persian Gulf countries aimed at deploying PlugX was detected, attributed with high confidence to a China-linked adversary and with medium confidence to the Mustang Panda group. The infection chain begins with a ZIP archive containing an LNK file disguised as a photograph. When the victim opens it, the shortcut executes a series of hidden operations in the background: it first downloads a CHM file from an attacker-controlled server, then uses hh.exe — a legitimate Windows program — to extract its contents: a second LNK shortcut, the decoy PDF shown to the victim, and a compressed archive containing all the malicious files needed for the subsequent stages.
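The PlugX chain above abuses hh.exe (the Windows HTML Help executable) as a living-off-the-land extractor for a CHM file. The following is an added detection example written for this report, not Telsy's code and not taken from the campaign analysis. It assumes process-creation telemetry with Sysmon-style fields (image, command line, parent image), and it uses the real hh.exe `-decompile` switch, which is the documented way to dump a CHM's contents to disk and is not mentioned on the page. All events, paths and process IDs are constructed for the demonstration; the heuristic flags hh.exe runs that combine decompile mode, a scripting or shell parent, and user-writable staging paths, and reconstructs the parent chain so an analyst can see the LNK-launched shell behind the hh.exe call.

```python
"""Heuristic detection for hh.exe being used to unpack a CHM file.

Added example for this report (not Telsy's code). Assumes Sysmon-style
process-creation events; the sample telemetry below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str          # full path of the executable
    command_line: str   # full command line as logged
    parent_image: str   # full path of the parent executable


# Constructed sample telemetry (illustrative paths, not real IoCs).
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe",
                 r"C:\Windows\System32\wininit.exe"),
    # The LNK disguised as a photo launches a shell from Explorer; the
    # exact command is a placeholder, the interesting part is the lineage.
    ProcessEvent(200, 100, r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c <lnk-command-placeholder>",
                 r"C:\Windows\explorer.exe"),
    # hh.exe invoked in decompile mode on a CHM dropped in %TEMP%.
    ProcessEvent(300, 200, r"C:\Windows\hh.exe",
                 r"hh.exe -decompile C:\Users\u\AppData\Local\Temp\out "
                 r"C:\Users\u\AppData\Local\Temp\photo.chm",
                 r"C:\Windows\System32\cmd.exe"),
    # Benign baseline: a user opens an installed product's help file.
    ProcessEvent(400, 100, r"C:\Windows\hh.exe",
                 r'hh.exe "C:\Program Files\App\help.chm"',
                 r"C:\Windows\explorer.exe"),
]

# Interpreters that would not normally be the parent of an interactive help request.
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "rundll32.exe"}
# Directories a phishing payload can write to without elevation.
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData)\\", re.IGNORECASE)
# hh.exe -decompile <out_dir> <file.chm> dumps the archive instead of rendering it.
DECOMPILE = re.compile(r"(?:^|\s)-decompile\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def reasons_for(ev: ProcessEvent) -> List[str]:
    """Return the suspicious indicators found on an hh.exe process event."""
    if basename(ev.image) != "hh.exe":
        return []
    reasons = []
    if DECOMPILE.search(ev.command_line):
        reasons.append("hh.exe run in -decompile mode (extracts CHM contents to disk)")
    parent = basename(ev.parent_image)
    if parent in SCRIPT_PARENTS:
        reasons.append(f"spawned by {parent} rather than by an interactive help request")
    if USER_WRITABLE.search(ev.command_line):
        reasons.append("CHM or output directory located in a user-writable staging path")
    return reasons


def lineage(events: List[ProcessEvent], pid: int) -> List[str]:
    """Walk the parent chain from pid upwards, returning executable names."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    chain: List[str] = []
    while pid in by_pid and len(chain) < 32:  # bound the walk against cycles
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events: List[ProcessEvent],
           min_reasons: int = 2) -> List[Tuple[ProcessEvent, List[str]]]:
    """Return events with at least min_reasons indicators (two avoids single-signal noise)."""
    hits = []
    for ev in events:
        reasons = reasons_for(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(f"pid {ev.pid}: chain {' <- '.join(lineage(SAMPLE_EVENTS, ev.pid))}")
        for r in reasons:
            print("  -", r)
```

Requiring two independent indicators keeps the benign help-file launch (pid 400) below the threshold while the staged decompile (pid 300) trips all three; in production the same logic maps directly onto a SIEM rule over Sysmon Event ID 1 or equivalent EDR process telemetry, with the lineage walk replacing the constructed list.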
DarkSword: The New iOS Exploit Kit Used by Multiple Adversaries
Security researchers have discovered DarkSword, an iOS exploit kit active since at least November 2025 and used by multiple adversaries against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine, with the aim of deploying three malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. Disclosed on 18 March 2026, it is the second iOS exploit kit discovered in a month, following Coruna. The first adversary observed exploiting DarkSword is known as UNC6748, active from early November 2025 via a Snapchat-themed site targeting Saudi users, aimed at deploying the backdoor designated GHOSTKNIFE. The second tracked attacker is PARS Defense, a Turkish surveillance vendor, active in Turkey in late November 2025 and in Malaysia in January 2026, with greater OPSEC: an obfuscated loader, encrypted exploits in transit, and correct selection of the RCE module for each iOS version, with the goal of deploying the GHOSTSABER backdoor. The third identified adversary is UNC6353, a suspected Russia-linked espionage group already known for watering hole campaigns on Ukrainian websites using Coruna. Between December 2025 and March 2026, the attacker adopted DarkSword to deploy the GHOSTBLADE data miner on compromised Ukrainian sites.
Weekly Threats Report is Telsy’s weekly update featuring the main developments on cyber attacks and threat actors worldwide, produced by our Threat Intelligence & Response team.
The team is composed of analysts and security researchers with technical and investigative skills and internationally recognized experience.
Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with useful information to anticipate attacks and understand their scope, with the support of a trusted partner in the event of a cyber incident.
Learn more about our Cyber Threat Intelligence solution.
