Italy targeted by multiple adversaries, new APT operations, latest developments in cybercrime

Weekly Threats by Telsy

Italy: DDoS, phishing, and ransomware attacks detected, along with BadCandy distribution

During the first weekend of the month, NoName057(16) continued to claim DDoS attacks against the following Italian targets: the Regional Council of Valle d’Aosta; the Municipalities of Giugliano in Campania, Reggio Emilia, and Palermo; Tiscali; HERABIT; the Italian Air Force; the Port Authority of Olbia and Golfo Aranci; the Sicilian Regional Assembly (ARS); Sinfomar; the Port Network Authority of the Eastern Adriatic Sea (Port of Trieste); Vulcanair; the Customs and Monopolies Agency; Acqua Novara.VCO; AMAT Palermo; and the Ministry of Labour and Social Policies. Meanwhile, pro-Russian hacktivist collectives Server Killers and Dark Storm Team joined the cause and targeted the Italian airport sector, hitting the Cagliari Airport Management Company (SOGAER) and the airports of Milan Bergamo, Bologna Guglielmo Marconi, Naples Capodichino, Palermo Falcone e Borsellino, Apulia, Trieste, and Turin Caselle. Also in Italy, a smishing campaign has been tracked targeting customers of a telecommunications operator to steal sensitive and banking data. Several phishing operations were also observed, including: a fake Bank of Italy portal designed to harvest personal and banking information; a new wave of the Facebook-themed campaign via Messenger exfiltrating sensitive data including access codes to the social platform; and two campaigns abusing the Italian Revenue Agency’s name and logo—one luring victims to fill out a “Cryptocurrency Tax Declaration” to steal crypto wallets and collect personal data, and another designed to obtain financial information under the pretext of a supposed € 1,495.39 refund. In the ransomware field, Qilin Team claimed responsibility for compromising Studio Corvo, based in Parma, which provides tax, accounting, and business consulting services for companies and individuals. 
Finally, the National Cybersecurity Agency (ACN) and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) published aligned analyses of the BadCandy campaign, a Lua-based web shell deployed by exploiting CVE-2023-20198 in Cisco IOS XE devices. Both agencies reach the same assessment: BadCandy remains an active threat, and affected devices should be patched promptly.


APT: Activity linked to Russia, China, North Korea, and Iran observed

Security researchers detected a campaign dubbed Operation SkyCloak, targeting Russian and Belarusian military personnel—specifically the Russian Airborne Forces (VDV) and the Belarusian Special Forces—through a multi-stage attack chain that exposes multiple local services via Tor. Evidence collected so far has not allowed attribution to any known actor, although tactical similarities have been noted with previous operations associated with both Moscow-aligned and pro-Ukrainian APT groups. Turning to Russian actors, between April and September 2025 Sandworm intensified its campaigns against Ukraine, deploying the ZEROLOT and Sting wipers against strategic sectors such as education, government, energy, logistics, and grain production. On the Chinese side, the cluster UNC6384—likely linked to Mustang Panda—was identified as responsible for an espionage operation targeting European diplomatic entities in Hungary, Belgium, and other nations during September and October 2025. The offensive combined exploitation of the CVE-2025-9491 0-day—a Windows Shortcut flaw disclosed in March 2025—with social engineering lures themed around real diplomatic conferences. Among North Korean actors, ScarCruft deployed a backdoor called HttpTroy and a new loader dubbed MemLoad against a single victim in South Korea, while Lazarus Group used variants of the Comebacker and BlindingCan malware to hit two targets in Canada. In the Middle East, between June and August 2025, a new, presumably Iranian cluster named UNK_SmudgedSerpent was observed targeting academics and foreign-policy experts with lures focused on domestic Iranian politics, including social change and investigations into the IRGC’s militarization. Lastly, U.S. company SonicWall reported that state-sponsored actors were behind the September 2025 breach that exposed firewall configuration backup files.
The company stated that the malicious activity was fully contained and clarified that the incident was not related to the ongoing global ransomware attacks on firewalls and other edge devices by Akira Team.


Cybercrime: arrests, backdoors, and new campaigns

Oleksii Oleksiyovych Lytvynenko, a 43-year-old Ukrainian citizen suspected of being a member of the Conti ransomware operation, was extradited from Ireland to the United States, where he faces up to 25 years in prison. Russian authorities arrested three individuals in Moscow believed to be the developers and operators of Meduza Stealer, a sophisticated Malware-as-a-Service (MaaS) designed for information theft. The same criminal group is thought to operate another MaaS known as Aurora Stealer. Investigators also discovered that the three had developed and distributed a botnet capable of disabling security protections on target systems.
Security researchers identified a previously unseen backdoor called SesameOp, used in a July 2025 incident, which employs the OpenAI Assistants API as its command-and-control (C2) channel. The backdoor abuses legitimate service functions to send and receive instructions without exploiting any vulnerability. Microsoft and OpenAI disabled the API key involved and confirmed that no interactions occurred beyond those specific calls. In North America, researchers observed a series of intrusions targeting road transport and logistics companies, delivered via malicious emails and links distributing remote monitoring and management (RMM) tools—including ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve—allowing attackers to hijack freight and steal physical goods. Specifically, the cluster used three tactics to distribute RMM tools: compromising load boards, hijacking email threads, and direct targeting via email campaigns. Based on the observed activity, the group does not appear to target specific companies but rather acts opportunistically, affecting both small family-run businesses and large transport organizations. It is suspected that the cluster collaborates with organized crime groups, with the stolen goods later resold online or shipped abroad.
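Two of the techniques in this section share a defensive lesson: both SesameOp (C2 over a legitimate AI API) and the RMM-based intrusions rely on software or services that are allowed in many environments, so detection comes down to comparing observed activity against what each host is expected to do. The script below is an added illustration written for this report, not code from Telsy or from the researchers cited: it runs two simple rules over constructed endpoint and network telemetry (JSON lines, invented for the example). It flags RMM agents running on hosts that are not approved for that product, and outbound connections to api.openai.com from hosts that are not expected to use the OpenAI API. The approval sets, host names, file paths, and the keyword-based RMM matching are assumptions for illustration; a real deployment would draw them from the asset inventory and from vendor documentation.

```python
"""Allowlist-based triage of endpoint and egress telemetry.

Added example for this report (not Telsy's or any vendor's code). All sample
events below are constructed; the approval sets and RMM keyword table are
illustrative assumptions, not authoritative product signatures.
"""
import json
from typing import Dict, Iterable, List, Optional

# Products named in the report. Matching on a lowercase substring of the image
# path is a coarse heuristic (assumption): it catches renamed installers but can
# also misfire, so findings are triage leads, not verdicts.
RMM_KEYWORDS: Dict[str, str] = {
    "screenconnect": "ScreenConnect",
    "simplehelp": "SimpleHelp",
    "pdq": "PDQ Connect",
    "fleetdeck": "Fleetdeck",
    "n-able": "N-able",
    "logmein": "LogMeIn Resolve",
}

# Hypothetical policy: which (product, host) pairs are sanctioned, and which
# hosts are expected to talk to the OpenAI API at all.
APPROVED_RMM = {("ScreenConnect", "helpdesk-01")}
APPROVED_AI_API_HOSTS = {"dev-build-07"}
OPENAI_API_HOST = "api.openai.com"  # the public API endpoint SesameOp-style C2 would reach

# Constructed telemetry: one JSON object per line, as an EDR/proxy export might emit.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"type": "process", "host": "helpdesk-01", "user": "it-admin",
     "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"},
    {"type": "process", "host": "dispatch-12", "user": "jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\SimpleHelp-Remote-Access.exe"},
    {"type": "process", "host": "dispatch-12", "user": "jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\FleetDeckAgent.exe"},
    {"type": "process", "host": "ops-03", "user": "mrossi",
     "image": "C:\\Windows\\System32\\notepad.exe"},
    {"type": "netconn", "host": "dev-build-07", "image": "python.exe",
     "dst_host": "api.openai.com", "dst_port": 443},
    {"type": "netconn", "host": "file-srv-02", "image": "svchost.exe",
     "dst_host": "api.openai.com", "dst_port": 443},
    {"type": "netconn", "host": "ops-03", "image": "chrome.exe",
     "dst_host": "www.example.com", "dst_port": 443},
])


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def identify_rmm(image: str) -> Optional[str]:
    """Return the RMM product name if the image path matches a known keyword."""
    low = image.lower()
    for key, product in RMM_KEYWORDS.items():
        if key in low:
            return product
    return None


def triage(events: Iterable[dict]) -> List[dict]:
    """Apply both allowlist rules and return one finding per violation."""
    findings: List[dict] = []
    for ev in events:
        if ev["type"] == "process":
            product = identify_rmm(ev["image"])
            # RMM software is only a finding when this host is not approved for it.
            if product and (product, ev["host"]) not in APPROVED_RMM:
                findings.append({"rule": "unapproved_rmm", "host": ev["host"],
                                 "user": ev["user"], "product": product,
                                 "image": ev["image"]})
        elif ev["type"] == "netconn":
            # Egress to the API host from an unexpected machine is the
            # observable for API-as-C2 abuse, since no exploit traffic exists.
            if (ev["dst_host"].lower() == OPENAI_API_HOST
                    and ev["host"] not in APPROVED_AI_API_HOSTS):
                findings.append({"rule": "unexpected_ai_api_egress",
                                 "host": ev["host"], "image": ev["image"],
                                 "dst": f'{ev["dst_host"]}:{ev["dst_port"]}'})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

On the constructed input the approved ScreenConnect instance on helpdesk-01 and the sanctioned API use from dev-build-07 are silent, while the two unapproved RMM agents on dispatch-12 and the api.openai.com connection from file-srv-02 are reported. The value of the approach is the policy, not the rules: an explicit inventory of which hosts may run which remote-access tools and which may reach external AI APIs makes the abuse of legitimate services visible, which is exactly what SesameOp and the RMM-based intrusions count on avoiding.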


Weekly Threats Report is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.

The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.

Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with valuable information to anticipate attacks and understand their impact, while ensuring a reliable partner in the event of a cyber incident.