Latest from Italy, updates in the APT landscape, multiple vulnerabilities exploited ITW

Weekly Threats Report by Telsy

Italy: multiple malicious activities observed

Over the past week, several offensive operations targeted Italian entities. A new distribution campaign involving a malware strain named UpCrypter was tracked, luring targets into downloading an apparently legitimate file disguised as a document related to a supposed order. In addition, a phishing operation leveraging the OAuth 2.0 authorization protocol was observed, aimed at obtaining persistent Access Tokens through emails sent to corporate mailboxes of organizations located in Italy. Two further campaigns were identified abusing the names of INPS and Enel S.p.A., both designed to harvest banking credentials. Moreover, malicious activities targeting Italian organizations were detected that exploited known vulnerabilities in inadequately updated Roundcube Webmail instances, with the objective of achieving persistence, privilege escalation, and reconnaissance on compromised systems. The operations likely involved the exploitation of one or more of the following vulnerabilities: CVE-2025-49113, CVE-2025-68460, and CVE-2025-68461. Regarding the ransomware landscape, Qilin Team claimed on its leak site the compromise of Forcellini Ristorazione and CMA Robotics S.p.A.; Tengu claimed Martec S.p.A.; Payouts King claimed an unspecified Italian target; and NightSpire claimed Officine Fratelli Amadori S.n.c. and Saturno Trasporti S.r.l.


APT: offensive activity linked to Russia, China, and North Korea detected

Security researchers recently identified and responded to a targeted social engineering attack against a European financial institution supporting Ukraine and involved in regional development and reconstruction initiatives. The activity, attributed to the UAC-0050 cluster, was likely aimed at intelligence collection or financial theft. The operation involved spoofing a Ukrainian judicial domain to deliver an e-mail containing a link to a remote access payload which, once executed, deployed an MSI installer for Remote Manipulator System (RMS), a legitimate remote administration tool developed by the Russian company TektonIT. On the North Korean front, the Lazarus Group APT leveraged the Medusa Ransomware-as-a-Service (RaaS) against the U.S. healthcare sector and a Middle Eastern target. The adoption of Medusa, alongside an increasingly sophisticated toolset, confirms that North Korea views extortion-driven cybercrime as a strategic, economically profitable, and diplomatically resilient lever. Finally, researchers uncovered and dismantled a cyber espionage campaign conducted by a group believed to be linked to the intelligence services of the People’s Republic of China, known as UNC2814. The group targeted telecommunications operators and government institutions across 42 countries in Asia, Africa, and the Americas using a previously undocumented backdoor named GRIDTIDE. After gaining access, the adversary moved laterally via SSH, escalated privileges to obtain root permissions, and installed the malware as a persistent system service.


Vulnerabilities: exploitation reported affecting Roundcube Webmail, FileZen, BeyondTrust, and Cisco products

CISA added CVE-2025-49113 and CVE-2025-68461, both affecting Roundcube Webmail, to its KEV catalog. Fixed in June 2025, CVE-2025-49113 is a Deserialization of Untrusted Data vulnerability allowing authenticated users to achieve remote code execution due to improper validation of the _from parameter in program/actions/settings/upload.php. A Proof-of-Concept was released on June 6, 2025, for educational and research purposes. CVE-2025-68461, resolved in December 2025, is a Cross-Site Scripting vulnerability via the animate tag in an SVG document. CISA also added CVE-2026-25108 affecting FileZen. Remediated in February 2026, this OS Command Injection flaw could allow an authenticated user to execute arbitrary commands through specially crafted HTTP requests. Security researchers documented the global exploitation of CVE-2026-1731 in BeyondTrust, used to deploy SparkRAT and VShell to compromise organizations in the financial, legal, technology, healthcare, and academic sectors across the United States, France, Germany, Australia, and Canada. After adding the vulnerability to its KEV catalog on February 13, CISA confirmed its use in ransomware attacks. Finally, Cisco released security advisories addressing multiple vulnerabilities, including a 0-day exploited in the wild. CVE-2026-20127 (CVSS 10.0) affects Cisco Catalyst SD-WAN Controller and is an Authentication Bypass vulnerability that could allow a remote unauthenticated attacker to obtain administrative privileges. The issue stems from an improper peer authentication mechanism. Successful exploitation could grant access as an internal user account with elevated, non-root privileges, enabling NETCONF access and manipulation of the SD-WAN fabric configuration. Cisco PSIRT is aware of limited in-the-wild exploitation. Cisco Talos is tracking exploitation and post-exploitation activity under the UAT-8616 cluster, assessed with high confidence as a highly sophisticated adversary.
Following confirmation of active exploitation, Talos identified evidence that the malicious activity dates back to at least 2023. Investigations indicate the attacker likely obtained root access through a software version downgrade, exploiting CVE-2022-20775, a Path Traversal vulnerability in the Cisco SD-WAN CLI interface, before restoring the original software version while retaining root-level access.
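As an added defender-side example (not part of Telsy's report), the script below triages web server access logs for requests to the Roundcube settings upload handler named above and flags _from values that fall outside a conservative allowlist. It assumes the handler is reached either by its file path or via the _task=settings&_action=upload routing, that benign _from values are short form identifiers, and that the log lines (constructed here) are in common log format; tune the allowlist against your own baseline before acting on hits.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real telemetry); the odd _from
# values are arbitrary non-identifier strings, not exploit payloads.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2026:10:00:01 +0000] "GET /roundcube/?_task=mail HTTP/1.1" 200 512
203.0.113.11 - - [01/Mar/2026:10:00:05 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 128
203.0.113.12 - - [01/Mar/2026:10:00:09 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity%3Bx HTTP/1.1" 200 128
203.0.113.13 - - [01/Mar/2026:10:00:12 +0000] "POST /roundcube/program/actions/settings/upload.php?_from=foo%25 HTTP/1.1" 404 0
"""

# Common log format: client IP, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: a benign _from value is a short form identifier (letters, digits, '-' or '_').
SAFE_FROM = re.compile(r'^[A-Za-z0-9_-]{1,64}$')

UPLOAD_PATH = '/program/actions/settings/upload.php'


def is_upload_request(target):
    """True if the request targets the settings upload handler (by path or routing)."""
    parts = urlsplit(target)
    if parts.path.endswith(UPLOAD_PATH):
        return True
    qs = parse_qs(parts.query)
    return qs.get('_task') == ['settings'] and qs.get('_action') == ['upload']


def find_suspicious_from(log_text):
    """Return (ip, timestamp, decoded _from) for upload requests whose _from is off-allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_upload_request(m['target']):
            continue
        # parse_qs percent-decodes values, so the allowlist is checked on the decoded string
        query = urlsplit(m['target']).query
        for value in parse_qs(query, keep_blank_values=True).get('_from', []):
            if not SAFE_FROM.match(value):
                hits.append((m['ip'], m['ts'], value))
    return hits


if __name__ == '__main__':
    for ip, ts, value in find_suspicious_from(SAMPLE_LOG):
        print(f'{ts} {ip} suspicious _from={value!r}')
```

A 404 on the direct file path is still reported, since probing for the handler on a patched or relocated install is itself worth a look.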

Weekly Threats Report is Telsy’s weekly update featuring the main developments on cyber attacks and threat actors worldwide, produced by our Threat Intelligence & Response team.

The team is composed of analysts and security researchers with technical and investigative skills and internationally recognized experience.

Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with useful information to anticipate attacks and understand their scope, with the support of a trusted partner in the event of a cyber incident.

Learn more about our Cyber Threat Intelligence solution.