Latest from Italy, updates in the state-sponsored landscape, ransomware and leaks

Weekly Threats Report by Telsy

Italy: several malicious activities observed

In the past week, several offensives have targeted Italian entities. Specifically, Microsoft reported an advanced phishing campaign that abuses the legitimate “device code flow” authentication mechanism to compromise corporate accounts, with evidence of targeting also directed at the Italian Public Administration. The attack does not introduce a new technique but increases its effectiveness by combining abuse of legitimate features, use of trusted infrastructure, and large-scale automation via AI. A phishing operation aimed at obtaining OAuth tokens from potential victims has also recently been detected: the message tells the user that a verification procedure on their account must be completed in order to access a document, and the attacker then provides a set of instructions which, if followed, grant full access to e-mail, data, and all resources connected to the account. Furthermore, a Telegram channel claiming to be Anonymous Algeria was observed freely publishing a RAR archive containing over 500 MB of identity documents belonging to Italian citizens; to date, however, there is no evidence that these data originate from a recent or previously undisclosed breach. Moving to the ransomware landscape, LockBit Team claimed on its leak site the compromise of CON.TR.AR – Consorzio Trasportatori Artigiani, Consorzio Selenia soc. coop., Defcon 5 S.r.l., Pegasus S.r.l., WiBeats S.r.l., and Milano Cavi S.r.l.; ANUBIS claimed Tesla Systems; and finally, a group called Cry0 claimed Dini S.r.l.
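Device code flow phishing leaves a distinctive trace: the sign-in is recorded with the device code protocol, and it typically comes from an IP address the user has never used. The script below is an added example (not Telsy’s or Microsoft’s code) that runs such a check over sign-in records. It assumes the records are newline-delimited JSON objects carrying the Microsoft Entra sign-in log field `authenticationProtocol` (value `deviceCode` for device code sign-ins); the sample records, user names, IP addresses and the “known office” prefix are all constructed for the example.

```python
"""Flag device-code sign-ins in Entra ID sign-in log records.

Added example, not code from Telsy or Microsoft. Assumes newline-delimited
JSON records with the Entra sign-in log field "authenticationProtocol";
all sample values below are constructed.
"""
import json

# Constructed sample records (field names follow the Entra sign-in log schema;
# users, IPs and timestamps are invented for this example).
SAMPLE_LOG = """\
{"createdDateTime": "2026-04-08T09:12:31Z", "userPrincipalName": "alice@example.invalid", "ipAddress": "198.51.100.10", "authenticationProtocol": "ropc", "resourceDisplayName": "Microsoft Graph"}
{"createdDateTime": "2026-04-08T09:15:02Z", "userPrincipalName": "bob@example.invalid", "ipAddress": "203.0.113.7", "authenticationProtocol": "deviceCode", "resourceDisplayName": "Microsoft Graph"}
{"createdDateTime": "2026-04-08T09:16:40Z", "userPrincipalName": "bob@example.invalid", "ipAddress": "203.0.113.7", "authenticationProtocol": "deviceCode", "resourceDisplayName": "Office 365 Exchange Online"}
{"createdDateTime": "2026-04-08T10:01:15Z", "userPrincipalName": "carol@example.invalid", "ipAddress": "192.0.2.44", "authenticationProtocol": "deviceCode", "resourceDisplayName": "Microsoft Graph"}
"""

# Constructed: prefixes of the organisation's known egress ranges. A device
# code sign-in from here (e.g. a headless box in the office) is expected.
CORPORATE_PREFIXES = ("192.0.2.",)


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_signins(records):
    """Return every record that authenticated through the device code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def suspicious_device_code(records, known_prefixes=CORPORATE_PREFIXES):
    """Device-code sign-ins from outside the known egress ranges, grouped by user.

    Returns {userPrincipalName: [(timestamp, ip, resource), ...]}. In a
    device code phishing scenario the attacker redeems the code from their
    own infrastructure, so the source IP belongs to them, not to the user.
    """
    hits = {}
    for rec in device_code_signins(records):
        ip = rec.get("ipAddress", "")
        if any(ip.startswith(prefix) for prefix in known_prefixes):
            continue
        hits.setdefault(rec["userPrincipalName"], []).append(
            (rec["createdDateTime"], ip, rec.get("resourceDisplayName"))
        )
    return hits


if __name__ == "__main__":
    records = parse_signins(SAMPLE_LOG)
    for user, events in suspicious_device_code(records).items():
        print(f"review: {user}")
        for when, ip, resource in events:
            print(f"  {when} from {ip} -> {resource}")
```

Two device code sign-ins by the same user from an address outside the known ranges, within minutes and against both Graph and Exchange Online, is the pattern worth reviewing and, if confirmed, revoking the user’s refresh tokens. Where the flow is not needed, Microsoft Entra Conditional Access can block the device code flow outright through its authentication flows condition, which removes the technique rather than just detecting it.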


APT: offensives attributed to China, Russia, Iran, India, and North Korea detected

Security researchers observed malicious campaigns delivering PlugX and orchestrated by the Chinese group Mustang Panda, targeting government and diplomatic entities in the Middle East and Europe. The adversary conducted two main types of campaigns: the first based on web bugs, and the second on direct malware delivery via links to malicious files hosted on well-known services. Once installed, PlugX enables the collection of detailed system information, the opening of a remote shell to execute commands, and the downloading of additional payloads. The Russian group Sofacy conducted a campaign named FrostArmada, active since May 2025, which affected approximately 18,000 victims in at least 120 countries, leveraging large-scale DNS hijacking to support Attacker-in-the-Middle (AitM) attacks against encrypted TLS connections. The campaign’s infrastructure was dismantled as part of a joint operation named Operation Masquerade, carried out by the FBI and the U.S. Department of Justice in collaboration with international public and private partners. In the United States, the FBI, CISA, NSA, EPA, DOE, and CNMF warned about ongoing exploitation activity conducted by an Iran-affiliated APT targeting internet-connected operational technology (OT) devices, including programmable logic controllers (PLCs) produced by Rockwell Automation or Allen-Bradley, used across various U.S. critical infrastructure sectors. The activity included exfiltration of device project files and manipulation of the data displayed on human-machine interfaces (HMIs) and SCADA systems, in some cases causing operational impacts and financial losses. In the MENA region (Middle East and North Africa), investigations by the Digital Security Helpline of Access Now, the California-based cybersecurity company Lookout, and the Digital Forensic Lab of the Beirut-based NGO SMEX uncovered a cyber espionage campaign, active since at least 2022 and still ongoing, targeting members of civil society. The operation relies on a large and persistent phishing infrastructure consisting of hundreds of domains impersonating digital services, communication platforms, technology providers, and in some cases government portals, and is attributed with moderate confidence to a hack-for-hire operation with likely links to the Indian state-sponsored group Bitter. Finally, on the North Korean front, between February 6 and April 7, 2026, social engineering campaigns orchestrated by Lazarus Group were detected, leveraging fake meetings on Zoom or Microsoft Teams to deliver malicious payloads. Documented capabilities of the distributed threats include theft of passwords stored in browsers; theft of crypto wallet seed phrases and API keys; keylogging; theft of session tokens to take over Telegram accounts; extraction of data from password managers such as 1Password, Bitwarden, and Keychain; replacement of browser extensions with malicious versions; and exfiltration of SSH keys and cloud credentials.


Cybercrime: Storm-1175 releases Medusa ransomware and Anthropic exposes Claude Code source code

Security researchers observed the financially motivated group Storm-1175 deploying the Medusa ransomware against organizations in the healthcare, education, professional services, and finance sectors in Australia, the United Kingdom, and the United States. The threat is distributed across the network via PDQ Deployer or through a Windows Group Policy update, leveraging the organization’s own infrastructure to simultaneously encrypt all reachable devices. Data are both encrypted and exfiltrated, and victims are threatened with publication if they do not pay. On March 31, 2026, Anthropic accidentally exposed client-side source code of Claude Code through a 59.8 MB JavaScript source map mistakenly included in the npm package @anthropic-ai/claude-code version 2.1.88. The leak involved 513,000 lines of unobfuscated TypeScript across 1,906 files, revealing orchestration logic, permissions, execution systems, hidden features, build details, and security-related components. Users attracted by the leak are lured into downloading a 7-Zip archive named Claude Code – Leaked Source Code (.7z), containing a Rust executable ClaudeCode_x64.exe that acts as a dropper and delivers two payloads: Nocturnal Stealer (Vidar v18.7), an infostealer collecting credentials, credit card data, browser history, and crypto wallets, and GhostSocks, a proxying tool that turns infected devices into proxy infrastructure to mask the attackers’ real location.
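The Claude Code exposure came from a build artifact that should never have been in the published tarball: a `.map` file embeds the original sources (`sourcesContent`) of everything that was bundled. The script below is an added example (not Anthropic’s or npm’s code) of a pre-publish check that walks a package directory and reports any source map, plus any JavaScript file still carrying a `//# sourceMappingURL` comment that would point a consumer at one. The package tree it inspects is constructed in a temporary directory purely to exercise the check; the package name and file contents are invented.

```python
"""Pre-publish check for source maps in an npm package directory.

Added example, not code from Anthropic or npm. Assumes the directory given
is what would be published as-is (the files listed by `npm pack --dry-run`).
The package tree built by build_constructed_package() is invented.
"""
import json
import os
import re
import tempfile

# Matches the comment bundlers append to point at a map, including inline
# data: URLs, which embed the whole map inside the .js file itself.
SOURCEMAP_RE = re.compile(r"^\s*//[#@]\s*sourceMappingURL=(\S+)", re.MULTILINE)


def find_sourcemap_exposure(pkg_dir):
    """Walk pkg_dir and return (map_files, referencing_js), both sorted lists of
    paths relative to pkg_dir using '/' separators."""
    map_files, referencing = [], []
    for root, _dirs, files in os.walk(pkg_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, pkg_dir).replace(os.sep, "/")
            if name.endswith(".map"):
                map_files.append(rel)
            elif name.endswith((".js", ".mjs", ".cjs")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if SOURCEMAP_RE.search(fh.read()):
                        referencing.append(rel)
    return sorted(map_files), sorted(referencing)


def check_package(pkg_dir):
    """True when nothing map-related would ship, False otherwise."""
    maps, refs = find_sourcemap_exposure(pkg_dir)
    return not maps and not refs


def build_constructed_package():
    """Create a throwaway package tree reproducing the mistake: a .map file
    (with sourcesContent) sitting next to the bundle that references it."""
    d = tempfile.mkdtemp(prefix="pkgcheck_")
    os.makedirs(os.path.join(d, "cli"))
    with open(os.path.join(d, "package.json"), "w") as fh:
        json.dump({"name": "@example/cli", "version": "0.0.1", "files": ["cli"]}, fh)
    with open(os.path.join(d, "cli", "bundle.js"), "w") as fh:
        fh.write("console.log('hi');\n//# sourceMappingURL=bundle.js.map\n")
    with open(os.path.join(d, "cli", "bundle.js.map"), "w") as fh:
        json.dump({"version": 3, "sources": ["src/internal.ts"],
                   "sourcesContent": ["// original TypeScript would be here"]}, fh)
    with open(os.path.join(d, "cli", "clean.js"), "w") as fh:
        fh.write("module.exports = 1;\n")
    return d


if __name__ == "__main__":
    pkg = build_constructed_package()
    maps, refs = find_sourcemap_exposure(pkg)
    print("source maps:", maps)          # ['cli/bundle.js.map']
    print("files referencing a map:", refs)  # ['cli/bundle.js']
    print("clean" if check_package(pkg) else "source map exposure: do not publish")
```

Run it against the directory `npm pack --dry-run` reports, not against the working tree, since `.npmignore` and the `files` allowlist in package.json decide what actually ships. Pairing the check with a `files` allowlist that names only the intended bundle is the simpler fix: a map that is never listed cannot be published by accident.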



Weekly Threats Report is Telsy’s weekly update featuring the main developments on cyber attacks and threat actors worldwide, produced by our Threat Intelligence & Response team.

The team is composed of analysts and security researchers with technical and investigative skills and internationally recognized experience.

Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with useful information to anticipate attacks and understand their scope, with the support of a trusted partner in the event of a cyber incident.

Learn more about our Cyber Threat Intelligence solution.