New attacks in Italy, data breaches reported, offensives from China
Italy: new phishing and ransomware offensives
Over the past two weeks, multiple phishing campaigns have targeted Italian users. One operation abused the name and logo of Fineco Bank. In particular, a fraudulent email with the subject “Confirmation of account protection measures” aimed to notify the potential victim of an alleged credentials non-compliance, urging them to click on the embedded link to avoid limitations on their bank account. In addition, several malicious activities illicitly leveraged the name of the PagoPA system to deceive citizens with fake payment requests. Fraudulent messages often reference fines, penalties, or unpaid fees, requesting immediate payment to avoid alleged legal consequences. These deceptive communications are delivered via email, SMS, or messaging apps and attempt to persuade users to promptly pay an amount, click on suspicious links, scan QR codes, or provide personal, banking, or credit card information. Finally, an additional offensive was tracked using the Conad logo, aimed at tricking users into unknowingly subscribing to a paid service. Turning to the ransomware landscape, INC RANSOM Team claimed the compromise of Talarico S.r.l. on its leak site; Qilin Team claimed Callipo Group S.r.l., GIV S.r.l., and SEACSUB S.p.A.; Warlock claimed Silanos S.r.l.; CHAOS claimed Veplastic S.p.A.; LockBit Team claimed SAV Antivibranti S.r.l.; and SAFEPAY claimed Elad S.r.l.
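As an added example, not part of Telsy's report, the following Python triage heuristic scores incoming messages for the lure patterns described above: a brand named in the text while the sender domain is not one the gateway trusts for that brand, an embedded link or QR code, urgency wording around fines and account limitations, requests for credentials or card data, and the paid-subscription hook. The brand domain allow-list (`fineco.example` and so on) and all sample messages are constructed placeholders, not the organisations' real domains or real campaign samples.

```python
import re
from dataclasses import dataclass, field

# Constructed allow-list: sender domains the gateway would trust for each brand.
# Placeholders for this example, not the organisations' real domains.
BRAND_DOMAINS = {
    "fineco": {"fineco.example"},
    "pagopa": {"pagopa.example"},
    "conad": {"conad.example"},
}

# Lure vocabulary matching the campaigns described in the report.
URGENCY = [
    r"\bimmediate(ly)?\b", r"\bavoid (legal|limitations?)\b", r"\bwithin \d+ (hours|days)\b",
    r"\bfine\b", r"\bpenalt(y|ies)\b", r"\bunpaid\b", r"\bconfirm(ation)?\b",
]
CREDENTIAL_ASKS = [r"\bcredentials?\b", r"\bcredit card\b",
                   r"\bbank(ing)? (details|information)\b", r"\bpassword\b"]
SUBSCRIPTION_TRAP = r"subscri(be|ption)|per week|/week"


@dataclass
class Message:
    sender: str          # e-mail address, or phone number / handle for SMS and messaging apps
    subject: str
    body: str
    channel: str = "email"


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(msg: Message) -> Verdict:
    text = f"{msg.subject}\n{msg.body}".lower()
    v = Verdict()
    domain = sender_domain(msg.sender)
    # Brand impersonation: brand named in the text, sender not one of its trusted domains.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in text and domain not in allowed:
            v.score += 3
            v.reasons.append(f"'{brand}' referenced from untrusted sender ({domain or msg.channel})")
    if re.search(r"https?://", text) or re.search(r"\bqr code\b", text):
        v.score += 2
        v.reasons.append("link or QR code present")
    hits = [p for p in URGENCY if re.search(p, text)]
    if hits:
        v.score += min(len(hits), 3)
        v.reasons.append(f"urgency language ({len(hits)} patterns)")
    if any(re.search(p, text) for p in CREDENTIAL_ASKS):
        v.score += 2
        v.reasons.append("asks for credentials or payment data")
    if re.search(SUBSCRIPTION_TRAP, text):
        v.score += 2
        v.reasons.append("paid-subscription hook")
    return v


def triage(messages, threshold: int = 5):
    """Return (message, verdict) pairs at or above the review threshold."""
    scored = [(m, score_message(m)) for m in messages]
    return [(m, v) for m, v in scored if v.score >= threshold]


# Constructed sample messages modelled on the lures described above.
SAMPLES = [
    Message("security@mail-fineco-alert.example", "Confirmation of account protection measures",
            "Your credentials are not compliant. Click https://fineco-verify.example/login "
            "immediately to avoid limitations on your bank account."),
    Message("noreply@fineco.example", "Your monthly statement is available",
            "Your statement for November is available in the app."),
    Message("+39 000 0000000", "", "PagoPA: unpaid fine of 85 EUR. Pay immediately to avoid legal "
            "consequences: https://pagopa-fines.example/pay", channel="sms"),
    Message("promo@conad-rewards.example", "You have won a Conad gift card",
            "Reply YES to claim. By replying you subscribe to a weekly service at 5 EUR/week."),
]

if __name__ == "__main__":
    for m, v in triage(SAMPLES):
        print(f"{v.score:2d}  {m.channel:5s}  {m.sender}  ->  {'; '.join(v.reasons)}")
```

The legitimate statement notice scores zero because it names no brand in its text and carries no urgency or link, while the three lures cross the review threshold for different reasons; the Conad subscription trap is caught only by the paid-subscription pattern, which is why that signal is scored separately from the credential-theft vocabulary.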
Data breaches: security incidents impact ESA, Korean Air, and WIRED
The European Space Agency (ESA) stated that it is aware of a recent cybersecurity incident involving servers located outside the Agency’s corporate network. A forensic security analysis has been launched, and measures have been implemented to secure any potentially affected devices. Analyses conducted so far indicate that only a very limited number of external servers may have been involved. These systems support unclassified collaborative engineering activities within the scientific community. The statement was issued following the appearance, on an underground forum, of a post advertising the sale of data allegedly belonging to ESA. The threat actor claims to have exfiltrated more than 200 GB of data, allegedly including source code, CI/CD pipelines, API tokens, access tokens, confidential documents, configuration files, Terraform files, SQL files, hardcoded credentials, and more. Korean Air, South Korea’s flag carrier, suffered a data breach impacting information belonging to thousands of its employees. The compromise did not originate directly from Korean Air’s systems, but from those of Korean Air Catering & Duty-Free (KC&D), the in-flight catering service provider and former subsidiary that became an independent entity in 2020. Specifically, KC&D notified Korean Air that it had recently been targeted by a cyberattack affecting servers hosting its corporate ERP system. Finally, on December 20, 2025, a threat actor named Lovely published a database on an underground forum containing 2,366,576 records of subscribers to WIRED magazine. The attacker accused the U.S. publishing group Condé Nast of failing to take user data security seriously. The exposed dataset spans from April 26, 1996, to September 9, 2025, and includes 2,366,574 unique email addresses.
China: attacks traced to multiple Sinophone groups
A campaign orchestrated by the Chinese threat actor Evasive Panda was tracked between November 2022 and November 2024, targeting selected entities in Turkey, China, and India through Adversary-in-the-Middle attacks. In addition, a sophisticated campaign conducted by the Chinese APT group Void Arachne targeted Indian entities using tax-themed phishing lures. Analysis revealed previous attribution errors that had incorrectly linked this activity to the Indian group SideWinder. Moreover, security researchers discovered an APT group dubbed LongNosedGoblin, aligned with Beijing, targeting government entities in Southeast Asia and Japan for cyber-espionage purposes. Active since at least September 2023, the actor uses Group Policy to deploy malware and move laterally within compromised networks, and leverages cloud services such as Microsoft OneDrive and Google Drive as C2 servers. Its operations are characterized by the use of a custom toolset. Finally, the activities of a presumed Chinese group named DarkSpectre were documented. The group is responsible for three parallel campaigns that infected 8.8 million users through more than 300 browser extensions distributed across Chrome, Edge, Firefox, and Opera over a seven-year period.
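As an added example, not part of Telsy's report, the Python script below shows two detections a defender would want against the LongNosedGoblin tradecraft described above: periodic beaconing from a workstation to cloud-storage endpoints used as C2, and Group Policy object modifications by accounts outside an approved administrator set. The proxy log lines, the Windows Security events (fields simplified; event ID 5136 is the real "directory service object modified" event), the cloud-storage endpoint list and the approved-admin set are all constructed assumptions for this example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Cloud-storage endpoints of the kind the report says the actor uses as C2. The list and
# the approved-administrator set are assumptions for this example.
CLOUD_STORAGE = ("graph.microsoft.com", "onedrive.live.com", "www.googleapis.com", "drive.google.com")
APPROVED_GPO_ADMINS = {"gpo-admin"}

# Constructed proxy log: timestamp, source host, destination host, bytes sent.
PROXY_LOG = """\
2025-12-22T08:00:01 ws-042 graph.microsoft.com 412
2025-12-22T08:05:03 ws-042 graph.microsoft.com 409
2025-12-22T08:10:00 ws-042 graph.microsoft.com 415
2025-12-22T08:15:02 ws-042 graph.microsoft.com 410
2025-12-22T08:20:01 ws-042 graph.microsoft.com 408
2025-12-22T08:25:04 ws-042 graph.microsoft.com 413
2025-12-22T08:30:00 ws-042 graph.microsoft.com 411
2025-12-22T08:01:17 ws-017 onedrive.live.com 53120
2025-12-22T08:47:55 ws-017 onedrive.live.com 1048576
2025-12-22T11:12:09 ws-017 onedrive.live.com 2048
2025-12-22T08:03:30 ws-042 www.example.com 1500
"""

# Constructed Windows Security events (fields simplified). Event 5136 records a modified
# directory-service object; a change to a groupPolicyContainer object is a GPO edit.
GPO_EVENTS = [
    {"event_id": 5136, "object_class": "groupPolicyContainer", "account": "gpo-admin",
     "attribute": "gPCFileSysPath", "time": "2025-12-22T09:00:00"},
    {"event_id": 5136, "object_class": "groupPolicyContainer", "account": "jdoe",
     "attribute": "gPCMachineExtensionNames", "time": "2025-12-22T02:13:41"},
    {"event_id": 4624, "object_class": "", "account": "jdoe",
     "attribute": "", "time": "2025-12-22T02:10:05"},
]


def is_cloud_storage(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE)


def parse_proxy(text: str):
    records = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_beacons(records, min_hits: int = 6, max_cv: float = 0.15):
    """Flag (src, dst) pairs that contact cloud storage at near-constant intervals."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        if is_cloud_storage(dst):
            by_pair[(src, dst)].append(ts)
    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: a scheduled beacon has a low spread around its period,
        # while a user syncing files produces irregular gaps.
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            found.append({"src": src, "dst": dst, "hits": len(times), "mean_interval": mean, "cv": cv})
    return found


def flag_gpo_changes(events, approved):
    """Return GPO create/modify events made by accounts outside the approved set."""
    return [e for e in events
            if e["event_id"] in (5136, 5137)
            and e["object_class"] == "groupPolicyContainer"
            and e["account"] not in approved]


if __name__ == "__main__":
    for b in find_beacons(parse_proxy(PROXY_LOG)):
        print(f"beacon: {b['src']} -> {b['dst']} every ~{b['mean_interval']:.0f}s "
              f"(cv={b['cv']:.3f}, n={b['hits']})")
    for e in flag_gpo_changes(GPO_EVENTS, APPROVED_GPO_ADMINS):
        print(f"gpo change by unapproved account {e['account']} at {e['time']} ({e['attribute']})")
```

Only ws-042 is reported as beaconing: its seven contacts with the Microsoft Graph endpoint sit about 300 seconds apart with almost no jitter, whereas ws-017's three OneDrive sessions are too few and too irregular to qualify. The GPO check flags the off-hours edit by `jdoe`, and in practice both detections would be joined on the same host or account before raising an alert, since legitimate cloud sync traffic is common.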
Weekly Threats is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.
The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.
Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with valuable information to anticipate attacks and understand their impact, while ensuring a reliable partner in the event of a cyber incident.
