New attacks in Italy, malware and supply chain offensives detected, data breaches reported

Weekly Threats by Telsy

Italy: several malicious activities observed

A phishing campaign has been detected in Italy that uses a malicious clone of the Caritas Italiana website to carry out identity theft against citizens, with particular attention to the most vulnerable segments of the population. The attack vector is currently unknown, but it is plausible that users reach the fraudulent portal through a link contained in an e-mail or via SMS. The site presents itself by offering a fake “Financial Assistance of €”, exploiting the trust placed in the charity.

Moving to the ransomware landscape, over the past week several offensives targeted Italian organizations. Specifically, SAFEPAY claimed on its leak site the compromise of Zona Ovest di Torino S.r.l., Soavegel S.r.l. and Studio Ubertazzi; The Gentlemen claimed Media Consulting S.r.l., Digiplex S.r.l., Datamatic S.p.A. and IPE Technologies S.r.l.; Everest Team claimed Studio Marchi – Studio Professionale Associato; Qilin Team claimed Complastex S.p.A. and Inox Market Service S.p.A. In addition, a ransomware group known as Bavaqai, allegedly an extension of MedusaLocker, claimed on its leak site to have breached SIT S.p.A.

Moving into the state-sponsored sphere, Sistemi Informativi S.p.A., a Rome-based company wholly owned by IBM Italia and a strategic provider of technological infrastructure for the Italian Public Administration as well as numerous large private companies, was the target of a cyber intrusion attributable to the Chinese group GhostEmperor.


Threat: supply chain attacks and previously unseen malware

In early May 2026, security researchers discovered a supply chain attack that compromised the official installers of DAEMON Tools Lite, one of the most widely used disk drive emulation programs for Windows. The attackers managed to insert a backdoor directly into the installation packages distributed from the legitimate website of the vendor AVB Disc Soft, and the operation generated thousands of infection attempts in more than 100 countries.

Another supply chain attack affected Bitwarden CLI. Specifically, researchers detected the distribution of a compromised version of the @bitwarden/cli@2026.4.0 package via the public npm registry. The detected payload suggests a strong overlap with the Shai-Hulud campaign, orchestrated by the TeamPCP group. The company clarified that no data stored in users’ vaults appears to have been compromised, nor were production systems or the integrity of the product’s legitimate source code impacted.

Among the new threats that emerged, a previously unseen backdoor called Deep#Door was observed, designed to target Windows systems. Its most notable capabilities include credential theft, including the extraction of data from browsers such as Chrome, Edge and Firefox, SSH keys, AWS, Azure and GCP cloud accounts, Wi-Fi networks, and Windows Credential Manager. The malware also performs keylogging, clipboard monitoring, screenshot capture, webcam access, and audio recording of the surrounding environment.

Finally, an operation targeting the energy sector in Venezuela was detected, aimed at deploying a previously unseen wiper called Lotus Wiper, whose sole objective is the irreversible deletion of information and permanent damage to Windows systems, and whose entire infection process is repeated in multiple cycles to ensure the total unrecoverability of the data.


Data breach: violations affecting Trellix, DigiCert, Instructure and Vimeo

Trellix, an American cybersecurity company founded in 2022 through the merger of McAfee Enterprise and FireEye, has officially confirmed that it suffered a data breach involving unauthorized access to a portion of its source code repository. The compromise was later claimed by the RansomHouse ransomware group, which made available on its leak site a link to download several images as proof of the breach.

DigiCert, one of the world’s leading certificate authorities, suffered a security incident that led to the improper issuance of 60 EV (Extended Validation) code-signing certificates, at least 27 of which were subsequently associated with malware.

On May 1, 2026, the U.S. company Instructure, provider of the Canvas online learning platform, disclosed that it had suffered a cyberattack. A few days later, the incident was claimed by the ShinyHunters group, which allegedly stole 3.65 TB of uncompressed data relating to 275 million individuals.

Finally, the same adversary claimed responsibility for the compromise of Vimeo, the well-known video hosting and streaming platform, which disclosed that it had been involved in a security incident originating from a breach suffered by its third-party provider Anodot, an analytics and anomaly detection portal.

Weekly Threats Report is Telsy’s weekly update featuring the main developments on cyber attacks and threat actors worldwide, produced by our Threat Intelligence & Response team.

The team is composed of analysts and security researchers with technical and investigative skills and internationally recognized experience.

Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with useful information to anticipate attacks and understand their scope, with the support of a trusted partner in the event of a cyber incident.
