New attacks in Italy, novel APT operations, reported data breaches

Weekly Threats Report by Telsy

Italy: multiple malicious activities observed

A phishing campaign has been detected in Italy leveraging the name of the Agenzia delle Entrate–Riscossione with the aim of stealing login credentials belonging to both private users and institutional accounts. Compared to previous similar operations, this activity stands out for a stronger focus on Public Administrations (PA), while still involving entities from the private sector.

Since the beginning of 2026, the Italian CSIRT has observed a significant increase in ransomware attacks nationwide attributable to the Akira Team group, with 13 confirmed incidents, mainly affecting small and medium-sized enterprises (SMEs). Evidence indicates systematic exploitation of unpatched n-day vulnerabilities on perimeter devices, particularly SonicWall firewalls, and the compromise of exposed SSL VPN services. These methods are fully consistent with the adversary's TTPs, which have historically focused on abusing security solutions to gain initial access and maintain persistence. Over the past week, the same adversary has claimed on its leak site the compromise of Pharmathek S.r.l. and CSA S.p.A. (Central Shipping Agency S.p.A.).

Continuing with ransomware attacks targeting Italian entities, The Gentlemen claimed breaches of IC&Partners and Marchesi di Barolo; Qilin Team of ICM S.p.A.; LockBit Team of Radio Studio Più S.r.l.; DragonForce Team of SGI Sistemi Gestione Integrata S.r.l.; and a group named Lamashtu of Servetto S.r.l., Logitech S.r.l., EFO Service S.r.l., Safety MED S.r.l., and Client Solution S.p.A.

Finally, Sae Scientifica S.r.l. was affected by a cybersecurity incident involving a corporate email account. According to reports, the attack was contained with no evidence of further compromise; however, in the absence of technical details, a potential exposure of email communications and the data they contain cannot be ruled out with certainty.

APT: Iranian, North Korean, and Taiwan-focused operations tracked

Security researchers observed a campaign highly likely attributed to the Iranian group MuddyWater targeting the energy, government, and aviation sectors in the Middle East, aimed at exfiltrating sensitive data through the exploitation of at least five recently disclosed vulnerabilities. In addition, the adversary has been observed maintaining a direct operational link with the Russian Malware-as-a-Service (MaaS) platform named CastleRAT, through which a novel malware called Chainshell is distributed against Israeli targets. Through CastleRAT, MuddyWater gains immediate access to Hidden VNC, Chrome cookie encryption bypass, and resilient blockchain-based C2, capabilities that would otherwise require significant time to develop internally.

On the North Korean front, between April 6 and 9, 2026, a cluster of obfuscated malicious npm packages published by multiple throwaway accounts was tracked, whose infection chain leverages a two-stage distribution strategy. Evidence revealed that these packages are variants of OtterCookie, an infostealer attributed with high confidence to the Lazarus Group. Still focusing on North Korea, ScarCruft has been observed orchestrating a sophisticated cyber espionage campaign using two fake Facebook profiles to distribute the RokRAT backdoor. The threat's capabilities include screenshot capture, remote command execution, system information gathering, and the exfiltration of files with specific extensions, including Office documents, PDFs, files in the Korean HWP format, and audio recordings.

Finally, security researchers identified a cluster tracked as UAT-10362 conducting spear phishing campaigns against Taiwanese NGOs and likely universities, with the aim of deploying a new malware family named LucidRook. The set of advanced techniques, including a modular architecture, the use of legitimate infrastructure, and anti-analysis controls, indicates a sophisticated adversary with mature operational capabilities, engaged in targeted operations rather than opportunistic campaigns.

Data breach: security incidents impact Rockstar Games, McGraw-Hill, and Booking.com

On April 11, 2026, the American video game company Rockstar Games confirmed that a limited amount of non-material corporate information was accessed in connection with a breach that occurred at a third party, specifying that the incident had no impact on the organization or on players. The hypothesized technical vector, linked to the theft of authentication tokens via Anodot, a third-party integration connected to the Snowflake environment, has not received official confirmation from Rockstar. Additionally, the U.S. publisher McGraw-Hill was involved in an incident of unauthorized data access, caused by a misconfiguration of the Salesforce platform. The company, supported by security experts, stated that it promptly secured the affected resources and is working with Salesforce to permanently remediate the issue. The extortion group ShinyHunters has claimed responsibility for both attacks. Finally, Booking.com confirmed, in a statement released to a well-known industry news outlet, that unauthorized actors managed to access the data of some users, particularly information related to their bookings. The company did not disclose the exact number of individuals affected, but committed to notifying them individually and to keeping customer support services available.

Weekly Threats Report is Telsy’s weekly update featuring the main developments on cyber attacks and threat actors worldwide, produced by our Threat Intelligence & Response team.

The team is composed of analysts and security researchers with technical and investigative skills and internationally recognized experience.

Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with useful information to anticipate attacks and understand their scope, with the support of a trusted partner in the event of a cyber incident.
