New attacks in Italy, state-sponsored activity, operations in Ukraine

Weekly Threats Report by Telsy

Italy: cybercrime operations target the country

During the past week, several phishing campaigns targeting Italy were identified. In one case, a fake login portal for students and staff of the University of Parma (UniPr) attempted to steal institutional credentials through a page mimicking the university’s private-area access portal. At the same time, copyright-themed emails redirected users to a fake Meta reCAPTCHA page, followed by a fraudulent Facebook login popup designed to exfiltrate social media credentials. Additional fraudulent messages concerning supposed mailbox storage-space exhaustion attempted to harvest victims’ account credentials. Furthermore, a large-scale distribution of the Remcos RAT via DBatLoader—still ongoing—was observed, using the GLS brand as a lure to induce users to fill out a fake redelivery form; as well as a distribution campaign for the XWorm malware using Booking[.]com-themed invoices. Finally, a sophisticated Phishing-as-a-Service (PhaaS) framework was uncovered, designed to impersonate the access and payment pages of the Italian IT and web-hosting provider Aruba S.p.A. The kit includes a CAPTCHA filter to evade security scanners, pre-fills user data to appear more legitimate, and uses Telegram bots to instantly exfiltrate stolen information. Turning to the ransomware landscape, DragonForce Team claimed the compromise of Ponzini S.p.A.; RansomHouse claimed Fulgar S.p.A.; Qilin Team claimed Viabizzuno S.p.A.; Everest Team claimed SIAD S.p.A.; and INC RANSOM Team claimed Galileo S.r.l.


APT: operations from Asia and 0-days

Security researchers analysed an intrusion into a U.S. non-profit organisation attempting to influence Washington’s policy on international issues. Evidence shows that the adversaries aimed to establish persistence and maintain long-term access to the victim’s network, where they remained active for several weeks in April 2025. Technical indicators—such as the use of the legitimate component vetysafe.exe to sideload a malicious DLL (sbamres.dll)—suggest a Chinese origin. A copy of the same DLL had previously been used in operations attributed to Space Pirates, while a variant with a different filename has been observed in GhostEmperor (aka Kelp, Salt Typhoon) campaigns. The same technique has also been employed by Earth Longzhi, a subgroup of Axiom (APT41). Regarding North Korea, ScarCruft was observed abusing Google’s Find Hub tool to track victims’ GPS location and remotely factory-reset Android devices. The group distributed malware through highly customised spear-phishing and social engineering operations, using themes tied to South Korean government entities and disguising payloads as “stress-relief programs” sent via KakaoTalk—South Korea’s instant-messaging platform—from compromised accounts belonging to psychologists and activists working with young North Korean defectors. Additionally, Lazarus Group employed a new variant of the Comebacker backdoor in a campaign active since at least March 2025, using lures related to aerospace and defence organisations. Finally, it was identified that an advanced threat actor exploited the Citrix zero-day vulnerability CVE-2025-5777 and the Cisco Identity Services Engine (ISE) 0-day CVE-2025-20337 to deploy custom malware before the vulnerabilities were publicly disclosed and patches were available.
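The sideloading indicator above (legitimate vetysafe.exe loading a malicious sbamres.dll, with renamed variants seen elsewhere) lends itself to a host-side detection heuristic. The following is an added example for defenders, not code from the report or from Telsy: it scans constructed image-load records and flags both the documented pair and the generic pattern of a signed host binary in a user-writable directory loading an unsigned DLL beside it. The record format, field names and the list of user-writable path fragments are assumptions.

```python
# Added example, not code from the report: heuristic for the sideloading pattern
# (legitimate vetysafe.exe loading a malicious sbamres.dll). Record format, field
# names and the user-writable path list are assumptions; log lines are constructed.
from pathlib import PureWindowsPath

# Pair named in the report; variants used other DLL names, so check 2 below
# does not depend on this table.
KNOWN_PAIRS = {"vetysafe.exe": {"sbamres.dll"}}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")  # assumption

def parse(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' image-load record."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def in_user_writable(path: PureWindowsPath) -> bool:
    return any(frag in str(path).lower() for frag in USER_WRITABLE)

def classify(event: dict) -> list:
    """Return reasons an image-load event looks like sideloading (empty = benign)."""
    host, dll = PureWindowsPath(event["Image"]), PureWindowsPath(event["ImageLoaded"])
    dll_unsigned = event.get("LoadedSigned", "false").lower() != "true"
    reasons = []
    # 1. The pair from the report, loaded from a user-writable path or unsigned.
    if dll.name.lower() in KNOWN_PAIRS.get(host.name.lower(), set()) and (
        dll_unsigned or in_user_writable(dll)
    ):
        reasons.append("known sideload pair in suspicious location")
    # 2. Generic: a signed host copied into a user-writable directory loads an
    #    unsigned DLL beside it. Catches renamed variants of the same trick.
    if (event.get("Signed", "false").lower() == "true" and dll_unsigned
            and host.parent == dll.parent and in_user_writable(host)):
        reasons.append("signed host in user-writable dir loading unsigned co-located DLL")
    return reasons

def scan(lines) -> list:
    """Return (host name, DLL name, reasons) for every suspicious record."""
    hits = []
    for line in lines:
        ev = parse(line)
        reasons = classify(ev)
        if reasons:
            hits.append((PureWindowsPath(ev["Image"]).name,
                         PureWindowsPath(ev["ImageLoaded"]).name, reasons))
    return hits

SAMPLE_LOG = [  # constructed records, not real telemetry
    "Image=C:\\Program Files\\Vendor\\vetysafe.exe|ImageLoaded=C:\\Program Files\\Vendor\\sbamres.dll|Signed=true|LoadedSigned=true",
    "Image=C:\\Users\\jdoe\\AppData\\Roaming\\upd\\vetysafe.exe|ImageLoaded=C:\\Users\\jdoe\\AppData\\Roaming\\upd\\sbamres.dll|Signed=true|LoadedSigned=false",
    "Image=C:\\Users\\Public\\vetysafe.exe|ImageLoaded=C:\\Users\\Public\\other.dll|Signed=true|LoadedSigned=false",
]
```

The first record (vendor install path, signed DLL) is left alone; the second trips both checks and the third, with a renamed DLL, is caught only by the generic check.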


Ukraine: InedibleOchotense impersonates a well-known cybersecurity company

In May 2025, security researchers observed a previously unknown Russia-aligned group named InedibleOchotense conducting a spear-phishing campaign against several Ukrainian entities, impersonating a well-known Slovak cybersecurity company. The operation involved sending emails and Signal messages containing a link to a trojanised installer that delivered a legitimate product alongside the Kalambur backdoor. Analysis of one of the messages revealed that, although written in Ukrainian, the first line contained the Russian word “заказник”, likely indicating a typo or translation error. The URL embedded in the email pointed to a malicious domain distributing a ZIP archive containing a legitimate file and a Kalambur variant. Given the widespread use of that security company’s products in Ukraine, it is likely the adversary sought to exploit its reputation to increase the credibility of the message and induce victims to install the payload. InedibleOchotense’s TTPs show strong overlaps with a Sandworm campaign documented in February 2025—characterised by the use of the BACKORDER downloader—and with an operation attributed to subgroup UAC-0212.



Weekly Threats Report is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.

The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.

Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with valuable information to anticipate attacks and understand their impact, while ensuring a reliable partner in the event of a cyber incident.

Discover more about our Cyber Threat Intelligence solution.