New attacks targeting Italy, the latest state-sponsored operations, and newly discovered malware
Italy: NoName057(16) and phishing campaigns threaten the Peninsula
The hacktivist group NoName057(16) has claimed new DDoS attacks against Italian portals in protest against the preparation of the twelfth military aid package for Ukraine, which includes ammunition and SAMP/T missiles—a move that demonstrates Italy’s continued support for Kyiv despite financial constraints and cuts to U.S. assistance. Targets reportedly include: the Regional Council of Valle d’Aosta; Lazio Region; Municipality of Giugliano in Campania; Municipality of Potenza; Tiscali; Tessellis; HERABIT; Municipality of Parma; Municipality of Reggio Emilia; Ministry of Infrastructure and Transport; Italian Air Force; Public Contracts Service; Pro-Q S.r.l.; CoopVoce; Fastweb S.p.A.; Italian Union of Public Administration Workers (UILPA); NTC Italia; Piedmont Region; Italy Tenders; Banchedati[.]biz; Port Authority of Olbia and Golfo Aranci; Municipality of Palermo; Sicilian Regional Assembly (ARS); North Adriatic Ports Association (NAPA); Sinfomar; Ministry of Labour and Social Policies; Eastern Adriatic Sea Port System Authority – Port of Trieste; Central Northern Tyrrhenian Sea Port System Authority – Ports of Rome and Lazio; A2A Group; Vulcanair S.p.A.; Customs and Monopolies Agency; Acqua Novara.VCO S.p.A. and AMAT Palermo S.p.A. On the group’s Telegram channel, Emilia-Romagna Region also appears among the affected entities; however, its compromise could not be independently verified. 
In the cybercrime landscape, new phishing campaigns have been identified, including: one targeting students and staff of the University of Florence (UniFi), leveraging Weebly to host a fraudulent login page; another impersonating the Electronic Health Record (FSE), Ministry of Economy and Finance, Ministry of Health, and Department for Digital Transformation, which distributed fake refund emails; a third themed around driver’s license renewal, masquerading as communications from the Ministry of Infrastructure and Transport (MIT); and finally, a campaign seemingly originating from an Italian ministry and targeting national government entities with the goal of credential exfiltration. Additionally, a smishing campaign was detected distributing fraudulent SMS messages that claimed a toll payment was pending, redirecting users to a fake Autostrade per l’Italia (Aspi) portal requesting personal data such as license plate, mobile number, and payment card details.
APT: new operations detected targeting Ukraine, Russia, Japan, and Brazil
Security researchers observed a two-month intrusion against a large Ukrainian business services organization and a one-week attack against a local government entity, both leveraging a limited malware set and relying heavily on Living-off-the-Land tactics, dual-use tools, malicious executables, and PowerShell downloaders. Notably, attackers deployed the LocalOlive web shell, previously linked to the Russian state-sponsored group Sandworm. Although a direct connection to the Moscow-based APT cannot be confirmed, both operations appear to be of Russian origin. Also in Ukraine, a phishing campaign attributed to the Russian APT Gamaredon Group targeted government entities by exploiting CVE-2025-8088, a vulnerability in WinRAR. Russia itself was the target of the Operation ForumTroll cyber-espionage campaign, which delivered the LeetAgent malware and the Dante spyware, a commercial tool developed by Memento Labs, the Italian company believed to be the rebranding of Hacking Team. In Japan, a spear-phishing campaign themed around job applications, conducted by the South Korean group DarkHotel, targeted HR personnel at national organizations using updated versions of the SpyGlace malware. Three variants were identified, each incorporating incremental improvements in features, persistence mechanisms, and obfuscation techniques. Finally, in Brazil, researchers tracked a new wave of the Water Saci campaign, which spreads SORVEPOTEL via WhatsApp. Analysis of the operation revealed an updated infection chain that, instead of using .NET binaries, employs a combination of VBS and PowerShell script downloaders.
Malware: campaigns featuring newly discovered tools
Researchers identified a malware named Baohuo, which spreads via modified versions of the Telegram X Android app and has already infected over 58,000 devices worldwide—including smartphones, tablets, TV set-top boxes, and even Android-based car systems. Baohuo embeds itself within the main executable or in separate DEX files of the Telegram X app repository and uses the Xposed framework to dynamically modify app functions, conceal authorized devices, hide chats and notifications, intercept clipboard content, and display phishing overlays identical to legitimate app windows to steal sensitive data. Also in the Android ecosystem, researchers discovered a new banking trojan called Herodotus, designed for Device Takeover and notable for its ability to mimic human behavior to evade behavioral and biometric detection systems. Active campaigns were observed in Italy and Brazil, where the malware spreads via sideloading, potentially involving smishing campaigns leading to malicious links hosting the dropper. Herodotus simulates human typing during remote control sessions by dividing the attacker’s input into individual keystrokes with random delays (300–3000 ms), mimicking natural rhythm, and reducing detection likelihood. It can intercept SMS messages, record visual activity via Accessibility logging, and display blocking overlays to conceal fraudulent operations or prevent the victim from accessing banking apps. Lastly, researchers uncovered a new Malware-as-a-Service (MaaS) dubbed Atroposia, designed to combine espionage, credential theft, and network manipulation in a single modular solution, making cybercrime accessible even to low-skill threat actors. With a subscription cost between USD 200 and 900, an intuitive control panel, and a customizable plugin system, Atroposia exemplifies how modern criminal toolkits’ sophistication and ease of use have drastically lowered the entry barrier for conducting complex intrusion and data-theft campaigns.
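As an added illustration that is not part of the Telsy report, the Python sketch below shows one way a defender's behavioural analytics could surface the typing emulation described above for Herodotus (per-keystroke delays drawn at random from a 300–3000 ms window). It reduces an inter-keystroke interval sequence to two features, the share of intervals shorter than the 300 ms floor and how evenly the remaining intervals fill the window, and flags sessions that match the emulated profile. The two interval sequences, the thresholds, and the feature set are constructed assumptions for the example, not published biometrics or vendor detection logic.

```python
"""Heuristic check for emulated keystroke timing (added example, not Telsy code).

The delay window is the one the report attributes to Herodotus; everything
else (thresholds, sample sizes, the two interval sequences) is constructed.
"""
import math
from dataclasses import dataclass
from typing import List, Optional

BOT_MIN_MS = 300          # floor of the emulated delay window (from the report)
BOT_MAX_MS = 3000         # ceiling of the emulated delay window (from the report)
BUCKET_MS = 300           # histogram width: 9 buckets across the window (assumed)
MIN_SAMPLES = 12          # below this many intervals, make no decision (assumed)


@dataclass
class TimingFeatures:
    count: int
    min_ms: int
    frac_below_floor: float   # share of intervals shorter than BOT_MIN_MS
    window_spread: float      # normalised entropy (0..1) of intervals inside the window


def inter_key_intervals(timestamps_ms: List[int]) -> List[int]:
    """Differences between consecutive key-event timestamps, in milliseconds."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def extract_features(ikis: List[int]) -> TimingFeatures:
    """Summarise an interval sequence into the two features used below."""
    if not ikis:
        return TimingFeatures(0, 0, 0.0, 0.0)
    below = sum(1 for v in ikis if v < BOT_MIN_MS)
    in_window = [v for v in ikis if BOT_MIN_MS <= v < BOT_MAX_MS]
    n_buckets = (BOT_MAX_MS - BOT_MIN_MS) // BUCKET_MS
    counts = [0] * n_buckets
    for v in in_window:
        counts[(v - BOT_MIN_MS) // BUCKET_MS] += 1
    spread = 0.0
    if in_window:
        total = len(in_window)
        # Shannon entropy of the bucket histogram, normalised to [0, 1];
        # a uniform random generator fills the buckets evenly, so spread -> 1.
        entropy = -sum((c / total) * math.log(c / total) for c in counts if c)
        spread = entropy / math.log(n_buckets)
    return TimingFeatures(len(ikis), min(ikis), below / len(ikis), spread)


def looks_synthetic(f: TimingFeatures, max_floor_frac: float = 0.05,
                    min_spread: float = 0.8) -> Optional[bool]:
    """True if the session matches the emulated profile, False if not,
    None when there are too few intervals to judge (edge case)."""
    if f.count < MIN_SAMPLES:
        return None
    return f.frac_below_floor <= max_floor_frac and f.window_spread >= min_spread


# Constructed sample: 60 intervals spread deterministically across the
# 300-3000 ms window, standing in for an emulated remote-control session.
EMULATED_IKIS = [BOT_MIN_MS + (i * 997) % (BOT_MAX_MS - BOT_MIN_MS) for i in range(60)]

# Constructed sample: a short burst of hand-typed input on a phone (illustrative).
HUMAN_IKIS = [180, 240, 95, 310, 210, 150, 420, 130, 260, 190,
              220, 880, 140, 200, 170, 330, 110, 250, 160, 205]


if __name__ == "__main__":
    for label, ikis in (("emulated", EMULATED_IKIS), ("human", HUMAN_IKIS)):
        feats = extract_features(ikis)
        print(f"{label:9s} below_floor={feats.frac_below_floor:.2f} "
              f"spread={feats.window_spread:.2f} synthetic={looks_synthetic(feats)}")
```

The two features are deliberately cheap to compute from existing keystroke telemetry, and the `None` result keeps short inputs (a PIN, a one-word search) from being scored at all. A session flagged this way is a signal to correlate with the other indicators the report lists, such as Accessibility service abuse or overlay activity, rather than a verdict on its own.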
Weekly Threats Report is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.
The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.
Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with valuable information to anticipate attacks and understand their impact, while ensuring a reliable partner in the event of a cyber incident.
