Phishing and ransomware in Italy, global data breaches, new state-sponsored operations
Italy: offensive cybercrime hits the country
A new phishing campaign targeting Italian users has been identified, leveraging the name and visual identity of the Italian Government and the Presidency of the Council of Ministers to steal banking credentials. The email, titled “Verifica dei Dati Bancari – Governo Italiano”, urges the recipient to click on a link as part of a purported administrative data-update procedure. Once clicked, the victim is redirected to a portal that faithfully replicates the official graphics of the Presidency of the Council of Ministers, where users are asked to select their banking institution via a drop-down menu listing major national and international groups. These include Intesa Sanpaolo, UniCredit, Monte dei Paschi di Siena, BNL, ING, BPER, BCC, Fineco, Crédit Agricole, and PostePay. After the selection, the target is redirected to a tailored page mimicking the chosen bank’s login portal, with the objective of harvesting customer ID codes and PIN/passwords.

Additionally, another operation has been detected impersonating the Italian Revenue Agency (Agenzia delle Entrate, AdE) to exfiltrate personal and banking data. The email, titled “Notifica di rimborso fiscale – ITA286771593”, contains a link redirecting the target to a fraudulent page promising a supposed €115.50 tax reimbursement. The fraudulent page imitates the AdE’s official portal and prompts victims to fill in a form with personal details and credit card information to obtain the alleged refund.

Finally, in the ransomware landscape, Qilin Team has claimed on its leak site the compromise of Saca Industrie S.p.A., Ilca Targhe S.r.l., and Battaglioli S.r.l. Meanwhile, an operator known as Devman has claimed the breach of an Italian entity whose domain remains partially obfuscated (mttcar*[.]**[.]it).
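Both lures share the same detectable shape: a government brand in the subject or sender display name, while the message is sent from, and links to, hosts outside the official domain. The following triage check, added here as an illustration and not part of Telsy’s tooling, runs that logic over constructed single-part messages modelled on the two campaigns; the placeholder domains and the `.gov.it` allow-list are assumptions to adapt to your environment.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand phrases the two campaigns above borrow (matched case-insensitively).
IMPERSONATED_BRANDS = ("governo italiano", "presidenza del consiglio",
                       "agenzia delle entrate", "rimborso fiscale")
# Assumption: a genuine message from these bodies sends from and links to *.gov.it only.
OFFICIAL_SUFFIX = ".gov.it"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def _is_official(host: str) -> bool:
    return host.endswith(OFFICIAL_SUFFIX)

def classify(raw_message: str) -> dict:
    """Flag a single-part text email that claims a government identity but is
    sent from, or links to, hosts outside the official domain suffix."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + " " + display_name).lower()
    claimed = [b for b in IMPERSONATED_BRANDS if b in text]
    link_hosts = sorted({(urlparse(u).hostname or "").lower()
                         for u in URL_RE.findall(msg.get_payload())})
    bad_links = [h for h in link_hosts if not _is_official(h)]
    reasons = []
    if claimed and not _is_official(sender_host):
        reasons.append(f"claims {claimed[0]!r} but sent from {sender_host}")
    if claimed and bad_links:
        reasons.append("links to non-official host(s): " + ", ".join(bad_links))
    return {"suspicious": bool(reasons), "reasons": reasons, "link_hosts": link_hosts}

# Constructed samples modelled on the two lures; all domains are placeholders.
SAMPLES = {
    "gov_lure": "From: Governo Italiano <notifiche@avvisi-governo.example.net>\n"
                "Subject: Verifica dei Dati Bancari - Governo Italiano\n\n"
                "Aggiorna i tuoi dati: https://verifica-dati.example.net/portale\n",
    "ade_lure": "From: Agenzia delle Entrate <rimborsi@ade-notifiche.example.org>\n"
                "Subject: Notifica di rimborso fiscale - ITA286771593\n\n"
                "Richiedi il rimborso di 115,50 EUR: http://rimborso.example.org/form\n",
    "benign": "From: Agenzia delle Entrate <noreply@agenziaentrate.gov.it>\n"
              "Subject: Cassetto fiscale\n\n"
              "Accedi: https://www.agenziaentrate.gov.it/\n",
}

def run_samples() -> dict:
    """Classify every constructed sample; returns name -> verdict."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}
```

In production the same check belongs on the parsed message after MIME and HTML decoding, with the allow-list drawn from your own list of trusted sender domains.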
Breach: incidents in South Korea, the United States, Canada, and France
Coupang, South Korea’s largest online retailer, has confirmed a massive data breach compromising personal information belonging to 33.7 million customer accounts. This is one of the most severe data breaches in the country’s recent history, potentially affecting 65% of South Korea’s 51.7 million population.

In parallel, Marquis Software Solutions, a financial software provider serving over 700 U.S. banking institutions across data analytics, CRM, compliance reporting and digital marketing, has reported a major security breach on August 14, 2025. The ransomware attack exploited vulnerabilities in the company’s SonicWall firewall, allowing the adversary to exfiltrate sensitive files related to customer systems. The incident is highly significant, affecting more than 400,000 individuals across 74 U.S. banks and credit unions.

Additionally, on December 3, 2025, Canadian wireless telecom operator Freedom Mobile Inc. disclosed that unauthorized activity was detected on October 23 within its customer account management platform. Internal investigations revealed that a third party misused a subcontractor’s account to access the personal data of a limited number of customers.

France has also seen several affected entities this week. Leroy Merlin, the home improvement and gardening retailer, is notifying customers that their personal information has been compromised, an incident reportedly limited to customers in France. The French Football Federation (FFF) has also disclosed a breach after attackers exploited a compromised account to access administrative management software used by football teams.
APT: details released on Asian and Middle Eastern operations
A suspected case of operational collaboration has been observed between Russia’s Gamaredon Group and North Korea’s Lazarus Group. Analysis indicates that the two APTs used the same command-and-control (C2) infrastructure to distribute malware. On July 24, 2025, an IP address associated with Gamaredon’s known C2 infrastructure was identified; four days later, the same IP began distributing an obfuscated variant of InvisibleFerret, a malware family attributed to Lazarus Group. The payload was delivered via a server structure identical to that previously observed in Contagious Interview. While the IP may represent a proxy or VPN endpoint, the temporal proximity of both groups’ activities and the shared hosting pattern suggest likely infrastructure reuse. It remains unclear whether Lazarus leveraged a Gamaredon-controlled server or both actors operated on the same client instance.

In Pakistan, a new, still-active espionage campaign conducted by Islamabad-based group Barmanou has been observed targeting Indian government organizations with malware tailored specifically for Linux BOSS environments. Meanwhile, an APT of unclear origin known as Bloody Wolf, active since late 2023, has intensified spear-phishing operations across Central Asia by impersonating government agencies, particularly Ministries of Justice, to enhance credibility. Targeted sectors appear to include finance, government, and IT.

Moving to the Middle East, researchers have documented an operation by Iranian APT MuddyWater conducted between September 2024 and March 2025, predominantly targeting Israeli organizations in critical infrastructure, engineering, transportation, utilities, and local government, as well as a single technology target in Egypt.
Lastly, within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, security researchers observed active exploitation attempts from several China-nexus threat groups, including Earth Lamia and an adversary referred to as Jackpot Panda.
Weekly Threats is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.
The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.
Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with valuable information to anticipate attacks and understand their impact, while ensuring a reliable partner in the event of a cyber incident.
