Phishing and ransomware in Italy, notified data breaches, new spyware attacks

Weekly Threats by Telsy

Italy: cybercrime operations across the peninsula

A resurgence of activity linked to a thread hijacking campaign documented in December 2025 has recently been identified. The campaign targets organizations based in Italy and is aimed at carrying out Business Email Compromise (BEC) financial fraud. Early technical evidence confirmed the compromise of corporate email inboxes through the delivery of a phishing email. The message, characterized by mainly text-based content, refers to an alleged financial report to review. By clicking the link in the message body, the recipient is redirected to a login landing page that reproduces Microsoft Outlook Web logos and visual elements. At this stage, the victim is first asked to enter login credentials and then to provide an OTP code obtained via SMS or through a legitimate authentication app. At the end of the procedure, no file or document is delivered; instead, an error message is displayed, an element that may lead the user to downplay what happened.

Once access to the compromised mailbox has been obtained, the adversary does not act immediately, but instead analyzes the communication content to identify any ongoing business exchanges. Leveraging this context, the attacker uses Email Thread Hijacking techniques, inserting themselves into legitimate conversations between the organization and its customers or partners.

In addition, the following were identified: a new INPS-themed smishing activity aimed at stealing documents and personal data; and the distribution of an infostealer called VIPKeyLogger.

Moving to the ransomware landscape, INC RANSOM Team claimed on its leak site the compromise of Bitgo S.r.l.; NightSpire claimed ATI S.r.l.; DragonForce Team claimed Wipro Ferretto S.r.l.; Akira Team claimed Icat Food S.p.A. and iSMA CONTROLLI S.p.A.; Qilin Team claimed Casartigiani – Confederazione Autonoma Sindacati Artigiani and ABAR S.p.A.; The Gentlemen claimed SEAC S.p.A.; and Space Bears claimed Elgon Cosmetics.
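
The thread hijacking step described above leaves a signal on the receiving side: a reply that lands in an existing conversation but comes from a domain that never took part in it, often a lookalike of a real participant's domain. The script below is an added, defender-side example, not Telsy's tooling or anything from the campaign itself; the three messages it parses are constructed samples, and the 0.8 similarity threshold for calling a domain a lookalike is an assumed tuning value.

```python
"""Flag replies that join an existing email thread from a domain not seen
among the thread's earlier participants (a heuristic for email thread
hijacking). Added example with constructed sample messages; the similarity
threshold is an assumed value, not one taken from the report."""
from email import message_from_string
from email.utils import getaddresses, parseaddr
import difflib

# Constructed sample mailbox: a legitimate two-party exchange, followed by a
# reply injected from a lookalike domain (example-c0rp.it vs example-corp.it).
SAMPLE_MESSAGES = [
"""From: Anna Rossi <anna.rossi@example-corp.it>
To: Paolo Bianchi <paolo@partner-example.it>
Subject: Invoice 2026-0142
Message-ID: <m1@example-corp.it>

Hi Paolo, please find the invoice attached.
""",
"""From: Paolo Bianchi <paolo@partner-example.it>
To: Anna Rossi <anna.rossi@example-corp.it>
Subject: Re: Invoice 2026-0142
Message-ID: <m2@partner-example.it>
In-Reply-To: <m1@example-corp.it>
References: <m1@example-corp.it>

Received, payment scheduled for Friday.
""",
"""From: Anna Rossi <anna.rossi@example-c0rp.it>
To: Paolo Bianchi <paolo@partner-example.it>
Subject: Re: Invoice 2026-0142
Message-ID: <m3@example-c0rp.it>
In-Reply-To: <m2@partner-example.it>
References: <m1@example-corp.it> <m2@partner-example.it>

Paolo, our bank details changed, please use the new IBAN below.
""",
]


def sender_domain(msg):
    """Domain part of the From address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def participant_domains(msg):
    """All domains appearing in From, To and Cc of one message."""
    headers = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.rpartition("@")[2].lower() for _, addr in getaddresses(headers) if "@" in addr}


def thread_root(msg):
    """Identify the thread by the first Message-ID in References, falling back
    to In-Reply-To, and finally to the message's own Message-ID."""
    refs = msg.get("References", "").split()
    if refs:
        return refs[0]
    return msg.get("In-Reply-To") or msg.get("Message-ID")


def find_hijack_candidates(raw_messages, similarity=0.8):
    """Process messages in delivery order and return a list of
    (message_id, sender_domain, known_domains, reason) for every reply whose
    sender domain was not already a participant in that thread."""
    known = {}  # thread root -> set of participant domains seen so far
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        root = thread_root(msg)
        seen = known.setdefault(root, set())
        domain = sender_domain(msg)
        # Only replies into a thread we have already observed are checked.
        if msg.get("In-Reply-To") and seen and domain not in seen:
            closest = max(seen, key=lambda d: difflib.SequenceMatcher(None, d, domain).ratio())
            ratio = difflib.SequenceMatcher(None, closest, domain).ratio()
            reason = f"lookalike of {closest}" if ratio >= similarity else "new domain joined thread"
            findings.append((msg["Message-ID"], domain, sorted(seen), reason))
        seen |= participant_domains(msg)
    return findings


if __name__ == "__main__":
    for message_id, domain, seen, reason in find_hijack_candidates(SAMPLE_MESSAGES):
        print(f"{message_id}: sender {domain} not among {seen} ({reason})")
```

On the constructed mailbox only the third message is reported, as a lookalike of example-corp.it. The heuristic is deliberately one-sided: it catches the injected reply when the attacker writes from a domain they control, but a message sent directly from the compromised mailbox carries the genuine domain and passes, which is why it complements, rather than replaces, controls on the mailbox side such as phishing-resistant authentication and review of newly created inbox rules.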


Breach: violations across the public sector, fintech, and transport

The French Ministry of the Economy disclosed that an attacker obtained unauthorized access to the Fichier national des comptes bancaires et assimilés (FICOBA), the national database that indexes all bank accounts opened at French institutions, exposing 1.2 million bank accounts. Starting in late January 2026, the adversary used stolen credentials belonging to an authorized official as part of information exchanges between ministries to access a portion of the database containing personal data, including bank account details (RIB/IBAN), account holder identity, address, and, in some cases, tax identifier.

Figure Technology Solutions, a fintech founded in 2018 and described as operating on the Provenance blockchain for lending and home equity services, with more than $22 billion in home equity originated through over 250 partners, confirmed a breach affecting approximately 967,200 accounts. According to reports, data referring to January 2026 and later published online include email addresses, names, phone numbers, physical addresses, and dates of birth. Access to the company’s systems was reportedly obtained through social engineering after an employee was tricked into providing it. Responsibility was claimed by the extortion group ShinyHunters, which published 2.5 GB of alleged data on its leak site. The attacker also claimed similar operations against several organizations including Canada Goose, Panera Bread, Betterment, SoundCloud, CrowdStrike, and Match Group (owner of Tinder, Hinge, Meetic, Match[.]com, and OkCupid).

Eurail B.V., the operator providing access to 250,000 kilometers of European railways, confirmed that data stolen following a breach earlier this year were put up for sale in underground environments. The company stated that an adversary also published a sample of the data on the Telegram messaging platform, but it is still determining the type of records and the number of customers involved.


Spyware: activity identified against Angolan and Kenyan targets

A new investigation by Amnesty International’s Security Lab found that in 2024 Intellexa’s Predator spyware was used to compromise the phone of Teixeira Cândido, a prominent Angolan journalist, press freedom activist, lawyer, and former secretary-general of the Angolan Journalists’ Union (SJA). From April 29 to June 16, 2024, during his final months as secretary-general of the SJA, Cândido received a series of WhatsApp messages on his iPhone from an unknown Angolan number. The sender used a common Angolan name and pretended to be part of a group of students interested in the country’s social and economic affairs. After an initial period dedicated to building trust, the adversary sent the first malicious link on May 3, designed to infect the journalist’s phone with Predator. This pattern continued for weeks, with the attacker sending additional malicious links, each of which pretended to lead to news articles and seemingly legitimate websites. Further messages encouraged him to open the links. On May 4, 2024, the journalist appears to have opened a malicious link, which would have led to infection with the spyware, enabling unrestricted access to his device.

In addition, an investigation by Citizen Lab revealed the use by Kenyan authorities of a commercial forensic extraction tool produced by the Israeli company Cellebrite against the Samsung Android phone of Boniface Mwangi, a prominent dissident voice, activist, and Kenyan politician who has announced his intention to run in Kenya’s 2027 presidential election.

Weekly Threats Report is Telsy’s weekly update featuring the main developments on cyber attacks and threat actors worldwide, produced by our Threat Intelligence & Response team.

The team is composed of analysts and security researchers with technical and investigative skills and internationally recognized experience.

Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with useful information to anticipate attacks and understand their scope, with the support of a trusted partner in the event of a cyber incident.

Learn more about our Cyber Threat Intelligence solution.