Phishing and ransomware in Italy, offensives hit the West, new 0-days disclosed

Weekly Threats by Telsy

Italy: cybercrime activity across the country

A new Polizia di Stato–themed phishing campaign has been tracked in Italy. As observed in previous cases, the email abuses the name and logo of the Italian State Police to steal email credentials. The malicious page used in the operation, built with Webflow, leverages an API of the same service to transmit the stolen data.

In addition, an operation aimed at stealing PayPal account credentials from potential victims has been detected. The email notifies the recipient of an alleged anomalous transaction and urges them to click a link to cancel it. The link redirects the target to a specially crafted portal displaying an authentication form resembling the official PayPal login page, where users are prompted to enter their email address and password. If the user proceeds, a one-time password (OTP) is requested. At the first attempt, an error message is displayed along with a request to re-enter the code. If the requested data are provided, a new page confirms the successful completion of the operation and presents a link to view the “account summary.” Clicking this link redirects the user to the official PayPal website.

Finally, a new INPS-themed smishing campaign currently underway has targeted several individuals. As in previous operations, potential victims receive an SMS containing a link leading to a malicious page that mimics the official website of the National Social Security Institute and is accessible only from mobile devices. Once the fake page is opened, in addition to personal details and IBAN information, targets are asked to upload identity documents.

Turning to the ransomware landscape, Medusa Team claimed on its leak site the compromise of Callipo Group S.r.l.; Sinobi claimed AIRCOND S.r.l. and Fhiaba S.r.l.; and a group named MS13089 claimed Studio DGP Dottori Commercialisti.


West: attack in France and new APT operations

On Friday, 12 December 2025, French Minister of the Interior Laurent Nuñez confirmed that the email servers of the Ministry of the Interior had been targeted by a cyberattack detected overnight between Thursday 11 and Friday 12 December 2025. An investigation is ongoing to determine the full extent of the breach and identify those responsible. According to Nuñez, an attacker gained access to a number of files, although there is currently no evidence of serious compromise. In response to the incident, the Ministry implemented standard protective measures, strengthened security protocols, and reinforced access controls to the information systems used by ministerial staff. Following the attack, French authorities arrested a suspect born in 2003. In parallel with the breach, the underground forum BreachForums was relaunched, with one of its administrators publicly claiming responsibility for the attack in a post. Although the claim has not been verified, the post states that the Ministry was targeted to avenge the arrest of several friends, likely referring to the 2025 arrests of five BreachForums moderators and administrators.

In addition, security researchers identified and disrupted a multi-year, Russian state-sponsored campaign that, between 2021 and 2025, targeted Western critical infrastructure, with a particular focus on the energy sector. The activity was attributed with high confidence to the Main Intelligence Directorate (GRU), highlighting infrastructural overlaps with Sandworm and Curly COMrades. These overlaps suggest complementary operations within a broader GRU campaign, with a potential operational split whereby one cluster focuses on network access and initial compromise, while another handles host-based persistence and evasion.

Finally, in recent months, a new wave of attacks attributed to the Chinese threat actor Earth Alux has been identified. The actor has expanded its operational scope to new regions, showing increased focus on government targets in Europe, alongside continued activity in Southeast Asia and South America.


0-day: ITW exploitation of flaws in Cisco, SonicWall, Apple, and Google

On 10 December 2025, Cisco became aware of a new campaign exploiting a 0-day vulnerability targeting a limited subset of devices with specific exposed ports running Cisco AsyncOS for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. Tracked as CVE-2025-20393 (CVSS 10.0), the flaw is an Improper Input Validation vulnerability that allows arbitrary command execution with root privileges on the underlying operating system of affected devices. Ongoing investigations revealed the presence of a persistence mechanism implemented by the attacker to maintain a degree of control over compromised devices. With moderate confidence, the attacker—tracked as UAT-9686—is believed to be a Chinese APT. The activity, dating back at least to late November 2025, enables the adversary to execute system-level commands and deploy a Python-based threat dubbed AquaShell.

SonicWall released advisory SNWLID-2025-0019 to disclose a 0-day vulnerability exploited in the wild affecting SMA1000, specifically its Appliance Management Console (AMC). Identified as CVE-2025-40602 (CVSS 6.6), the flaw is classified as Missing Authorization and Execution with Unnecessary Privileges. Specifically, it is a Local Privilege Escalation caused by insufficient authorization in the AMC. The vendor reported that the vulnerability was exploited in combination with CVE-2025-23006 (CVSS 9.8) to achieve unauthenticated remote code execution with root privileges.

Finally, Apple released operating system updates to address several vulnerabilities, including the following two 0-days exploited in the wild: CVE-2025-43529, a Use After Free, and CVE-2025-14174, a Memory Corruption issue. Apple stated that it is aware of reports indicating that these two issues may have been exploited in an extremely sophisticated attack against specific individuals on versions of iOS prior to iOS 26. Last week, Google patched a 0-day initially tracked as ID 466192044; it later updated the advisory to identify the flaw as CVE-2025-14174—the same identifier assigned by Apple, indicating coordinated disclosure between the two companies—and described it as an Out-of-bounds Memory Access in ANGLE.

All of the vulnerabilities described above have been added to CISA’s KEV catalog.
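As an added example (not part of Telsy's bulletin), a short Python triage script that cross-checks the CVEs named in this section against a local copy of CISA's KEV catalog in its published JSON layout, ranking them by remediation due date and flagging any that a stale snapshot does not yet list. The catalog excerpt below is constructed for the example: its dates are placeholders, not the real KEV rows, and it deliberately omits two of the bulletin's CVEs.

```python
import json
from datetime import date

# CVEs named in this week's bulletin (taken from the text above).
BULLETIN_CVES = ["CVE-2025-20393", "CVE-2025-40602", "CVE-2025-23006",
                 "CVE-2025-43529", "CVE-2025-14174"]

# Constructed excerpt in the layout of CISA's known_exploited_vulnerabilities.json.
# Dates are placeholders for this example, not the real catalog rows, and the
# snapshot is deliberately incomplete so that the "not yet listed" path is exercised.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-20393", "vendorProject": "Cisco", "product": "AsyncOS",
         "dateAdded": "2025-12-17", "dueDate": "2025-12-19"},
        {"cveID": "CVE-2025-40602", "vendorProject": "SonicWall", "product": "SMA1000",
         "dateAdded": "2025-12-17", "dueDate": "2026-01-07"},
        {"cveID": "CVE-2025-14174", "vendorProject": "Google", "product": "ANGLE",
         "dateAdded": "2025-12-16", "dueDate": "2026-01-06"},
    ],
})


def triage(kev_json, cves, today):
    """Return (matched, missing): catalog rows for the requested CVEs sorted by
    soonest remediation due date, plus the CVEs absent from this snapshot."""
    catalog = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    matched, missing = [], []
    for cve in cves:
        row = catalog.get(cve)
        if row is None:          # not (yet) in this copy of the catalog: re-check later
            missing.append(cve)
            continue
        due = date.fromisoformat(row["dueDate"])
        matched.append({"cve": cve, "vendor": row["vendorProject"],
                        "product": row["product"], "due": due,
                        "days_left": (due - today).days, "overdue": due < today})
    matched.sort(key=lambda r: r["due"])   # most urgent first
    return matched, missing


def demo(today=date(2025, 12, 18)):
    """Run the triage for the bulletin's CVEs on a fixed date so results are stable."""
    return triage(KEV_SAMPLE, BULLETIN_CVES, today)


if __name__ == "__main__":
    rows, absent = demo()
    for r in rows:
        state = "OVERDUE" if r["overdue"] else f"{r['days_left']} day(s) left"
        print(f"{r['cve']}  {r['vendor']:<10}{r['product']:<10}due {r['due']}  {state}")
    print("Not in this KEV snapshot:", ", ".join(absent) or "none")
```

Point `triage` at the real catalog file downloaded from CISA to reproduce the bulletin's statement that all five CVEs are listed; an entry in `missing` means the local copy is out of date.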



Weekly Threats is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.

The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.

Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with valuable information to anticipate attacks and understand their impact, while serving as a reliable partner in the event of a cyber incident.
