Ransomware and phishing in Italy, new Asia-based state-sponsored activity, Cisco and Fortinet 0-days

Italy: new cybercrime attacks
New operations linked to a phishing campaign themed around the renewal of the health insurance card have been identified in Italy, initially reported on January 8, 2026. The theme has proven particularly effective in targeting a broad audience. Specifically, the campaign relies on sending emails informing potential victims of an alleged imminent expiration of the document, urging them to proceed with renewal. The goal is to push targets to provide personal data and, in some cases, to make undue payments via fraudulent links. The attack chain unfolds in two phases: in the first, victims are asked to enter personal information such as first name, last name, email address, and phone number; in the second, not always present, they are prompted to fill in credit card details, justified by an alleged payment for shipping costs.

In addition, an operation themed around the Italian Revenue Agency (Agenzia delle Entrate – AdE), aimed at harvesting users’ SPID digital identity credentials, exploited fraudulent communications inducing potential victims to access their AdE reserved area. Also SPID-themed, a second phishing activity was reported, in which emails with subjects such as “Important: Confirm your SPID data” or “Verification request for your digital identity” invite recipients to access their private area to check and possibly update the data provided for SPID usage via a link in the message. This link redirects users to a fake SPID page hosted on Google Sites. Finally, additional offensives targeted staff at several Italian universities, including the University of Salerno (UNISA) and the University of Bergamo (UniBg).

Turning to the ransomware landscape, Sarcoma claimed on its leak site the compromise of MecMatica S.r.l.; The Gentlemen claimed San Carlo Gruppo Alimentare S.p.A. and Sud Trasporti S.r.l.; LockBit Team claimed Frandent Group S.r.l.; and Qilin Team claimed Colacem S.p.A., Fluorsid S.p.A., and Calzaturificio Casadei S.p.A.
APT: Asia-Pacific operations tracked
A cyber-espionage campaign attributed with moderate confidence to the Chinese actor Mustang Panda and targeting U.S. government entities has been identified, characterized by the use of a backdoor dubbed LOTUSLITE. The attack leverages geopolitical themes related to U.S.–Venezuela relations as lure material for spear phishing operations. The infection vector consists of a ZIP archive named “US now deciding what’s next for Venezuela.zip” containing a renamed legitimate executable (“Maduro to be taken to New York.exe”) and a hidden malicious DLL called kugou.dll. The executable, originally a launcher for a Tencent music streaming service, loads the DLL via DLL side-loading using LoadLibraryW and GetProcAddress.

In the second half of 2025, a campaign by the South Korean group DarkHotel (APT-C-06) was observed using an installer distributed via USB devices to deliver malicious payloads. From a technical and tactical standpoint, the activity represents a direct continuation of operations documented in the first half of the same year. However, unlike the June 2025 attack, this campaign does not employ the payload known as DarkSeal; instead, it reuses a payload already observed in early-2025 operations.

A spear-phishing campaign dubbed Operation Poseidon, attributed to the North Korean actor ScarCruft, abused the redirection mechanisms of legitimate advertising platforms to route victims toward external malware distribution infrastructures, disguising malicious links as legitimate advertising traffic and thereby evading email filters and reputation-based controls.
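The Mustang Panda delivery pattern above (a renamed legitimate executable shipped in a ZIP next to a DLL carrying the hidden attribute) is something a mail gateway or sandbox triage step can flag before the archive reaches a user. The helper below is an added example written for this bulletin, not Telsy's tooling and not the actual sample: it builds a constructed archive in memory using only the file names quoted in the report (the contents are placeholder bytes), then reads each entry's DOS attribute byte from the ZIP central directory, which Windows-created archives populate, and raises a verdict when an executable and a hidden DLL travel together. The function names and the verdict logic are assumptions of this example.

```python
import io
import zipfile

DOS_HIDDEN = 0x02          # FILE_ATTRIBUTE_HIDDEN, stored in the low byte of external_attr
EXEC_EXT = (".exe",)
DLL_EXT = (".dll",)


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP archive for an executable bundled with a hidden DLL.

    Returns a report dict with the executables, DLLs and hidden DLLs seen, plus a
    'suspicious' verdict. The hidden flag is read from the DOS attribute byte that
    Windows archivers record in external_attr; archives built elsewhere may lack it,
    so an exe+dll pair without the flag is reported but not flagged.
    """
    report = {"executables": [], "dlls": [], "hidden_dlls": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            hidden = bool(info.external_attr & DOS_HIDDEN)
            if lower.endswith(EXEC_EXT):
                report["executables"].append(name)
            elif lower.endswith(DLL_EXT):
                report["dlls"].append(name)
                if hidden:
                    report["hidden_dlls"].append(name)
    # Verdict (assumption of this example): executable + hidden DLL in one archive
    # matches the side-loading delivery described in the report.
    if report["executables"] and report["hidden_dlls"]:
        report["suspicious"] = True
    return report


def build_sample_archive() -> bytes:
    """Constructed lure-shaped archive: names from the report, placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Maduro to be taken to New York.exe", b"placeholder, not a real binary")
        dll = zipfile.ZipInfo("kugou.dll")
        dll.external_attr = DOS_HIDDEN   # hidden attribute as a Windows-built ZIP records it
        zf.writestr(dll, b"placeholder, not a real binary")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed benign archive for comparison: documents only, nothing hidden."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("agenda.pdf", b"placeholder")
        zf.writestr("notes.txt", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_archive()))
    print(triage_zip(build_benign_archive()))
```

Because the verdict keys on a structural property of the archive rather than on the specific file names, the same check generalizes to other side-loading lures; the named entries here only serve as the constructed test case.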
Cisco and Fortinet: vulnerabilities exploited ITW
Cisco released security advisories for several vulnerabilities, including a 0-day exploited in the wild. Tracked as CVE-2026-20045 (CVSS 8.2), the flaw could allow an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of an affected device. Specifically, the issue stems from improper validation of user-supplied input in HTTP requests. An attacker could exploit the vulnerability by sending a crafted sequence of HTTP requests to the web-based management interface of an impacted device. Successful exploitation could allow the threat actor to gain user-level access to the underlying operating system and subsequently escalate privileges to root. On January 21, 2026, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and instructed U.S. Federal Civilian Executive Branch (FCEB) agencies to remediate it by February 11, 2026.

Fortinet customers are experiencing attack attempts exploiting a patch bypass for the critical FortiGate authentication vulnerability CVE-2025-59718, previously addressed, in order to compromise fully updated firewalls. One affected administrator stated that Fortinet confirmed the latest FortiOS version (7.4.10) does not fully remediate the flaw, which was supposed to be fixed in early December with the release of FortiOS 7.4.9. Moreover, starting January 15, 2026, security researchers began observing a new cluster of automated malicious activity involving unauthorized changes to FortiGate firewall configurations. This activity included the creation of generic persistence accounts, configuration changes granting VPN access to those accounts, and exfiltration of firewall configurations. While the parameters of initial access have not yet been fully confirmed, the current campaign shows similarities to activity described in December 2025 related to CVE-2025-59718 and CVE-2025-59719.
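The FortiGate activity described above leaves a footprint in the device configuration itself: new accounts, and those accounts being given VPN access. Comparing a known-good configuration backup against the current one surfaces exactly those changes. The script below is an added example written for this bulletin, not Fortinet's or Telsy's code: it parses the FortiOS CLI `config`/`edit`/`set`/`next`/`end` layout into a tree and reports entries added to the administrator, local-user and SSL-VPN authentication-rule sections plus new members of any user group. The two configuration snippets are constructed samples (account names, group names and rule numbers are invented), and the section names watched are an assumption of this example, chosen to match the persistence behaviour the report describes.

```python
import shlex


def parse_fortios_config(text: str) -> dict:
    """Minimal parser for the FortiOS CLI config/edit/set/next/end format.

    Returns {section_path: {entry_name: {key: (values...)}}}. Settings placed directly
    under a 'config' block with no 'edit' are stored under the entry name None, and
    nested blocks are keyed 'section/subsection' or 'section/entry/subsection'.
    """
    tree: dict = {}
    stack: list = []  # frames of [section_path, current_entry_or_None]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            name = line[len("config "):]
            if stack:
                parent_path, parent_entry = stack[-1]
                path = f"{parent_path}/{parent_entry}/{name}" if parent_entry else f"{parent_path}/{name}"
            else:
                path = name
            stack.append([path, None])
            tree.setdefault(path, {})
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            stack[-1][1] = entry
            tree[stack[-1][0]].setdefault(entry, {})
        elif line.startswith("set "):
            key, *values = shlex.split(line[len("set "):])  # handles quoted values
            path, entry = stack[-1]
            tree[path].setdefault(entry, {})[key] = tuple(values)
        elif line == "next":
            stack[-1][1] = None
        elif line == "end":
            stack.pop()
    return tree


# Sections whose newly added entries are worth an alert (assumption of this example).
WATCHED_SECTIONS = (
    ("system admin", "new administrator account"),
    ("user local", "new local user"),
    ("vpn ssl settings/authentication-rule", "new SSL-VPN authentication rule"),
)


def detect_persistence_changes(baseline: str, current: str) -> list:
    """Diff two FortiOS configs and list account/VPN-access additions as findings."""
    before = parse_fortios_config(baseline)
    after = parse_fortios_config(current)
    findings = []
    for section, label in WATCHED_SECTIONS:
        added = set(after.get(section, {})) - set(before.get(section, {}))
        for name in sorted(n for n in added if n is not None):
            findings.append(f"{label}: {name}")
    # A user added to an existing group is how VPN access is commonly granted.
    for group, attrs in after.get("user group", {}).items():
        if group is None:
            continue
        old_members = set(before.get("user group", {}).get(group, {}).get("member", ()))
        for member in sorted(set(attrs.get("member", ())) - old_members):
            findings.append(f"new member of group {group}: {member}")
    return findings


# Constructed sample configurations (not captured from a real device).
BASELINE_CONFIG = """
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config user local
    edit "alice"
        set type password
    next
end
config user group
    edit "SSLVPN_Users"
        set member "alice"
    next
end
config vpn ssl settings
    set port 443
    config authentication-rule
        edit 1
            set groups "SSLVPN_Users"
            set portal "full-access"
        next
    end
end
"""

CURRENT_CONFIG = """
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "support"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config user local
    edit "alice"
        set type password
    next
    edit "svc_backup"
        set type password
    next
end
config user group
    edit "SSLVPN_Users"
        set member "alice" "svc_backup"
    next
end
config vpn ssl settings
    set port 443
    config authentication-rule
        edit 1
            set groups "SSLVPN_Users"
            set portal "full-access"
        next
        edit 2
            set groups "SSLVPN_Users"
            set portal "full-access"
        next
    end
end
"""

if __name__ == "__main__":
    for finding in detect_persistence_changes(BASELINE_CONFIG, CURRENT_CONFIG):
        print(finding)
```

Run against the constructed pair, the diff reports the added `support` administrator, the `svc_backup` local user, a second SSL-VPN authentication rule, and `svc_backup` joining `SSLVPN_Users`; the same comparison against a backup taken before January 15 is the check an administrator would want for the activity window the report names.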
Weekly Threats is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.
The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.
Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with valuable information to anticipate attacks and understand their impact, while ensuring a reliable partner in the event of a cyber incident.