Recent attacks in Italy, new malware developments, Ukraine hit by malicious campaigns

Weekly Threats for Telsy

Italy: New offensives hit the country

The Israeli-made spyware Graphite, developed by Paragon Solutions, has reportedly infected the devices of Italian businessman Francesco Gaetano Caltagirone and UniCredit CEO Andrea Orcel. Both figures play key roles in the ongoing restructuring of Italy’s banking system. According to reports, the spyware was deployed through zero-click attacks, exploiting a WhatsApp vulnerability in Caltagirone’s case and an iMessage flaw in Orcel’s. The entrepreneur was unknowingly added to a chat with familiar contacts where a PDF file carrying the malware was shared. At this time, the identity of those behind the attacks remains unknown.

On the phishing front, new campaigns have been detected. One targets Lombardy region residents through fake emails impersonating a debt collection agency, claiming unpaid healthcare services. This operation appears linked to a cyberattack against Paziente Consapevole, a private healthcare platform used by Lombardy general practitioners and managed by Murex Software, which allegedly led to the compromise of patients’ personal and medical data. Regional government systems were not affected. Additionally, a campaign is exploiting the rollout of the new Entry/Exit System (EES), designed to record personal information of non-EU and non-Schengen citizens entering Italy for short stays: a fraudulent domain mimicking the official website lures users into submitting their surname and document number. Fake Zimbra login pages hosted on Weebly have also been found, targeting the credentials of Tuscany regional government and Local Health Authority (ASL) employees.

Among ransomware groups, Qilin Team claimed responsibility for breaching Valtorta – Raising S.r.l., a manufacturer of lifting and mechanical transport systems, while DragonForce Team claimed the compromise of Autorotor S.r.l., an industrial automation machinery company. A group called The Gentlemen also claimed to have breached ICET Studios S.r.l., a Cologno Monzese (Milan)-based firm active in film, advertising, and large event productions. Finally, utilities Sorgenia and Dolomiti Energia notified customers of a data breach following a cyberattack that may have involved a shared service provider.
Malware: Multiple campaigns tracked

Researchers detected an operation leveraging the Astaroth banking trojan to target several Latin American countries, with potential expansion to Italy and Portugal, using GitHub repositories to enhance C2 infrastructure resilience. In late September 2025, a new backdoor dubbed ChaosBot emerged, capable of reconnaissance and arbitrary command execution via Discord as a C2 channel. Its distribution relied on compromised Cisco VPN credentials, a privileged Active Directory account, and phishing emails containing a PDF lure themed around the State Bank of Vietnam. The Malware-as-a-Service (MaaS) platform Stealit began exploiting Node.js Single Executable Application (SEA) functionality to deliver its payloads. Advertised as a Remote Access Trojan (RAT), it exfiltrates data, executes commands, controls webcams, monitors screens in real time, and includes ransomware modules for Android and Windows. A malware called PhantomVAI Loader was observed delivering infostealers such as AsyncRAT, XWorm, FormBook, and Dark Crystal RAT through a multi-stage, evasive infection chain initiated via emails containing obfuscated JavaScript/VBS attachments. Lastly, a group identified as TA585 distributed an advanced MaaS platform named MonsterV2, functioning as a RAT, stealer, and loader. Its architecture includes a wide set of C2 commands (terminate or suspend processes, take screenshots, start keyloggers, manipulate and exfiltrate files, shut down or force crashes, and establish HVNC connections). It also incorporates geo-fencing mechanisms to prevent infections within CIS countries.
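The Stealit item above notes that the payload is packaged with Node.js Single Executable Application (SEA) support. Node.js builds SEA binaries by injecting an application blob into a copy of the node runtime and flipping a documented "fuse" string inside the executable from `:0` to `:1`, so the presence of a flipped fuse is a cheap triage signal that a binary is a packaged Node.js application rather than a plain runtime. The following Python is an added example written for this report, not tooling from Telsy or from any of the vendors cited; the fuse string is the one published in the Node.js SEA documentation, and the sample byte strings are constructed stand-ins for real binaries.

```python
"""Triage heuristic: does a binary carry an injected Node.js SEA blob?"""
import sys

# Fuse string published in the Node.js SEA documentation. A plain node binary
# ships with the fuse ending in ":0"; the postject injection step rewrites
# the trailing digit to "1" once an application blob has been embedded.
SEA_FUSE_PREFIX = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2:"


def classify_sea(data: bytes) -> str:
    """Classify raw executable bytes.

    Returns 'sea'   if the fuse is present and flipped (blob injected),
            'node'  if the fuse is present but unflipped (plain runtime),
            'other' if no fuse string is found at all.
    """
    idx = data.find(SEA_FUSE_PREFIX)
    if idx == -1:
        return "other"
    flag_pos = idx + len(SEA_FUSE_PREFIX)
    flag = data[flag_pos:flag_pos + 1]
    if flag == b"1":
        return "sea"
    if flag == b"0":
        return "node"
    return "other"


def scan_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through classify_sea without loading it whole.

    The last (fuse length) bytes of each chunk are carried over so a fuse
    that straddles a chunk boundary is still matched.
    """
    window = len(SEA_FUSE_PREFIX) + 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk_size)
            if not buf:
                return "other"
            verdict = classify_sea(tail + buf)
            if verdict != "other":
                return verdict
            tail = buf[-(window - 1):]


# Constructed samples (labelled as such): a fake PE header, padding, and the
# fuse in each of its states. These are NOT bytes from any real binary.
SAMPLE_SEA = b"MZ\x90\x00" + b"\x00" * 64 + SEA_FUSE_PREFIX + b"1" + b"\x00" * 64
SAMPLE_NODE = b"MZ\x90\x00" + b"\x00" * 64 + SEA_FUSE_PREFIX + b"0" + b"\x00" * 64
SAMPLE_OTHER = b"MZ\x90\x00" + b"\x00" * 128


def main(argv: list) -> None:
    if len(argv) > 1:
        # Usage: python sea_check.py <file> [<file> ...]
        for path in argv[1:]:
            print(f"{path}: {scan_file(path)}")
    else:
        for name, blob in (("SAMPLE_SEA", SAMPLE_SEA),
                           ("SAMPLE_NODE", SAMPLE_NODE),
                           ("SAMPLE_OTHER", SAMPLE_OTHER)):
            print(f"{name}: {classify_sea(blob)}")


if __name__ == "__main__":
    main(sys.argv)
```

A flipped fuse identifies a packaging technique, not malicious intent: legitimate vendors ship SEA-built tools too. In a triage pipeline this verdict is best used to route a sample for deeper inspection (extracting and reviewing the embedded JavaScript, checking code-signing status and file reputation) rather than as a block decision on its own.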
Ukraine: Updates from the Russian-Ukrainian conflict

The Russian APT Sofacy conducted a social engineering campaign delivering a custom malware called ZooFlip to Ukrainian government-linked systems. Victims received messages containing an attachment that, when opened, initiated a multi-stage infection chain using VBA macros to deploy the ZooFlip dropper. Since mid-September 2025, CERT-UA has tracked a cluster labeled UAC-0239, which has targeted Ukraine’s Defense Forces and local government authorities using the OrcaC2 framework and a Telegram-based stealer named FILEMESS. Initial infection occurs through phishing emails sent from Ukr[.]net and Gmail services, exploiting the theme of “combating Russian sabotage and reconnaissance groups” and impersonating Ukraine’s Security Service (SBU). The cyber dimension of the Russia-Ukraine conflict now extends into Poland, where Minister for Digital Affairs Krzysztof Gawkowski stated that Russian military intelligence has launched numerous cyberattacks throughout 2025 due to Poland’s strong support for Kyiv, targeting critical infrastructure essential to daily life: not only water and sewage systems, but also the energy sector.
Weekly Threats Report is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.

The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.

Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with valuable information to anticipate attacks and understand their impact, while ensuring a reliable partner in the event of a cyber incident.