Updates in cybercrime, the latest from Italy, several ITW exploits emerged
Cybercrime: several global campaigns reported
A group called UNC6692 conducted a multi-stage intrusion campaign – based on social engineering techniques and a modular suite of custom malware called SNOW – targeting corporate systems by impersonating IT department or helpdesk employees. After flooding victims with a substantial volume of emails, the adversary contacted them via Microsoft Teams posing as a customer support representative offering help with the volume of spam received. The link provided did not install the promised antispam protection (which never existed); instead it launched the infection chain built on the aforementioned suite: SNOWBELT, a JavaScript backdoor; SNOWGLAZE, a Python WebSocket tunneler hosted on Heroku; and SNOWBASIN, a Python bindshell for remote command execution, screenshot capture and file exfiltration.

Security researchers have detected a new wave of the campaign distributing the GlassWorm malware, which is targeting the Open VSX ecosystem – an open-source registry for Visual Studio Code extensions, managed by the Eclipse Foundation, which serves as an alternative to Microsoft’s official marketplace – with 73 new sleeper extensions. The observed extensions appear to be clones or impersonations of highly popular legitimate extensions, exactly replicating name, icon, description and README to gain trust and accumulate installations before being activated with malicious code. Once a sufficient number of downloads had been reached, six of these extensions were updated to deliver the malware.

A campaign dubbed Mini Shai-Hulud targeted the supply chain of official npm packages linked to the SAP Cloud Application Programming Model (CAP) ecosystem and the Cloud MTA Build Tool. The initial compromise presumably stemmed from the exposure of an npm token in the logs of a CircleCI environment associated with an SAP repository.
The cross-platform RaaS VECT (now renamed VECT 2.0) – recently used in the TeamPCP group’s supply-chain campaigns – has a critical flaw in its encryption implementation that leads to the permanent destruction of all files larger than 128 KB. The issue, which effectively turns the threat into a wiper, is present in all publicly available versions.
Italy: phishing, ransomware and data for sale in the underground
In Italy, phishing activities and ransomware attacks against several organizations have been tracked. In detail, a phishing campaign targeting students and staff of the University of Naples Federico II was detected, which leveraged a fraudulent web page (generated via Weebly) to display a fake login form through which cybercriminals aim to exfiltrate institutional credentials. The same adversary is presumably also responsible for another similar operation targeting students and staff of the University of Palermo, again aimed at collecting institutional credentials through a fraudulent page created with Weebly.

In the ransomware landscape, a group called M3RX claimed the compromise of Rotak S.r.l.; Qilin Team of Leone Film Group S.p.A., Antica Sartoria S.r.l. and Abazia S.p.A.; INC RANSOM Team of SELEX Gruppo Commerciale S.p.A.; and Nova of Reschio, a company in the hospitality sector.

Finally, a user of a popular underground forum, known as “zestix”, put up for sale, at the price of 0.085 BTC (about 5,600 euros), more than 187 GB of files associated with Gruppo CAP (CAP Holding S.p.A.), an Italian water and sewerage management company serving the Milan metropolitan area and surrounding territories. The offered package includes 533,313 files concerning project information related to connection survey and testing activities financed by the national PNRR program.
Vulnerabilities: critical flaws exploited ITW emerged at the end of April 2026
In the last days of April 2026, several critical vulnerabilities with active ITW exploitation emerged.

A severe Authentication Bypass, tracked as CVE-2026-41940 (CVSS 9.8) and caused by CRLF Injection in the login and session loading processes, affects all supported versions of cPanel & WHM (from 11.40 onward) and WP Squared; attacks have been ongoing since at least February 23, 2026. cPanel released emergency patches for versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, 11.136.0.5 and WP Squared 136.1.7, while providers such as Namecheap and Hostgator temporarily blocked access to the panels.

CISA added to the KEV catalog, following confirmed exploitation, CVE-2024-7399 (Samsung MagicINFO 9 Server – Path Traversal and Unrestricted File Upload), CVE-2024-57726 and CVE-2024-57728 (SimpleHelp – Missing Authorization and Path Traversal, used to distribute Sliver) and CVE-2025-29635 (D-Link DIR-823X – Command Injection), with a remediation deadline of May 8, 2026 for US Federal Civilian Executive Branch (FCEB) Agencies.

GitHub made public CVE-2026-3854 (CVSS 8.8), which allows RCE through a single git push due to lack of sanitization of push options; the vulnerability affects GitHub[.]com and GitHub Enterprise Server up to 3.19.1, with on-premise patches released on March 10, 2026.

Microsoft confirmed ITW exploitation of CVE-2026-32202 (Protection Mechanism Failure in Windows Shell), resulting from an incomplete patch of CVE-2026-21510 and linked to a Sofacy (APT28) campaign in December 2025 against Ukraine and the EU, which enables network spoofing and disclosure of sensitive information through malicious files.
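The cPanel & WHM patch list above is per release branch, so a fleet check has to compare each host's version against the fix for its own branch rather than against a single number. The following script is an added example, not part of the Telsy report or of cPanel's own tooling: it copies the patched versions stated above into a table, parses version strings, and classifies each host. The branch-matching rule (a version is fixed if it is in a listed branch and at or above that branch's patched build; unlisted branches from 11.40 upward are flagged for vendor confirmation) and the host inventory are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Patched cPanel & WHM builds as listed in the CVE-2026-41940 summary above,
# keyed by release branch (first two version components).
PATCHED_CPANEL: Dict[Tuple[int, int], Version] = {
    (11, 86): (11, 86, 0, 41),
    (11, 110): (11, 110, 0, 97),
    (11, 118): (11, 118, 0, 63),
    (11, 126): (11, 126, 0, 54),
    (11, 130): (11, 130, 0, 19),
    (11, 132): (11, 132, 0, 29),
    (11, 134): (11, 134, 0, 20),
    (11, 136): (11, 136, 0, 5),
}
# WP Squared fix listed in the same summary.
PATCHED_WPSQUARED: Version = (136, 1, 7)
# The summary states all supported versions from 11.40 onward are affected.
AFFECTED_FROM: Version = (11, 40)


def parse_version(text: str) -> Version:
    """Extract the leading dotted-integer version from a string such as
    '11.126.0.54' or '11.126.0.54 (RELEASE)'. Raises ValueError otherwise."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def cpanel_assessment(version: str) -> str:
    """Classify a cPanel & WHM version against the patch table.
    Tuple comparison handles short strings: (11, 86, 0) < (11, 86, 0, 41)."""
    v = parse_version(version)
    if len(v) < 2 or v[0] != 11:
        return "unknown"  # not a recognisable cPanel & WHM version string
    if v < AFFECTED_FROM:
        return "outside-affected-range"
    fix = PATCHED_CPANEL.get((v[0], v[1]))
    if fix is None:
        # Assumption: a branch with no listed build needs vendor confirmation.
        return "vulnerable-no-fix-listed"
    return "patched" if v >= fix else "vulnerable"


def wpsquared_assessment(version: str) -> str:
    """Classify a WP Squared version against the single listed fix."""
    v = parse_version(version)
    return "patched" if v >= PATCHED_WPSQUARED else "vulnerable"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, status) for every host that still needs action.
    inventory rows: (hostname, product, version); product is 'cpanel' or 'wpsquared'."""
    needs_action = []
    for host, product, version in inventory:
        status = cpanel_assessment(version) if product == "cpanel" else wpsquared_assessment(version)
        if status not in ("patched", "outside-affected-range"):
            needs_action.append((host, status))
    return needs_action


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("web01.example.test", "cpanel", "11.126.0.54"),
    ("web02.example.test", "cpanel", "11.126.0.50"),
    ("web03.example.test", "cpanel", "11.120.0.10 (RELEASE)"),
    ("web04.example.test", "cpanel", "11.136.0.5"),
    ("wp01.example.test", "wpsquared", "136.1.6"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Running the script prints only the hosts that still need action; feeding it a real inventory export is a matter of replacing `SAMPLE_INVENTORY`. Because the table is copied from a news summary, confirm the branch list against the vendor's own advisory before acting on the "vulnerable-no-fix-listed" results.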
Weekly Threats Report is Telsy’s weekly update featuring the main developments on cyber attacks and threat actors worldwide, produced by our Threat Intelligence & Response team.
The team is composed of analysts and security researchers with technical and investigative skills and internationally recognized experience.
Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with useful information to anticipate attacks and understand their scope, with the support of a trusted partner in the event of a cyber incident.
