War in Iran and cyber operations, offensive activity in Italy, iOS threats, and phishing campaigns

Weekly Threats Report by Telsy

Iran: cyber offensives linked to the conflict

In the context of the escalation between the United States, Israel, and Iran, the cyber domain continues to represent a relevant operational space, with malicious activity and hacktivist operations observed in parallel with developments on the geopolitical and military fronts. The main cyber activities attributable to known and emerging adversaries concern claims of DDoS attacks by pro-Iranian, pro-Russian, and pro-Palestinian hacktivists against organizations across multiple sectors in Israel, Australia, the USA, Kuwait, the United Arab Emirates, Egypt, Romania, Greece, China, Italy, Cyprus, Morocco, Saudi Arabia, Bahrain, the United Kingdom, Finland, Denmark, Qatar, and France. Among the known hacktivists reported as active were NoName057(16), RuskiNet, Islamic Cyber Resistance – 313 Team, Conquerors Electronic Army, Keymous Plus, BD Anonymous, Hider_Nex, DieNet, Mysterious Team Bangladesh, Dark Storm Team, UniT 313, BABAYO EROR SYSTEM, and KONCO ERROR SYSTEM.

The FBI attributed with high confidence to Iran’s Ministry of Intelligence and Security (MOIS) a malware campaign active since autumn 2023, aimed at Iranian dissidents, journalists critical of Tehran, and opposition organizations globally, resulting in intelligence collection, data leaks, and reputational damage. The FBI linked these attacks to the Handala group and the Homeland Justice group, which is financed by the Iranian state and connected to the Islamic Revolutionary Guard Corps (IRGC). Remaining on the subject of the pro-Iranian hacktivist collective Handala, on March 23, 2026, U.S. multinational Stryker Corporation provided an update on the cyberattack claimed by the group, stating that a malicious file had been identified which was used to execute commands and conceal the adversary’s activities within its systems. The attacker also conducted an operation against Lockheed Martin, a U.S. aerospace and defense company, targeting the company’s American engineers active in Israel on advanced military programs (F-35, F-22, THAAD). In the previous days, pro-Iranian groups had already focused attention on Lockheed Martin: the Telegram channel APT IRAN claimed a supposed mass data exfiltration (unverified), later amplified by the Cyber Fattah Team collective, suggesting a possible narrative alignment and converging interest in the same target within the context of the conflict. Security researchers are also monitoring a newly formed group called Nasir Security, presumably associated with Iran, specializing in attacks against organizations in the Middle Eastern energy sector.


Italy: cybercrime operations on the peninsula

During the past week, several ransomware attacks against Italian targets were tracked. Specifically, LockBit Team claimed on its leak site the compromise of ISOLEDIL; Qilin Team claimed Agencavi S.r.l. and Netalia S.r.l.; and ALP-001 claimed Esprinet S.p.A. The hacktivist collective DieNet instead claimed a DDoS attack against an Automobili Lamborghini portal. In addition, the Papardo Hospital in Messina was hit by a cyberattack that paralyzed terminals, access systems, and the facility’s databases. The SovraCup booking system — responsible for managing appointments and services between hospitals and affiliated private centers — remained offline, with direct repercussions on operational continuity. Management stated that no sensitive data had been stolen, while acknowledging the absence of a certain timeline for full resolution. Finally, on March 23, 2026, a phishing campaign was tracked in Italy exploiting the ChatGPT brand to steal payment card data and security codes. The scheme used represents a form of real-time fraud, particularly dangerous because it reduces the victim’s ability to notice the attack and block the card.


New threats: DarkSword, Coruna, and phishing targeting Signal and WhatsApp

Last week, cybersecurity researchers identified an attack campaign based on an advanced tool called DarkSword. Within a few days, an unknown developer published a new version of it on GitHub, making it freely accessible to anyone. According to Apple’s data, about a quarter of all iPhone and iPad users still use iOS 18 or earlier on their devices. With more than 2.5 billion active devices, this likely amounts to hundreds of millions of people whose devices are vulnerable to DarkSword attacks. Still within the iOS landscape, on March 4, 2026, security researchers identified Coruna, an exploit kit targeting iPhone models, of which an updated version has now been observed. The most relevant changes include more accurate checking of XNU versions; support for iOS 17.2 (which was the latest version at the time of development, released in December 2023); compatibility with Apple’s latest processors — A17, M3, M3 Pro, and M3 Max — and a specific check for iOS 16.5 beta 4, the version in which the vulnerabilities had been fixed. In addition to this updated exploit, Coruna includes four further kernel exploits never seen in Operation Triangulation, two of which were developed after that campaign was discovered. On March 20, 2026, the FBI and CISA jointly published an official statement warning that adversaries linked to Russian Intelligence Services are conducting phishing campaigns targeting users of messaging apps, particularly Signal and WhatsApp, focusing on high-profile individuals such as current or former U.S. government officials, military personnel, political figures, and journalists. The attackers compromised individual accounts, but not the encryption or the applications themselves, and no technical vulnerability appears to have been exploited.



Weekly Threats Report is Telsy’s weekly update featuring the main developments on cyber attacks and threat actors worldwide, produced by our Threat Intelligence & Response team.

The team is composed of analysts and security researchers with technical and investigative skills and internationally recognized experience.

Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with useful information to anticipate attacks and understand their scope, with the support of a trusted partner in the event of a cyber incident.
