Cyber Threat Intelligence — attacks on Italian companies
In March, our Cyber Threat Intelligence team initiated an extensive analytical campaign to identify information security compromises.
We observed and tracked criminal groups that have developed backdoors targeting perimeter systems in enterprise environments. Current assessment indicates approximately 3 000 compromised servers across Italian territory alone.

These backdoors enable threat actors to execute malicious code with maximum privileges on the affected system.
Adversaries can use this initial access (T1190) as a starting point for further offensive activity, particularly in attack scenarios that include:
- Ransomware deployment
- Enterprise data exfiltration (TA0010)
- Lateral movement within corporate networks (T1570)
Analysis is ongoing, with particular focus on identifying the Italian and European organizations affected by this campaign. Through Cyber Threat Intelligence operations, we continue to track the infrastructure patterns and tactical indicators associated with these threat actors.
Technical Implications
Organizations operating perimeter-facing systems must prioritize immediate vulnerability assessment and network segmentation. The presence of persistent backdoor access represents a critical risk vector for subsequent compromise stages, including ransomware deployment and lateral propagation. Continuous monitoring for anomalous code execution and privilege escalation activity remains essential for early detection of post-compromise activity.