Italy reports sustained phishing pressure

CERT-AGID recorded 94 malicious campaigns in one reporting week alone. The data shows persistent identity, malware, and public-service impersonation pressure across a major European market.

Summary
  • CERT-AGID reported 94 malicious campaigns between 23 and 29 May, including 75 with Italian targets.
  • The agency distributed 1,014 indicators of compromise to accredited entities.
  • Themes included fines, banking, orders, hosting renewals, university access, and multiple malware families.

CERT-AGID recorded 94 malicious campaigns affecting Italy during the week of 23 to 29 May, showing sustained pressure on identity systems, public-service brands, financial services, and routine business workflows.

The Italian public-sector computer emergency response team said 75 of the campaigns had Italian targets, while 19 were generic campaigns that also affected Italy. The agency made 1,014 indicators of compromise available to accredited entities through its reporting channels.

In its weekly campaign summary, CERT-AGID identified 16 themes used to deliver malicious activity in the Italian landscape. Fines were the largest theme, with 46 Italian phishing campaigns using unpaid-contravention lures and abusing names linked to PagoPA, SEND, and ATAC. Banking appeared in 11 Italian phishing campaigns and in malware delivery involving AntiDot and QuasarRAT.

Other lures included orders, hosting renewals, quotations, and university access. CERT-AGID said one phishing campaign targeted students and staff at the University of Bari Aldo Moro, using a fraudulent page hosted on Weebly to imitate the university’s private access portal.

The malware activity listed by the agency included QuasarRAT, XWorm, AgentTesla, AntiDot, and PhantomStealer via Guloader. Several campaigns used compressed attachments or SMS messages containing links to malicious APK downloads, combining email, web, and mobile delivery routes.

The campaign volume does not point to one disruptive incident, but it gives a useful view of the weekly load placed on public institutions, banks, universities, hosting providers, registrars, and digital payment brands. Attackers are leaning on trusted administrative processes: paying fines, renewing services, responding to orders, handling quotations, and accessing institutional portals.

Those workflows carry security consequences because they sit close to identity and payments. A fraudulent fine notice may begin as brand abuse, but the same campaign pattern can lead to credential theft, malware installation, payment fraud, mailbox compromise, or later social engineering. The first interaction is often mundane; the exposure can spread if access controls and reporting routes are inconsistent.

Public-service impersonation creates a separate pressure point. As governments digitise payments, notifications, and citizen administration, official-looking portals become more attractive targets for abuse. Trust in digital services is weakened when people cannot reliably distinguish official processes from hostile copies, and that trust deficit affects adoption as well as security.

Universities also remain exposed through identity portals. Student and staff accounts can provide access to email, collaboration tools, research data, administrative services, and supplier communications. A low-cost phishing page can therefore become an entry point into a more complex institutional environment, especially where accounts are reused across cloud and campus systems.

CERT-AGID’s weekly reporting also shows the operational value of national intelligence sharing. Publishing campaign themes and distributing indicators gives defenders a structured view of current tactics, rather than leaving each organisation to treat phishing as isolated noise. The open question sits in uptake: how quickly indicators are absorbed into email controls, endpoint tools, monitoring rules, and user reporting processes.

The Italian data describes a familiar but persistent resilience problem. Phishing and malware campaigns remain effective because they exploit routine administrative trust, identity workflows, and service dependencies that organisations rely on every day.
