Ransomware attack Victim: trevi.it TA: Nova Country: Italy Data: 50gb @ransomnews

Ransomware attack Victim: tavolaspa.com TA: Safepay Country: Italy @ransomnews
Ransomware attack Victim: Verzolla SRL TA: Safepay Country: Italy @ransomnews
Ransomware attack Victim: soraris.it TA: Safepay Country: Italy @ransomnews

New domain in town for TheGentlemen group: thegentlemen[.]cc, IP: 104.21.32.140 (Cloudflare), registration: 2026-05-30T15:53:46Z
Hinge database allegedly for sale. Actor "nilojeda" claims 8M records: email, password_hash, oauth_subject_hash, phone_hash, DoB, geolocation. A sample PoC is publicly available in the thread. $400, accepts crypto. No statement from Hinge. If you use Hinge: rotate password, revoke OAuth sessions. @hinge
Spotted a TikTok video promoting free Fortnite skins linking to fortgg[.]cc. Ended up being a full AiTM phishing kit impersonating Epic Games login. The kit uses a custom DNSPod CAPTCHA gate to block scanners, then serves a pixel-perfect Epic Games credential harvester. Under the hood it hooks fetch and XHR to proxy requests to Epic in real time, bypassing all 2FA methods including authenticator app, SMS, backup codes and Epic app. After credential harvest, victims are redirected to a fake "Star Locker" page to keep them busy while the operator processes the stolen session token server-side. Source code comments are in Russian. Hosted on 91.227.114.14 AS210006 bulletproof infrastructure. Related domains on same IP include Valorant-themed kits, suggesting a single operator targeting multiple gaming platforms. IOCs: 91.227.114.14, fortgg[.]cc, fortvault[.]cc, fortstats[.]cc, fortniteskill[.]live, valdexy[.]com, epiclocka[.]shop, pay-heleket[.]cc, valoturskin[.]top, valday[.]top, vlrstep[.]top, vlrntgnrskn[.]online. DROPPED FILES: fortgg[.]cc/assets/b4k2m7.js, fortgg[.]cc/assets/w5n2p8.js, fortgg[.]cc/assets/api.js. COOKIE FINGERPRINT: sil_ses, sil_gate, sil_bm. KIT IDENTIFIERS: Mercury AiTM Star Locker /.merc/ @EpicGames @Fortnite
Same threat actor, new domain. scalealevadores[.]com -> 79.141.166.149 (AS201525 HZ Hosting). Same IP as lfg-homes[.]cam from yesterday's campaign. Infrastructure still active. @JAMESWT_WT
Analyzed a 4-stage phishing campaign targeting Italian SMBs. ATO initial vector (SPF/DKIM/DMARC all pass); XOR AES-GCM eval(atob()) x3; 250-entry ASN blocklist time gate. Final payload: Device Code Phishing -> OAuth2 token theft. Key IOCs: C2: crudiose[.]com / cremeapi[.]com; IP: 81.28.12.12 (G-Core am3-hw-edge-gpig-gc96); Campaign ID: Czj1Ap; Kit: randexp.js v0.4.3 (github[.]com/fent). Full breakdown -> medium.com/@darkjstr/inside-… @JAMESWT_WT
Ransomware attack Victim: Fonderia Corrà TA: The Gentlemen Country: Italy @ransomnews
Ransomware attack Victim: Casa Safer TA: Nova Country: Italy @ransomnews
Ransomware attack Victim: Pieralisi TA: Dragonforce Country: Italy @ransomnews
Ransomware attack Victim: BASE SPA Data: / TA: Space Bears POC: / Country: Italy @ransomnews
From WOMEN.dll dropper → Sleestak infrastructure: Multi-stage JScript PowerShell loader with AES-256 XOR, process hollowing into aspnet_compiler.exe, Microsoft-spoofed scheduled task (logon trigger), and exposed daily-rotating payload directories on open index listing. Full chain analysis, builder artifacts, IOCs: medium.com/@darkjstr/trackin…
Ransomware attack Victim: GITIS S.r.l. Data: / TA: Akira POC: yes Country: Italy @ransomnews
DarkJester retweeted
⚠️ New threat actor on the radar ⚠️ 🥷🏻 Spy Corporate 🗓️ added on May 21, 2026 #ransomNews #cybersecurity #newthreatactor