CERT-AGID: Italian Cyberattacks Surge 13% as PagoPA and INPS Face Targeted Campaigns

From May 9 to 15, 2026, CERT-AGID detected 131 malicious campaigns targeting Italy, distributing 1,382 indicators of compromise (IoCs) to accredited organizations. This represents a 13% escalation in operations compared to the previous week—which saw 116 campaigns and 854 IoCs—and a significant 60% increase in distributed indicators. The combination of institutional phishing impersonating PagoPA fines, INPS-themed smishing, and ten active malware families signals an intensification of threats against citizens and, potentially, infrastructure.
- 131 total campaigns identified between May 9 and 15, 2026, comprising 96 Italy-specific and 35 generic operations, with 1,382 IoCs shared by CERT-AGID.
- 24 Italian phishing campaigns targeted PagoPA fines, alongside 17 banking-themed campaigns and 17 INPS smishing operations orchestrated via the Darcula PhaaS platform.
- A new Revenue Agency (Agenzia delle Entrate) phishing campaign surfaced, promising fake 2025 tax returns to steal credit card information.
- Ten active malware families were observed: FormBook, Remcos, XWorm, AgentTesla, RelayNFC, TrickMo, Guloader, PhantomStealer, Grandoreiro, and Lokibot, primarily delivered via compressed archive attachments.
131 malicious campaigns detected in Italy from May 9–15, 2026, with 1,382 indicators of compromise distributed to accredited entities.
Institutional Phishing: Exploiting PagoPA and Revenue Agency Brands
The most pervasive vector this week was institutional phishing themed around PagoPA fines. CERT-AGID tracked 24 Italian campaigns utilizing emails that mimic payment requests for unpaid traffic violations. These messages leverage the official branding and visual identity of PagoPA to lure recipients into clicking malicious links or submitting sensitive data on fraudulent pages. Simultaneously, a new campaign impersonating the Italian Revenue Agency has emerged, promising fake refunds for 2025 tax returns with the sole aim of harvesting credit card details.
Both operations demonstrate a strategy centered on Italian digital public services, where user familiarity with the brand lowers perceived risk. The threat is not limited to immediate credential theft; the gathered personal data can be weaponized for future social engineering or identity fraud. The lack of advanced technical exploitation in CERT-AGID’s findings confirms that these attacks rely almost entirely on human psychology and high-quality visual deception.
Smishing and Banking: 34 Campaigns Targeting INPS and Financial Institutions
CERT-AGID reported 17 banking phishing campaigns and an equal number of smishing operations impersonating INPS. The smishing attacks were conducted via "Darcula," a Phishing-as-a-Service (PhaaS) platform. This service allows threat actors to orchestrate large-scale campaigns without needing to manage the underlying hosting and delivery infrastructure. These SMS messages masquerade as institutional alerts, redirecting victims to pages designed to harvest credentials and personal data.
The 17 banking campaigns reflect a sustained interest in compromising individual accounts through social engineering tactics that mimic security alerts or identity verification requests. Data from CERT-AGID does not indicate the use of zero-day vulnerabilities in banking systems; the human factor remains the primary entry point. The Darcula platform, though used in the INPS campaigns, is not believed to be developed or managed within Italy. The scalability of PhaaS models allows attackers to reach thousands of potential victims in hours, significantly increasing their chances of success.
Malware Landscape: FormBook, Remcos, and XWorm Lead Activity
Ten distinct malware families were active this week: FormBook, Remcos, XWorm, AgentTesla, RelayNFC, TrickMo, Guloader, PhantomStealer, Grandoreiro, and Lokibot. Distribution is primarily handled through email attachments disguised as official documents, often nested within compressed archives using extensions such as ZIP, 7Z, GZ, and RAR, or formats like JS, XLS, and XLAM. Once executed, the payloads install infostealers or Remote Access Trojans (RATs) capable of exfiltrating credentials, identification documents, and browsing data.
The simultaneous activity of ten different families suggests a fragmented threat ecosystem where various actors purchase, customize, and deploy toolkits available on the criminal market. This variety increases the burden on defenders, who must manage signatures, behavioral patterns, and command-and-control (C2) communications for a wide range of strains. For enterprises, this translates to heightened pressure on endpoint detection systems to rapidly update signatures across the full threat spectrum.
Rising Trends: A 60% Surge in Indicators of Compromise
A comparison with the previous week (May 2–8, 2026) reveals a clear upward trend. Total campaigns rose from 116 to 131 (+13%), while distributed IoCs jumped from 854 to 1,382—a surge of over 60%. In the prior reporting period, CERT-AGID noted 78 Italian campaigns, 38 generic campaigns, and 12 active malware families. The sharp increase in IoCs suggests that attackers are diversifying their infrastructure, domains, and file hashes to bypass security filters.
While the exact number of victims and the total economic impact remain unknown, the quantitative growth is a reliable indicator of escalation. The shift from 12 to 10 active malware families does not signal a decrease in threat variety, but rather a temporal shift in the deployment of specific criminal toolkits.
In the same period, the global landscape saw critical patches released by vendors including Ivanti, Fortinet, SAP, VMware, and n8n. Additionally, the Ollama vulnerability (CVE-2026-7482), dubbed "Bleeding Llama," was identified, allowing for remote process memory leaks on roughly 300,000 exposed servers. While no direct link has been established between these vulnerabilities and the Italian campaigns reported by CERT-AGID, the concentration of critical flaws expands the overall attack surface for national infrastructures.
Security Recommendations and Mitigation
- Verify the sender of any institutional email regarding PagoPA, INPS, or the Revenue Agency. Access these services by manually typing the official URL into your browser rather than clicking direct links.
- Do not download unexpected attachments, particularly compressed archives or spreadsheets with extensions like ZIP, 7Z, GZ, RAR, JS, XLS, and XLAM, which are common vehicles for malware.
- Report suspicious SMS messages impersonating INPS through the agency's official channels. Avoid replying or clicking any links contained in the message.
- Entities accredited with CERT-AGID should integrate the 1,382 IoCs distributed between May 9 and 15 into their detection systems and audit their logs for any communication with the listed domains, IPs, or file hashes.
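One minimal way to act on the last recommendation, as an added example that is not CERT-AGID's own tooling: it loads a constructed IoC feed in a type,value shape (domains, URLs, IPs and SHA256 hashes, as the FAQ below defines IoCs), refangs the defanged entries, and scans constructed proxy log lines and file hashes for matches. Every domain, IP and hash value here is made up for the example.

```python
import re

# Constructed sample feed (NOT real CERT-AGID indicators); values are defanged
# the way threat-intel feeds commonly are ("[.]" and "hxxp").
SAMPLE_IOC_FEED = """\
domain,pagopa-multa[.]example
url,hxxp://inps-verifica[.]example/login
ip,203.0.113.45
sha256,3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
"""

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2026-05-12T08:14:03Z 10.0.0.21 GET http://pagopa-multa.example/avviso.php 200
2026-05-12T08:15:10Z 10.0.0.22 GET https://www.pagopa.gov.it/ 200
2026-05-12T08:16:44Z 10.0.0.23 GET http://203.0.113.45/dl/fattura.zip 200
"""

def refang(value):
    """Turn a defanged indicator back into a form that matches real log data."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def load_iocs(feed_text):
    """Parse 'type,value' lines into per-type sets of normalised indicators."""
    iocs = {"domain": set(), "url": set(), "ip": set(), "sha256": set()}
    for line in feed_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, value = line.split(",", 1)
        iocs.setdefault(kind.strip(), set()).add(refang(value.strip().lower()))
    return iocs

URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?\S*")

def scan_proxy_log(log_text, iocs):
    """Return log lines whose host, IP or full URL matches an indicator.
    A domain indicator also matches its subdomains."""
    hits = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        host, full_url = m.group(1).lower(), m.group(0).lower()
        domain_hit = any(host == d or host.endswith("." + d) for d in iocs["domain"])
        if domain_hit or host in iocs["ip"] or full_url in iocs["url"]:
            hits.append(line)
    return hits

def scan_hashes(hashes, iocs):
    """Return the input hashes (as given) that appear in the feed."""
    return [h for h in hashes if h.lower() in iocs["sha256"]]
```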
The measurable 13% growth in campaigns and the 60% spike in indicators of compromise suggest that threat actors are scaling their infrastructure, not just their targets. The heavy use of Italian institutional brands like PagoPA and INPS indicates prior intelligence gathering on digital public services. In this environment, the line between individual users and national infrastructure thins: every stolen credential or malware infection serves as a potential pivot point for wider lateral movement.
Frequently Asked Questions
- What are the IoCs distributed by CERT-AGID?
- Indicators of Compromise (IoCs) are technical artifacts such as file hashes, malicious URLs, or suspicious IP addresses. CERT-AGID provides these to accredited organizations to help them detect and block malicious activity. 1,382 such indicators were shared between May 9 and 15, 2026.
- Why are INPS smishing campaigns using the Darcula platform?
- Darcula is a Phishing-as-a-Service (PhaaS) platform that enables attackers to run large-scale smishing operations without managing technical infrastructure. CERT-AGID identified its use in 17 Italian campaigns targeting INPS.
- What is the difference between "Italian" and "generic" campaigns?
- The 96 Italian campaigns specifically target local brands, themes, or recipients within Italy. The 35 generic campaigns are part of broader global malicious flows that were also detected in Italian network traffic.
Information has been verified against the cited sources and is current at the time of publication.
Sources
- https://cert-agid.gov.it/news/sintesi-riepilogativa-delle-campagne-malevole-nella-settimana-del-9-15-maggio/
- https://cert-agid.gov.it/news/sintesi-riepilogativa-delle-campagne-malevole-nella-settimana-del-2-8-maggio/
- https://thehackernews.com/2026/05/ivanti-fortinet-sap-vmware-n8n-patch.html
- https://thehackernews.com/2026/05/ollama-out-of-bounds-read-vulnerability.html