In the past weeks, a new strange campaign emerged in the Italian landscape. It has been baptized “Operation Pistacchietto” from a username extracted from a Github account used to serve some part of the malware. This campaign has been initially studied by C.R.A.M. researchers reporting the attacker seems to be Italian, as evidenced by some Italian words like “pistacchietto” or “bonifico” discovered into analyzed file names and scripts, and due to the location of most of the command and control servers.