Daniel Lunghi's Avatar

Daniel Lunghi

@thehellu.bsky.social

Threat researcher at Trend Micro mostly focused on APT

151 Followers  |  86 Following  |  8 Posts  |  Joined: 03.12.2024  |  1.5222

Latest posts by thehellu.bsky.social on Bluesky

spear phishing email using Trend Micro updates as a lure

spear phishing email using Trend Micro updates as a lure

targeted industries

targeted industries

comparison between this intrusion set and Void Rabisu

comparison between this intrusion set and Void Rabisu

Website mimicking Trend Micro graphical design

Website mimicking Trend Micro graphical design

We investigated an #APT with links to Void Rabisu (Romcom) that used Trend Micro updates as a lure in a recent campaign involving vulnerability exploitation. There were at least 4 stages before the final payload, some of them being tailored to the targeted machine www.trendmicro.com/en_us/resear...

11.12.2025 15:03 β€” πŸ‘ 1    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0
There are some links from Earth Estries to Salt Typhoon but we don't have enough evidence to say there is 100% overlap

There are some links from Earth Estries to Salt Typhoon but we don't have enough evidence to say there is 100% overlap

There is a typo in the link (remove the extra "7" at the end, will ask for it to be fixed, thanks!).
Regarding your question, this is what we wrote about Salt Typhoon in our third Earth Estries blogpost www.trendmicro.com/en_us/resear...

22.10.2025 16:42 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Earth Estries and Earth Naga malware links

Earth Estries and Earth Naga malware links

List of Earth Estries and Earth Naga targets, classified by targeted industry and location

List of Earth Estries and Earth Naga targets, classified by targeted industry and location

Collaboration types and the related MITRE tactic stage where such collaboration occurs

Collaboration types and the related MITRE tactic stage where such collaboration occurs

Earth Estries and Earth Naga malware toolkits

Earth Estries and Earth Naga malware toolkits

We saw Earth Estries, an advanced #APT intrusion set, sharing its access to Earth Naga (Flax Typhoon). We introduce the term "Premier Pass" to describe this behavior, and propose a four-tier classification framework for collaboration types among advanced groups www.trendmicro.com/en_us/resear...

22.10.2025 09:18 β€” πŸ‘ 20    πŸ” 14    πŸ’¬ 2    πŸ“Œ 1

Orange Cyberdefense saw the same threat and named the ransomware "NailaoLocker" orangecyberdefense.com/global/blog/.... They share interesting thoughts on the motivations of the ransomware deployment, although they don't have the final answer. We also saw no financial gain for the threat actor

20.02.2025 09:39 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Post image Post image

For incident responders, remember to retrieve the volume serial number where #Shadowpad was deployed, since it is used to encrypt the payload in the registry. Those serial numbers can also be found in LNK and Prefetch files in case you don't have live access to the host anymore

20.02.2025 09:39 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 1    πŸ“Œ 0
Post image Post image Post image

We released a report on an updated version of #Shadowpad including anti-debugging features and new configuration structure, that in some cases deploy a custom ransomware family. We have mainly seen the manufacturing industry being targeted in Europe and Asia www.trendmicro.com/fr_fr/resear...
#APT

20.02.2025 09:39 β€” πŸ‘ 6    πŸ” 3    πŸ’¬ 1    πŸ“Œ 0
Preview
China : Chinese firm behind hacking operations against Uyghurs and Tibetans unveiled Intelligence Online has established a link between a Chinese public security ministry contractor and recent IT hacking operations carried out in China and abroad against the two minorities, reviled

Intelligence Online links the MOONSHINE framework that we discussed in our Earth Minotaur report (www.trendmicro.com/en_us/resear...) to a Chinese company www.intelligenceonline.com/surveillance... (article is free but needs registration to access it). Happy new year UPSEC ! 😘

29.01.2025 10:08 β€” πŸ‘ 9    πŸ” 11    πŸ’¬ 1    πŸ“Œ 0
Preview
Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

Since Aug 2024 Earth Koshchei (APT29, Midnight Blizzard) used 193 RDP relays and 34 rogue backends against military, MFAs and others. The campaign peak was likely preceded by barely audible campaigns that ended with a bang in Oct 2024. Details and indicators here: www.trendmicro.com/en_us/resear...

17.12.2024 08:33 β€” πŸ‘ 8    πŸ” 7    πŸ’¬ 0    πŸ“Œ 0
Attack chain showing attacker generating link on Moonshine, then sending it through targeted application to the victim, which after clicking the links gets compromised and delivered the DarkNimbus backdoor

Attack chain showing attacker generating link on Moonshine, then sending it through targeted application to the victim, which after clicking the links gets compromised and delivered the DarkNimbus backdoor

Validation flow that fingerprints the target by looking at user agent and delivering the proper exploit

Validation flow that fingerprints the target by looking at user agent and delivering the proper exploit

multiple Chrome vulnerabilities exploited in the third-party applications

multiple Chrome vulnerabilities exploited in the third-party applications

List of Android applications being targeted Most are very popular in South East Asia

List of Android applications being targeted Most are very popular in South East Asia

Our latest report presents Earth Minotaur, a threat actor targeting Tibetans and Uyghurs using Moonshine, an exploitation framework for Android apps described in 2019 by
@citizenlab.ca
leveraging vulnerabilities in applications embedding old versions of Chromium trendmicro.com/en_us/resear...

05.12.2024 08:48 β€” πŸ‘ 12    πŸ” 7    πŸ’¬ 0    πŸ“Œ 2

@thehellu is following 20 prominent accounts