Daniel Lunghi

@[email protected]
263 Followers
109 Following
18 Posts
Threat researcher @Trend Micro focusing on #apt
Twitterhttps://twitter.com/thehellu
Daniel LunghiDec 11
We investigated an #APT with links to Void Rabisu (Romcom) that used Trend Micro updates as a lure in a recent campaign involving vulnerability exploitation. There were at least 4 stages before the final payload, some of them being tailored to the targeted machine https://www.trendmicro.com/en_us/research/25/l/SHADOW-VOID-042.html
Daniel LunghiOct 22
We saw Earth Estries, an advanced CN #APT intrusion set, sharing its access to Earth Naga (Flax Typhoon). We introduce the term "Premier Pass" to describe this behavior, and propose a four-tier classification framework for collaboration types among advanced groups https://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html
Daniel LunghiFeb 20, 2025
For incident responders investigating Shadowpad cases, remember to retrieve the volume serial number where #Shadowpad was deployed. The first time the malware is run, it will delete the encoded payload file (<random name>.tmp), and encrypt it in the Windows registry using the volume serial number. Those can also be found in LNK and Prefetch files in case you don't have live access to the host anymore.
You can then use the VolumeID tool from Sysinternals to change the volume serial number of your virtual machine
https://learn.microsoft.com/en-us/sysinternals/downloads/volumeid
VolumeID - Sysinternals

Set Volume ID of FAT or NTFS drives.

Daniel LunghiFeb 20, 2025
We released a report on an updated version of #Shadowpad including anti-debugging features and new configuration structure, that in some cases deploy a custom ransomware family. We have mainly seen the manufacturing industry being targeted in Europe and Asia https://www.trendmicro.com/fr_fr/research/25/b/updated-shadowpad-malware-leads-to-ransomware-deployment.html
#APT
Orange Cyberdefense saw the same threat and named the ransomware "NailaoLocker" https://www.orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors They share interesting thoughts on the motivations of the ransomware deployment, although they don't have the final answer. We also saw no financial gain for the threat actor
Updated Shadowpad Malware Leads to Ransomware Deployment

In this blog entry, we discuss how Shadowpad is being used to deploy a new undetected ransomware family. Attackers deploy the malware by exploiting weak passwords and bypassing multi-factor authentication.

Trend Micro
Daniel LunghiJan 29, 2025
Intelligence Online links the MOONSHINE framework that we discussed in our Earth Minotaur report (https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html) to a Chinese company https://www.intelligenceonline.com/surveillance--interception/2025/01/29/chinese-firm-behind-hacking-operations-against-uyghurs-and-tibetans-unveiled,110368855-evg (article is free but needs registration to access it). Happy new year UPSEC ! 😘
MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks

Trend Micro
Daniel LunghiMar 18, 2024
Our latest report on a CN #APT targeting tens of governments entities worldwide has been published 🥳 After monitoring it for a long time we realized it is likely related to the recent I-Soon company leaks. It discusses their TTPs and provides lots of IOCs https://trendmicro.com/en_us/research/24/c/earth-krahang.html
Targets are spread among 5 continents, although some countries are targeted more heavily: one country had 11 of its government entities compromised. Previous victims are used to compromise new ones by abusing their infrastructure to send spear-phishing emails or host malware.
Their favorite malware toolkit are Reshell, a basic .NET backdoor, and Xdealer, also named Dinodas RAT, two custom malwares. They also use the infamous #CobaltStrike, #PlugX and #Shadowpad. Many of their offensive and post-exploitation tools are retrieved from public sources.
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks

Since early 2022, we have been monitoring an APT campaign that targets several government entities worldwide, with a strong focus in Southeast Asia, but also seen targeting Europe, America, and Africa.

Trend Micro
Daniel LunghiNov 9, 2023
Virus Bulletin released my talk on a #Shadowpad sample delivered by a Pakistan governmental application named eOffice. It contains an analysis of the modified MSI installer, some tricks to pivot on old and new Shadowpad samples, an overview of the #APT campaign, and attribution discussion https://www.youtube.com/watch?v=i52MH-YFEeo
The slides https://virusbulletin.com/uploads/pdf/conference/vb2023/slides/Slides-Possible-supply-chain-attack-targeting-South-Asian-government-delivers-Shadowpad.pdf and paper https://virusbulletin.com/uploads/pdf/conference/vb2023/papers/Possible-supply-chain-attack-targeting-South-Asian-government-delivers-Shadowpad.pdf are also available. In addition to what we published in July in our blog, the paper details our failed attempts to attribute this attack based on custom malware families and their links to other advanced threat actors #threatintel
Possible supply chain attack targeting South Asian government delivers Shadowpad - Daniel Lunghi

YouTube
Daniel LunghiJul 21, 2023
We found a possible supply chain attack on eOffice application developed by Pakistan government. It delivers #Shadowpad with an updated obfuscation and encryption scheme. The threat actor carefully chose the C&C to blend in legitimate network traffic https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html
It is possible that the MSI installer could have been modified and then redistributed. However, as it was not publicly available at the time of the incident (September 2022), that would imply that the threat actor retrieved it from a PK gov entity before weaponizing it. #APT
Supply Chain Attack Targeting Pakistani Government Delivers Shadowpad

We recently found that an MSI installer built by the National Information Technology Board (NITB), a Pakistani government entity, delivered a Shadowpad sample, suggesting a possible supply-chain attack.

Trend Micro
Daniel LunghiMay 2, 2023
The slides https://botconf.eu/wp-content/uploads/2023/04/2023_5856_LUNGHI.pdf and video https://youtube.com/watch?v=713CsmcNE3o of my #Botconf talk about #IronTiger TTPs are online. I discuss recent infection vectors (including a supply chain attack), the evolution of their malware toolkit and targeting, and explain how we attributed these campaigns to #IronTiger #APT27 #APT threat actor
Daniel LunghiMar 1, 2023
My latest #APT research on #IronTiger (#APT27/#EmissaryPanda/#LuckyMouse) is out ! It includes analysis of a new version of SysUpdate ported to Linux, a new communication protocol through DNS TXT requests, a VMProtect certificate compromise, and probable infection vector https://trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting

We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems.

Trend Micro