Daniel Lunghi
thehellu.bsky.social
Threat researcher at Trend Micro mostly focused on APT
There is a typo in the link (remove the extra "7" at the end, will ask for it to be fixed, thanks!).
Regarding your question, this is what we wrote about Salt Typhoon in our third Earth Estries blogpost www.trendmicro.com/en_us/resear...
October 22, 2025 at 4:42 PM
Orange Cyberdefense saw the same threat and named the ransomware "NailaoLocker" orangecyberdefense.com/global/blog/.... They share interesting thoughts on the motivations of the ransomware deployment, although they don't have the final answer. We also saw no financial gain for the threat actor.
February 20, 2025 at 9:39 AM
For incident responders, remember to retrieve the volume serial number where #Shadowpad was deployed, since it is used to encrypt the payload in the registry. Those serial numbers can also be found in LNK and Prefetch files in case you don't have live access to the host anymore.
February 20, 2025 at 9:39 AM
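
As an added illustration of the LNK case mentioned in the post above (this code is not from the post or from Trend Micro), the following sketch reads the DriveSerialNumber field out of a shortcut file's LinkInfo/VolumeID structure as laid out in MS-SHLLINK. The function names `lnk_volume_serial` and `build_sample_lnk` are hypothetical, and the sample shortcut and its serial are constructed for the demo; Prefetch files are not covered here.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x1
HAS_LINK_INFO = 0x2
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1


def lnk_volume_serial(data: bytes):
    """Return the DriveSerialNumber from a .lnk file as 'XXXX-XXXX', or None."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad header size")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    link_flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # end of the fixed ShellLinkHeader
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        # IDListSize (2 bytes) precedes the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not link_flags & HAS_LINK_INFO:
        return None  # no LinkInfo, so no VolumeID to read
    info_size, _hdr_size, info_flags, vol_off = struct.unpack_from("<4I", data, pos)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None  # network target: no local volume recorded
    serial_at = pos + vol_off + 8  # skip VolumeIDSize and DriveType
    if vol_off + 12 > info_size or serial_at + 4 > len(data):
        raise ValueError("truncated VolumeID")
    serial = struct.unpack_from("<I", data, serial_at)[0]
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"


def build_sample_lnk(serial: int) -> bytes:
    """Constructed minimal .lnk (header + LinkInfo + VolumeID) for the demo."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_LINK_INFO) + bytes(52)
    volume_id = struct.pack("<4I", 17, 3, serial, 16) + b"\x00"  # DRIVE_FIXED, empty label
    base_path = b"C:\\sample.exe\x00"
    suffix = b"\x00"
    vol_off = 28  # VolumeID follows the 28-byte LinkInfo header
    path_off = vol_off + len(volume_id)
    suffix_off = path_off + len(base_path)
    size = suffix_off + len(suffix)
    link_info = struct.pack("<7I", size, 28, 1, vol_off, path_off, 0, suffix_off)
    return header + link_info + volume_id + base_path + suffix


if __name__ == "__main__":
    print(lnk_volume_serial(build_sample_lnk(0x1A2B3C4D)))  # constructed serial
```

The returned string uses the same `XXXX-XXXX` form that `vol` prints on a live host, so it can be compared directly with a serial recorded during triage.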