Lancefly

Threat Actor updated 4 months ago (2024-05-04T20:05:38.503Z)
Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyberespionage campaign targeting organizations in South and Southeast Asia. The targets include government bodies, aviation companies, educational institutions, and the telecommunications sector. The attacks have been carried out using a custom-written backdoor known as Merdoor, discovered by researchers at Symantec's Threat Hunter Team. Merdoor is believed to have existed since 2018 and has been used in several campaigns, including activity observed in 2020 and 2021 and, more recently, activity continuing into the first quarter of 2023. The primary motivation behind these campaigns appears to be intelligence gathering. The recent Lancefly activity is notable not only for its use of the Merdoor backdoor but also for the backdoor's low prevalence around Russian locations and the highly targeted nature of the attacks. Merdoor, which was initially thought to be connected to Russia, showed significant activity in Russian locations during 2020 and 2021, continuing into the first quarter of 2023. Despite some overlaps and shared tools that might suggest links between Lancefly and other Advanced Persistent Threat (APT) groups, the connections are not strong enough to attribute the development of the Merdoor backdoor to any already-known attack group. This indicates that Lancefly operates independently, making it a distinct threat. It is crucial for organizations, especially those in the targeted sectors, to stay vigilant and implement robust security measures to counter such sophisticated threats.
Description last updated: 2024-05-04T16:35:36.940Z
Aliases: none currently tracked.

Miscellaneous Associations (other elements of context that could aid in the identification of relevance):
APT
Malware
Backdoor
Rootkit
Symantec
Associated Malware
Each entry gives the malware ID, association type, vote count, and profile description.

ZxShell (type: Unspecified; votes: 5)
ZXShell is malicious software (malware) that has been used by various cyber threat actors to exploit and damage computer systems. It is known to be associated with other malware such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, STEW, among o

Merdoor (type: Unspecified; votes: 5)
Merdoor is a powerful malware that has been in existence since 2018, according to Symantec. This backdoor is capable of installing itself as a service, keylogging, listening on local ports for commands, and communicating with its command and control (C&C) server using various methods such as HTTP, H

ShadowPad (type: Unspecified; votes: 2)
ShadowPad is a modular malware that has been utilized by various Chinese threat actors since at least 2017. It is malicious software designed to infiltrate computer systems, often without the user's knowledge, and can cause significant damage by stealing personal information, disrupting operations,

PlugX (type: Unspecified; votes: 2)
PlugX is a notorious malware known for its harmful capabilities and stealthy operations. Often used by the Winnti group, it has been linked to various cyber-attacks, leveraging DLL side-loading to remain undetected. This technique allows it to infiltrate systems without raising alarms, making it an
Associated Threat Actors
Each entry gives the threat actor ID, association type, vote count, and profile description.

APT41 (type: Unspecified; votes: 5)
APT41, a threat actor attributed to China, has been actively targeting organizations in at least 14 countries since 2012. The group is known for its use of an extensive range of malware, with at least 46 different code families and tools observed in their operations. They are associated with various

Lancefly’s (type: Unspecified; votes: 2)
No description available.
Source Document References
Information about the Lancefly Threat Actor was read from the document corpus below. This display is limited to 20 results.
Each entry gives the source, when it was created, and its title.

CERT-EU, a year ago: China-Linked ‘Redfly’ Group Targeted Power Grid
InfoSecurity-magazine, a year ago: Anatsa Banking Trojan Targets Banks in US, UK and DACH Region
CERT-EU, a year ago: Security Incident Weekly Report 2023-05-15, Week 20 - 360CERT
CERT-EU, a year ago: Spyware code targeting the Windows systems of government agencies and airlines went undetected for five years
Flashpoint, 2 years ago: No title
CERT-EU, a year ago: Lancefly APT Custom Backdoor Targets Government and Aviation Sectors
CERT-EU, a year ago: Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign - GIXtools
CERT-EU, a year ago: Lancefly APT targets government, aviation sector with custom backdoor
CERT-EU, a year ago: Year-long Cyber Campaign Reveals Potent Backdoor and Custom Implant | IT Security News
CERT-EU, a year ago: Merdoor Backdoor Exploits Agencies By The Lancefly APT | IT Security News
Securityaffairs, a year ago: Lancefly uses powerful Merdoor backdoor in attacks on Asian orgs
CERT-EU, a year ago: Lancefly APT uses powerful Merdoor backdoor in attacks on Asian orgs | IT Security News
CSO Online, a year ago: New APT targets South and Southeast Asia with custom-written backdoor
CERT-EU, a year ago: Lancefly APT Targeting Asian Government Organizations for Years
BankInfoSecurity, a year ago: Threat Actor Uses Merdoor Backdoor to Hit Asian Orgs
CERT-EU, a year ago: Anomali Cyber Watch: Lancefly APT Adopts Alternatives to Phishing, BPFdoor Removed Hardcoded Indicators, FBI Ordered Russian Malware to Self-Destruct
CERT-EU, a year ago: Lancefly APT Hackers Using Custom Backdoor to Attack Government Orgs | IT Security News
CERT-EU, a year ago: Lancefly APT Hackers Using Custom Backdoor to Attack Government Orgs
CERT-EU, a year ago: Sophisticated Merdoor backdoor long used in Lancefly APT attacks
CERT-EU, a year ago: Cyber security week in review: May 19, 2023