Lancefly

Threat Actor Profile Updated 24 days ago
Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyberespionage campaign targeting organizations in South and Southeast Asia. The targets include government bodies, aviation companies, educational institutions, and the telecommunications sector. The attacks have been carried out using a custom-written backdoor known as Merdoor, discovered by researchers at Symantec's Threat Hunter Team. The backdoor is believed to have existed since 2018 and has been used in various campaigns, including activity observed in 2020 and 2021 and, more recently, activity continuing into the first quarter of 2023. The primary motivation behind these campaigns appears to be intelligence gathering. The recent Lancefly activity is notable not only for its use of the Merdoor backdoor but also for the backdoor's low prevalence around Russian locations and the highly targeted nature of the attacks. Merdoor, which was initially thought to be connected to Russia, showed significant activity in Russian locations during 2020 and 2021, continuing into the first quarter of 2023. Despite some overlaps and shared tools that might suggest links between Lancefly and other Advanced Persistent Threat (APT) groups, the connections are not strong enough to attribute the development of the Merdoor backdoor to any already-known attack group. This indicates that Lancefly operates independently, making it a distinct threat. It is crucial for organizations, especially those in the targeted sectors, to stay vigilant and implement robust security measures to counter such sophisticated threats.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Backdoor
Rootkit
Symantec
Associated Malware
ID | Type | Votes | Profile Description
ZxShell | Unspecified | 5 | ZXShell is a notorious malware, often associated with other malicious software such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, and STEW. It has been utilized by various Advanced Persistent Threat (APT) groups, including APT27 and APT20, for
Merdoor | Unspecified | 5 | Merdoor is a powerful malware that has been in existence since 2018, according to Symantec. This backdoor is capable of installing itself as a service, keylogging, listening on local ports for commands, and communicating with its command and control (C&C) server using various methods such as HTTP, H
ShadowPad | Unspecified | 2 | ShadowPad is a modular backdoor malware that has been utilized by multiple Chinese threat groups since 2017. It was used as the payload in a supply chain attack targeting South Asian governments, as detailed in a VB2023 paper. The malware's operations are often facilitated through legitimate utiliti
PlugX | Unspecified | 2 | PlugX is a notorious malware, often used by various threat groups in their cyberattacks. It has been linked to several high-profile activities, such as those of the Winnti group and the LockFile ransomware activity. This Remote Access Trojan (RAT) employs sophisticated techniques like DLL side-loadi
Associated Threat Actors
ID | Type | Votes | Profile Description
APT41 | Unspecified | 5 | APT41, also known as Winnti, Wicked Panda, Barium, Suckfly, Earth Freybug, and Daggerfly, is a China-attributed threat actor that has been active since at least 2012. The group has targeted organizations across at least 14 countries, focusing on entities in the South China Sea region. APT41's activi
Lancefly’s | Unspecified | 2 | None
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Lancefly Threat Actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | a year ago | Lancefly APT Hackers Using Custom Backdoor to Attack Government Orgs
CSO Online | a year ago | New APT targets South and Southeast Asia with custom-written backdoor
Securityaffairs | a year ago | Lancefly uses powerful Merdoor backdoor in attacks on Asian orgs
CERT-EU | a year ago | Anomali Cyber Watch: Lancefly APT Adopts Alternatives to Phishing, BPFdoor Removed Hardcoded Indicators, FBI Ordered Russian Malware to Self-Destruct
CERT-EU | a year ago | Lancefly APT targets government, aviation sector with custom backdoor
CERT-EU | a year ago | Lancefly APT Targeting Asian Government Organizations for Years
BankInfoSecurity | a year ago | Threat Actor Uses Merdoor Backdoor to Hit Asian Orgs
CERT-EU | a year ago | Sophisticated Merdoor backdoor long used in Lancefly APT attacks
CERT-EU | a year ago | Lancefly APT uses powerful Merdoor backdoor in attacks on Asian orgs | IT Security News
CERT-EU | a year ago | Lancefly APT Custom Backdoor Targets Government and Aviation Sectors
Flashpoint | a year ago | No title
CERT-EU | a year ago | Spyware code for the Windows systems of government agencies and airlines remained undetected for five years
CERT-EU | a year ago | Lancefly APT Hackers Using Custom Backdoor to Attack Government Orgs | IT Security News
CERT-EU | a year ago | Merdoor Backdoor Exploits Agencies By The Lancefly APT | IT Security News
CERT-EU | a year ago | Cyber security week in review: May 19, 2023
CERT-EU | a year ago | Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign - GIXtools
CERT-EU | a year ago | Year-long Cyber Campaign Reveals Potent Backdoor and Custom Implant, | IT Security News
InfoSecurity-magazine | a year ago | Anatsa Banking Trojan Targets Banks in US, UK and DACH Region
CERT-EU | 9 months ago | China-Linked ‘Redfly’ Group Targeted Power Grid
CERT-EU | a year ago | Security Incident Weekly Report 2023-05-15, Week 20 - 360CERT