Lancefly

Threat Actor updated 7 months ago (2024-05-04T20:05:38.503Z)
Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyberespionage campaign targeting organizations in South and Southeast Asia. The targets include government bodies, aviation companies, educational institutions, and the telecommunications sector. The attacks use a custom-written backdoor known as Merdoor, discovered by Symantec's Threat Hunter Team. Merdoor is believed to have existed since 2018 and has been used in several campaigns, including activity observed in 2020 and 2021 and, more recently, continuing into the first quarter of 2023. The primary motivation behind these campaigns appears to be intelligence gathering. The recent Lancefly activity is notable not only for its use of the Merdoor backdoor but also for the low prevalence of this backdoor around Russian locations and the highly targeted nature of the attacks. Merdoor, which was initially thought to be connected to Russia, showed significant activity in Russian locations during 2020 and 2021, continuing into the first quarter of 2023. Although some overlaps and shared tools might suggest links between Lancefly and other Advanced Persistent Threat (APT) groups, the connections are not strong enough to attribute the development of the Merdoor backdoor to any known attack group. This indicates that Lancefly operates independently, making it a distinct threat. Organizations, especially those in the targeted sectors, should stay vigilant and implement robust security measures to counter such sophisticated threats.
Description last updated: 2024-05-04T16:35:36.940Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Backdoor
Rootkit
Symantec
Analyst Notes & Discussion
Associated Malware
Alias / Description                                                         Association Type   Votes
ZxShell: The ZxShell malware is associated with Lancefly. ZxShell is a malicious software (malware) that has been used by various cyber threat actors to exploit and damage computer systems. It is known to be associated with other malware such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, STEW, among o…   Unspecified   5
Merdoor: The Merdoor malware is associated with Lancefly. Merdoor is a potent malware, identified as a backdoor, that has been in existence since 2018. The malicious software is capable of installing itself as a service, keylogging, listening on a local port for commands, and using various methods to communicate with its command and control (C&C) server su…   Unspecified   5
ShadowPad: The ShadowPad malware is associated with Lancefly. ShadowPad is a sophisticated malware, known for its modular backdoor capabilities, that has been popular among Chinese threat actors for over seven years. It is designed to infiltrate systems often through suspicious downloads, emails, or websites, and once inside, it can steal personal information, …   Unspecified   2
PlugX: The PlugX malware is associated with Lancefly. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s…   Unspecified   2
Associated Threat Actors
Alias / Description                                                         Association Type   Votes
APT41: The APT41 threat actor is associated with Lancefly. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi…   Unspecified   5
Lancefly’s: The threat actor "Lancefly’s" is associated with Lancefly.   Unspecified   2
Source Document References
Information about the Lancefly threat actor was read from the documents corpus below. This display is limited to 20 results.
Source                  Created
CERT-EU                 a year ago
InfoSecurity-magazine   a year ago
CERT-EU                 a year ago
CERT-EU                 a year ago
Flashpoint              2 years ago
CERT-EU                 2 years ago
CERT-EU                 2 years ago
CERT-EU                 2 years ago
CERT-EU                 2 years ago
CERT-EU                 2 years ago
Securityaffairs         2 years ago
CERT-EU                 2 years ago
CSO Online              2 years ago
CERT-EU                 2 years ago
BankInfoSecurity        2 years ago
CERT-EU                 2 years ago
CERT-EU                 2 years ago
CERT-EU                 2 years ago
CERT-EU                 2 years ago
CERT-EU                 2 years ago