Lancefly

Threat Actor Profile Updated 3 months ago
Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyberespionage campaign targeting organizations in South and Southeast Asia. Targets include government bodies, aviation companies, educational institutions and the telecommunications sector. The attacks use a custom-written backdoor known as Merdoor, discovered by researchers at Symantec's Threat Hunter Team. The backdoor is believed to have existed since 2018 and has been used in several campaigns, including activity observed in 2020 and 2021 and, more recently, activity continuing into the first quarter of 2023. The primary motivation behind these campaigns appears to be intelligence gathering. The recent Lancefly activity is notable not only for its use of the Merdoor backdoor but also for the backdoor's low prevalence around Russian locations and the highly targeted nature of the attacks. Merdoor, which was initially thought to be connected to Russia, showed significant activity in Russian locations during 2020 and 2021 and continuing into the first quarter of 2023. Despite some overlaps and shared tools that might suggest links between Lancefly and other Advanced Persistent Threat (APT) groups, the connections are not strong enough to attribute the development of the Merdoor backdoor to any already-known group, which indicates that Lancefly operates independently. Organizations, especially those in the targeted sectors, should stay vigilant and implement robust security measures to counter such threats.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Backdoor
Rootkit
Symantec
WinRAR
Phishing
exploitation
russian
Linux
Gbhackers
Implant
Rat
Payload
Exploit
Loader
Chinese
Associated Malware
ID | Type | Votes | Profile Description
Merdoor | Unspecified | 5 | Merdoor is a powerful malware that has been in existence since 2018, according to Symantec. This backdoor is capable of installing itself as a service, keylogging, listening on local ports for commands, and communicating with its command and control (C&C) server using various methods such as HTTP, H
ZxShell | Unspecified | 5 | ZXShell is a malicious software (malware) that has been used by various cyber threat actors to exploit and damage computer systems. It is known to be associated with other malware such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, STEW, among o
ShadowPad | Unspecified | 2 | ShadowPad is a modular backdoor malware that has been utilized by several Chinese threat groups since at least 2017. Notably, it was used as the payload in supply chain attacks targeting South Asian governments, as reported in the VB2023 paper. ShadowPad provides near-administrative capabilities in
PlugX | Unspecified | 2 | PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It
Associated Threat Actors
ID | Type | Votes | Profile Description
APT41 | Unspecified | 5 | APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4
Lancefly’s | Unspecified | 2 | None
Iron Tiger | Unspecified | 1 | Iron Tiger, also known as Iron Taurus or APT27, is a threat actor group known for executing malicious actions with the intent of espionage. The group became prominent after its involvement in Operation Iron Tiger, which was reported in 2015. This operation was a series of Chinese cyber-espionage att
APT17 | Unspecified | 1 | APT17, also known as Tailgator Team and Deputy Dog, is a threat actor suspected to be affiliated with the Chinese intelligence apparatus. This group has been associated with various aliases including Winnti, PassCV, Axiom, LEAD, BARIUM, Wicked Panda, and GREF. The primary targets of APT17 are the U.
APT27 | Unspecified | 1 | APT27, also known as Iron Taurus, is a Chinese threat actor group that primarily engages in cyber operations with the goal of intellectual property theft. The group targets multiple organizations worldwide, including those in North and South America, Europe, and the Middle East. APT27 utilizes vario
Blackfly | Unspecified | 1 | Blackfly is a threat actor, tracked by Symantec, that has been involved in cyber-attacks primarily targeting South Korean companies, especially those in the video game and software development industry. The group initiated its activities with a campaign to steal certificates, which were later utiliz
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Lancefly threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 10 months ago | China-Linked ‘Redfly’ Group Targeted Power Grid
InfoSecurity-magazine | a year ago | Anatsa Banking Trojan Targets Banks in US, UK and DACH Region
CERT-EU | a year ago | Security Incident Weekly Report 2023-05-15, Week 20 - 360CERT
CERT-EU | a year ago | Spyware targeting the Windows systems of government agencies and airlines went unnoticed for five years
Flashpoint | a year ago | No title
CERT-EU | a year ago | Lancefly APT Custom Backdoor Targets Government and Aviation Sectors
CERT-EU | a year ago | Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign - GIXtools
CERT-EU | a year ago | Lancefly APT targets government, aviation sector with custom backdoor
CERT-EU | a year ago | Year-long Cyber Campaign Reveals Potent Backdoor and Custom Implant, | IT Security News
CERT-EU | a year ago | Merdoor Backdoor Exploits Agencies By The Lancefly APT | IT Security News
Securityaffairs | a year ago | Lancefly uses powerful Merdoor backdoor in attacks on Asian orgs
CERT-EU | a year ago | Lancefly APT uses powerful Merdoor backdoor in attacks on Asian orgs | IT Security News
CSO Online | a year ago | New APT targets South and Southeast Asia with custom-written backdoor
CERT-EU | a year ago | Lancefly APT Targeting Asian Government Organizations for Years
BankInfoSecurity | a year ago | Threat Actor Uses Merdoor Backdoor to Hit Asian Orgs
CERT-EU | a year ago | Anomali Cyber Watch: Lancefly APT Adopts Alternatives to Phishing, BPFdoor Removed Hardcoded Indicators, FBI Ordered Russian Malware to Self-Destruct
CERT-EU | a year ago | Lancefly APT Hackers Using Custom Backdoor to Attack Government Orgs | IT Security News
CERT-EU | a year ago | Lancefly APT Hackers Using Custom Backdoor to Attack Government Orgs
CERT-EU | a year ago | Sophisticated Merdoor backdoor long used in Lancefly APT attacks
CERT-EU | a year ago | Cyber security week in review: May 19, 2023