Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Lancefly APT Targeting Asian Government Organizations for Years

A threat actor tracked as Lancefly has been targeting government organizations in South and Southeast Asia for at least three years.

For at least three years, an advanced persistent threat (APT) actor has been targeting government organizations in South and Southeast Asia for intelligence gathering, Symantec reports.

Dubbed Lancefly, the APT has been actively targeting government organizations in the region since 2020, but also hit communications and technology organizations between 2020 and 2021, and entities in the aviation, education, and telecoms sectors since mid-2022.

Since 2020, the group has been relying on the Merdoor backdoor in its attacks, deploying it via phishing, SSH brute forcing, and vulnerable public-facing assets. The observed attacks are highly targeted, suggesting that the group has been focused on remaining under the radar.

Around since at least 2018, Merdoor is injected into legitimate processes using a dropper, which was seen abusing older versions of legitimate applications from McAfee, Sophos, Google, Avast, and Norton for DLL sideloading

On the infected machine, the backdoor installs itself as a service. It includes multiple command-and-control (C&C) communication methods, listens to local ports to receive commands, and has keylogging capabilities.

As part of the analyzed Lancefly attacks, victim credentials were stolen by dumping the memory of a process, the SAM and SYSTEM registry hives, and LSASS memory.

In addition to Merdoor, the APT was also seen using tools such as Impacket Atexec, WinRAR, LSASS Dumper, NBTScan, and the Blackloader and Prcloader loaders, as well as an updated version of the ZXShell rootkit.

Advertisement. Scroll to continue reading.

The rootkit was first detailed in 2014 and its source code has been publicly available for years. Some of the observed rootkit samples, Symantec notes, include an embedded variant of the ZXShell backdoor.

The ZXShell rootkit variant used in Lancefly attacks shows possible links to Chinese threat actors such as APT41 (aka Blackfly/Grayfly), via the signing certificate, and Iron Tiger (aka Budworm/APT27), via files used by a loader component.

Iron Tiger, Symantec explains, used the same files to load the PlugX RAT, which Lancefly relies on as well. Furthermore, the APT also uses the ShadowPad RAT.

According to Symantec, while these links may suggest affiliation to other APTs, they are not conclusive, especially since Chinese threat actors are known to share tools.

“While these overlaps and shared tools may indicate some links between Lancefly activity and activity by other APT groups, none of the overlaps are strong enough to attribute this activity and the development of the Merdoor backdoor to an already-known attack group,” Symantec concludes.

Related: Chinese Cyberspies Use ‘Melofee’ Linux Malware for Stealthy Attacks

Related: Over 200 Organizations Targeted in Chinese Cyberespionage Campaign

Related: EU Organizations Warned of Chinese APT Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


ENISA and CERT-EU warn of Chinese threat actors targeting businesses and government organizations in the European Union.