A new hacking group named Lancefly has been conducting a highly targeted campaign against government, aviation, education, and telecom sectors in South and Southeast Asia since mid-2022.
The group utilizes a powerful backdoor called Merdoor, which has been in use since 2018 and is assessed to be used for intelligence gathering. The attackers also have access to an updated version of the ZXShell rootkit.
The initial intrusion vector used by Lancefly is not clear, but it is suspected to involve phishing lures, SSH brute-forcing, or exploiting internet-exposed servers.
The attack chains lead to the deployment of ZXShell and Merdoor, enabling communication with an actor-controlled server for further commands and keystroke logging. ZXShell, previously linked to Chinese actors, is a rootkit known for harvesting sensitive data.
The ZXShell rootkit used by Lancefly appears to be a smaller-sized version with additional functions, including targeting antivirus software to disable it. The rootkit is signed by the certificate “Wemade Entertainment Co. Ltd,” associated with APT41 (Winnti) in the past. Lancefly’s intrusions also involve the use of PlugX and ShadowPad, modular malware platforms associated with Chinese state-sponsored actors.
Despite the attribution challenges, the Lancefly group has maintained a low-profile approach, selectively deploying the Merdoor backdoor in a small number of targeted attacks. The group’s cautious use of the tool suggests a desire to stay under the radar.
Symantec, tracking the activity, continues to monitor and analyze the campaign to better understand its objectives and potential impact.
