ETDA: Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Lancefly

Names: Lancefly (Symantec)
Motivation: Information theft and espionage
First seen: 2018
Description: (Symantec) The Lancefly advanced persistent threat (APT) group is using a custom-written backdoor in attacks targeting organizations in South and Southeast Asia, in activity that has been ongoing for several years.

Lancefly may have some links to previously known groups, but these are low confidence, which led researchers at Symantec, by Broadcom Software, to classify this activity under a new group name.

Lancefly’s custom malware, which we have dubbed Merdoor, is a powerful backdoor that appears to have existed since 2018. Symantec researchers observed it being used in some activity in 2020 and 2021, as well as this more recent campaign, which continued into the first quarter of 2023. The motivation behind both these campaigns is believed to be intelligence gathering.
Observed:
  Sectors: Aviation, Education, Government, Telecommunications.
  Countries: South and Southeast Asia.
Tools used: Merdoor.

Last change to this card: 21 June 2023
