Wednesday, April 30, 2025
HomeCyber AttackLancefly APT Hackers Using Custom Backdoor to Attack Government Orgs

Lancefly APT Hackers Using Custom Backdoor to Attack Government Orgs

Published on

SIEM as a Service

Follow Us on Google News

The cybersecurity researchers at Symantec Threat Labs recently discovered APT hacking group has been utilizing the specialized ‘Merdoor’ backdoor malware to conduct precise and prolonged attacks on the following sectors in South and Southeast Asia since 2018:-

  • Government
  • Aviation
  • Telecommunication

While apart from this, since 2018, Lancefly has been using the Merdoor backdoor malware in specific attacks.

Symantec researchers have observed the usage of this backdoor malware in multiple campaigns, spanning from 2020 to the first quarter of 2023, with the primary aim of spying and gathering intelligence reports.

- Advertisement - Google News

Lancefly APT Hackers Attack Chain

Although Symantec has not identified the precise initial infection method employed by Lancefly, evidence suggests that the group has utilized techniques such as phishing emails, SSH credential brute forcing, and exploiting vulnerabilities in public-facing servers to gain unauthorized access.

The attackers inject the Merdoor backdoor through DLL side-loading into legitimate Windows processes, such as “perfhost.exe” or “svchost.exe,” to help the malware evade detection once it gains a foothold on the target system.

The Merdoor dropper contains three files, and it is a self-extracting RAR (SFX):-

  • A legitimate and signed binary vulnerable to DLL search-order hijacking
  • A malicious loader (Merdoor loader)
  • An encrypted file (.pak) containing the final payload (Merdoor backdoor)

The Merdoor dropper, upon execution, extracts embedded files and leverages older versions of five legitimate applications to facilitate DLL sideloading for loading the Merdoor loader.

After installing itself as a service that persists between reboots, the Merdoor backdoor establishes communication with the C2 server via several supported protocols. It awaits further instructions, enabling Lancefly to maintain access and a foothold on the victim’s system.

Here below, we have mentioned all the supported communication protocols:-

  • HTTP
  • HTTPS
  • DNS
  • UDP
  • TCP

Merdoor functions as a backdoor that can receive commands through local ports and records keystrokes to gather potentially useful information.

To swiftly execute scheduled tasks on remote systems through SMB, Lancefly utilizes Impacket’s ‘Atexec’ feature. At the same time, it does so as a means to propagate through the network or eliminate output files generated by previous commands.

The attackers employ memory dumping, stealing registry hives, and encrypting files with a disguised WinRAR tool, followed by likely exfiltration using Merdoor to steal credentials and extract sensitive data.

Attack Chain Tools and TTPs

Here below, we have mentioned all the attack chain tools and TTPs:-

  • Impacket Atexec
  • Suspicious SMB activity
  • WinRAR
  • LSSAS Dumper
  • NBTScan
  • Blackloader
  • Prcloader

ZXShell Rootkit

Lancefly attacks incorporate an upgraded ZXShell rootkit, leveraging its advanced capabilities through the “FormDII.dll” loader, which enables the deployment of tailored payloads, execution of shellcode, termination of processes, and additional functionalities based on the host’s system architecture.

Lancefly uses a shared codebase for their tools, as evidenced by the common code between the rootkit’s installation and updating utility and the Merdoor loader, with the former also capable of:-

  • Creating services
  • Modifying the registry
  • Compressing its executable to evade detection

Possible Links

Although the ZXShell rootkit has been used by multiple Chinese APT groups, including APT17 and APT41, the connection to Lancefly is tenuous due to the rootkit’s public availability for years.

The rootkit loader name “formdll.dll” used by Lancefly has been observed in a previous APT27 campaign, but it remains uncertain if this choice intentionally confuses analysts and hinders attribution efforts.

The utilization of commonly employed PlugX and ShadowPad remote access trojans (RATs), shared by multiple Chinese APT groups, provides additional support for the proposition that Lancefly has Chinese origins.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Microsoft Telnet Server Flaw Lets Attackers Bypass Guest Login Restrictions

A newly disclosed vulnerability in Microsoft’s Telnet Server component is making headlines after researchers...

Firefox 138 Launches with Patches for Several High-Severity Flaws

Mozilla has officially released Firefox 138, marking a significant update focused on user security....

Anthropic Report Reveals Growing Risks from Misuse of Generative AI Misuse

A recent threat report from Anthropic, titled “Detecting and Countering Malicious Uses of Claude:...

Link11 brings three brands together on one platform with new branding

Link11 has fully integrated DOSarrest and Reblaze to become one of Europe's leading providers...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Microsoft Telnet Server Flaw Lets Attackers Bypass Guest Login Restrictions

A newly disclosed vulnerability in Microsoft’s Telnet Server component is making headlines after researchers...

Firefox 138 Launches with Patches for Several High-Severity Flaws

Mozilla has officially released Firefox 138, marking a significant update focused on user security....

Anthropic Report Reveals Growing Risks from Misuse of Generative AI Misuse

A recent threat report from Anthropic, titled “Detecting and Countering Malicious Uses of Claude:...