office building at night
Image: Carsten Ruthemann via Pexels

‘Lancefly’ espionage group targeting organizations across Asia with custom malware

A government-backed hacking group known as “Lancefly” has been seen using custom-made malware to attack governments, telecoms and other organizations across Asia.

Researchers from Symantec said Lancefly, labeled as an advanced persistent threat (APT), was previously implicated in several 2020 attacks that used phishing lures based on the 37th ASEAN Summit.

The latest campaign — which ran from the middle of 2022 through the first quarter of 2023 — targets organizations in South and Southeast Asia, in sectors including government, aviation, education and telecoms.

The backdoor used by the group, named Merdoor, has been around since 2018 but has been used in a “highly targeted” fashion against “just a handful of networks and a small number of machines over the years,” Symantec said.

The researchers tracked the backdoor’s use in two different campaigns and said the goal of both was intelligence gathering. Merdoor allows hackers to track actions, log keystrokes and communicate directly with an infected device.

“This recent Lancefly activity is of note due to its use of the Merdoor backdoor, but also the low prevalence of this backdoor and the seemingly highly targeted nature of these attacks. While the Merdoor backdoor appears to have been in existence for several years, it appears to only have been used in a small number of attacks in that time period. This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar,” the researchers said.

Intelligence gathering appears to be the main motivation, given the tools and the targeted sectors, Symantec said.

“The similarities between this recent activity and earlier activity by Lancefly indicate that the group perhaps did not realize the earlier activity had been discovered, so it was not concerned about links being made between the two,” the researchers said. “Whether or not the exposure of this activity will lead to any alteration in how the group carries out its activity remains to be seen.”

Symantec declined to name the country behind Lancefly or the countries that were targeted, but several other tools used by the group — including malware like PlugX and ShadowPad — are hallmarks of Chinese government hackers.

The researchers said they were not comfortable attributing the campaign to Chinese actors, noting that none of the overlaps in tactics and tools “are strong enough to attribute this activity and the development of the Merdoor backdoor to an already-known attack group.”

While the 2020 and 2021 campaigns used phishing lures based on the ASEAN Summit, Symantec researchers said the group now uses a variety of initial infection vectors, showing that they are “adaptable.”

In addition to malware, the group also used other methods, including legitimate tools from Avast and WinRAR, to help gather data and exfiltrate it.

The researchers noted that one of the tools is signed by the certificate "Wemade Entertainment Co. Ltd," which was previously reported to be associated with APT41, one of China’s most prolific hacking groups.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.