Merdoor Malware Detection: Lancefly APT Uses a Stealthy Backdoor in Long-Running Attacks Against Organizations in South and Southeast Asia

A novel hacking collective tracked as Lancefly APT has recently been observed using a custom Merdoor backdoor to attack organizations in the government, telecom, and aviation sectors across South and Southeast Asia. According to the latest reports, these targeted intrusions point to a long-running adversary campaign leveraging Merdoor samples, with the first traces dating back to 2018.

Detecting Merdoor Backdoor by Lancefly 

Lancefly APT is a novel player on the block who managed to fly under the radar for years, covertly targeting organizations with a custom Merdoor backdoor. To help cyber defenders proactively withstand the potential attacks, SOC Prime’s Detection as Code Platform aggregated a relevant Sigma rule to identify suspicious behavior associated with Merdoor:

Suspicious MERDOOR BackDoor Behaviors Persistence By Detection of Deletion Registry .[via Registry_Event] 

This rule by our keen Threat Bounty developer Phyo Paing Htun is compatible with 21 SIEM, EDR, XDR, and BDP platforms and mapped to MITRE ATT&CK framework v12 addressing Defense Evasion tactics with Modify Registry (T1112) as a corresponding technique. 

Threat Hunters and Detection Engineers who are seeking ways to monetize their professional skills while contributing to a safer tomorrow are more than welcome to bolster the ranks of collective cyber defense by joining SOC Prime’s Threat Bounty Program. Submit your own Sigma rules, get them verified and published to our Threat Detection Marketplace, and receive recurring payouts for your invaluable contribution.

Due to the ever-growing threat posed by APT collectives, security professionals are looking for a reliable source of detection content to identify associated cyber attacks on time. Hit the Explore Detections button below and immediately drill down to the full collection of Sigma rules to detect tools and attack techniques associated with APT groups. All the detection algorithms are accompanied by the corresponding ATT&CK references, threat intelligence links, and other relevant metadata.

Explore Detections

Merdoor Backdoor Analysis

According to research by Symantec Threat Labs, an adversary campaign that has been active for half a decade came to light in May 2023. In these long-running intrusions, a novel APT collective going by the moniker Lancefly leverages a recently uncovered Merdoor backdoor targeting organizations across multiple industry sectors in Asia. Experts found that the threat actors also used Merdoor earlier, in 2020 and 2021, and that this activity shows some similarities with the most recent cyber attacks.

According to the report, Lancefly threat actors largely focus on cyber-espionage activity, striving to collect intelligence from compromised users. The Merdoor malware applied in the sophisticated campaigns has been in the spotlight since at least 2018. The malware is a self-extracting archive capable of installing itself as a service, performing keylogging, and using a broad set of methods for C2 server communication.

In earlier malicious operations, the Lancefly actors took advantage of the phishing attack vector, while in the latest campaign, the initial attack vectors might be SSH brute forcing or a public-facing server. Also, in the latest attacks, threat actors displayed behavior patterns similar to their previous campaigns, using a set of non-malware techniques, like PowerShell and masqueraded versions of legitimate tools, to dump user credentials on the targeted systems.

The common Merdoor infection starts with the backdoor being injected into one of the legitimate processes (perfhost.exe or svchost.exe), followed by its connection to the C2 server. Further, attackers perform command execution for process injection or to dump LSASS memory, the latter enabling them to steal user credentials and gain extended access to targeted networks. Then adversaries might use a disguised WinRAR archive manager before data exfiltration. Also, Lancefly actors have been spotted using Blackloader and Prcloader, which are linked to the notorious PlugX malware. In the latest campaign, the hacking collective has also leveraged an upgraded version of the ZXShell rootkit, which is more advanced than its previous iterations: it is smaller in size and applies more sophisticated detection evasion techniques.
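The behaviors in this chain can be triaged from endpoint telemetry. The following is an added example, not SOC Prime's Sigma rule and not code from the Symantec report: it checks Sysmon-style process-creation (Event ID 1) and process-access (Event ID 10) records for a shell spawned by the named injection hosts, an LSASS memory read from those hosts, and a binary whose version-info name differs from its name on disk. The shell list, finding labels and sample events are assumptions constructed for illustration.

```python
import ntpath

# Host processes the article names as Merdoor injection targets.
INJECTION_HOSTS = {"perfhost.exe", "svchost.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}   # assumption: shells worth flagging
PROCESS_VM_READ = 0x0010                 # access right needed to read memory

def base(path):
    """Lower-cased file name of a Windows path (empty string if missing)."""
    return ntpath.basename(path or "").lower()

def triage(event):
    """Return finding labels (hypothetical names) for one event dict."""
    findings = []
    if event.get("EventID") == 1:        # process creation
        image = base(event.get("Image"))
        original = (event.get("OriginalFileName") or "").lower()
        if original.endswith(".mui"):    # localized resources append .mui
            original = original[:-4]
        if base(event.get("ParentImage")) in INJECTION_HOSTS and image in SHELLS:
            findings.append("shell_from_injection_host")
        # Masquerading: version-info name disagrees with the name on disk.
        if original not in ("", "-", "?") and original != image:
            findings.append("renamed_binary")
    elif event.get("EventID") == 10:     # process access
        access = int(event.get("GrantedAccess", "0x0"), 16)
        if (base(event.get("TargetImage")) == "lsass.exe"
                and base(event.get("SourceImage")) in INJECTION_HOSTS
                and access & PROCESS_VM_READ):
            findings.append("lsass_memory_read")
    return findings

SAMPLE = [  # constructed events, not taken from the report
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "ParentImage": r"C:\Windows\SysWOW64\perfhost.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\SysWOW64\perfhost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": r"C:\ProgramData\update.exe",
     "OriginalFileName": "WinRAR.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

def run():
    """Triage every constructed sample event, in order."""
    return [triage(e) for e in SAMPLE]

if __name__ == "__main__":
    for event, found in zip(SAMPLE, run()):
        print(found or "clean", "<-", base(event.get("Image") or event.get("SourceImage")))
```

The second sample event shows why the access mask matters: svchost.exe routinely opens LSASS with query-only rights, so only handles that include the memory-read right are flagged.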

Lancefly threat actors might be linked to the APT41 group due to the common ZXShell rootkit certificate; however, the latter, similarly to other Chinese-backed threat actors, is known to share certificates with other adversaries. Also, Lancefly might be affiliated with the adversary activity of the Chinese APT groups due to the use of PlugX and ShadowPad in their campaigns, which are both commonly used in the adversary toolkit of the Chinese state-backed actors. Still, there is not yet enough evidence to link the Lancefly malicious activity to any of the notorious hacking collectives.

With the growing volumes of destructive attacks attributed to nation-backed hacking collectives, including Chinese APT groups causing havoc in the cyber threat arena, cyber defenders are looking for ways to risk-optimize their cybersecurity posture. With SOC Prime, over 900 Sigma rules for APT-related tools and cyber attacks are just a click away! Get 200+ Sigma rules for free or obtain the entire detection stack with On Demand at
