Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign (May 15, 2023)

Ref# AL2023_40 | Date: May 24th 2023


Government, aviation, education, and telecommunication sectors located in South and Southeast Asia came in contact with a new hacking group as part of a highly-targeted campaign that commenced in mid-2022 and continued into the first quarter of 2023. Symantec is tracking the activity under its insect-themed monikerLancefly, with the attacks making use of a “powerful” backdoor called Merdoor. 

Evidence gathered so far points to the custom implant being utilized as far back as 2018. The ultimate goal of the campaign, based on the tools and the victimology pattern, is assessed to be intelligence gathering. 


The ultimate goal of the campaign, based on the tools and the victimology pattern, is intelligence gathering. The backdoor is used quite selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted.  

The attackers in this campaign also have access to an updated version of the ZXShell rootkit. ZXShell,discoveredby Cisco in October 2014, is a rootkit that comes with various features to harvest sensitive data from infected hosts. The use of ZXShell has been linked to various Chinese actors likeAPT17(Aurora Panda) and APT27(Budworm or Emissary Panda). While the exact initial intrusion vector used is currently unknown, it is suspected to have involved the use of phishing lures, SSH brute-forcing, or the exploitation of internet-exposed servers. The attack chains ultimately lead to the deployment of ZXShell and Merdoor, a fully-featured malware that can communicate with an actor-controlled server for further commands and log keystrokes. 

The backdoor contains the following functionality: 

  • Installing itself as a service 

  • Keylogging 

  • A variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP) 

  • Ability to listen on a local port for commands 

The source code of this rootkit is publicly available so it may be used by multiple different groups,” a statement made by Symantec. The new version of the rootkit used by Lancefly appears to be smaller in size, while it also has additional functions and targets additional antivirus software to disable. Another Chinese link comes from the fact that the ZXShell rootkit is signed by the certificate “Wemade Entertainment Co. Ltd,” which waspreviously reportedby Mandiant in August 2019 to be associated withAPT41also known as Winnti. 

Lancefly”s intrusions have also been identified as employingPlugXand its successorShadowPad, the latter of which is a modular malware platform privately shared among multiple Chinese state-sponsored actors since 2015. That said, it”s also known thatcertificate and tool sharingis prevalent among Chinese state-sponsored groups, making attribution to a specific known attack crew difficult. While the Merdoor backdoor appears to have been in existence for several years, it appears to only have been used in a small number of attacks in that time period. This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar. 


  1. It is imperative to download the latest operating system updates as this will cover security patches and existing vulnerabilities needed.
  2. Do not download and install from unknown sources nor open email attachments from unknown senders.  

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 

PDF Download: Powerful backdoor and implant discovered in year-long campaign.pdf