{ "id": "1d7e0341-0152-40d1-b074-09541eb52415", "created_at": "2026-04-06T00:15:00.164754Z", "updated_at": "2026-04-10T03:25:20.335325Z", "deleted_at": null, "sha1_hash": "2ede79e4e738048d41213c07dec9fb976861b7e8", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 45847, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:43:53 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Merdoor\r\n Tool: Merdoor\r\nNames Merdoor\r\nCategory Malware\r\nType Backdoor, Keylogger\r\nDescription\r\n(Symantec) Merdoor is a fully-featured backdoor that appears to have been in existence since\r\n2018.\r\nThe backdoor contains the following functionality:\r\n• Installing itself as a service\r\n• Keylogging\r\n• A variety of methods to communicate with its command-and-control (C\u0026C) server (HTTP,\r\nHTTPS, DNS, UDP, TCP)\r\n• Ability to listen on a local port for commands\r\nInformation\r\n\u003chttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.merdoor\u003e\r\nLast change to this tool card: 13 October 2023\r\nDownload this tool card in JSON format\r\nAll groups using tool Merdoor\r\nChanged Name Country Observed\r\nAPT groups\r\n  Lancefly [Unknown] 2018  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e3a23b2e-3e2f-462f-9d4d-f3b13f8995a9\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e3a23b2e-3e2f-462f-9d4d-f3b13f8995a9\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e3a23b2e-3e2f-462f-9d4d-f3b13f8995a9\r\nPage 2 of 2\n\nAPT groups Lancefly [Unknown] 2018\n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e3a23b2e-3e2f-462f-9d4d-f3b13f8995a9" ], "report_names": [ "listgroups.cgi?u=e3a23b2e-3e2f-462f-9d4d-f3b13f8995a9" ], "threat_actors": [ { "id": "ef8ed28b-6afb-4447-b560-0df2892b8f1c", "created_at": "2023-06-23T02:04:34.315779Z", "updated_at": "2026-04-10T02:00:04.738599Z", "deleted_at": null, "main_name": "Lancefly", "aliases": [], "source_name": "ETDA:Lancefly", "tools": [ "Merdoor" ], "source_id": "ETDA", "reports": null }, { "id": "81a3e326-a23a-4b8b-ae07-2e6679b3f2b3", "created_at": "2023-11-04T02:00:07.682997Z", "updated_at": "2026-04-10T02:00:03.391958Z", "deleted_at": null, "main_name": "Lancefly", "aliases": [], "source_name": "MISPGALAXY:Lancefly", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434500, "ts_updated_at": 1775791520, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/2ede79e4e738048d41213c07dec9fb976861b7e8.pdf", "text": "https://archive.orkl.eu/2ede79e4e738048d41213c07dec9fb976861b7e8.txt", "img": "https://archive.orkl.eu/2ede79e4e738048d41213c07dec9fb976861b7e8.jpg" } }