{
	"id": "ca60f53a-dfe3-4252-8860-29889e2da364",
	"created_at": "2026-04-06T01:28:59.374922Z",
	"updated_at": "2026-04-10T03:25:20.339686Z",
	"deleted_at": null,
	"sha1_hash": "7018f2e6148d0ce2465e7cd816099d7d2b157e54",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43176,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:53:44 UTC\r\n APT group: Lancefly\r\nNames Lancefly (Symantec)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2018\r\nDescription\r\n(Symantec) The Lancefly advanced persistent threat (APT) group is using a custom-written\r\nbackdoor in attacks targeting organizations in South and Southeast Asia, in activity that has\r\nbeen ongoing for several years.\r\nLancefly may have some links to previously known groups, but these are low confidence,\r\nwhich led researchers at Symantec, by Broadcom Software, to classify this activity under a\r\nnew group name.\r\nLancefly’s custom malware, which we have dubbed Merdoor, is a powerful backdoor that\r\nappears to have existed since 2018. Symantec researchers observed it being used in some\r\nactivity in 2020 and 2021, as well as this more recent campaign, which continued into the first\r\nquarter of 2023. The motivation behind both these campaigns is believed to be intelligence\r\ngathering.\r\nObserved\r\nSectors: Aviation, Education, Government, Telecommunications.\r\nCountries: South and Southeast Asia.\r\nTools used Merdoor.\r\nInformation\r\n\u003chttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor\u003e\r\nLast change to this card: 21 June 2023\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=afabb609-17a9-4c1f-b288-0500ed42ec51\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=afabb609-17a9-4c1f-b288-0500ed42ec51\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=afabb609-17a9-4c1f-b288-0500ed42ec51"
	],
	"report_names": [
		"showcard.cgi?u=afabb609-17a9-4c1f-b288-0500ed42ec51"
	],
	"threat_actors": [
		{
			"id": "ef8ed28b-6afb-4447-b560-0df2892b8f1c",
			"created_at": "2023-06-23T02:04:34.315779Z",
			"updated_at": "2026-04-10T02:00:04.738599Z",
			"deleted_at": null,
			"main_name": "Lancefly",
			"aliases": [],
			"source_name": "ETDA:Lancefly",
			"tools": [
				"Merdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "81a3e326-a23a-4b8b-ae07-2e6679b3f2b3",
			"created_at": "2023-11-04T02:00:07.682997Z",
			"updated_at": "2026-04-10T02:00:03.391958Z",
			"deleted_at": null,
			"main_name": "Lancefly",
			"aliases": [],
			"source_name": "MISPGALAXY:Lancefly",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438939,
	"ts_updated_at": 1775791520,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7018f2e6148d0ce2465e7cd816099d7d2b157e54.pdf",
		"text": "https://archive.orkl.eu/7018f2e6148d0ce2465e7cd816099d7d2b157e54.txt",
		"img": "https://archive.orkl.eu/7018f2e6148d0ce2465e7cd816099d7d2b157e54.jpg"
	}
}