{
	"id": "7a734aaa-4708-4451-9602-b9fe20db5f65",
	"created_at": "2026-04-06T00:22:05.701272Z",
	"updated_at": "2026-04-10T13:12:46.175083Z",
	"deleted_at": null,
	"sha1_hash": "9cf1b38d9ce10a3a2b12c924ee45c66bf7bb861a",
	"title": "Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 106227,
	"plain_text": "Lancefly: Group Uses Custom Backdoor to Target Orgs in\r\nGovernment, Aviation, Other Sectors\r\nArchived: 2026-04-02 10:53:25 UTC\r\nThe Lancefly advanced persistent threat (APT) group is using a custom-written backdoor in attacks targeting\r\norganizations in South and Southeast Asia, in activity that has been ongoing for several years.\r\nLancefly may have some links to previously known groups, but these are low confidence, which led researchers at\r\nSymantec, by Broadcom Software, to classify this activity under a new group name.\r\nLancefly’s custom malware, which we have dubbed Merdoor, is a powerful backdoor that appears to have existed\r\nsince 2018. Symantec researchers observed it being used in some activity in 2020 and 2021, as well as this more\r\nrecent campaign, which continued into the first quarter of 2023. The motivation behind both these campaigns is\r\nbelieved to be intelligence gathering.\r\nThe backdoor is used very selectively, appearing on just a handful of networks and a small number of machines\r\nover the years, with its use appearing to be highly targeted. The attackers in this campaign also have access to an\r\nupdated version of the ZXShell rootkit.\r\nThe targets in this most recent activity, which began in mid-2022 and continued into 2023, are based in South and\r\nSoutheast Asia, in sectors including government, aviation, education, and telecoms. Symantec researchers\r\npreviously saw the Merdoor backdoor used in activity that targeted victims in the same geographies in the\r\ngovernment, communications, and technology sectors in 2020 into 2021. 
Like this recent activity, that activity also\r\nappeared to be highly targeted, with only a small number of machines infected.\r\nMerdoor Backdoor\r\nMerdoor is a fully-featured backdoor that appears to have been in existence since 2018.\r\nThe backdoor contains the following functionality:\r\nInstalling itself as a service\r\nKeylogging\r\nA variety of methods to communicate with its command-and-control (C\u0026C) server (HTTP, HTTPS, DNS,\r\nUDP, TCP)\r\nAbility to listen on a local port for commands\r\nInstances of the Merdoor backdoor are usually identical with the exception of embedded and encrypted\r\nconfiguration, which determines:\r\nC\u0026C communication method\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor\r\nPage 1 of 14\n\nService details\r\nInstallation directory\r\nTypically, the backdoor is injected into the legitimate processes perfhost.exe or svchost.exe.\r\nThe Merdoor dropper is a self-extracting RAR (SFX) that contains three files:\r\nA legitimate and signed binary vulnerable to DLL search-order hijacking\r\nA malicious loader (Merdoor loader)\r\nAn encrypted file (.pak) containing final payload (Merdoor backdoor)\r\nWhen opened, the dropper extracts embedded files and executes a legitimate binary in order to load the Merdoor\r\nloader.\r\nMerdoor dropper variants have been found that abuse older versions of five different legitimate applications for\r\nthe purpose of DLL sideloading:\r\nAttack Chain\r\nEvidence from Lancefly’s earlier campaign that began in 2020 suggested that in that instance the group may have\r\nused a phishing email with a lure based on the 37th ASEAN Summit as an initial infection vector.\r\nIn this more recent activity, the initial infection vector was not entirely clear. 
We saw some indications of what the\r\ninitial infection vector may have been in two victims, though this was not conclusive.\r\nIn one of the government sector victims, there were indications that the initial infection vector may have\r\nbeen SSH brute forcing. Multiple open-source sources associate one of the IP addresses used by the threat\r\nactors in this activity with SSH brute forcing.\r\nIn another victim, a file path (Csidl_program_files\\loadbalancer\\ibm\\edge\\lb\\servers\\bin) indicates a load\r\nbalancer may have been exploited for access, indicating that the initial infection vector may have been an\r\nexposed public-facing server.\r\nWhile evidence for any of these infection vectors is not definitive, it does appear to indicate that Lancefly is\r\nadaptable when it comes to the kind of infection vectors it uses.\r\nCredential theft using non-malware techniques\r\nIn activity that also aligned with their earlier campaign in 2020/2021, the attackers used a number of non-malware\r\ntechniques for credential theft on victim machines:\r\nPowerShell was used to launch rundll32.exe in order to dump the memory of a process using the\r\nMiniDump function of comsvcs.dll. This technique is often used to dump LSASS memory.\r\nReg.exe was used to dump the SAM and SYSTEM registry hives.\r\nA legitimate tool by Avast was installed by the attackers and used to dump LSASS memory.\r\nThe attackers also used a masqueraded version of the legitimate archiving tool WinRAR to stage and encrypt files\r\nbefore exfiltration.\r\nNotable attack chain tools and TTPs\r\nImpacket Atexec: A dual-use tool that can be used by malicious actors to create and run an immediate\r\nscheduled task on a remote target via SMB in order to execute commands on a target system. 
It is used by\r\nLancefly for lateral movement across victim networks, also possibly for shellcode execution and evasion. It\r\nmay have been used to delete cmdline output files.\r\nSuspicious SMB activity: Suspicious SMB activity is seen on numerous victim machines. This is likely\r\nrelated to the use of Impacket by the threat actors.\r\nWinRAR: An archive manager that can be used to archive or zip files – for example, prior to exfiltration.\r\nIt is not clear how the attackers exfiltrate the data from victim machines, but it is most likely via Merdoor.\r\nLSASS Dumper: Allows the attackers to swiftly steal credentials they can then use to gain further access\r\nacross victim networks.\r\nNBTScan: Open-source command-line NetBIOS scanner. This can be used to gather information on a\r\nnetwork.\r\nBlackloader and Prcloader: Loaders used by the group. These loaders were also both used in earlier\r\nMerdoor activity in 2020 and 2021. They have been linked to the delivery of PlugX. Both loaders appear to\r\nbe sideloaded onto victim machines. It is not clear if these loaders are exclusively used by Lancefly or if\r\ntheir use is shared across multiple groups.\r\nA typical Merdoor attack chain, as seen in one of the victims, appears to be:\r\nMerdoor injected into either perfhost.exe or svchost.exe.\r\nSuspicious SMB activity is then normally observed, and the backdoor connects to its C\u0026C server.\r\nThis is often followed by suspicious living-off-the-land activity, such as the execution of commands like\r\nmavinject.exe (which can be used for process injection) and createdump.exe (which can be used to dump a\r\nprocess, e.g. LSASS).\r\nA masqueraded WinRAR (wmiprvse.exe) file is then used to stage and encrypt files, presumably prior to\r\nexfiltration. 
We do not actually see the files being exfiltrated from victim networks, but we presume the\r\nMerdoor backdoor itself is used to exfiltrate them.\r\nZXShell Rootkit Technical Details\r\nThe ZXShell rootkit was first reported on by Cisco in 2014, but the version of the tool used by Lancefly is\r\nupdated, indicating that it continues to be actively developed. The source code of this rootkit is publicly available,\r\nso it may be used by multiple different groups. The new version of the rootkit used by Lancefly appears to be\r\nsmaller in size, while it also has additional functions and targets additional antivirus software to disable.\r\nLoader\r\nThe loader for the rootkit is a 32-bit DLL with the export directory name \"FormDll.dll\" (SHA256:\r\n1f09d177c99d429ae440393ac9835183d6fd1f1af596089cc01b68021e2e29a7).\r\nIt has the following exports:\r\n\"CallDriver\"\r\n\"DoRVA\"\r\n\"KillAvpProcess\"\r\n\"LoadSys\"\r\n\"ProtectDllFile\"\r\nExport \"LoadSys\"\r\nWhenever the export \"LoadSys\" is executed, it drops one of the following files based on the processor\r\narchitecture:\r\n\"[WindowsDirectory]\\system32\\drivers\\TdiProxy.sys\"\r\n\"[WindowsDirectory]\\system64\\drivers\\TdiProxy.sys\"\r\nThese files are a malicious Windows kernel driver. This is a variant of a driver that was first documented in an\r\nRSA blog several years ago.\r\nIt has the PDB filename: \"c:\\google\\objchk_win7_amd64\\amd64\\Google.pdb\"\r\nThe sample creates the device: \"\\Device\\TdiProxy0\".\r\nIt also creates the symbolic link \"\\DosDevices\\TdiProxy0\", so that it can be controlled using the pathname\r\n\"\\\\.\\TdiProxy0\".\r\nAfter this, the loader timestamps the dropped file by copying the timestamps from the file\r\n\"[WindowsDirectory]\\system32\\drivers\\http.sys\".\r\nThen it creates a service with the following parameters:\r\nServiceName = \"TdiProxy0\"\r\nDisplayName = \"TdiProxy0\" (later replaced with \"TdiProxy\")\r\nBinaryPathName = \"[WindowsDirectory]\\system32\\drivers\\TdiProxy.sys\"\r\nExport \"CallDriver\"\r\n\"CallDriver\" opens the device \"\\\\.\\TdiProxy0\", which was created by the malicious kernel driver, and\r\ncommunicates with it using the DeviceIoControl API.\r\nThe export expects two arguments. The first argument determines the dwIoControlCode parameter to use when\r\ncalling the DeviceIoControl API and it should be one of the following strings:\r\n\"-init\",\r\n\"-file\",\r\n\"-pack\",\r\n\"-port\",\r\n\"-removetcpview\",\r\n\"-tcpview\",\r\n\"-clearall\",\r\n\"-clear\",\r\n\"-transport\",\r\n\"-waitport\",\r\n\"-kill\",\r\n\"-antiscan\",\r\n\"-removeprocessnotify\",\r\n\"-setprocessnotify\",\r\n\"-antiantigp\",\r\n\"-hideproc\",\r\n\"-hidekey\",\r\n\"-hidefile\",\r\n\"-setprotect\",\r\nAny other values result in what looks like a buggy dwIoControlCode value. 
The second argument is a string to\r\npass as the lpInBuffer parameter when calling the DeviceIoControl API, after conversion using the\r\nMultiByteToWideChar API.\r\nExport \"DoRVA\"\r\nWhenever the export \"DoRVA\" is executed, it reads the following file:\r\n\"[file_directory_of_the_DLL]\\Form.hlp\"\r\nThe file should start with the magic string \"AP32\" and contains shellcode to execute in compressed form.\r\nExport \"KillAvpProcess\"\r\nThis enumerates running processes and, for selected processes, calls its own export \"CallDriver\" with the\r\nfollowing parameters:\r\nfirst parameter: \"-kill\"\r\nsecond parameter: \"[ProcessID]\"\r\nThe export expects a single string parameter to compare with the executable file of running processes for\r\nselection.\r\nExport \"ProtectDllFile\"\r\nThis calls its own export \"CallDriver\" with the following parameters:\r\nfirst parameter: \"-file\"\r\nsecond parameter: \"[file_path_of_the_DLL]\"\r\nNext, it sets the following registry value:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ptdf\\\"ptdffile\" = \"[file_path_of_the_DLL]\"\r\nLoadpoint\r\nThis is a 32-bit executable with the PDB filename: \"M:\\Project\\database\\10.0.18362\\Form\\Release\\Form.pdb\"\r\n(SHA256: 180970fce4a226de05df6d22339dd4ae03dfd5e451dcf2d464b663e86c824b8e).\r\nWhenever the sample is executed, it loads the following DLL:\r\n\"[file_path_of_the_running_executable]\\FormDll.dll\"\r\nIt also calls its export: \"DoRVA\".\r\nInstallation and Update Utility\r\nThe installation and update utility is a 32-bit PE executable (SHA256:\r\na6020794bd6749e0765966cd65ca6d5511581f47cc2b38e41cb1e7fddaa0b221) that shares small but distinctive\r\nfragments of code with the Merdoor loader, which is what indicates they are part of the same toolset.\r\nWhenever the sample is executed, it attempts to read and delete the following file 
containing its configuration\r\ndata:\r\n\"[file_directory_of_running_executable]\\res.ini\"\r\nUpdate functionality\r\nNext, it checks that:\r\nthe \"\\\\.\\TdiProxy0\" device is available, and\r\nits own process was started with the command-line parameter \"-up\".\r\nIf both checks pass, the sample attempts to tamper with various antivirus products using the \"\\\\.\\TdiProxy0\"\r\ndevice. For example, it may terminate the processes \"egui.exe\", \"ekrn.exe\", and \"msmpeng.exe\".\r\nNext, it attempts to rename the file \"[FILE_DIRECTORY_OF_RUNNING_EXECUTABLE]\\res.dat\" as one of\r\nthe following (depending on the Windows version):\r\n\"[SystemDrive]\\Users\\All Users\\Windows Defender\\temp.temp\"\r\n\"[WindowsDirectory]\\temp.temp\".\r\nBased on the structure of the code, the above file should start with the magic string \"AP32\" and could contain a\r\nDLL file in compressed form. The sample then decompresses the renamed file \"temp.temp\". When\r\ndecompressing, it may create the temporary file \"temp.temp.pack\" in the same folder.\r\nNext, the sample appends a certain marker followed by the content of\r\n\"[FILE_DIRECTORY_OF_RUNNING_EXECUTABLE]\\res.ini\" (partially transformed using the XOR algorithm\r\nwith the byte key 0x12) at the end of the decompressed file.\r\nAdditionally, it also creates the following registry value:\r\nHKEY_CLASSES_ROOT\\.udf\\\"BINTYPE\" = [content of \"[file_directory_of_running_executable]\\res.ini\"\r\n(partially transformed using the XOR algorithm with the byte key 0x12)]\r\nThen the sample checks if the following file exists:\r\n\"[SystemDrive]\\Users\\All Users\\Windows Defender\\DefenderSvc.dll\"\r\nIf so, the sample renames the updated \"temp.temp\" file to replace it.\r\nOtherwise, it checks the following registry value for the pathname to 
replace:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ecdf\\\"ecdffile\"\r\nIf that fails, it uses a default from configuration data.\r\nFinally, it checks the following registry value for a service name:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tudf\\\"tudffile\"\r\nIt restarts the referenced service.\r\nInstallation functionality\r\nThe sample attempts to decompress the following file:\r\n\"[FILE_DIRECTORY_OF_RUNNING_EXECUTABLE]\\google64.p\" (64-bit processor architecture), or\r\n\"[FILE_DIRECTORY_OF_RUNNING_EXECUTABLE]\\google32.p\" (32-bit processor architecture)\r\nas:\r\n\"[WindowsDirectory]\\Microsoft.NET\\Framework64\\iesockethlp.dll\" (64-bit processor architecture), or\r\n\"[WindowsDirectory]\\Microsoft.NET\\Framework\\iesockethlp.dll\" (32-bit processor architecture)\r\nThen it may modify one of the following registry values to hijack the corresponding service:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\exfat\\\"ImagePath\" = \"\\??\\[PATHNAME_OF_FILE_DECOMPRESSED_ABOVE]\", or\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RDPWD\\\"ImagePath\" = \"\\??\\[PATHNAME_OF_FILE_DECOMPRESSED_ABOVE]\"\r\nNext, it starts the corresponding service and then removes the registry value. 
It then attempts to tamper with\r\nvarious antivirus products using the \"\\\\.\\TdiProxy0\" device.\r\nNext, it creates a service with the following parameters:\r\nServiceName: \"[PER CONFIGURATION DATA]\"\r\nImagePath:\r\n\"%SystemRoot%\\System32\\svchost.exe -k netsvcs\", or\r\n\"%SystemRoot%\\System32\\svchost.exe -k ntmssvcs\"\r\nParameters:\r\nServiceDll:\r\n\"C:\\WINDOWS\\Microsoft.NET\\Framework64\\[PER CONFIGURATION DATA]\", or\r\n\"C:\\WINDOWS\\Microsoft.NET\\Framework\\[PER CONFIGURATION DATA]\"\r\nThen it creates the following registry value:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tudf\\\"tudffile\" = [NAME OF CREATED SERVICE]\r\nIt then deletes the following registry values:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ptdf\\\"ptdffile\"\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ecdf\\\"ecdffile\"\r\nNext, it renames the following file:\r\n\"[FILE_DIRECTORY_OF_RUNNING_EXECUTABLE]\\res.dat\"\r\nas:\r\n\"[WindowsDirectory]\\Microsoft.NET\\Framework64\\[PER CONFIGURATION DATA].back\" (64-bit\r\nprocessor architecture), or\r\n\"[WindowsDirectory]\\Microsoft.NET\\Framework\\[PER CONFIGURATION DATA].back\" (32-bit\r\nprocessor architecture)\r\nBased on the structure of the code, the above file should start with the magic string \"AP32\" and could contain a\r\nDLL file in compressed form (using aPLib for compression).\r\nThe sample then decompresses the renamed \"[PER CONFIGURATION DATA].back\" as \"[PER CONFIGURATION DATA]\".\r\nNext, the sample appends a certain marker followed by the content of\r\n\"[FILE_DIRECTORY_OF_RUNNING_EXECUTABLE]\\res.ini\" (partially transformed using the XOR algorithm\r\nwith the byte key 0x12) at the end of the decompressed file.\r\nAdditionally, it also creates the following registry value:\r\nHKEY_CLASSES_ROOT\\.udf\\\"BINTYPE\" = [content of 
\"[FILE_DIRECTORY_OF_RUNNING_EXECUTABLE]\\res.ini\" (partially transformed using the XOR\r\nalgorithm with the byte key 0x12)]\r\nFinally, when the configuration data includes the option \"OneSelfKey\", it makes a compressed copy of its own\r\nexecutable (using aPLib for compression) as:\r\n\"[WindowsDirectory]\\SysWOW64\\nethlp.hlp\" (64-bit processor architecture), or\r\n\"[WindowsDirectory]\\system32\\nethlp.hlp\" (32-bit processor architecture).\r\nSome samples include an embedded archive with the final payload:\r\n\"Msrpcsvc.dll\"\r\nThis is a variant of the ZXShell backdoor (SHA256:\r\nd5df686bb202279ab56295252650b2c7c24f350d1a87a8a699f6034a8c0dd849).\r\nPossible Links to Other Groups\r\nThe ZXShell rootkit used by Lancefly is signed by the certificate \"Wemade Entertainment Co. Ltd\", which was\r\npreviously reported to be associated with APT41 (aka Blackfly/Grayfly). However, it is known that Chinese APT\r\ngroups, such as APT41, often share certificates with other APT groups. The ZXShell backdoor has also previously\r\nbeen used by the HiddenLynx/APT17 group, but as the source code of ZXShell is now publicly available this does\r\nnot provide a definitive link between these two groups.\r\nAlso notable is that the ZXShell rootkit loader component has the name \"formdll.dll\" and it has the ability to read\r\nthe file \"Form.hlp\" and execute its contents as shellcode. Those same files were mentioned as being used in a\r\nprevious report detailing activity by the Iron Tiger (aka Budworm/APT27) group. In that case, the attackers used\r\nthese filenames when loading the PlugX backdoor onto victim machines. The prevalence of such files is very low,\r\nwhich may indicate a potential link between that campaign and this more recent activity.\r\nPlugX is also seen being used by Lancefly. 
PlugX is a remote access Trojan (RAT) with multiple functionalities\r\nincluding backdoor access and data exfiltration. PlugX has existed for well over a decade. It was originally used\r\nby Chinese APT groups, but its use is now very widespread, meaning it is difficult to use it as a way of attributing\r\nactivity.\r\nShadowPad is also used by these attackers. ShadowPad is a modular RAT believed to be exclusively used by\r\nChinese APT groups. Its capabilities are similar to PlugX, and it is often referred to as a successor to that malware.\r\nWhile these overlaps and shared tools may indicate some links between Lancefly activity and activity by other\r\nAPT groups, none of the overlaps are strong enough to attribute this activity and the development of the Merdoor\r\nbackdoor to an already-known attack group.\r\nNoteworthy Backdoor, Targeted Activity\r\nThis recent Lancefly activity is of note not only for its use of the Merdoor backdoor, but also for the low prevalence of this\r\nbackdoor and the seemingly highly targeted nature of these attacks. While the Merdoor backdoor appears to have\r\nbeen in existence for several years, it appears to only have been used in a small number of attacks in that time\r\nperiod. This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar.\r\nThe tools used and sectors targeted all point to the motivations of this attack campaign being intelligence\r\ngathering. The similarities between this recent activity and earlier activity by Lancefly indicate that the group\r\nperhaps did not realize the earlier activity had been discovered, so it was not concerned about links being made\r\nbetween the two. 
Whether or not the exposure of this activity will lead to any alteration in how the group carries\r\nout its activity remains to be seen.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor\r\nPage 9 of 14\n\nProtection\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise (IOCs)\r\nMerdoor Backdoor\r\nSHA256             Filename           Description\r\n13df2d19f6d2719beeff3b882df1d3c9131a292cf097b27a0ffca5f45e139581 – a.exe – Merdoor Dropper\r\n8f64c25ba85f8b77cfba3701bebde119f610afef6d9a5965a3ed51a4a4b9dead – chrome_frame_helper.exe –\r\nMerdoor Dropper\r\n8e98eed2ec14621feda75e07379650c05ce509113ea8d949b7367ce00fc7cd38 – siteadv.exe – Merdoor Dropper\r\n89e503c2db245a3db713661d491807aab3d7621c6aff00766bc6add892411ddc – siteadv.exe – Merdoor Dropper\r\nc840e3cae2d280ff0b36eec2bf86ad35051906e484904136f0e478aa423d7744 –siteadv.exe –Merdoor Dropper\r\n5f16633dbf4e6ccf0b1d844b8ddfd56258dd6a2d1e4fb4641e2aa508d12a5075 –chrome_frame_helper.dll –\r\nMerdoor Loader\r\nff4c2a91a97859de316b434c8d0cd5a31acb82be8c62b2df6e78c47f85e57740 –chrome_frame_helper.dll – Merdoor\r\nLoader\r\n14edb3de511a6dc896181d3a1bc87d1b5c443e6aea9eeae70dbca042a426fcf3 –chrome_frame_helper.dll – Merdoor\r\nLoader\r\ndb5deded638829654fc1595327400ed2379c4a43e171870cfc0b5f015fad3a03 –chrome_frame_helper.dll –\r\nMerdoor Loader\r\ne244d1ef975fcebb529f0590acf4e7a0a91e7958722a9f2f5c5c05a23dda1d2c –chrome_frame_helper.dll – Merdoor\r\nLoader\r\nf76e001a7ccf30af0706c9639ad3522fd8344ffbdf324307d8e82c5d52d350f2 –chrome_frame_helper.dll – Merdoor\r\nLoader\r\ndc182a0f39c5bb1c3a7ae259f06f338bb3d51a03e5b42903854cdc51d06fced6 – smadhook64c.dll – Merdoor\r\nLoader\r\nfa5f32457d0ac4ec0a7e69464b57144c257a55e6367ff9410cf7d77ac5b20949 – SiteAdv.dll,\r\nchrome_frame_helper.dll –Merdoor Loader\r\nfe7a6954e18feddeeb6fcdaaa8ac9248c8185703c2505d7f249b03d8d8897104 – siteadv.dll – Merdoor 
Loader\r\n341d8274cc1c53191458c8bbc746f428856295f86a61ab96c56cd97ee8736200 – siteadv.dll – Merdoor Loader\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor\r\nPage 10 of 14\n\nf3478ccd0e417f0dc3ba1d7d448be8725193a1e69f884a36a8c97006bf0aa0f4 – siteadv.dll – Merdoor Loader\r\n750b541a5f43b0332ac32ec04329156157bf920f6a992113a140baab15fa4bd3 – mojo_core.dll – Merdoor Loader\r\n9f00cee1360a2035133e5b4568e890642eb556edd7c2e2f5600cf6e0bdcd5774 – libmupdf.dll – Merdoor Loader\r\na9051dc5e6c06a8904bd8c82cdd6e6bd300994544af2eed72fe82df5f3336fc0 – chrome_frame_helper.dll –\r\nMerdoor Loader\r\nd62596889938442c34f9132c9587d1f35329925e011465c48c94aa4657c056c7 – smadhook64c.dll – Merdoor\r\nLoader\r\nf0003e08c34f4f419c3304a2f87f10c514c2ade2c90a830b12fdf31d81b0af57 – SiteAdv.pak – Merdoor encoded\r\npayload\r\n139c39e0dc8f8f4eb9b25b20669b4f30ffcbe2197e3a9f69d0043107d06a2cb4 – SiteAdv.pak – Merdoor encoded\r\npayload\r\n11bb47cb7e51f5b7c42ce26cbff25c2728fa1163420f308a8b2045103978caf5 – SiteAdv.pak – Merdoor encoded\r\npayload\r\n0abc1d12ef612490e37eedb1dd1833450b383349f13ddd3380b45f7aaabc8a75 – SiteAdv.pak – Merdoor encoded\r\npayload\r\neb3b4e82ddfdb118d700a853587c9589c93879f62f576e104a62bdaa5a338d7b –SiteAdv.exe – Legit McAfee\r\nexecutable\r\n1ab4f52ff4e4f3aa992a77d0d36d52e796999d6fc1a109b9ae092a5d7492b7dd – chrome_frame_helper.exe – Legit\r\nGoogle executable\r\nfae713e25b667f1c42ebbea239f7b1e13ba5dc99b225251a82e65608b3710be7 – SmadavProtect64.exe – Legit\r\nSmadAV executable\r\nFile hashes, simplified 
list\r\n13df2d19f6d2719beeff3b882df1d3c9131a292cf097b27a0ffca5f45e139581\r\n8f64c25ba85f8b77cfba3701bebde119f610afef6d9a5965a3ed51a4a4b9dead\r\n8e98eed2ec14621feda75e07379650c05ce509113ea8d949b7367ce00fc7cd38\r\n89e503c2db245a3db713661d491807aab3d7621c6aff00766bc6add892411ddc\r\nc840e3cae2d280ff0b36eec2bf86ad35051906e484904136f0e478aa423d7744\r\n5f16633dbf4e6ccf0b1d844b8ddfd56258dd6a2d1e4fb4641e2aa508d12a5075\r\nff4c2a91a97859de316b434c8d0cd5a31acb82be8c62b2df6e78c47f85e57740\r\n14edb3de511a6dc896181d3a1bc87d1b5c443e6aea9eeae70dbca042a426fcf3\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor\r\nPage 11 of 14\n\ndb5deded638829654fc1595327400ed2379c4a43e171870cfc0b5f015fad3a03\r\ne244d1ef975fcebb529f0590acf4e7a0a91e7958722a9f2f5c5c05a23dda1d2c\r\nf76e001a7ccf30af0706c9639ad3522fd8344ffbdf324307d8e82c5d52d350f2\r\ndc182a0f39c5bb1c3a7ae259f06f338bb3d51a03e5b42903854cdc51d06fced6\r\nfa5f32457d0ac4ec0a7e69464b57144c257a55e6367ff9410cf7d77ac5b20949\r\nfe7a6954e18feddeeb6fcdaaa8ac9248c8185703c2505d7f249b03d8d8897104\r\n341d8274cc1c53191458c8bbc746f428856295f86a61ab96c56cd97ee8736200\r\nf3478ccd0e417f0dc3ba1d7d448be8725193a1e69f884a36a8c97006bf0aa0f4\r\n750b541a5f43b0332ac32ec04329156157bf920f6a992113a140baab15fa4bd3\r\n9f00cee1360a2035133e5b4568e890642eb556edd7c2e2f5600cf6e0bdcd5774\r\na9051dc5e6c06a8904bd8c82cdd6e6bd300994544af2eed72fe82df5f3336fc0\r\nd62596889938442c34f9132c9587d1f35329925e011465c48c94aa4657c056c7\r\nf0003e08c34f4f419c3304a2f87f10c514c2ade2c90a830b12fdf31d81b0af57\r\n139c39e0dc8f8f4eb9b25b20669b4f30ffcbe2197e3a9f69d0043107d06a2cb4\r\n11bb47cb7e51f5b7c42ce26cbff25c2728fa1163420f308a8b2045103978caf5\r\n0abc1d12ef612490e37eedb1dd1833450b383349f13ddd3380b45f7aaabc8a75\r\neb3b4e82ddfdb118d700a853587c9589c93879f62f576e104a62bdaa5a338d7b\r\n1ab4f52ff4e4f3aa992a77d0d36d52e796999d6fc1a109b9ae092a5d7492b7dd\r\nfae713e25b667f1c42ebbea239f7b1e13ba5dc99b225251a82e65608b3710be7\r\n1f09d177c99d429ae44039
3ac9835183d6fd1f1af596089cc01b68021e2e29a7\r\n180970fce4a226de05df6d22339dd4ae03dfd5e451dcf2d464b663e86c824b8e\r\na6020794bd6749e0765966cd65ca6d5511581f47cc2b38e41cb1e7fddaa0b221\r\n592e237925243cf65d30a0c95c91733db593da64c96281b70917a038da9156ae\r\n929b771eabef5aa9e3fba8b6249a8796146a3a4febfd4e992d99327e533f9798\r\n009d8d1594e9c8bc40a95590287f373776a62dad213963662da8c859a10ef3b4\r\nef08f376128b7afcd7912f67e2a90513626e2081fe9f93146983eb913c50c3a8\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor\r\nPage 12 of 14\n\nee486e93f091a7ef98ee7e19562838565f3358caeff8f7d99c29a7e8c0286b28\r\n32d837a4a32618cc9fc1386f0f74ecf526b16b6d9ab6c5f90fb5158012fe2f8c\r\nd5df686bb202279ab56295252650b2c7c24f350d1a87a8a699f6034a8c0dd849\r\na1f9b76ddfdafc47d4a63a04313c577c0c2ffc6202083422b52a00803fd8193d\r\n3ce38a2fc896b75c2f605c135297c4e0cddc9d93fc5b53fe0b92360781b5b94e\r\n210934a2cc59e1f5af39aa5a18aae1d8c5da95d1a8f34c9cfc3ab42ecd37ac92\r\n530c7d705d426ed61c6be85a3b2b49fd7b839e27f3af60eb16c5616827a2a436\r\n5018fe25b7eac7dd7bc30c7747820e3c1649b537f11dbaa9ce6b788b361133bf\r\nefa9e9e5da6fba14cb60cba5dbd3f180cb8f2bd153ca78bbacd03c270aefd894\r\na5a4dacddfc07ec9051fb7914a19f65c58aad44bbd3740d7b2b995262bd0c09e\r\n10b96290a17511ee7a772fcc254077f62a8045753129d73f0804f3da577d2793\r\n0dcfcdf92e85191de192b4478aba039cb1e1041b1ae7764555307e257aa566a7\r\n415f9dc11fe242b7a548be09a51a42a4b5c0f9bc5c32aeffe7a98940b9c7fc04\r\n947f7355aa6068ae38df876b2847d99a6ca458d67652e3f1486b6233db336088\r\n8d77fe4370c864167c1a712d0cc8fe124b10bd9d157ea59db58b42dea5007b63\r\nd8cc2dc0a96126d71ed1fce73017d5b7c91465ccd4cdcff71712381af788c16d\r\ne94a5bd23da1c6b4b8aec43314d4e5346178abe0584a43fa4a204f4a3f7464b9\r\n5655a2981fa4821fe09c997c84839c16d582d65243c782f45e14c96a977c594e\r\n19ec3f16a42ae58ab6feddc66d7eeecf91d7c61a0ac9cdc231da479088486169\r\n41d174514ed71267aaff578340ff83ef00dbb07cb644d2b1302a18aa1ca5d2d0\r\n67ebc03e4fbf1854a403ea1a3c6d9b19fd9dc2ae24c7048aafbb
ff76f1bea675\r\nf92cac1121271c2e55b34d4e493cb64cdb0d4626ee30dc77016eb7021bf63414\r\n859e76b6cda203e84a7b234c5cba169a7a02bf028a5b75e2ca8f1a35c4884065\r\nfcdec9d9b195b8ed827fb46f1530502816fe6a04b1f5e740fda2b126df2d9fd5\r\n9584df964369c1141f9fc234c64253d8baeb9d7e3739b157db5f3607292787f2\r\n711a347708e6d94da01e4ee3b6cdb9bcc96ebd8d95f35a14e1b67def2271b2e9\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor\r\nPage 13 of 14\n\nf040a173b954cdeadede3203a2021093b0458ed23727f849fc4c2676c67e25db\r\n90edb2c7c3ba86fecc90e80ac339a42bd89fbaa3f07d96d68835725b2e9de3ba\r\nb0d25b06e59b4cca93e40992fa0c0f36576364fcf1aca99160fd2a1faa5677a2\r\n4c55f48b37f3e4b83b6757109b6ee0a661876b41428345239007882993127397\r\n3e1c8d982b1257471ab1660b40112adf54f762c570091496b8623b0082840e9f\r\n9830f6abec64b276c9f327cf7c6817ad474b66ea61e4adcb8f914b324da46627\r\n79ae300ac4f1bc7636fe44ce2faa7e5556493f7013fc5c0a3863f28df86a2060\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor\r\nPage 14 of 14",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor"
	],
	"report_names": [
		"lancefly-merdoor-zxshell-custom-backdoor"
	],
	"threat_actors": [
		{
			"id": "ef8ed28b-6afb-4447-b560-0df2892b8f1c",
			"created_at": "2023-06-23T02:04:34.315779Z",
			"updated_at": "2026-04-10T02:00:04.738599Z",
			"deleted_at": null,
			"main_name": "Lancefly",
			"aliases": [],
			"source_name": "ETDA:Lancefly",
			"tools": [
				"Merdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "81a3e326-a23a-4b8b-ae07-2e6679b3f2b3",
			"created_at": "2023-11-04T02:00:07.682997Z",
			"updated_at": "2026-04-10T02:00:03.391958Z",
			"deleted_at": null,
			"main_name": "Lancefly",
			"aliases": [],
			"source_name": "MISPGALAXY:Lancefly",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17",
				"Aurora Panda",
				"DeputyDog",
				"Group 72",
				"Hidden Lynx",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27",
				"Bowser",
				"Budworm",
				"Circle Typhoon",
				"Emissary Panda",
				"Group35",
				"Iron Tiger",
				"Linen Typhoon",
				"Lucky Mouse",
				"TG-3390",
				"Temp.Hippo"
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434925,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9cf1b38d9ce10a3a2b12c924ee45c66bf7bb861a.pdf",
		"text": "https://archive.orkl.eu/9cf1b38d9ce10a3a2b12c924ee45c66bf7bb861a.txt",
		"img": "https://archive.orkl.eu/9cf1b38d9ce10a3a2b12c924ee45c66bf7bb861a.jpg"
	}
}