Threat Update: China-Sponsored Lancefly Cyberespionage, Papercut Server Active Exploitation, ‘Greatness’ Phishing-as-a-Service Tool
Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors

Background: Symantec researchers detected a new cyberespionage campaign by Lancefly, a China-sponsored group, targeting organizations in South and Southeast Asia. From mid-2022 into 2023 the group has targeted the aviation, government, education, and telecom sectors. Evidence from the intrusion vectors suggests that Lancefly has possibly moved from phishing attacks to SSH brute force and the exploitation of publicly accessible devices such as load balancers. A small number of machines were infected in a highly targeted fashion to deploy the custom Merdoor backdoor and a modified version of the open-source ZXShell rootkit. Lancefly abuses a number of legitimate binaries for DLL side-loading, credential stealing, and other living-off-the-land (LOLBin) activities.

Takeaway: Organizations are advised to monitor for suspicious SMB activity and LOLBin activities indicating a possible process injection or LSASS m
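As an added example (not from the original update or from Symantec's research), the following triage pass flags the two host-level behaviours the takeaway asks defenders to watch for: DLL side-loading, where a binary loads an unsigned DLL from its own non-system directory, and a non-allow-listed process opening LSASS with read access. Field names follow Sysmon event IDs 7 and 10; the trusted directories, the LSASS allow-list and all sample paths are assumptions to be tuned per environment.

```python
import ntpath

# Directories a legitimate Windows binary normally loads its DLLs from (assumed; tune per host).
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
# Processes permitted to open lsass.exe with read access (assumed allow-list; tune per environment).
LSASS_ALLOWED = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory


def _dir(path):
    return ntpath.dirname(path).lower()


def is_sideload(ev):
    """Sysmon ID 7: unsigned DLL loaded from the process's own directory, outside trusted dirs."""
    if ev["id"] != 7 or ev["signed"]:
        return False
    dll_dir = _dir(ev["loaded"])
    return dll_dir == _dir(ev["image"]) and not dll_dir.startswith(TRUSTED_DLL_DIRS)


def is_lsass_access(ev):
    """Sysmon ID 10: process outside the allow-list opening lsass.exe with VM_READ."""
    if ev["id"] != 10 or ntpath.basename(ev["target"]).lower() != "lsass.exe":
        return False
    if ev["source"].lower() in LSASS_ALLOWED:
        return False
    return int(ev["access"], 16) & PROCESS_VM_READ != 0


def triage(events):
    """Return (rule, offending process) pairs for every event matching a rule."""
    alerts = []
    for ev in events:
        if is_sideload(ev):
            alerts.append(("dll_sideload", ev["image"]))
        elif is_lsass_access(ev):
            alerts.append(("lsass_access", ev["source"]))
    return alerts


# Constructed sample events: one benign and one suspicious instance of each pattern.
SAMPLE_EVENTS = [
    {"id": 7, "image": r"C:\Windows\System32\svchost.exe", "loaded": r"C:\Windows\System32\rpcss.dll", "signed": True},
    {"id": 7, "image": r"C:\Users\Public\vendor_tool.exe", "loaded": r"C:\Users\Public\helper.dll", "signed": False},
    {"id": 10, "source": r"C:\Windows\System32\csrss.exe", "target": r"C:\Windows\System32\lsass.exe", "access": "0x1FFFFF"},
    {"id": 10, "source": r"C:\Users\Public\vendor_tool.exe", "target": r"C:\Windows\System32\lsass.exe", "access": "0x1010"},
]

if __name__ == "__main__":
    for rule, proc in triage(SAMPLE_EVENTS):
        print(f"{rule}: {proc}")
```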