Sophisticated Malware Operated Stealthily for Five Years, Targeting Government Devices

Although the identity of the group behind Lancefly remains a mystery, the researchers hinted at a potential Chinese origin. Lancefly utilizes the ZXShell rootkit, signed with the certificate “Wemade Entertainment Co. Ltd,” which has been associated with Blackfly (also known as APT41), a Chinese threat actor. However, this certificate has also been shared with other threat actors, so it is a weak basis for attribution on its own.