Lyceum / Hexane
An Iranian espionage group with a focused mandate: telecom carriers and energy sector operators in the Middle East and Africa. The targeting logic is deliberate — compromise an ISP or telecom provider to gain a pivot point into the networks of its government and enterprise clients. The group uses convincing fake job offers impersonating named HR staff from real companies, building phishing websites that mirror legitimate corporate careers pages, then delivering backdoors via lure documents to technology professionals. Lyceum maintains a technically sophisticated toolset emphasizing DNS-based C2 to blend with legitimate network traffic. ESET and Microsoft have identified significant infrastructure and TTP overlap with OilRig / APT34, suggesting a shared operational context within Iran's Ministry of Intelligence and Security (MOIS).
Overview
Lyceum — named by Secureworks, tracked as Hexane by Dragos, and SiameseKitten by ClearSky — is an Iranian state-linked espionage group that has operated since at least 2017 against a clearly defined set of targets: telecom carriers, ISPs, and energy (oil and gas) companies primarily in the Middle East and Africa, with secondary targeting of Ministries of Foreign Affairs and aviation organizations. The group's sector focus is strategic rather than opportunistic — telecom and ISP operators function as natural collection pivot points because compromising a network services provider often provides inherent access to the communications of its government and enterprise clients.
Attribution to Iran's Ministry of Intelligence and Security (MOIS) rests on the group's operational profile, targeting consistent with Iranian state priorities, and documented coordination with OilRig / APT34, which is itself assessed as a MOIS capability. ESET's December 2021 "Out to Sea" research connected Lyceum to OilRig, arguing that the DanBot backdoor originally attributed to Lyceum was an OilRig tool and that the separate Lyceum designation reflected when the two activity sets were first analyzed rather than a genuinely distinct actor. Microsoft's September 2022 investigation of the Albania attacks named Lyceum as DEV-0133, noting it as closely linked to APT33 and OilRig. The practical implication: Lyceum likely functions as one operational element within the broader MOIS cyber apparatus rather than as a fully independent organization.
The group's initial access methodology — fake job offers using carefully researched company impersonation — is one of its most distinctive tactical signatures. Unlike groups that send generic phishing emails, Lyceum creates fake corporate websites impersonating real companies, researches actual HR personnel (including using former employees as personas), and constructs convincing job offer lures targeting technology professionals in the industries of interest. This social engineering sophistication, combined with technical capabilities including custom DNS-tunneling implants and evolving backdoor malware, marks Lyceum as a mature and patient actor.
Lyceum has adapted its toolset in response to public disclosures across its operational history. After Secureworks disclosed DanBot in 2019, the group retooled with new variants and eventually transitioned to the Shark and Milan backdoors (2021). After those were exposed, the group introduced a new .NET-based DNS backdoor built on a customized version of the open-source DIG.net tool (2022) — deploying DNS hijacking as the C2 mechanism. Accenture's 2021 investigation found that at least two identified compromises remained ongoing despite prior publication of indicators of compromise, demonstrating the group's ability to maintain persistent access through toolset adaptation.
Target Profile
- Telecommunications Carriers and ISPs: The highest-priority target category. Telecom operators in Saudi Arabia, Israel, Morocco, Tunisia, and Kuwait have been targeted across multiple documented campaigns. ISPs are specifically valued as supply chain access points — compromising an ISP provides a network vantage point into the communications of the ISP's subscriber base, which often includes government agencies and enterprises. In 2021, the group expanded explicit targeting to ISPs as a distinct category from its traditional telecom operator focus.
- Oil and Gas / Energy: Lyceum's founding target sector. Oil and gas organizations in the Middle East and Africa were the primary targets in the 2018–2019 phase, with Middle East energy company targeting beginning in earnest in May 2019 following a development and testing period. Energy sector access provides intelligence on production capacity, infrastructure vulnerabilities, and economic data of strategic interest to Iran's state planning and intelligence apparatus.
- Israel: A specific priority target that intensified in 2021 with focused campaigns against IT and communications companies in Israel. ClearSky noted the Israeli campaigns were specifically aimed at facilitating supply chain attacks on the IT companies' clients — using a technology services provider as a pivot point into downstream government and enterprise networks. The strategy mirrors the broader ISP targeting logic applied to the tech sector specifically in Israel.
- Ministries of Foreign Affairs (MFAs): Government MFAs in the target region are a documented Lyceum target — the group deployed the "ir_drones.docm" malware-laden document specifically for MFA targeting. MFA compromise provides access to diplomatic communications, intelligence on foreign policy positions, and information on sanctions and international negotiations of direct relevance to Iran's diplomatic situation.
- Aviation: MITRE ATT&CK G1001 lists aviation as a target sector alongside the primary telecom and energy verticals. Aviation infrastructure targeting aligns with the broader critical infrastructure intelligence collection mandate.
- Albania (HomeLand Justice) — Infrastructure Support: MITRE ATT&CK notes that Hexane probed Albanian victim infrastructure in support of the HomeLand Justice operation — the destructive MOIS-orchestrated campaign against the Albanian government in July and September 2022. Microsoft DART specifically identified DEV-0133 (Lyceum) as having been responsible for testing victim infrastructure in Albania, with initial access attributed to Storm-0861 (linked to OilRig/APT34). Lyceum's role in this operation was reconnaissance and infrastructure probing rather than the destructive payload deployment.
Tactics, Techniques & Procedures
TTPs as documented by Secureworks (2019), ClearSky (2021), Accenture/Prevailion (2021), Kaspersky (2021), Zscaler (2022), and MITRE ATT&CK G1001.
| mitre id | technique | description |
|---|---|---|
| T1598.003 / T1566.001 | Fake Job Offer Phishing — Named HR Impersonation | Lyceum's defining social engineering method. The group builds fake corporate websites impersonating real companies (documented examples include ChipPC, Software AG, and other technology firms), creates fake social media profiles on LinkedIn posing as specific HR personnel — in one documented case, impersonating a former ChipPC employee who had left the company in 2007. Targets receive emails with job offers for HR, project management, and sales roles in Israel, France, and the UK. Victims are directed to the phishing website where lure documents are downloaded, deploying the backdoor payload. The depth of research into the impersonated companies and specific named employees distinguishes this from commodity phishing operations. |
| T1110.003 / T1078 | Password Spraying / Valid Account Initial Access | Secureworks documented Lyceum using password spraying and brute-force attacks against targeted organizations as an alternative initial access vector to phishing. Compromised accounts obtained through credential attacks are then used to send spearphishing emails with malicious Excel attachments from trusted internal accounts, increasing the likelihood of successful delivery in corporate environments that might otherwise filter external sender phishing. |
| T1071.004 / T1572 | DNS Tunneling / DNS-Response C2 ("DNS Hijacking") | DNS-based C2 is Lyceum's most technically distinctive operational signature. DanBot, Shark, and Milan all communicate with C2 servers via custom protocols tunneled over DNS queries; outbound DNS is rarely filtered or inspected in enterprise environments, making it an effective covert channel. The 2022 .NET backdoor varied the approach in what Zscaler termed DNS hijacking: the implant queries a domain whose authoritative server the attacker controls, and that server crafts the records it returns, so tasking rides in the resolution results rather than only in encoded query names. Because the attacker owns the zone being "hijacked", this is neither cache poisoning nor tampering with a third party's records; for defenders the relevant difference is that the response, not just the query, carries the channel. Lyceum C2 domains consistently use security or web technology-themed names to blend with legitimate infrastructure. |
| T1059.001 / T1059.005 | PowerShell / VBA Macro Execution | Malicious Excel XLS files with embedded VBA macros (DanDrop) are the primary malware delivery vehicle. The macro extracts and Base64-decodes the DanBot payload, then installs it via a scheduled task for persistence. PowerShell scripts are used post-compromise for credential theft (harvesting browser-stored passwords), keylogging deployment, network reconnaissance, and lateral movement. Kaspersky documented specific PowerShell commands used for credential stealing from browsers within compromised environments. |
| T1053.005 / T1547.001 | Persistence — Scheduled Tasks / Registry | DanBot is installed via a scheduled task created by the DanDrop macro. The .NET DNS backdoor (2022) uses a Startup directory PE file drop for persistence. Accenture's 2021 analysis identified beaconing from reconfigured or new Lyceum backdoors from a telecommunications company in Tunisia and an MFA in Africa in late October 2021, indicating the group successfully maintained persistence despite prior public IOC disclosure. |
| T1056.001 / T1555.003 | Keylogging / Credential Theft from Browsers | A custom keylogger deployed on targeted machines captures keystrokes from compromised users. A PowerShell script harvests credentials stored in web browsers. Kaspersky documented both capabilities from analysis of compromised Tunisian entities. The Decrypt-RDCMan.ps1 PoshC2 component decrypts passwords stored in Remote Desktop Connection Manager (RDCMan) configuration files — providing the threat actors with pre-stored server credentials and enabling rapid lateral movement through the victim environment. |
| T1087.002 / T1069.002 | Domain Account and Group Reconnaissance | Get-LAPSP.ps1 gathers account information from Active Directory via LDAP queries; the script contains borrowed code run through Invoke-Obfuscation. It is typically deployed via DanBot shortly after initial access, giving operators a map of Active Directory accounts and groups for lateral movement planning. Dragos noted that Lyceum primarily focuses on establishing footholds to facilitate continued network activities, with post-compromise actions supporting longer-term persistent access rather than immediate destructive objectives. |
| T1583.001 | Infrastructure Registration Patterns | Lyceum registers new domains for individual campaigns, typically using them within a few weeks of registration. Documented registrars: PublicDomainRegistry.com, Web4Africa, Hosting Concepts B.V. C2 domains have a consistent security or web technology theme and appear to be specific to individual campaigns rather than reused across operations. In 2019, DanBot samples carried a characteristic typo in an HTTP request header name, "Accept-Enconding" (extra 'n') in place of "Accept-Encoding", present consistently across all analyzed samples and usable for network-layer detection of DanBot's HTTP-based C2 traffic. |
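The two network-side checks this table points at, written out as an added example that is not code from Secureworks, Accenture or any other source cited on this page: DNS-tunneling heuristics (subdomain length, label entropy, query burst per registered domain) run over a constructed resolver log, and the DanBot "Accept-Enconding" typo matched against parsed HTTP header names rather than a raw substring. The log format, the thresholds, the constructed query names and the "registered domain is the last two labels" shortcut are all assumptions for the example; the detection logic is the same one the Mitigation section recommends.

```python
"""Network-side checks for the two durable Lyceum indicators named in this profile.

Added example, not code from any source cited on the page. Implements
(1) DNS-tunneling heuristics over constructed resolver log lines and
(2) the DanBot "Accept-Enconding" header typo, tested against parsed header names.
Log format, thresholds and the last-two-labels domain rule are assumptions.
"""
import math
from collections import defaultdict

# Constructed resolver log (not real telemetry): "<epoch> <client> <qtype> <qname>".
# 10.0.0.5 shows the tunneling pattern; 10.0.0.7 is ordinary traffic.
SAMPLE_DNS_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 TXT 4a6f686e2e446f65.7061737377.c2-example.net
1700000002 10.0.0.5 TXT 53797374656d33322e6578652.7a7a.c2-example.net
1700000003 10.0.0.5 TXT 9f2k1z0q8vx3m7b1.w1n.c2-example.net
1700000004 10.0.0.7 A mail.example.com
1700000005 10.0.0.5 TXT k8s3jd9qpe0zx2mv7nr4bhtc.w1n.c2-example.net
1700000006 10.0.0.5 TXT z9p1qw8e7r6t5y4u3i2o1pla.w1n.c2-example.net
1700000007 10.0.0.7 A cdn.example.com
"""

# Assumed thresholds; tune them against a baseline of the monitored network.
MAX_SUBDOMAIN_LEN = 24      # chars of subdomain data; real hostnames are rarely this long
MAX_LABEL_ENTROPY = 3.5     # bits/char; encoded payloads are high-entropy, hostnames are not
MAX_QUERIES_IN_WINDOW = 4   # queries under one registered domain from one client ...
WINDOW_SECONDS = 60         # ... within this many seconds


def shannon_entropy(text: str) -> float:
    """Bits per character of the string (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> tuple[str, str]:
    """Return (subdomain, registered_domain). Assumes the registrable part is the
    last two labels, which is wrong for suffixes like co.uk; use a PSL in practice."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def flag_dns_tunneling(log_text: str) -> dict[tuple[str, str], list[str]]:
    """Map (client, registered_domain) -> list of triggered reasons."""
    per_key: dict[tuple[str, str], list[tuple[int, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _qtype, qname = line.split()
        sub, reg = split_name(qname)
        per_key[(client, reg)].append((int(ts), sub))

    flagged = {}
    for key, entries in per_key.items():
        reasons = []
        subs = [sub for _, sub in entries]
        if max(len(s) for s in subs) >= MAX_SUBDOMAIN_LEN:
            reasons.append("long_subdomain")
        if max(shannon_entropy(s.replace(".", "")) for s in subs) >= MAX_LABEL_ENTROPY:
            reasons.append("high_entropy")
        # Largest number of queries to this domain inside any WINDOW_SECONDS span.
        times = sorted(ts for ts, _ in entries)
        burst, start = 0, 0
        for i, t in enumerate(times):
            while times[start] < t - WINDOW_SECONDS:
                start += 1
            burst = max(burst, i - start + 1)
        if burst >= MAX_QUERIES_IN_WINDOW:
            reasons.append("query_volume")
        if reasons:
            flagged[key] = reasons
    return flagged


def has_danbot_header_typo(raw_request: bytes) -> bool:
    """True if the request's header block has a header *named* Accept-Enconding.

    Parsing names (the text before the first colon on each header line) avoids
    firing on a URL or body that merely contains the string.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    names = set()
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, _ = line.partition(b":")
        if sep:
            names.add(name.strip().lower())
    return b"accept-enconding" in names


if __name__ == "__main__":
    for (client, domain), reasons in flag_dns_tunneling(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {domain}: {', '.join(reasons)}")
    req = b"GET /index.php HTTP/1.1\r\nHost: c2-example.net\r\nAccept-Enconding: gzip\r\n\r\n"
    print("DanBot header typo:", has_danbot_header_typo(req))
```

On the constructed log only the 10.0.0.5 traffic to c2-example.net trips all three DNS signals. In a real deployment the same signals fire on legitimate services that encode data in DNS (some antivirus reputation lookups, CDNs, telemetry), so the registered-domain key is where an allowlist belongs. The header check is deliberately a name match; the equivalent on a sensor is a rule over Suricata's http.header_names buffer rather than a content match on the whole request.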
Known Campaigns
Lyceum's first documented activity targeted organizations in South Africa in mid-2018, identified through domain registration analysis by Secureworks. In May 2019, the group launched campaigns against oil and gas companies in the Middle East, following a period of intensive toolkit development and testing against public multi-vendor malware scanning services beginning in February 2019. Initial delivery used malicious Excel XLS documents with VBA macros (DanDrop) deploying the DanBot RAT. Secureworks published this activity in August 2019 under the Lyceum designation — the first public disclosure of the group — which prompted the threat actor to retool with modified DanBot variants in the months following.
At VB2021 in October 2021, Kaspersky reported Lyceum attacks on two entities in Tunisia using a substantially updated malware arsenal: the group had moved from the .NET DanBot payload to a new C++ backdoor and a PowerShell script, alongside a .NET RAT for DNS or HTTP C2 communication. Accenture and Prevailion's November 2021 report documented Lyceum C2 infrastructure and identified at least two ongoing compromises of telecom organizations, including the Tunisian telecom, and an MFA in Africa, noting that beaconing continued from a reconfigured or new Lyceum backdoor in late October 2021. The group maintained active footholds despite prior IOC publication.
A major multi-country campaign documented by Accenture Cyber Threat Intelligence and Prevailion, believed to have occurred between July and October 2021, targeted ISPs and telecom companies in Israel, Morocco, Tunisia, and Saudi Arabia. The campaign exposed over 20 pieces of Lyceum C2 infrastructure, enabling identification of additional victims and demonstrating the group's expanding scope beyond oil and gas into the ISP sector. Dragos noted Kuwait as another primary target during this period. Accenture assessed that Lyceum would continue using the Shark and Milan backdoors with modifications, and that the group would likely maintain network footholds despite public disclosure.
ClearSky documented two waves of Lyceum (SiameseKitten) attacks against Israeli organizations in May and July 2021, targeting IT and communications companies rather than the traditional energy/telecom primary targets. The May 2021 attack targeted an IT company in Israel; the July wave expanded to additional companies. The campaign used the fake job offer methodology — creating fake LinkedIn profiles, corporate impersonation websites for companies including ChipPC and Software AG, and sending job offer lures directing targets to download backdoors. The July wave introduced the updated Shark backdoor (replacing Milan). ClearSky assessed these attacks were intended to facilitate supply chain compromise of the IT companies' government and enterprise clients. The campaign was structurally similar to Lazarus Group's Operation Dream Job and OilRig campaigns from Q1 2021.
Zscaler ThreatLabz identified Lyceum deploying a new .NET-based DNS backdoor in Middle East campaigns — a customized version of the open-source DIG.net tool. The new backdoor employed DNS hijacking rather than traditional DNS tunneling: the attacker-controlled DNS server directly manipulates query responses, resolving legitimate domains to malicious infrastructure. The infection chain used macro-enabled Word documents with military-affiliated lure themes. Persistence was established via a PE file dropped to the Startup directory. This represented the group's most technically sophisticated C2 approach documented to date.
MITRE ATT&CK G1001 and Microsoft's September 2022 investigation confirmed that Lyceum (DEV-0133) probed Albanian government victim infrastructure in support of the HomeLand Justice destructive operation — the MOIS-directed campaign that compromised Albanian government networks beginning 14 months before the July 2022 destructive attack, periodically exfiltrating email content throughout. Microsoft specifically named DEV-0133 (Lyceum) as responsible for testing victim infrastructure, with initial access to the Albanian networks attributed to Storm-0861 (OilRig/APT34). Lyceum's infrastructure reconnaissance role in the Albania operation provides direct evidence of operational coordination between Lyceum and other MOIS-affiliated actors — consistent with Lyceum functioning as one element within a larger MOIS operational structure.
Tools & Malware
- DanBot (first-stage RAT, 2018–2021): A .NET-based first-stage RAT providing remote access via DNS and HTTP C2 channels. Commands include arbitrary command execution via cmd.exe and file upload and download. Deployed by the DanDrop VBA macro in malicious Excel XLS files and installed via a scheduled task for persistence. All analyzed versions share a characteristic typo in an HTTP request header name, "Accept-Enconding" (extra 'n') rather than "Accept-Encoding", documented as a network detection fingerprint for the HTTP channel. ESET's 2021 research attributed DanBot to OilRig/APT34 rather than to Lyceum as a separate actor, based on code similarity and shared operational context.
- DanDrop (VBA macro dropper): An Excel XLS file with an embedded VBA macro that extracts the DanBot payload from the document, Base64-decodes it, and installs it via a scheduled task. The basic form and function of the macro have remained constant across analyzed samples, with the operators making incremental obfuscation improvements over time.
- Milan (backdoor, 2020–2021): The backdoor that replaced DanBot as Lyceum's first stage in the 2021 Israeli campaigns. Communicates with C2 over DNS and HTTPS. ClearSky documented the May 2021 SiameseKitten infection chain: the victim downloads the lure file, Milan infects the host and establishes DNS and HTTPS connections to C2, and the DanBot RAT is then downloaded to the infected system. Milan was superseded by Shark as the first-stage tool in the July 2021 wave.
- Shark (backdoor, 2021+): The upgraded replacement for Milan, introduced in the July 2021 SiameseKitten wave, retaining DNS and HTTPS C2 communication. Accenture and Prevailion assessed in November 2021 that Lyceum would continue using Shark and Milan with modifications despite public disclosure.
- .NET DNS Backdoor (2022 — DIG.net customization): A custom .NET backdoor developed from the open-source DNS tool DIG.net, deployed in Middle East campaigns from June 2022. Uses DNS hijacking — manipulating attacker-controlled DNS server responses to redirect legitimate queries to malicious infrastructure — rather than traditional DNS tunneling. More sophisticated than prior DNS approaches as it controls the name resolution process itself rather than encoding data in DNS query payloads. Persists via a PE file dropped to the Windows Startup directory.
- Decrypt-RDCMan.ps1: A component from the PoshC2 penetration testing framework that decrypts passwords stored in the Remote Desktop Connection Manager (RDCMan) configuration file. Deployed via DanBot approximately one hour after initial access. Provides operators with stored server credentials for rapid lateral movement across the victim environment without requiring additional exploitation.
- Get-LAPSP.ps1: A PowerShell script gathering account information from Active Directory via LDAP. Contains borrowed code run with invoke-obfuscation. Deployed shortly after initial access for network mapping and account enumeration to support lateral movement planning.
- Custom Keylogger: A custom keylogging tool deployed on some targeted machines to capture user keystrokes, documented by Kaspersky in the Tunisia investigations. Complemented by a PowerShell script harvesting credentials stored in web browsers.
Indicators of Compromise
Lyceum registers campaign-specific domains and uses them for short periods, so domain-based IOCs go stale quickly and are better treated as historical context than as a blocklist. Two indicators have proven durable: the misspelled "Accept-Enconding" HTTP header name in DanBot traffic, present in every analyzed DanBot version, and the behavior of the DNS C2 channel itself. Monitoring for DNS queries with anomalous length, frequency, or entropy from corporate endpoints outlasts any static indicator. Full IOC lists (domains, hashes, IP addresses) are in MITRE ATT&CK G1001 and the Secureworks, Accenture/Prevailion, Kaspersky, and Zscaler reports cited under Sources; this page does not reproduce them.
Mitigation & Defense
- DNS Traffic Anomaly Detection — Primary Control: Lyceum's most durable technical signature is DNS-based C2. Implement DNS monitoring specifically tuned for tunneling indicators: high query frequency to a single registered domain, abnormally long subdomain labels, high entropy in query names, or systematic DNS queries generating unusual volume from specific hosts. Enterprise DNS resolvers should log all queries for SIEM correlation, and the legitimate services that produce similar patterns (antivirus reputation lookups, CDNs, some telemetry) need an allowlist or the rule drowns in noise. The 2022 shift to response-carried C2 ("DNS hijacking") means the answers matter as much as the queries: log resolution results, not only query names, and look for clients resolving recently registered or rarely seen domains and for returned records that vary from one answer to the next in ways real hostnames do not.
- LinkedIn and Social Media Verification for Job-Offer Outreach: Lyceum's job offer phishing is socially sophisticated — fake profiles on LinkedIn impersonate real former employees of real companies. Telecom, ISP, and energy sector employees who receive unsolicited job offers via LinkedIn should verify the recruiter's identity through official company channels (calling the company's main line) before interacting with any provided links or documents. Train technical staff specifically: IT engineers and network administrators are the intended targets given Lyceum's supply chain access objective.
- Detect the DanBot Header Typo at the Network Perimeter: The consistent "Accept-Enconding" (extra 'n') header name in DanBot HTTP traffic is a high-fidelity detection signature that has held across all documented DanBot versions. Match on the parsed header name rather than a raw substring of the request, so a URL or body that happens to contain the string does not trigger it; Suricata's http.header_names buffer, or an equivalent proxy or IDS rule, is the natural place. A header-name match is cheap compared with full payload inspection, but it covers only DanBot's HTTP channel; the DNS C2 path is untouched by this rule.
- Restrict Scheduled Task Creation from Office Applications: DanBot is installed via a scheduled task created by the DanDrop VBA macro in Excel. Application controls should prevent scheduled task creation originating from Office application process trees (EXCEL.EXE, WINWORD.EXE, POWERPNT.EXE as parent process). The Windows Defender Attack Surface Reduction (ASR) rules "Block all Office applications from creating child processes" and "Block Office applications from creating executable content" cover the common macro paths. Two caveats: a macro can register a task through the Schedule.Service COM object without ever spawning schtasks.exe, which the child-process rule does not see; and Security event 4698 (a scheduled task was created, logged under Audit Other Object Access Events) records the task definition and the creating account but not the creating process, so detecting that path means correlating 4698 with Office process activity on the same host and user within a short window.
- RDCMan Credential Exposure: Decrypt-RDCMan.ps1 targets the .rdg file in which Remote Desktop Connection Manager stores saved logon credentials. By default those credentials are protected with DPAPI in the saving user's context, which is exactly why a script running as that user can decrypt them; the file is not password-protected as such. Organizations that use RDCMan for server management should not save privileged credentials in .rdg files at all, should prefer RDCMan's certificate-based credential encryption where storage is unavoidable, and should front administrative RDP with a jump host and MFA so that a recovered password alone is insufficient. Alert on PowerShell or other non-RDCMan processes reading .rdg files.
- ISP and Telecom Network Monitoring — Supply Chain Context: Given Lyceum's explicit strategy of compromising telecom providers and ISPs as pivot points into their clients' networks, telecom operators in the Middle East and Africa should implement network segmentation that prevents a compromise of the operator's own infrastructure from being used for lateral access to customer network management systems. Shared infrastructure access between operator management planes and customer-facing services should be architecturally isolated.
- Active Directory Enumeration Alerting: Get-LAPSP.ps1 performs LDAP-based Active Directory account enumeration shortly after initial compromise. Alert on LDAP searches against domain controllers that originate from PowerShell processes, particularly when the PowerShell process descends from an Office application or runs in a non-administrative user context. Domain controllers can log search activity (Event ID 1644, with the Field Engineering diagnostics level raised), and endpoint telemetry can tie the LDAP connection back to the querying process. This is near-immediate post-compromise activity that, if caught, lets defenders contain the intrusion before lateral movement or exfiltration.
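A host-side counterpart to the persistence controls above, added here as an example and not code from any source on this page. It correlates scheduled-task creation with a recent Office process start for the same host and user (the gap Security event 4698 leaves, since it records the task and the account but not the creating process) and flags PE files written to the Startup folder, the mechanism the 2022 .NET DNS backdoor uses. The event records are constructed, their field names are an assumed simplification of Sysmon and Security log fields rather than the real schema, and the correlation window and path markers are likewise assumptions.

```python
"""Host-side correlation for the two persistence mechanisms this profile describes:
a scheduled task created from an Office macro session (DanDrop/DanBot) and a PE
dropped into the user's Startup folder (the 2022 .NET DNS backdoor).

Added example, not code from the page's sources. Runs over constructed,
simplified event records whose field names are assumptions, not Sysmon's or the
Windows Security log's exact schema:
  process_create : ts, host, user, image           (Sysmon Event 1 style)
  task_created   : ts, host, user, task, command   (what Security 4698 carries: the
                   task definition and the account, but not the creating process)
  file_create    : ts, host, user, image, target   (Sysmon Event 11 style)
"""
import json
from pathlib import PureWindowsPath

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".com")
CORRELATION_WINDOW_S = 300   # assumed: task created within 5 min of an Office start

# Constructed events as JSON lines (raw string so the JSON keeps its escaped backslashes).
SAMPLE_EVENTS = r"""
{"ts": 1700000000, "host": "WS01", "user": "CORP\\jdoe", "event": "process_create", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
{"ts": 1700000045, "host": "WS01", "user": "CORP\\jdoe", "event": "task_created", "task": "\\Microsoft\\Windows\\Updater", "command": "C:\\Users\\jdoe\\AppData\\Roaming\\svc.exe"}
{"ts": 1700000900, "host": "WS02", "user": "CORP\\backupsvc", "event": "task_created", "task": "\\Backup\\Nightly", "command": "C:\\Program Files\\Backup\\backup.exe"}
{"ts": 1700001200, "host": "WS03", "user": "CORP\\asmith", "event": "file_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target": "C:\\Users\\asmith\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dns.exe"}
{"ts": 1700001300, "host": "WS03", "user": "CORP\\asmith", "event": "file_create", "image": "C:\\Program Files\\Vendor\\setup.exe", "target": "C:\\Users\\asmith\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\vendor.lnk"}
"""


def load_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_office_image(image: str) -> bool:
    return PureWindowsPath(image).name.lower() in OFFICE_IMAGES


def correlate(events: list[dict]) -> list[dict]:
    """Return alerts in timestamp order; each has host, ts, rule, severity, reasons, subject."""
    office_starts: dict[tuple[str, str], list[int]] = {}
    for e in events:
        if e["event"] == "process_create" and is_office_image(e["image"]):
            office_starts.setdefault((e["host"], e["user"]), []).append(e["ts"])

    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "task_created":
            reasons = []
            # 4698 has no process context: tie it to an Office start by host, user and time.
            recent = [t for t in office_starts.get((e["host"], e["user"]), [])
                      if 0 <= e["ts"] - t <= CORRELATION_WINDOW_S]
            if recent:
                reasons.append(f"office_process_started_{e['ts'] - max(recent)}s_before")
            if any(m in e["command"].lower() for m in USER_WRITABLE_MARKERS):
                reasons.append("task_action_in_user_writable_path")
            if reasons:
                alerts.append({
                    "host": e["host"], "ts": e["ts"], "rule": "suspicious_scheduled_task",
                    "severity": "high" if len(reasons) == 2 else "medium",
                    "reasons": reasons, "subject": e["task"],
                })
        elif e["event"] == "file_create":
            target = e["target"].lower()
            # Any PE landing in a Startup folder is a persistence attempt until proven otherwise.
            if STARTUP_MARKER in target and target.endswith(PE_EXTENSIONS):
                writer = PureWindowsPath(e["image"]).name.lower()
                alerts.append({
                    "host": e["host"], "ts": e["ts"], "rule": "startup_folder_pe_drop",
                    "severity": "high",
                    "reasons": [f"pe_written_to_startup_by_{writer}"],
                    "subject": e["target"],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(load_events(SAMPLE_EVENTS)):
        print(f"[{alert['severity']}] {alert['host']} {alert['rule']}: {alert['subject']} "
              f"({'; '.join(alert['reasons'])})")
```

On the constructed input the WS01 task is rated high because both signals agree (created 45 seconds after EXCEL.EXE started for the same user, and its action lives under AppData), the WS02 backup task is silent, and the powershell.exe write of dns.exe into a Startup folder is flagged while the installer's .lnk is not. Either signal alone is noisy on real fleets (updaters legitimately schedule tasks from AppData), which is why the task rule downgrades to medium on a single hit and why the Office start must be within a short window.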
The Lyceum / OilRig (APT34) relationship remains one of the more analytically contested questions in Iranian APT tracking. ESET argued in December 2021 that DanBot should be attributed to OilRig rather than treated as a Lyceum-specific tool, based on evidence from the "Out to Sea" campaign. Microsoft confirmed Lyceum's role as DEV-0133 in the Albania infrastructure probing, operating alongside OilRig / Storm-0861. Sekoia's analysis noted perceptible operational activity "takeovers" from OilRig to Hexane, suggesting operators swap between groups associated with MOIS. Whether Lyceum is a distinct team or a capability within OilRig's broader operational structure may be less important for defenders than recognizing that the two groups share infrastructure patterns, C2 approaches (DNS tunneling), and operational contexts — meaning a detection or mitigation effective against one is likely partially effective against the other. The Albania operation demonstrated that Lyceum functions in a reconnaissance and infrastructure testing role in multi-actor MOIS operations, with OilRig handling initial access and more sophisticated post-compromise operations. This division of labor suggests Lyceum may specifically specialize in target pre-access intelligence gathering and network probing rather than the full intrusion lifecycle.
Sources & Further Reading
- MITRE ATT&CK — HEXANE / Lyceum / SiameseKitten Group G1001
- Secureworks — LYCEUM Takes Center Stage in Middle East Campaign (Aug 2019)
- ClearSky — New Iranian Espionage Campaign By SiameseKitten / Lyceum (Aug 2021)
- The Hacker News — Iran's Lyceum Hackers Target Telecoms, ISPs in Israel, Saudi Arabia, Africa (Nov 2021)
- The Hacker News — Iranian Hackers Spotted Using New DNS Hijacking Malware (Jun 2022)
- CISA — AA22-264A: Iranian State Actors Conduct Cyber Operations Against Albania (Sep 2022)
- BankInfoSecurity — Lyceum APT Group a Fresh Threat to Oil and Gas Companies (2019)
- Threatpost — Lyceum APT Returns, This Time Targeting Tunisian Firms (Nov 2021)
- SecurityWeek — Iranian APT Hexane Targets Israeli Companies (Aug 2021)