The Lyceum APT (aka HEXANE, Spirlin) is a cybercriminal group that mainly targets energy organizations and telecommunication in the Middle East. It has expanded on this victim set by identifying additional targets within internet service providers (ISPs) and government agencies. It has been active since 2018. This group has been linked to Iran. Lyceum is a politically motivated nation-state actor that is conducting cyber espionage using two malware families dubbed Shark and Milan. For initial backdoor deployment, the group does Domain name system (DNS) tunneling. The malware is delivered via a phishing email, which contains a malicious link and a weaponized word document. The MFA (Ministry of Foreign Affairs) is a soughtafter target of the threat actor. The group has been deploying “ir_drones.docm” maldoc for infiltration as well.
In 2021, the threat actors launched a massive campaign against ISPs and telecom companies in Israel, Morocco, Tunisia, and Saudi Arabia in 2021.
Researchers discovered a new campaign in June 2022 in which the APT group was using a new.NET-based backdoor to target the Middle East. The code for the DNS backdoor was taken from the “DNS hijacking” open-source program DIG.net.
The researchers’ observations of the attack chain begin with spear-phishing emails that use weaponized Word documents presented as news articles about Iranian military matters.