Threat Actor

Hexane / Lyceum (G1001)

hexane_lyceum · iran · active since 2017

Hexane / Lyceum (canonical Dragos naming Hexane; canonical SecureWorks naming Lyceum; canonical ClearSky naming Siamesekitten; canonical Accenture naming Spirlin; MITRE ATT&CK Group G1001) is a suspected Iran-aligned cyber-espionage cluster active publicly since at least 2017-2018. Its primary mission is intelligence collection from oil-and-gas industry organizations and telecommunications providers in the Middle East (with Kuwait as the primary operating region per Dragos), Africa, and Central Asia.

The cluster is operationally distinct from the broader Iran-aligned clusters already curated in this corpus (apt33, apt34, apt35, apt39, muddywater, imperial_kitten_tortoiseshell, agrius) through its signature Middle East oil-and-gas-industry targeting, its distinct custom tooling (DanBot RAT, Shark RAT, James and Kevin loaders, Milan RAT), and its signature password-spraying and brute-force initial-access tradecraft.

SecureWorks assesses that cluster activity "resembles" Iran-linked COBALT GYPSY (OilRig/APT34) and COBALT TRINITY (Elfin/APT33) but tracks the cluster separately from those groups because of its distinct malware and infrastructure. Dragos similarly tracks Hexane as distinct from MAGNALLIUM (APT33-related ICS-focused tracking) and CHRYSENE (APT34-related ICS-focused tracking).

Signature tradecraft includes password-spraying initial access; HR- and IT-account-focused intrusion targeting; DanBot RAT delivery via spearphishing emails with malicious Excel macros; PowerShell-based modular post-compromise tooling (password dumping, lateral movement, keylogging scripts); DNS-tunneling C2 communication; security- and web-technology-themed domain registrations; and telecommunications-sector targeting "potentially as a stepping stone to network-focused man-in-the-middle and related attacks" per Dragos.

The multi-vendor naming (Hexane / Lyceum / Siamesekitten / Spirlin) reflects broad industry interest in the cluster and the naming-convention inconsistency of the modern cyber-threat-intelligence ecosystem.

The cluster fills the Middle East oil-and-gas-industry and telecommunications-focused Iran-aligned APT cell in the curated corpus, complementing the broader Iran-aligned coverage.

Attribution: Iran (confidence: high) · 15 aliases · MITRE ATT&CK G1001 ↗

Profile

Hexane / Lyceum (canonical Dragos naming Hexane for ICS-focused tracking; canonical SecureWorks naming Lyceum; canonical ClearSky naming Siamesekitten; canonical Accenture naming Spirlin; MITRE ATT&CK Group G1001) is a suspected Iran-aligned cyber-espionage cluster active publicly since at least 2017-2018, whose primary mission is intelligence collection from oil-and-gas industry organizations and telecommunications providers in the Middle East, Africa, and Central Asia. The cluster is one of the most operationally significant Middle East oil-and-gas-industry-focused Iran-aligned clusters in modern cyber-threat-intelligence reporting and is operationally distinct from the broader Iran-aligned clusters already curated in this corpus (apt33_elfin, apt34_oilrig, apt35_charmingkitten, apt39_chafer, muddywater, imperial_kitten_tortoiseshell, agrius).

Operational phases of the cluster's longitudinal history:

(1) OPERATIONAL EMERGENCE ERA (2017-2018). The cluster's operations have been publicly observed since at least mid-2018 per Dragos disclosure, with MITRE ATT&CK Group G1001 documenting cluster activity since at least 2017. SecureWorks notes that domain registrations indicate Lyceum "may have been active as early as April 2018." The earliest documented operations established the pattern that subsequently defined cluster tradecraft: oil-and-gas-industry primary targeting in the Middle East, password-spraying and brute-force initial access, DanBot RAT custom malware deployment, and DNS-tunneling-based command-and-control communication.

(2) TOOLKIT DEVELOPMENT AND MIDDLE EAST OIL-AND-GAS CAMPAIGN (February-May 2019). SecureWorks documented "a sharp uptick in development and testing of [Lyceum's] toolkit against a public multivendor malware scanning service in February" 2019, immediately preceding the May 2019 Middle East oil-and-gas campaign launch. The May 2019 campaign escalated cluster tempo and established oil-and-gas-industry targeting as the signature primary targeting sector. The campaign tempo coincided with broader Middle East regional political-military tensions of mid-2019, consistent with Iran-aligned strategic priorities.

(3) DRAGOS + SECUREWORKS CANONICAL DISCLOSURE ERA (August 2019). In August 2019, Dragos and SecureWorks separately published canonical vendor research-report disclosures of the cluster: Dragos under Hexane naming, focusing on ICS-targeted operational characterization, and SecureWorks under Lyceum naming, focusing on operational tradecraft including password spraying and DanBot RAT deployment. The 2019 disclosure period established the multi-vendor naming convention that subsequently defined cluster tracking.

(4) CONTINUED OPERATIONS AND CLEARSKY/KASPERSKY/ACCENTURE DISCLOSURE ERA (2021). In August 2021 ClearSky Cyber Security published "New Iranian Espionage Campaign By Siamesekitten - Lyceum", documenting continued cluster operational tempo. Kaspersky GReAT followed with "LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST" in October 2021, documenting the additional James and Kevin custom loaders. Accenture published "Who are the Latest Targets of Cyber Group Lyceum?" in November 2021 under Spirlin naming. The 2021 disclosure period documented continued operational evolution with expanded tooling and expanded geographic targeting.

(5) CONTINUED OPERATIONS AND MODULAR EVOLUTION (2022-Present). Hexane/Lyceum operations have continued through 2022-2025 with modular evolution of tooling, including continued DanBot variants, refined Shark RAT capabilities, James and Kevin loader updates, and Milan RAT operational deployment.
Signature operational tradecraft includes:
  • Password-spraying and brute-force initial access: The cluster's signature initial-access tradecraft is password spraying and brute-force attacks against organization account credentials. SecureWorks documented: "LYCEUM initially accesses an organization using account credentials obtained via password spraying or brute-force attacks. Using compromised accounts, the threat actors send spearphishing emails with malicious Excel attachments to deliver the DanBot malware." This pattern is distinguishable from competing Iran-aligned clusters, which more commonly use spearphishing as the primary initial-access vector.
  • HR-account and IT-account focused intrusion targeting: SecureWorks documented the cluster's focus on compromising HR and IT department accounts within target organizations: HR accounts to enable additional spearphishing within the targeted environment, and IT accounts for high-privilege access and for access to documentation that describes the infrastructure.
  • DanBot RAT signature malware: The cluster's signature custom RAT, delivered via spearphishing emails with malicious Excel macro attachments. DanBot subsequently deploys additional PowerShell-based modular tooling for password dumping, lateral movement, and keylogging.
  • DNS-tunneling C2 communication: Signature command-and-control communication via DNS tunneling, which evades traditional C2 traffic-detection signatures. The DNS-tunneling tradecraft is consistent with broader Iran-aligned cluster patterns and reflects the cluster's investment in sophisticated C2 communication.
  • Security- and web-technology-themed domain registrations: SecureWorks documented the cluster's domain registration pattern using the PublicDomainRegistry.com, Web4Africa, and Hosting Concepts B.V. registrars with security- and web-technology-themed domain names, consistent with the cluster's apparent interest in blending C2 infrastructure with legitimate-appearing security-industry traffic profiles.
  • PowerShell-based modular tooling: Signature tradecraft of deploying modular PowerShell scripts for password dumping, lateral movement, and keylogging after initial DanBot RAT deployment.
  • ICS / OT operational interest: Dragos's ICS-focused tracking of Hexane documented the cluster's ICS-targeted interest. "Although we haven't found evidence, yet, that Lyceum is specifically targeting industrial control networks, their tools and techniques are highly consistent with past attacks on OT infrastructure," per CyberX VP Industrial Cybersecurity Phil Neray. The ICS interest pattern is consistent with Iran-aligned strategic priorities in regional critical-infrastructure intelligence collection and potential follow-on operational-technology disruption capability.
  • Telecommunications-sector targeting for man-in-the-middle capability establishment: Dragos documented the cluster's telecommunications-sector targeting "potentially as a stepping stone to network-focused man-in-the-middle and related attacks", consistent with Iran-aligned strategic interest in establishing regional telecommunications-infrastructure access for broader surveillance and intelligence-collection operations.
  • Operational tempo escalation coinciding with regional political-military tensions: Cluster operational tempo has escalated during periods of Middle East regional political-military tension, consistent with Iran-aligned strategic priorities.
  • Multi-vendor cluster-naming-convention pattern: The cluster has been independently tracked under Hexane (Dragos), Lyceum (SecureWorks), Siamesekitten (ClearSky), and Spirlin (Accenture) naming conventions, reflecting broad industry vendor interest in the cluster and the broader naming-convention inconsistency across the modern cyber-threat-intelligence vendor ecosystem. MITRE ATT&CK Group G1001 documents all four names as referring to the same operational cluster.

The cluster fills the Middle East oil-and-gas industry and telecommunications-focused Iran-aligned APT cell in this curated corpus, complementing the broader Iran-aligned cluster coverage (apt33_elfin, apt34_oilrig, apt35_charmingkitten, apt39_chafer, muddywater, imperial_kitten_tortoiseshell, agrius). Hexane/Lyceum is operationally distinct from these adjacent Iran-aligned clusters through (a) signature Middle East oil-and-gas industry primary targeting (with Kuwait as the primary operating region per Dragos); (b) distinct custom tooling (DanBot RAT signature malware, Shark RAT variants, James and Kevin loaders, Milan RAT); (c) signature password-spraying and brute-force initial-access tradecraft distinguishable from competing Iran-aligned clusters; (d) Industrial Control Systems (ICS) interest patterns more distinct than competing Iran-aligned cluster targeting; and (e) HR- and IT-department-account-focused intrusion targeting tradecraft. SecureWorks and Dragos both assess the cluster as operationally distinct from APT33 and APT34 / OilRig despite operational-pattern similarities consistent with Iran-aligned attribution.
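Two of the tradecraft items above, password-spraying initial access and DNS-tunneling C2, have characteristic shapes in ordinary authentication and DNS resolver logs, and both can be surfaced with simple aggregation rather than signatures. The following detection sketch is an added example written for this profile; it is not code from this platform, Dragos, SecureWorks, or any other vendor cited here. Every log line is constructed: the source IPs are RFC 5737 documentation addresses and `cdn-update.example` is a placeholder parent domain, not an indicator from any report. The thresholds (`min_users`, `min_label`, `min_entropy`, `min_unique`) are assumptions to be tuned against a real environment's baseline.

```python
"""Detection heuristics for two Hexane/Lyceum tradecraft patterns:
password spraying (many accounts, few attempts each, one source) and
DNS tunneling (many unique, long, high-entropy labels under one parent).
Added example with constructed log data; not vendor or platform code."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log, one "key=value" event per line.
# 203.0.113.5 tries five different accounts once each (spray shape);
# 198.51.100.7 retries a single account (brute-force shape, below threshold).
AUTH_LOG = """\
2019-05-03T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2019-05-03T10:00:03Z src=203.0.113.5 user=bob result=FAIL
2019-05-03T10:00:05Z src=203.0.113.5 user=carol result=FAIL
2019-05-03T10:00:07Z src=203.0.113.5 user=dave result=FAIL
2019-05-03T10:00:09Z src=203.0.113.5 user=erin result=FAIL
2019-05-03T10:00:11Z src=203.0.113.5 user=frank result=SUCCESS
2019-05-03T10:05:00Z src=198.51.100.7 user=alice result=FAIL
2019-05-03T10:05:02Z src=198.51.100.7 user=alice result=FAIL
2019-05-03T10:05:04Z src=198.51.100.7 user=alice result=SUCCESS
"""

# Constructed DNS query log: "<client> <queried name>".  The parent domain
# is a placeholder chosen for this example, not a reported indicator.
DNS_LOG = """\
10.0.0.12 www.example.net
10.0.0.12 mail.example.net
10.0.0.12 3f9a1c7e2b8d4e0f6a1b.cdn-update.example
10.0.0.12 9d2e7b41c0a5f83e6b7c.cdn-update.example
10.0.0.12 1a7f3c9e5b2d8e4f0c6a.cdn-update.example
10.0.0.12 e4b8d2f7a1c3e9b5d0f6.cdn-update.example
10.0.0.12 7c1e5a9f3b2d8e4c0a6f.cdn-update.example
10.0.0.12 b5d9f1a3e7c2b8d4f0e6.cdn-update.example
"""


def parse_auth(text):
    """Turn the key=value log into (timestamp, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        kv = dict(p.split("=", 1) for p in parts[1:])
        events.append((ts, kv["src"], kv["user"], kv["result"]))
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Flag a source that fails against at least min_users distinct accounts
    inside one window while never exceeding max_per_user attempts per account.
    That low-and-wide shape is what separates a spray from a brute force."""
    fails_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
    hits = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            in_window = [u for t, u in fails[i:] if t - start <= window]
            per_user = defaultdict(int)
            for u in in_window:
                per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src] = {"distinct_users": len(per_user), "attempts": len(in_window)}
                break  # one alert per source is enough for triage
    return hits


def shannon_entropy(s):
    """Bits of entropy per character; hex/base32-encoded data scores high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_dns_tunnel(text, min_label=16, min_entropy=3.0, min_unique=5):
    """Flag parent domains receiving at least min_unique distinct leftmost
    labels that are both long and high-entropy, i.e. data encoded into
    query names rather than hostnames a human would register."""
    labels_by_parent = defaultdict(set)
    for line in text.splitlines():
        _client, qname = line.split()
        labels = qname.split(".")
        if len(labels) < 3:  # no subdomain label to inspect
            continue
        parent = ".".join(labels[-2:])
        first = labels[0]
        if len(first) >= min_label and shannon_entropy(first) >= min_entropy:
            labels_by_parent[parent].add(first)
    return {p: len(s) for p, s in labels_by_parent.items() if len(s) >= min_unique}


if __name__ == "__main__":
    print("password spray sources:", detect_password_spray(parse_auth(AUTH_LOG)))
    print("DNS tunnel candidates:", detect_dns_tunnel(DNS_LOG))
```

The spray detector deliberately keys on the source rather than the account, because per-account lockout counters never trip when each account sees one or two attempts; in practice the next pivot is the SUCCESS event that follows the spray from the same source (the `frank` login in the constructed data). The DNS heuristic counts unique labels per parent rather than raw query volume so that a busy but legitimate CDN hostname, which repeats the same few names, does not alert.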

Aliases

15
hexane, hexane group, lyceum, lyceum group, g1001, g-1001, siamesekitten, siamese kitten, siamese-kitten, spirlin, lyceum reborn, hexane_lyceum, hexane_apt, hexane lyceum, lyceum_apt

Notable Campaigns

10
2022-2025: Continued Operations and Modular Evolution (2022-2025)
2021: ClearSky Siamesekitten Disclosure, Lyceum Reborn (August 2021)
2021: Accenture Spirlin Disclosure (November 9, 2021)
2019: Toolkit Development and Testing Surge (February 2019)
2019: Middle East Oil and Gas Sector Campaign (May 2019)
2019: Kuwait as Primary Operating Region (2019)
2019: Dragos Canonical Hexane Disclosure (August 2019)
2019: SecureWorks Canonical Lyceum Disclosure (August 27, 2019)
2018: South African Targeting Campaign (Mid-2018)
2017-2018: Hexane / Lyceum Operational Emergence (Mid-2018)

Attribution & Reporting

Attributed by
Dragos, SecureWorks Counter Threat Unit, ClearSky Cyber Security, Accenture, Kaspersky GReAT, MITRE ATT&CK, Mandiant, CrowdStrike, Microsoft Threat Intelligence Center, Recorded Future Insikt Group, Trend Micro, PwC Threat Intelligence, Cisco Talos, Symantec / Broadcom Threat Hunter Team, CyberX (now part of Microsoft)
Key reporting
Dragos: HEXANE Activity Group Profile (August 2019), canonical Hexane first-disclosure publication, ICS-focused
SecureWorks Counter Threat Unit: LYCEUM Takes Center Stage in Middle East Campaign (August 27, 2019), canonical Lyceum first-disclosure publication
ClearSky Cyber Security: New Iranian Espionage Campaign By 'Siamesekitten' - Lyceum (August 2021), canonical Siamesekitten third-vendor disclosure
Kaspersky GReAT (Kayal A. et al.): LYCEUM REBORN, COUNTERINTELLIGENCE IN THE MIDDLE EAST (October 2021), canonical Lyceum Reborn follow-up with James + Kevin loader documentation
Accenture: Who are the Latest Targets of Cyber Group Lyceum? (November 9, 2021), canonical Spirlin fourth-vendor disclosure
MITRE ATT&CK Group G1001, HEXANE / Lyceum / Siamesekitten / Spirlin
MITRE ATT&CK for ICS Group G0005, HEXANE / Lyceum (ICS-focused tracking)
Microsoft Threat Intelligence: Iran-Attributed Cluster Tracking, Hexane/Lyceum Adjacent Activity
Mandiant: Iran-Attributed Cluster Tracking
CrowdStrike Global Threat Report: Iran-Attributed Cluster Tracking
Recorded Future Insikt Group: Iran State-Aligned Cyber-Espionage Tracking
Trend Micro: Iran-Aligned Middle East Targeting Tracking
PwC Threat Intelligence: Iran-Aligned APT Cluster Continued Tracking
Cisco Talos: Iran-Aligned APT Cluster Documentation
Symantec / Broadcom Threat Hunter Team: Iran-Aligned APT Continued Tracking
CyberX (now Microsoft): ICS-Focused Lyceum/Hexane Analysis, Phil Neray VP Industrial Cybersecurity Commentary
Malpedia Actor Profile: Lyceum

Operational

State sponsor

Suspected Iran-aligned cyber-espionage cluster, with attribution consistent with Islamic Republic of Iran state-aligned operational interests. Neither Dragos (canonical Hexane naming) nor SecureWorks (canonical Lyceum naming) provides formal attribution to the Iranian government in their cluster-disclosure publications; both vendors abstained from linking Hexane/Lyceum to any specific country's cyber-espionage apparatus. However, both vendors and subsequent industry analysis (ClearSky August 2021 Siamesekitten disclosure, Accenture November 2021 Spirlin disclosure, Kaspersky October 2021 "Lyceum Reborn" disclosure) note operational tradecraft and targeting consistent with Iranian state-aligned interests. Specifically: (a) SecureWorks notes Lyceum activity "resembles that of established groups such as Iran-linked COBALT GYPSY (related to OilRig, Crambus, and APT34) and COBALT TRINITY (also known as Elfin and APT33)", while assessing that "the collected malware and infrastructure are not connected" to these prior Iran-attributed clusters; (b) Dragos notes Hexane "demonstrates similarities to the activity groups MAGNALLIUM and CHRYSENE", Dragos's ICS-focused tracking names for APT33-related and APT34-related ICS activity; (c) the targeting focus on oil and gas industry organizations in the Middle East (particularly Kuwait as primary operating region) aligns with Iran-aligned strategic interests in regional energy-industry intelligence collection; (d) telecommunications-sector targeting in the Middle East, Africa, and Central Asia is consistent with Iran-aligned interest in establishing man-in-the-middle capability across regional telecommunications infrastructure ("potentially as a stepping stone to network-focused man-in-the-middle and related attacks" per Dragos); (e) operational tempo escalation coinciding with periods of Middle East regional political-military tension is consistent with Iran-aligned strategic priorities. No formal Iranian government attribution has been asserted by any government cyber-security authority.

The cluster is operationally distinct from the broader Iran-aligned clusters already curated in this corpus (apt33_elfin, apt34_oilrig, apt35_charmingkitten, apt39_chafer, muddywater, imperial_kitten_tortoiseshell, agrius), distinguished by (a) signature Middle East oil-and-gas industry primary targeting (with Kuwait as the primary operating region per Dragos); (b) distinct custom tooling (DanBot RAT signature malware, Shark RAT variants, James and Kevin loaders); (c) signature password-spraying and brute-force initial-access tradecraft distinguishable from competing Iran-aligned clusters; and (d) Industrial Control Systems (ICS) related targeting (per Dragos's focus) that is more operationally distinct than competing Iran-aligned cluster targeting patterns.

Motivations
cyber_espionage_intelligence_collection, critical_infrastructure_intelligence_collection, oil_and_gas_industry_intelligence_collection, telecommunications_intelligence_collection, man_in_the_middle_capability_establishment, regional_geopolitical_intelligence, credential_harvesting_for_follow_on_operations
Sectors
Regions

Detection Blind Spots

60 techniques
Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
Behavioral / log (Sigma): 56/60 · 93%
Analytics (MITRE CAR): 28/60 · 46%
Runtime / container (Falco): 7/60 · 11%
File / malware (YARA): 0/60 · 0%
Network (Suricata/Snort): 14/60 · 23%
Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

1 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped): Meterpreter, Milan RAT, Shark RAT

CVEs Exploited

3
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin