Lyceum

Threat Actor Profile Updated 3 months ago
Lyceum, also tracked as DEV-0133 and potentially linked to the OilRig group (aka APT34, Helix Kitten, Cobalt Gypsy, Crambus or Siamesekitten), is a threat actor believed to be a Farsi-speaking entity active since 2018. It is suspected to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS), alongside other MOIS-affiliated clusters such as OilRig, Agrius and Scarred Manticore. Security researchers have observed the group targeting critical infrastructure organizations while remaining undetected for over a year, with capabilities comparable to those of other established threat groups. Notably, Lyceum has developed a .NET-based DNS backdoor that has been used extensively in its recent campaigns. The group has also shown operational sophistication in abusing cloud services such as OneDrive for command and control (C2) and data exfiltration. Analysis of the backdoor showed that it can perform one of three functions depending on the command received from the C2 server. The backdoor builds on a customized version of the open-source tool Dig.Net, as evidenced by comparing the strings of its DigIt() resolver function with the output of the Dig.Net tool. Recently, Zscaler ThreatLabz observed a new campaign in which Lyceum deployed newly developed and customized .NET-based malware against targets in the Middle East; this malware was found to copy its underlying code from an open-source tool. Moreover, the OilRig group, which may be associated with Lyceum, has developed four new downloaders in the past year (SampleCheck5000 (SC5k v1-v3), ODAgent, OilCheck and OilBooster), adding to an already extensive arsenal of custom malware. These activities demonstrate that Lyceum remains an ongoing threat and underline the need for robust cybersecurity measures.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
OilRig | 2 | OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
POLONIUM | 1 | Polonium is a threat actor group, believed to be based in Lebanon, that has been responsible for significant cyberattacks on Israel's operational technology (OT) and critical infrastructure. In December, Israel's National Cyber Directorate issued warnings that Polonium had targeted critical sectors
Siamesekitten | 1 | Siamesekitten, also known as OilRig, APT34, Lyceum, or Crambus, is a threat actor group believed to be based in Iran. This cyberespionage entity has been active since at least 2014 and has targeted various organizations across the globe with malicious intent. The group is known for its sophisticated
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Espionage
Malware
State Sponso...
Phishing
Windows
Net
Beacon
Spearphishing
ESET
Backdoor
ICS
DNS
APT
Associated Malware
ID | Type | Votes | Profile Description
Shark | Unspecified | 1 | Shark is a type of malware, or malicious software, that was deployed by the cyber group OilRig. In 2021, OilRig updated its DanBot backdoor and began deploying the Shark, Milan, and Marlin backdoors, as highlighted in the T3 2021 issue of the ESET Threat Report. This harmful program can infiltrate s
Milan | Unspecified | 1 | Milan is a malicious software, or malware, that was notably deployed by the cyber group OilRig in 2021. The group updated its DanBot backdoor and began deploying multiple backdoors including Shark, Milan, and Marlin. These backdoors were mentioned in the T3 2021 issue of the ESET Threat Report. Simi
SC5k | Unspecified | 1 | SC5k is a malware developed by OilRig, first discovered in November 2021 during the group's Outer Space campaign. This malicious software acts as a vehicle to deploy a downloader called SampleCheck5000 (SC5k), which utilizes the Office Exchange Web Services (EWS) API to download additional tools for
adobereport.exe | Unspecified | 1 | None
DanBot | Unspecified | 1 | DanBot is a malicious software (malware) written in C# using .NET Framework 2.0 that provides basic remote access capabilities. It was identified as part of the arsenal used by the cyber threat group, OilRig, and has been linked to other backdoors such as Solar, Shark, Milan, and Marlin. The malware
Associated Threat Actors
ID | Type | Votes | Profile Description
Scarred Manticore | Unspecified | 1 | Scarred Manticore is a threat actor known for its malicious cyber activities, which have been observed in Albania in 2022 and Israel from 2023 to 2024. The group uses sophisticated techniques including a web shell-based version of the LIONTAIL shellcode loader and .NET payloads obfuscated similarly
Crambus | Unspecified | 1 | The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In the most recent attack between February and September 2023, this group infiltrated an unnamed Middle Eastern government's network
Associated Vulnerabilities
ID | Type | Votes | Profile Description
SampleCheck5000 SC5k | Unspecified | 1 | SampleCheck5000 (SC5k) is a vulnerability in software design or implementation, used by the threat group OilRig, also known as APT34, Helix Kitten, Cobalt Gypsy, Lyceum, Crambus, or Siamesekitten. This group has been linked to potential Iranian threat actors and is notorious for its sophisticated c
Source Document References
Information about the Lyceum Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
DARKReading | 7 months ago | Iran-Linked 'OilRig' Cyberattackers Target Israel's Critical Infrastructure, Over & Over
CERT-EU | 9 months ago | Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign
CERT-EU | 9 months ago | Secondary school in Meppel evacuated over possible threat
CERT-EU | 9 months ago | APT trends report Q3 2023
MITRE | a year ago | Exposing POLONIUM activity and infrastructure targeting Israeli organizations - Microsoft Security Blog
MITRE | a year ago | Who are Latest Targets of Cyber Group Lyceum | Accenture
MITRE | a year ago | Cyber Threat Group LYCEUM Takes Center Stage in Middle East Campaign
MITRE | a year ago | Lyceum .NET DNS Backdoor | Zscaler