Lyceum

Threat Actor updated 4 months ago (2024-05-04T20:02:35.101Z)
Download STIX
Preview STIX
Lyceum, also known as DEV-0133 and potentially linked to the OilRig group (aka APT34, Helix Kitten, Cobalt Gypsym, Crambus, or Siamesekitten), is a threat actor believed to be a Farsi-speaking entity active since 2018. It is suspected to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS), joining other MOIS-affiliated clusters like OilRig, Agrius, and Scarred Manticore. The group has been observed by cybersecurity researchers targeting critical infrastructure organizations undetected for over a year, demonstrating capabilities similar to other threat groups. Notably, Lyceum has developed a .NET based DNS Backdoor, which has been used extensively in their recent campaigns. The Lyceum Group has shown sophistication in its operations, utilizing cloud services such as OneDrive for command and control (C2) and data exfiltration purposes. Further analysis of their backdoor revealed that it can perform three functions depending on the command received from the C2 server. In addition, the group has customized an open source tool, Dig.Net, to develop their .NET based DNS backdoor, as evidenced by comparing the Digit Resolver Code DigIt() function strings with the Dig.Net tool output. Recently, Zscaler ThreatLabz observed a new campaign where Lyceum was deploying newly developed and customized .NET-based malware targeting the Middle East. This malware was found to be copying the underlying code from an open source tool. Moreover, the OilRig group, which may be associated with Lyceum, has developed four specific new downloaders — SampleCheck5000 (SC5k v1-v3), ODAgent, OilCheck, and OilBooster — in the past year, adding to an already extensive arsenal of custom malware. These actions demonstrate Lyceum's ongoing threat and the need for robust cybersecurity measures.
Description last updated: 2024-05-04T19:42:13.472Z
What's your take? (Question 1 of 3)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
OilRig
2
OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
State Sponso...
Malware
Espionage
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Lyceum Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
9 months ago
Iran-Linked 'OilRig' Cyberattackers Target Israel's Critical Infrastructure, Over & Over
CERT-EU
10 months ago
Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign
CERT-EU
10 months ago
Secondary school in Meppel evacuated over possible threat
CERT-EU
a year ago
APT trends report Q3 2023
MITRE
2 years ago
Exposing POLONIUM activity and infrastructure targeting Israeli organizations - Microsoft Security Blog
MITRE
2 years ago
Who are Latest Targets of Cyber Group Lyceum | Accenture
MITRE
2 years ago
Cyber Threat Group LYCEUM Takes Center Stage in Middle East Campaign
MITRE
2 years ago
Lyceum .NET DNS Backdoor | Zscaler