Lyceum

Threat Actor updated 7 months ago (2024-11-29T14:43:32.782Z)
Download STIX
Preview STIX
Lyceum, also known as DEV-0133 and potentially linked to the OilRig group (aka APT34, Helix Kitten, Cobalt Gypsym, Crambus, or Siamesekitten), is a threat actor believed to be a Farsi-speaking entity active since 2018. It is suspected to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS), joining other MOIS-affiliated clusters like OilRig, Agrius, and Scarred Manticore. The group has been observed by cybersecurity researchers targeting critical infrastructure organizations undetected for over a year, demonstrating capabilities similar to other threat groups. Notably, Lyceum has developed a .NET based DNS Backdoor, which has been used extensively in their recent campaigns. The Lyceum Group has shown sophistication in its operations, utilizing cloud services such as OneDrive for command and control (C2) and data exfiltration purposes. Further analysis of their backdoor revealed that it can perform three functions depending on the command received from the C2 server. In addition, the group has customized an open source tool, Dig.Net, to develop their .NET based DNS backdoor, as evidenced by comparing the Digit Resolver Code DigIt() function strings with the Dig.Net tool output. Recently, Zscaler ThreatLabz observed a new campaign where Lyceum was deploying newly developed and customized .NET-based malware targeting the Middle East. This malware was found to be copying the underlying code from an open source tool. Moreover, the OilRig group, which may be associated with Lyceum, has developed four specific new downloaders — SampleCheck5000 (SC5k v1-v3), ODAgent, OilCheck, and OilBooster — in the past year, adding to an already extensive arsenal of custom malware. These actions demonstrate Lyceum's ongoing threat and the need for robust cybersecurity measures.
Description last updated: 2024-05-04T19:42:13.472Z
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
OilRig is a possible alias for Lyceum. OilRig, also known as APT34, Earth Simnavaz, Evasive Serpens, and other names, is a well-known threat actor in the cybersecurity industry. This group has been particularly active in targeting entities in the Middle East, including critical infrastructure and telecommunications organizations. One of
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
State Sponso...
Espionage
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The DanBot Malware is associated with Lyceum. DanBot is a malicious software (malware) written in C# using .NET Framework 2.0 that provides basic remote access capabilities. It was identified as part of the arsenal used by the cyber threat group, OilRig, and has been linked to other backdoors such as Solar, Shark, Milan, and Marlin. The malwareUnspecified
2
Source Document References
Information about the Lyceum Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more