article featured image


‘Lyceum’ has been active since 2017 and is also known as Hexane, Siamesekitten, or Spirlin.

The advanced persistent threat (APT) organization has previously been connected to attacks on Middle Eastern oil and gas businesses, but it now appears that its focus has shifted to the IT industry.

What Happened?

Lyceum backdoor malware was noticed in attacks throughout Morocco, Tunisia, and Saudi Arabia.

Lyceum was found deploying two unique malware families, named Shark and Milan, in the most current campaign evaluated in a joint analysis by experts at Accenture and Prevailion.

Shark and Milan

As thoroughly explained by BleepingComputer, the Shark backdoor is a 32-bit program built-in C# and.NET that may be used to run instructions and steal data from affected computers.

Milan is a 32-bit remote access trojan (RAT) that can extract data from a compromised machine and send it to hosts generated using domain creation methods (DGAs).

Both backdoors connect with their command and control servers (C2) through DNS and HTTPS, with Shark additionally employing DNS tunneling.

Lyceum appears to be watching researchers who are researching their malware to upgrade its code and remain ahead of protective systems, according to the technical investigation, which indicated a continuous renewal of the beacons and payloads.

The most current build dates are from October 2021, and at least two of the detected compromises are still active, according to the researchers.

By annexing twenty of the actor’s domains and examining the telemetry data without pulling them down, the analysts were able to map the Lyceum victims.

The resultant study includes a fresh list of indications of compromise (IoCs) as well as different methods for detecting the two backdoors, potentially disrupting Lyceum’s continuing effort.

The hackers in question are thought to be politically motivated and only engaged in cyber espionage rather than disrupting their targets’ operations.

This is why they are concentrating their efforts on ISP network breaches, as compromising high-level service providers is a great method to gather important intelligence on other countries.

It is unknown if the Milan backdoor beacons are coming from a customer of the Moroccan telecommunication operator or from internal systems within the operator. However, since Lyceum has historically targeted telecommunication providers and the Kaspersky team identified recent targeting of telecommunication operators in Tunisia, it would follow that Lyceum is targeting other north African telecommunication companies. The ACTI/PACT research team therefore assess that the observed Milan activity is likely emanating directly from within the Moroccan telecommunications operator.


How Can Heimdal™ Help?

Heimdal™ Threat Prevention – Network provides unique threat hunting and ultimate visibility over an entire network, therefore offering A to Z protection, regardless of device or operating system.

Let our innovative AI detect and block any infected domains, allowing you to enjoy peace of mind when thinking about your business ecosystem.

If you liked this article follow us on LinkedInTwitterYouTubeFacebookand Instagram to keep up to date with everything about cybersecurity.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo