Lyceum Intensifies Cyber Espionage on Tunisian Telecom and Aviation Sectors
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Backdoor, Keylogger
- Attack Complexity: High
- Threat Risk: High Impact/High Probability
Threat Overview
The Lyceum group (also known as Hexane) is a cyber threat actor focused on the telecommunications, energy and aviation sectors, particularly targeting high-profile organisations in Tunisia. Active since 2018, Lyceum has recently replaced its .NET-based malware with new C++ backdoors and PowerShell scripts to evade detection. The group continues to rely on DNS tunneling for command and control (C2) and uses tools for system reconnaissance, credential theft and keylogging. Lyceum also uses spoofed domains to disguise its activities, demonstrating an adaptive approach to persistent targeting of critical infrastructure.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Aerospace | Verified |
| Sector | Energy | Verified |
| Sector | Oil and Gas | Verified |
| Region | South Africa | High |
| Region | Tunisia | Verified |
| Region | Middle East Countries | High |
Extracted IOCs
Tip: 51 IOCs related to this threat have been found (1 IP address, 26 domains, 0 URLs, 2 email addresses, 22 file hashes).
Overlaps
Source: Prevailion - November 2021
Detection (15 cases): akastatus[.]com, centosupdatecdn[.]com, cybersecnet.co[.]za, defenderlive[.]com, dnscatalog[.]net, dnscdn[.]org, dnsstatus[.]org, hpesystem[.]com, securednsservice[.]net, sysadminnews[.]info, uctpostgraduate[.]com, updatecdn[.]net, web-traffic[.]info, windowsupdatecdn[.]com, wsuslink[.]com
Source: ClearSky - August 2021
Detection (5 cases): d3606e2e36db0a0cb1b8168423188ee66332cae24fe59d63f93f5f53ab7c3029, akastatus[.]com, defenderlive[.]com, dnsstatus[.]org, wsuslink[.]com
Source: CyberX - January 2020
Detection (2 cases): cybersecnet.co[.]za, web-traffic[.]info
Source: Secureworks - August 2019
Detection (4 cases): cybersecnet.co[.]za, dnscloudservice[.]com, opendnscloud[.]com, web-traffic[.]info
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.