Iranian Lyceum Group Deploys Malware Disguised as Adobe Update
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Dropper, Malware, Trojan, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/Low Probability
Threat Overview
The Iranian SiameseKitten (Lyceum) group deployed new malware masquerading as an Adobe update that communicates with a command-and-control (C2) server. The malware includes a reverse shell and is signed with fake Microsoft certificates, echoing tactics seen with other Iranian groups such as Phosphorus. The attack used a lure PDF about drone attacks in Iran and establishes persistence via the Startup folder. The parent file and the reverse shell were downloaded from domains registered on June 6th, highlighting the group's continued use of sophisticated detection-avoidance techniques.
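The two host-side artifacts described above, Startup-folder persistence and a binary signed with a fake Microsoft certificate, can be checked together from a defender's side. The script below is an added example, not part of the original advisory: it enumerates both Startup folders, resolves shortcuts to their targets, and runs each target through Authenticode validation, so a "Microsoft"-looking signer that does not chain to a trusted root is surfaced alongside unsigned entries. It assumes a Windows host with PowerShell 5.1 or later; all output fields are the script's own naming.

```powershell
# Added example (not from the original advisory): audit Startup-folder
# persistence entries and verify each target's Authenticode signature.
# A forged "Microsoft" certificate fails chain validation, so it shows up
# here as NotTrusted / UnknownError rather than Valid.
# Assumes Windows with PowerShell 5.1+.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Force | ForEach-Object {
        $target = $_.FullName
        # Resolve .lnk shortcuts to the executable they actually launch
        if ($_.Extension -eq '.lnk') {
            $shell  = New-Object -ComObject WScript.Shell
            $target = $shell.CreateShortcut($_.FullName).TargetPath
        }
        if (-not (Test-Path $target)) { return }   # dangling shortcut, skip
        $sig = Get-AuthenticodeSignature -FilePath $target
        $cert = $sig.SignerCertificate
        [PSCustomObject]@{
            StartupEntry = $_.Name
            Target       = $target
            Status       = $sig.Status   # Valid / NotSigned / NotTrusted / UnknownError
            Signer       = if ($cert) { $cert.Subject } else { '<none>' }
            Issuer       = if ($cert) { $cert.Issuer }  else { '<none>' }
            SHA256       = (Get-FileHash -Path $target -Algorithm SHA256).Hash
        }
    }
}

# Anything that is not validly signed is worth a look; an entry whose
# signer subject names Microsoft or Adobe but is not Valid matches the
# fake-certificate pattern described in the overview.
$suspect = $findings | Where-Object { $_.Status -ne 'Valid' }
$forged  = $suspect  | Where-Object { $_.Signer -match 'Microsoft|Adobe' }

$findings | Format-Table StartupEntry, Status, Signer, SHA256 -AutoSize
if ($suspect) { Write-Warning "Unsigned or untrusted Startup entries: $(@($suspect).Count)" }
if ($forged)  { Write-Warning "Entries claiming a Microsoft/Adobe signer that do not validate: $(@($forged).Count)" }
```

Pair the SHA256 column with the advisory's published file hashes to confirm a match, and review any flagged target's outbound connections from the same host.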
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Region | United Arab Emirates | High |
Extracted IOCs
Tip: 15 IOCs related to this threat have been found (2 IP addresses, 1 domain, 0 URLs, 0 email addresses, 12 file hashes).
FAQs
Understanding the SiameseKitten Drone-Themed Cyber Attack
A new malware campaign was discovered that delivers a reverse shell disguised as a PDF update. It tricks users with a document about drone attacks in Iran.
The group responsible is SiameseKitten (also known as Lyceum), an Iranian state-linked hacking group known for targeting organizations in the Middle East.
The attackers aimed to gain remote control over victims’ systems, likely for surveillance, data theft, or further lateral movement.
While the exact targets aren't named, the use of drone-related lures and the attack infrastructure suggest targeting of politically or militarily relevant individuals or organizations.
Victims were tricked into downloading a file that appeared to be an Adobe update. This file then installed malware and connected to a remote server for instructions.
Such documents create a sense of urgency or curiosity, making recipients more likely to open them. The lure also ties into regional events likely to interest specific high-value targets.
Avoid opening suspicious attachments, verify digital signatures, and monitor unusual outbound network connections. Use modern endpoint protection and educate users on phishing risks.
No, this appears to be a targeted attack, but it uses techniques that could be replicated in broader campaigns. Organizations with geopolitical relevance should be particularly vigilant.