Threats Feed | SiameseKitten | Last Updated: 24/01/2025 | Author: Certfa Radar | Publish Date: 17/08/2021

Siamesekitten APT Targets Israeli IT Firms with Supply Chain Attacks

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

The Iranian APT group Siamesekitten (also tracked as Lyceum/Hexane) launched targeted cyberattacks on Israeli IT and technology firms in 2021 using advanced social engineering and supply chain tactics. The campaign impersonated HR personnel and organizations via phishing websites and LinkedIn profiles to distribute malware such as Milan and its successor Shark. Victims were infected with the DanBot RAT, which communicated with its C2 infrastructure over DNS tunneling and HTTPS. The group also abused legitimate tools such as UltraVNC for remote access. Known for prior attacks on the oil, gas, and telecom sectors in the Middle East and Africa, Siamesekitten's recent focus highlights its shift to Israeli targets for espionage and data theft.

Detected Targets

Type | Description | Confidence
Case | Chip PC Technologies: a developer and manufacturer of thin client solutions and management software for server-based computing, a network architecture in which applications are deployed, managed and fully executed on the server. Chip PC Technologies has been targeted by SiameseKitten for malicious purposes. | Verified
Case | Software AG: a German multinational software corporation that develops enterprise software for business process management, integration, and big data analytics. Founded in 1969, the company is headquartered in Darmstadt, Germany, and has offices worldwide. Software AG has been targeted by SiameseKitten for malicious purposes. | Verified
Sector | Information Technology | Verified
Sector | Oil and Gas | Medium
Region | Israel | Verified
Region | Middle East Countries | Verified

Extracted IOCs


Tip: 29 related IOCs (8 IP, 8 domain, 0 URL, 4 email, 9 file hash) to this threat have been found.

Overlaps

Lyceum: Lyceum's Cyber Espionage Campaign Targets Telecoms and ISPs in the Middle East and Africa

Source: Prevailion - November 2021

Detection (six cases): akastatus[.]com, defenderlive[.]com, defenderstatus[.]com, dnsstatus[.]org, wsuslink[.]com, zonestatistic[.]com

Lyceum: Lyceum Intensifies Cyber Espionage on Tunisian Telecom and Aviation Sectors

Source: Virus Bulletin - October 2021

Detection (five cases): d3606e2e36db0a0cb1b8168423188ee66332cae24fe59d63f93f5f53ab7c3029, akastatus[.]com, defenderlive[.]com, dnsstatus[.]org, wsuslink[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

About Affiliation: SiameseKitten