LYCEUM

aka: COBALT LYCEUM, Chrono Kitten, HEXANE, MYSTICDOME, Spirlin, Storm-0133, UNC1530, siamesekitten

Lyceum is an Iranian APT group that has been active since at least 2014. They primarily target Middle Eastern governments and organizations in the energy and telecommunications sectors. Lyceum is known for using cyber espionage techniques and has been linked to other Iranian threat groups such as APT34. They have developed and deployed malware families like Shark and Milan, and have been observed using DNS tunneling and HTTP for command and control communication.

Associated Families
win.lyceum_dns_backdoor_dotnet win.lyceum_http_backdoor_dotnet win.lyceum_http_backdoor_golang

2022-06-09 · Zscaler · Avinash Kumar, Niraj Shivtarkar
Lyceum .NET DNS Backdoor
2022-03-31 · Check Point Research
State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage
Loki RAT El Machete APT Backdoor Dropper Lyceum .NET DNS Backdoor Lyceum .NET TCP Backdoor Lyceum Golang HTTP Backdoor
2021-11-09 · Prevailion · Accenture Cyber Threat Intelligence, Prevailion
Who are latest targets of cyber group Lyceum?
Milan Shark LYCEUM
2021-10-07 · Kaspersky · Aseel Kayal, Mark Lechtik, Paul Rascagnères
LYCEUM Reborn: Counterintelligence in the Middle East
danbot LYCEUM
2021-08-17 · ClearSky · ClearSky Research Team
New Iranian Espionage Campaign By “Siamesekitten” – Lyceum
danbot RGDoor LYCEUM
2019-08-27 · Secureworks · CTU Research Team
LYCEUM Takes Center Stage in Middle East Campaign

Credits: MISP Project