HEXANE: Persistent Espionage Targeting Critical Infrastructure
- Suspected Origin
- Iran
- Motivation
- Espionage, Information Theft
- Aliases
- Lyceum, Siamesekitten, Spirlin
- Target Sectors
- Oil & Gas, Telecommunications, Aviation, Internet Service Providers, Critical Infrastructure, Government
- Associated Malware
- DanBot, DanDrop, kl.ps1, Decrypt-RDCMan.ps1, Get-LAPSP.ps1, Milan, Shark, James, Kevin
Overview
HEXANE, tracked by MITRE ATT&CK as G1001, is a sophisticated cyber espionage threat group that has been actively targeting organizations in the Middle East and Africa since at least 2017. Known by aliases such as Lyceum, Siamesekitten, and Spirlin, this group primarily focuses on the oil and gas, telecommunications, aviation, and internet service provider (ISP) sectors. While HEXANE’s tactics and techniques bear similarities to other notable Iranian groups like APT33 (Elfin, Cobalt Trinity) and OilRig (APT34, Cobalt Gypsy), differences in their victimology and toolset warrant its tracking as a distinct entity.
Attribution analysis, notably by security firms like ClearSky and Secureworks, strongly links HEXANE to Iran, assessing it as an Iranian advanced persistent threat (APT) group. Their primary motivation is cyber espionage and the theft of sensitive information, rather than disruptive or destructive attacks. The group’s activities have notably intensified during periods of escalating geopolitical tensions in the Middle East, suggesting a state-sponsored agenda aimed at furthering political, economic, and national security goals through intelligence gathering. They frequently target high-value individuals within victim organizations, including executives, human resources staff, and IT personnel, to gain initial access and establish persistent footholds.
Tactics & Techniques
HEXANE employs a blend of established and custom tactics and techniques, often initiating their attacks through social engineering. A prevalent initial access vector involves password spraying and brute-force attacks to compromise email accounts. Once valid credentials are obtained, they leverage these compromised accounts to deliver highly targeted spear-phishing emails. These emails typically contain malicious attachments, often weaponized Excel documents or other Office files, designed to drop their initial malware payload. In some campaigns, they have also established fraudulent LinkedIn accounts impersonating HR department employees to lure potential victims with fake job offers. More recently, HEXANE has adapted its lures to capitalize on current events, such as the Russia-Ukraine war, using war-themed documents or fake news articles to entice victims.
For persistence, HEXANE has been observed using various methods, including scheduled tasks to run keyloggers and WMI event subscriptions. They are adept at reconnaissance, using tools like whoami, netstat, net localgroup, net view, ping, and tracert for host and network discovery. Lateral movement often involves the use of remote desktop sessions. Data exfiltration commonly occurs over web services, with cloud platforms like OneDrive being utilized for this purpose. The group has also shown a capability for DNS tunneling in their command and control (C2) communications, making their malicious activity harder to detect. They register and operate domains for their campaigns, often with themes related to security or web technology, and have been known to impersonate targeted organizations.
Notable Campaigns
HEXANE’s operations trace back to at least 2017, with activity accelerating in early to mid-2019, coinciding with heightened geopolitical tensions in the Middle East. Early campaigns primarily targeted industrial control systems (ICS)-related entities within the oil and gas and telecommunications sectors in the Middle East, particularly in Kuwait. Their focus on telecommunication providers sometimes serves as a stepping stone for supply chain attacks, allowing them to gain access to industrial organizations through third-party connections.
In a notable shift, a second wave of attacks was observed in July 2021, particularly against companies in Israel, where the group upgraded its backdoor malware. Further activity between July and October 2021 saw Lyceum (HEXANE) targeting ISPs and telecom organizations across Israel, Morocco, Tunisia, and Saudi Arabia, alongside a campaign against an African ministry of foreign affairs. In March 2022, HEXANE leveraged the Russia-Ukraine conflict as a lure, sending spear-phishing emails to an Israeli energy company, impersonating news reports and employing their updated malware and infrastructure. This shows their ability to quickly adapt their social engineering tactics to current global events.
Associated Malware & Tools
HEXANE utilizes a mix of custom-developed malware and legitimate or open-source tools, often customized for their operations.
Key malware families and tools include:
- DanBot: A custom-developed .NET-based Remote Access Trojan (RAT) that serves as a first-stage backdoor. It communicates with C2 servers using DNS and HTTP-based channels and provides basic capabilities like command execution and file upload/download.
- DanDrop: A VBA macro, often embedded in malicious Excel files, used to drop and install DanBot onto compromised systems.
- kl.ps1: A PowerShell-based keylogger used to capture window titles and keystrokes, storing gathered data in Base64-encoded format.
- Decrypt-RDCMan.ps1: A PowerShell script from the PoshC2 penetration testing framework, used to decrypt passwords stored in Remote Desktop Connection Manager (RDCMan) configuration files.
- Get-LAPSP.ps1: A PowerView-based script from the PowerShell Empire framework, employed to gather account information from Active Directory via LDAP.
- Milan: An older version of their backdoor malware, typically a 32-bit Remote Access Trojan, used for data retrieval and communicating with C2 over DNS queries.
- Shark: An upgraded version of their backdoor, observed replacing Milan in campaigns since July 2021. This 32-bit executable, written in C# and .NET, generates configuration files for DNS tunneling or HTTP C2 communications.
- James/Kevin: Kaspersky researchers identified these as new malware variants, written in C++ (a shift from their earlier .NET tools), designed to communicate with C2 over secure DNS and HTTP tunneling. These also include a PowerShell script for browser credential theft and a custom keylogger.
- Custom .NET DNS Backdoor: More recently, in 2022, HEXANE has been observed using a novel .NET-based DNS backdoor, a customized version of the open-source tool ‘DIG.net’, leveraging DNS hijacking for C2 communication.
The group also leverages legitimate tools like BITSAdmin for internet connectivity tests, and cmdkey to identify stored credentials. They have used Mimikatz-based tools and PowerShell scripts to steal passwords from browsers like Google Chrome.
Current Status
HEXANE remains an active threat actor. While details on specific campaigns in late 2025 and 2026 are not broadly publicized in open-source reporting beyond market trend discussions related to the chemical Hexane, the group was observed to be active throughout 2021 and 2022, demonstrating an evolving toolset and adapting its tactics. Their continued development of new malware variants (like James and Kevin) and customized backdoors (such as the .NET DNS backdoor) indicates ongoing operations and a persistent commitment to cyber espionage. The group’s consistent targeting of critical infrastructure sectors in the Middle East and Africa, coupled with their ability to adapt lures to current geopolitical events, suggests they continue to pose a significant and evolving risk to these regions and industries. Organizations in these sectors should remain vigilant and implement robust defensive strategies against the TTPs outlined in this profile.
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call