HEXANE
Aliases: Lyceum, Siamesekitten, Spirlin
HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to those of APT33 and OilRig, but due to differences in victims and tools it is tracked as a separate entity.
ATT&CK techniques
T1016 System Network Configuration Discovery
T1555 Credentials from Password Stores
T1027.010 Command Obfuscation
T1589 Gather Victim Identity Information
T1082 System Information Discovery
T1583.001 Domains
T1110 Brute Force
T1053.005 Scheduled Task
T1204.002 Malicious File
T1567.002 Exfiltration to Cloud Storage
T1585.001 Social Media Accounts
T1016.001 Internet Connection Discovery
T1546.003 Windows Management Instrumentation Event Subscription
T1069.001 Local Groups
T1018 Remote System Discovery
T1021.001 Remote Desktop Protocol
T1586.002 Email Accounts
T1110.003 Password Spraying
T1102.002 Bidirectional Communication
T1588.002 Tool
T1555.003 Credentials from Web Browsers
T1059.001 PowerShell
T1608.001 Upload Malware
T1589.002 Email Addresses
T1585.002 Email Accounts
T1033 System Owner/User Discovery
T1105 Ingress Tool Transfer
T1049 System Network Connections Discovery
T1057 Process Discovery
T1056.001 Keylogging
T1518 Software Discovery
T1059.005 Visual Basic
T1010 Application Window Discovery
T1591.004 Identify Roles
T1583.002 DNS Server
T1534 Internal Spearphishing
Correlated CTI and IR reports
HEXANE G1001
MITRE ATT&CK · direct source mapping
1. Executive Summary
Israel Threat Actors CTI · explicit report mention
Actor Deep Research Prompts
Israel Threat Actors CTI · explicit report mention
CTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km CTI repository · explicit report mention
CTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km CTI repository · explicit report mention
Cyber Threat Intelligence Dossier: Iranian and Hamas-Aligned Operations Targeting Israeli and Allied Ecosystems (2023-2026)
Israel Threat Actors CTI · explicit report mention
OilRig (APT34 / Helix Kitten / Earth Simnavaz etc)
Israel Threat Actors CTI · explicit report mention
Release Notes
Israel Threat Actors CTI · explicit report mention
Pay2Kitten: Iranian Operations Against Israeli Companies
ClearSky Cyber Security · actor context