{
  "Event": {
    "analysis": "1",
    "date": "2019-08-27",
    "extends_uuid": "",
    "info": "[Threat Intel] LYCEUM Takes Center Stage in Middle East Campaign",
    "protected": false,
    "publish_timestamp": "1772418852",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772418850",
    "uuid": "57a2dddf-e055-4a7d-924f-2add789ff07f",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Sophos\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Lyceum .NET DNS Backdoor\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Lyceum .NET TCP Backdoor\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-groups=\"HEXANE\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"danbot\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#dff146",
        "local": false,
        "name": "IT-impact-ICS",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772245777",
        "to_ids": false,
        "type": "link",
        "uuid": "48611817-3d48-4020-983e-e069ae7a9991",
        "value": "https://www.sophos.com/en-us/blog/lyceum-takes-center-stage-in-middle-east-campaign"
      },
      {
        "category": "Network activity",
        "comment": "Suspected DanBot C2 server operated by LYCEUM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772338856",
        "to_ids": true,
        "type": "domain",
        "uuid": "ddc807a1-d5eb-4c74-8220-087adc6d6568",
        "value": "bsolutions-cloude.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "DanBot C2 server operated by LYCEUM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772338877",
        "to_ids": true,
        "type": "hostname",
        "uuid": "a6c97895-a376-4876-9012-93d78279eaa8",
        "value": "cybersecnet.co.za",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "DanBot C2 server operated by LYCEUM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772338898",
        "to_ids": true,
        "type": "domain",
        "uuid": "72b2afab-0b4f-483b-9183-2e1fe230a519",
        "value": "cybersecnet.org",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "DanBot C2 server operated by LYCEUM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772338920",
        "to_ids": true,
        "type": "domain",
        "uuid": "d55bcc22-d8d4-45ec-8e56-6f67d95da2ff",
        "value": "excsrvcdn.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "DanBot C2 server operated by LYCEUM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772338941",
        "to_ids": true,
        "type": "domain",
        "uuid": "2f4c1498-e65f-48ea-a46d-491585f7e621",
        "value": "online-analytic.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "DanBot C2 server operated by LYCEUM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772338962",
        "to_ids": true,
        "type": "domain",
        "uuid": "8054310a-6210-427d-847b-14321d6b720d",
        "value": "web-traffic.info",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "DanBot C2 server operated by LYCEUM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772338984",
        "to_ids": true,
        "type": "domain",
        "uuid": "245fa0e3-f548-4a5a-8d06-147df3d0c92d",
        "value": "web-statistics.info",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "DanBot C2 server operated by LYCEUM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772339005",
        "to_ids": true,
        "type": "domain",
        "uuid": "185e9e04-2e12-436d-a4c9-765d317ab8c5",
        "value": "dnscachecloud.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "DanBot C2 server operated by LYCEUM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772339026",
        "to_ids": true,
        "type": "domain",
        "uuid": "eb982fdc-7070-494c-a605-bfa77fd12827",
        "value": "dnscloudservice.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "DanBot C2 server operated by LYCEUM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772339048",
        "to_ids": true,
        "type": "domain",
        "uuid": "72d23bd4-6d24-43a6-9a6c-53ec5f6c1d1a",
        "value": "opendnscloud.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Hosted multiple DanBot C2 domains operated by LYCEUM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772339070",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "d3e5ba9c-9b33-4f2f-a2d4-03d70fda4677",
        "value": "164.132.181.82",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Hosted multiple DanBot C2 domains operated by LYCEUM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772339092",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ccca74b1-e07e-4931-b12a-163ef9530000",
        "value": "198.50.152.162",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Hosted multiple DanBot C2 domains operated by LYCEUM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772339113",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "3cad9303-b375-4321-88f0-aa5fbac23d63",
        "value": "158.69.187.171",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Hosted multiple DanBot C2 domains operated by LYCEUM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772339134",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0741e6ab-4ef6-4509-850b-1b7c7455522f",
        "value": "104.149.37.44",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Hosted DanBot C2 domain operated by LYCEUM (dnscloudservice.com)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772339155",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "fc5a3190-85b9-4109-986f-a6617abc19a1",
        "value": "62.113.196.37",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Hosted DanBot C2 domain operated by LYCEUM (dnscloudservice.com)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772339178",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "a8a33116-9eb3-45db-9474-138c1713ce1b",
        "value": "75.87.185.45",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Hosted DanBot C2 domain operated by LYCEUM (dnscloudservice.com)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772339199",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "100b3a40-a8be-4b25-958b-cf7731ac0319",
        "value": "144.217.149.61",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Hosted suspected LYCEUM domain (opendnscloud.com)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772339220",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "b7c0fa9b-9b97-4d36-aed2-26d8716442bc",
        "value": "62.113.207.181",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Hosted multiple DanBot C2 domains operated by LYCEUM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772339241",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "33b5b446-7754-4727-9f42-0b3412abacf1",
        "value": "144.217.156.94",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772339263",
        "uuid": "c84596d6-b047-42f3-913d-00f28aaa2754",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DanBot variant (AdobeReport.exe) operated by LYCEUM",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772339263",
            "to_ids": true,
            "type": "md5",
            "uuid": "847cf61d-8eef-496a-80d1-cc8dfdee958a",
            "value": "9df776b9933fbf95e3d462e04729d074",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DanBot variant (AdobeReport.exe) operated by LYCEUM",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772338853",
            "to_ids": true,
            "type": "sha1",
            "uuid": "71bdbd83-9475-4a4e-a3fa-0de5c1727ea0",
            "value": "a8f68c928f82edd8a28c0fd25e207929a7dbce23",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DanBot variant (AdobeReport.exe) operated by LYCEUM",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772338853",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f78930f4-b48f-4f88-8058-a2ad1ab2c9bc",
            "value": "10d0d53f5e5f34c424431492fa4ee95eb2fa4fe6327455384cf508c586dd2851",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772338826",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "01e21937-bd91-40c7-8897-83133f8bacf2",
            "value": "768:FxPNisK3tsgNvWW2o46EI7O7d2DrL1rsiDISZCiOW4sAfP2qfcYrIFpw9OhTC/7k:FaR9EI7O7udkSZ9x+lupwE2S8MaXk"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772338826",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "078ca1d0-c336-4611-92d9-e74b6dd72bff",
            "value": "61440"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772338826",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c75655f1-792a-451c-81b4-3371ba857614",
            "value": "264036551512308d49315138"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772338826",
            "to_ids": true,
            "type": "filename",
            "uuid": "574f198a-1886-4740-b282-b760ba869ea2",
            "value": "AdobeReport.exe"
          },
          {
            "category": "Other",
        "comment": "Checked: 01/03/2026\nLast-scan: 25/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772338826",
            "to_ids": false,
            "type": "text",
            "uuid": "17618015-ed9f-4bcc-b35f-1d592477930e",
            "value": "DanBot variant (AdobeReport.exe) operated by LYCEUM\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Danabot.L!dha\nVT Total Detection: 46/72\nFirst Submission: 2019-05-22T10:44:10.000000+00:00\nLast Submission: 2022-01-20T12:19:08.000000+00:00"
          }
        ]
      }
    ]
  }
}