
Threat Actor Characterization

HEXANE


ID: e6ea19f150a5ce15ecdae0c9b4a974c188409
Cybercrime Cybercriminal Malware Dev State-Sponsored
Threat types: Intrusion, Exploit, Cyber espionage
Unknown ISR, KWT, MAR, SAU, TUN
Updated: 2026-01-13
Created: 2025-10-22
Progress: 57% Completeness: 60% Freshness: 50%
Operation zone: Israel, Kuwait, Morocco, Saudi Arabia, Tunisia
Aliases: Lyceum, Siamesekitten, Sp*****
MITRE ATT&CK®

HEXANE (a.k.a. Lyceum/Siamesekitten/Spirlin) — espionage actor since 2017 targeting oil & gas, telecom, aviation, and ISPs in MENA; techniques span SharePoint exploitation (CVE-2019-0604), Exchange mailbox targeting, PowerShell/WMI, DNS TXT C2, and in the HomeLand Justice campaign, ROADSWEEP ransomware and ZeroCleare wiping.


| Technique | Technique name | Tactics | Evidence |
|---|---|---|---|
| T1190 | Exploit Public-Facing Application | TA0001 | 2021-05 — HomeLand Justice campaign: initial access via SharePoint CVE-2019-0604. |
| T1134.001 | Token Impersonation/Theft | TA0004, TA0005 | 2021-2022 — Token impersonation (ImpersonateLoggedOnUser/SetThreadToken) to assume identities. |
| T1098.002 | Additional Email Delegate Permissions | TA0003, TA0004 | 2021-2022 — Added ApplicationImpersonation role for Exchange to take mailbox ownership. |
| T1059.001 | PowerShell | TA0002 | 2019-2024 — PowerShell for discovery, collection, keylogging (kl.ps1). |
| T1583.002 | DNS Server | TA0042 | 2019-2024 — Custom DNS servers for TXT-based command channels. |
| T1562.001 | Disable or Modify Tools | TA0005 | 2021-2022 — Modified/disabled EDR components (e.g., Microsoft Defender AV). |
| T1486 | Data Encrypted for Impact | TA0040 | 2021-2022 — Deployed ROADSWEEP ransomware for impact. |
| T1561.002 | Disk Structure Wipe | TA0040 | 2021-2022 — Used ZeroCleare to wipe disk structures. |

Strategic Intelligence
Last updated: 2025-10-22T23:34:05+00:00
HEXANE — Oil & Gas–Focused Espionage

CLASSIFICATION: Unclassified / Open Source


Executive Summary

HEXANE is a cyber-espionage actor active since at least 2017, repeatedly targeting oil & gas, telecommunications, aviation, and ISP organizations across the Middle East and North Africa (Israel, Saudi Arabia, Kuwait, Morocco, Tunisia). While its TTPs partially resemble APT33 and OilRig, HEXANE’s victimology and tooling justify tracking it as a distinct cluster. Recent activity mapped by MITRE includes email account takeover in Microsoft Exchange, token impersonation, SharePoint exploitation (CVE-2019-0604), PowerShell/VBScript tooling, DNS-based C2, EDR tampering, and in the HomeLand Justice campaign, ROADSWEEP ransomware and ZeroCleare wiping for impact. Confidence: high on targeting/TTPs; medium on any one-to-one overlap with other Iran-nexus sets.


Open sources and sector targeting strongly suggest an Iran-aligned intelligence objective set (energy/telecom situational awareness). However, vendors separate HEXANE from APT33/OilRig due to differences in toolchains and targets. INFERENCE (state nexus: medium confidence).
