The Iranian state-supported APT known as 'Lyceum' (Hexane, Spilrin) targeted ISPs and telecommunication service providers in the Middle East and Africa between July and October 2021.
Apart from Israel, which is permanently in the crosshairs of Iranian hackers, researchers have spotted Lyceum backdoor malware attacks in Morocco, Tunisia, and Saudi Arabia.
In the most recent campaign analyzed in a joint report between researchers at Accenture and Prevailion, Lyceum is seen using two distinct malware families, dubbed Shark and Milan.
The Shark backdoor is a 32-bit executable written in C# and .NET used to execute commands and exfiltrate data from infected systems.
Milan is a 32-bit remote access trojan (RAT) that can retrieve data from the compromised system and exfiltrate it to hosts derived from domain generation algorithms (DGAs).
Both backdoors communicate via DNS and HTTPS with their command and control servers (C2), with Shark also using DNS tunneling.