HEXANE
G10011 reportsaliases · HEXANE · Lyceum · Siamesekitten · Spirlin
1
Reports
5
Techniques
5
Tactics
3
Countries
80%
Hunt coverage
4
Aliases
Analyst assessment — key judgments
- Signature techniques: T1588.006 (Vulnerabilities), T1069.001 (Local Groups), T1589.001 (Credentials).
- Primary targeting: IL, IR, US.
- Newly emerged: 1 report(s) in last 30d vs 0 prior (+100%).
- Recent movement: 5 new technique(s), 26 new infrastructure indicator(s) in the last 30 days.
- Hunt coverage 80% of 5 observed techniques (1 gap(s)).
- Assessment confidence: medium (60).
Activity & trend
Newly emergedLast 30d: 1 vs 0 prior (+100%)· first reported 2026-07-06 · last 2026-07-06
0
7d
1
30d
1
90d
1
All
0.1
Rpts/wk
Reporting timeline · 12 months
Movement — last 30 days
New techniques
T1588.006T1069.001T1589.001T1027.003T1001.002Targeting gained
ILIRUSNew infrastructure
37e123bd7998af4eae32718ce254776f36365a8092cae0ad7f98f51a14bcc0ee05e372ebdc29ea965dc08bda6919a57a85e5f38b857985fa71529ca3a4aa217def4c38f4ecacdf47b1cd687f60cc74c1b630c96d3763182533d4fb9b614134382bd644cb8e9425c0b46eeb516610ae913d13f2b3f44a02300a3663648a46771a5a5423ad01e91a4e7ba825595394d3b220de4695f731647e3a70545f951a891230cb4679c4b8599eeb3d63a551716475c6332bdc2cb1ad3b22db8e3666ea138fee88034a87a87cf47d586fb7f94182a8e2a0e53c7e4deb898066da02541b1f417b9e42078c3355693a8a492b6a760488Overview
Analyst triage
Intelligence summary
HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)
Top co-occurring indicators
Aliases & naming
Targeting · countries
Targeting · named victims
ATT&CK technique matrix
Coverage vs hunt library:
—
Hunt-coverage gaps — prioritized
Top techniques by observation
- T1588.006 · Vulnerabilitiesconf 601
- T1069.001 · Local Groupsconf 601
- T1589.001 · Credentialsconf 601
- T1027.003 · Steganographyconf 601
- T1001.002 · Steganographyconf 601
Threat catalogue · engineering roadmap
Flagged detection-engineering queue
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
IOC type mix
Tooling / malware families
Relationships
Activity
30-day mention timeline
Recent reporting
| Title | Source | Severity | Collected |
|---|