ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > Volatile Cedar

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Volatile Cedar

NamesVolatile Cedar (Check Point)
Dancing Salome (Kaspersky)
CountryLebanon Lebanon
SponsorState-sponsored, Hezbollah
MotivationInformation theft and espionage
First seen2012
Description(Check Point) Beginning in late 2012, the carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive. This report provides an extended technical analysis of Volatile Cedar and the Explosive malware.

We have seen clear evidence that Volatile Cedar has been active for almost 3 years. While many of the technical aspects of the threat are not considered “cutting edge”, the campaign has been continually and successfully operational throughout this entire timeline, evading detection by the majority of AV products. This success is due to a well-planned and carefully managed operation that constantly monitors its victims’ actions and rapidly responds to detection incidents.
ObservedSectors: Education, Government and Hosting.
Countries: Canada, Egypt, Israel, Jordan, Lebanon, Russia, Saudi Arabia, UAE, UK, USA and Palestinian Authority.
Tools usedAdminer, ASPXSpy, Caterpillar, DirBuster, Explosive, GoBuster, JuicyPotato, RottenPotato, SharPyShell.
Operations performedJun 2015After going public with our findings, we were provided with a new configuration belonging to a newly discovered sample we have never seen before.
<https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/>
Early 2020In early 2020, suspicious network activities and hacking tools were found in a range of companies.
<https://www.clearskysec.com/cedar/>
Information<https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf>
<https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/>

Last change to this card: 18 April 2021

Download this actor card in PDF or JSON format

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key