Home > List all groups > Volatile Cedar

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Volatile Cedar

NamesVolatile Cedar (Check Point)
Dancing Salome (Kaspersky)
CountryLebanon Lebanon
MotivationInformation theft and espionage
First seen2012
Description(Check Point) Beginning in late 2012, the carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive. This report provides an extended technical analysis of Volatile Cedar and the Explosive malware.

We have seen clear evidence that Volatile Cedar has been active for almost 3 years. While many of the technical aspects of the threat are not considered “cutting edge”, the campaign has been continually and successfully operational throughout this entire timeline, evading detection by the majority of AV products. This success is due to a well-planned and carefully managed operation that constantly monitors its victims’ actions and rapidly responds to detection incidents.
ObservedSectors: Education, Government and Hosting.
Countries: Canada, Israel, Lebanon, Russia, Saudi Arabia, UK, USA.
Tools usedExplosive.
Operations performedJun 2015After going public with our findings, we were provided with a new configuration belonging to a newly discovered sample we have never seen before.

Last change to this card: 14 April 2020

Download this actor card in PDF or JSON format

Previous: Vicious Panda
Next: Wassonite

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key