Home/ Threat Actors/ HEXANE

🌐HEXANE

🌐 HEXANE is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 36 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1001) ↗

14Use cases

0Articles

36Techniques

0IOCs

About this actor (MITRE)

[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dr

Known aliases

HEXANELyceumSiamesekittenSpirlin

Top techniques

T1010 · Application Window Discovery T1016 · System Network Configuration Discovery T1016.001 · Internet Connection Discovery

All other tracked techniques

T1018 · Remote System Discovery T1021.001 · Remote Desktop Protocol T1027.010 · Command Obfuscation T1033 · System Owner/User Discovery T1049 · System Network Connections Discovery T1053.005 · Scheduled Task T1056.001 · Keylogging T1057 · Process Discovery T1059.001 · PowerShell T1059.005 · Visual Basic T1069.001 · Local Groups T1082 · System Information Discovery T1102.002 · Bidirectional Communication T1105 · Ingress Tool Transfer T1110 · Brute Force T1110.003 · Password Spraying T1204.002 · Malicious File T1518 · Software Discovery T1534 · Internal Spearphishing T1546.003 · Windows Management Instrumentation Event Subscription T1555 · Credentials from Password Stores T1555.003 · Credentials from Web Browsers T1567.002 · Exfiltration to Cloud Storage T1583.001 · Domains T1583.002 · DNS Server T1585.001 · Social Media Accounts T1585.002 · Email Accounts T1586.002 · Email Accounts T1588.002 · Tool T1589 · Gather Victim Identity Information T1589.002 · Email Addresses T1591.004 · Identify Roles T1608.001 · Upload Malware

Detection use cases (14)

HEXANE (Lyceum) RDCMan credential theft via decrypt-rdcman.ps1 AI · profile SΣ HEXANE (Siamesekitten) password spray against M365/Exchange via legacy auth from ME/Africa origin AI · profile S 1Password failed sign-in burst MITRE match 1Password item exfiltration attempt MITRE match 1Password vault export attempted MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match