The APT, which targets Middle-Eastern energy firms & telecoms, has been relatively quiet since its exposure but not entirely silent. It’s kept up attacks through 2021 and is working on retooling its arsenal yet again.
The Lyceum threat group has resurfaced, this time with a weird variant of a remote-access trojan (RAT) that doesn’t have a way to talk to a command-and-control (C2) server and might instead be a new way to proxy traffic between internal network clusters.
Kaspersky’s Mark Lechtik – senior security researcher at the company’s Global Research & Analysis Team (GReAT) – said in a Monday post that the team has identified a new cluster of Lyceum activity that’s focused on two entities in Tunisia.
In a paper (PDF) presented earlier this month at the Virus Bulletin conference, Lechtik and fellow Kaspersky researchers Aseel Kayal and Paul Rascagneres wrote that the threat actor has attacked high-profile Tunisian organizations, such as telecoms or aviation companies.
That fits into the group’s target list. Lyceum has been active since as early as April 2018, when it attacked telecoms, and critical infrastructure in Middle Eastern oil-and-gas organizations. Lyceum treads lightly but carries a big stick: “All the