{
	"id": "0b60c58b-c612-4d74-9aa6-e48d6a755efc",
	"created_at": "2026-04-06T00:12:28.491812Z",
	"updated_at": "2026-04-10T03:31:32.847281Z",
	"deleted_at": null,
	"sha1_hash": "0a7a6f5177ff43508248dac64e1dbb01eef05840",
	"title": "New Data: Volatile Cedar Malware Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67947,
	"plain_text": "New Data: Volatile Cedar Malware Campaign\r\nBy bferrite\r\nPublished: 2015-06-09 · Archived: 2026-04-02 11:29:12 UTC\r\nAt the end of March, we published a blog post and a whitepaper about a cyber-espionage campaign dubbed\r\n“Volatile Cedar.” This campaign has successfully penetrated targets world-wide, using a variety of attack\r\ntechniques, in particular, a custom-made malware implant codenamed Explosive.\r\nLet’s recap what we know:\r\nThe Campaign:\r\nThe Volatile Cedar operation has been active since 2012 and has evaded detection by the majority of AV\r\nproducts. Volatile Cedar constantly monitors its victims’ actions and rapidly responds to detection\r\nincidents.\r\nExplosive is a specially crafted Trojan type of malware, implanted in targets and used to harvest\r\ninformation. New and custom versions are developed, compiled and deployed for specific targets.\r\nThe primary goal of the attackers appears to be data collection, not to cause harm to targets/use their\r\nresources or steal financial assets.\r\nThe Targets:\r\nOnly a small number (hundreds as opposed to thousands) of targets have been identified to date. We would\r\nnormally expect that a cyber-crime campaign targeting financial institutions would result in much higher\r\nnumbers of victims. The limited number of targets may be part of an attempt to avoid unnecessary\r\nexposure.\r\nIdentified targets are organizations in the fields of telecommunications, media, web hosting, academia,\r\ndefense contractors and civil services.\r\nAll of these points indicate a highly crafted operation directed at specific and carefully selected targets.\r\nSomething Old, Something New\r\nAfter going public with our findings, we were provided with a new configuration belonging to a newly discovered\r\nsample we have never seen before.\r\nThe sample itself is the same Explosive v3.0 implant, but it differs in the following aspects:\r\nA different DGA seed is used (flashplayergetadobe) to create new C2 servers. The only one we have noted\r\nso far is registered by the operators as “getadobeflashplayer[.]net”\r\nAll of the victims of this thread are Saudi Arabia-based.\r\nAttribution\r\nhttps://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/\r\nPage 1 of 7\n\nWe want to present our attribution case with stronger evidence to back up our claims and provide a more detailed\r\nexplanation.\r\nThere were many questions raised by our colleagues and customers as to how and why we came to the conclusion\r\nthat this operation originated in Lebanon.\r\nThrough careful analysis of the operation, both previously known victims and C2 servers as well as targets\r\ninfected with the sample containing the newly discovered configuration, we were able to create a heat map of the\r\ninfections.\r\nLooking at the target map of the operation we see the following:\r\nAlthough there are infections all over the world, the highest concentration of infections is in the Middle East –\r\nspecifically in Israel, Lebanon and Saudi Arabia.\r\nSo why do we still say that the group behind Volatile Cedar is Lebanese?\r\nIf we take a closer look at the targets, we see the distribution of the victims themselves based on industry vertical:\r\nIf we dig deeper and look into the distribution of the hacked websites on the hosting services, we notice the\r\nfollowing two interesting facts:\r\n1. The victim sites on the compromised web services were primarily Middle Eastern web sites. This is true\r\nnot only for the majority of the infections in Israel, Lebanon and Saudi Arabia, but all over the world as\r\nwell.\r\n2. The majority of the victimized sites themselves belong to different companies that work with national and\r\ndefense companies.\r\nThese observations about the victims allow us to assume that the operators behind this activity maintain high\r\ninterest in the region and its politics.\r\nOther indications we found about the operators:\r\nThe strings inside the binary code in Arabic:\r\nThe PE resources inside the malware files are in Lebanese Arabic\r\nCompilation times – The time stamps correlate to the working hours of the Lebanese time zone (GMT+ 2).\r\nSome of the C2 servers are hosted in Lebanon (true for the first Explosive version).\r\nSome of the domains used in the campaign were at some point registered to Lebanese addresses – a fact that was\r\nlater changed by the operators.\r\nA few words on the attackers’ modus operandi\r\nDisclaimer: Any assumptions made or conclusions drawn are based solely on our analysis of data from a limited\r\ngroup of targeted systems. As our sample size is admittedly restricted, it is possible that the attackers may also\r\nexhibit other behaviors that we have not encountered to date.\r\nhttps://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/\r\nPage 2 of 7\n\nIn the cases in which we have analyzed victim data, we saw the following interesting information:\r\nOne site to rule them all\r\nLooking at victim data from the hosting companies, we noticed that the compromise of a single website led to the\r\ncompromise of almost all the sites hosted by this service.\r\nOne is enough\r\nPreviously, we described that a typical attack begins with a vulnerability scan followed by a web shell injection to\r\nthe compromised site. Based on analyzed victim data, we found that only one of the compromised sites per\r\nhosting service contained a web shell. The rest of the sites were most likely accessed using stolen admin\r\ncredentials.\r\nContinuous deployment\r\nWhen we reviewed the logs of different victims, we found that version upgrades were almost always automated\r\nand occurred within seconds of each other.\r\nOP-SEC? NOP-SEC!\r\nIn such a highly targeted operation, you would expect the operators to try and cover their tracks as much as\r\npossible. However, they left hints about their identity at almost every step of the way (see our earlier case for\r\nattribution). In the midst of our investigation of the infected machines, we discovered old tools or old key logging\r\ndata collected by the malware was not removed, thereby exposing the operation to greater possibilities of\r\ndiscovery.\r\nHide in plain “site”\r\nDealing with an operation of this scope, with such carefully chosen targets, we would have expected a higher\r\nquality of malware development. These days, even the simplest malwares are packed to avoid detection, do not\r\ncontain useless functions and code, or use obfuscated strings – all things we have noted to be poorly executed in\r\nExplosive and the other tools used in this campaign.\r\nAppendix – Indicators\r\nExplosive Hashes:\r\na00cd6d4d40cd0634c2d301f023b49c477bf9324640c8346a8596f4fceddd5aa\r\naf5490785da0a859c5046791cf28fa5ad617122c21a99687db66356d1f8aefef\r\n22d9e9193a341a617b30f3f9e50634dee0a03760badbeddf5cb34dda85192816\r\nad7422d6ffa43d4eea1b27d6a4842e69968bd1dde1c741afeba8a3271f9c5656\r\nb74bd5660baf67038353136978ed16dbc7d105c60c121cf64c61d8f3d31de32c\r\n08c0f0e6dadfc8f6a824e20d9de7fdd3e17f8ea115094379833c23834bbf9e79\r\nhttps://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/\r\nPage 3 of 7\n\na177b3a3add8acea3150de93be9f876c4ad8ba606bac5f88f20d682d2a89df57\r\n37f4e9d0153221d9a236f299151c9f6911a6f78fff54c91b94ea64d1f3a8872b\r\nd0f059ba21f06021579835a55220d1e822d1233f95879ea6f7cb9d301408c821\r\ncc83382c823c15abd96cc3fd518f672ac0a6757142aac91a40dcdf1311f27ef9\r\na98099541168c7f36b107e24e9c80c9125fefb787ae720799b03bb4425aba1a9\r\ne5b68ab68b12c3eaff612ada09eb2d4c403f923cdec8a5c8fe253c6773208baf\r\n0008065861f5b09195e51add72dacd3c4bbce6444711320ad349c7dab5bb97fb\r\nea335556fecaf983f6f26b9788b286fbf5bd85ff403bb4a1db604496d011be29\r\nbed0bec3d123e7611dc3d722813eeb197a2b8048396cef4414f29f24af3a29c4\r\nb275c8978d18832bd3da9975d0f43cbc90e09a99718f4efaf1be7b43db46cf95\r\n41dd95533d85a0fd099ee79fbb4c8699ae6f9299b74034b8bafa3b0ea4a1fb3a\r\n97ab07c8020aead6ce0d9196e03d3917045e65e8c65e52a16ec6ef660dd96968\r\nbd039bb73f297062ab65f695dd6defafd146f6f233c451e5ac967a720b41fc14\r\n30196c83a1f857d36fde160d55bd4e5b5d50fbb082bd846db295cbe0f9d35cfb\r\n52cb02da0462fdd08d537b2c949e2e252f7a7a88354d596e9f5c9f1498d1c68f\r\nbc12d7052e6cfce8f16625ca8b88803cd4e58356eb32fe62667336d4dee708a3\r\nfc085d9be18f3d8d7ca68fbe1d9e29abbe53e7582453f61a9cd65da06961f751\r\n5d491ea5705e90c817cf0f5211c9edbcd5291fe8bd4cc69cdb58e8d0e6b6d1fe\r\nd8fdcdaad652c19f4f4676cd2f89ae834dbc19e2759a206044b18601875f2726\r\n50414f60d7e24d25f9ebb68f99d67a46e8b12458474ac503b6e0d0562075a985\r\n3bedb4bdb17718fda1edd1a8fa4289dc61fdda598474b5648414e4565e88ecd5\r\n1b76fdbd4cd92c7349bc99291137637614f4fb9598ae29df0a39a422611b86f8\r\nba168c69866ba2e370c9bfbfe06d5863af0e4b387ce05084928710af3c7c43ce\r\nb74bd5660baf67038353136978ed16dbc7d105c60c121cf64c61d8f3d31de32c\r\n03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0\r\nef47aaf4e964e1e1b7787c480e60a744550de847618510d2bf54bbc5bda57470\r\nhttps://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/\r\nPage 4 of 7\n\n1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908\r\ndea53e331d3b9f21354147f60902f6e132f06183ed2f4a28e67816f9cb140a90\r\n973fbccbc6d917883d502c88cb7fadfc1a5657adbec377c7a4ed77292ebaeda9\r\n5a310669920099cd51f82bc9eb5459e9889b6357a21f7ce95ac961e053c79acb\r\n37f4e9d0153221d9a236f299151c9f6911a6f78fff54c91b94ea64d1f3a8872b\r\nd0f059ba21f06021579835a55220d1e822d1233f95879ea6f7cb9d301408c821\r\n5663b2d4a4aec55d5d6fb507e3fdcb92ffc978d411de68b084c37f86af6d2e19\r\n388f5bc2f088769b361dfe8a45f0d5237c4580b287612422a03babe6994339ff\r\nbdef2ddcd8d4d66a42c9cbafd5cf7d86c4c0e3ed8c45cc734742c5da2fb573f7\r\nbfc63b30624332f4fc2e510f95b69d18dd0241eb0d2fcd33ed2e81b7275ab488\r\n07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5\r\nd30f306d4d866a07372b94f7657a7a2b0500137fe7ef51678d0ef4249895c2c5\r\n6674ffe375f8ab54cfa2a276e4a39b414cf327e0b00733c215749e8a94385c63\r\ne2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747\r\nf46ca3838f1843961a95274afc403300ba8c9cc7562f9fc1316f88f9453d3ec7\r\ne463fdd4f769ea2d12cbe5a362edfba75fb251fe1b69c7437514a0f9863ee998\r\n88cac72f0c754cca4f110e518476722497cb49465e69b10a030cd3f1b1b969c0\r\n3becda7d601cf482d7ef236da6342239684694ed141a911601f321616440f6fa\r\n35dcb7e62bac287e4e3f1fdcefdbf71e5dfe539208c36537ca1bbdce6749e612\r\nf5c68a3ee7cc9ef8126687f035f9e46cdb90f03b4d3e10aaee38ad0793ee661a\r\na177b3a3add8acea3150de93be9f876c4ad8ba606bac5f88f20d682d2a89df57\r\n47f45532108686fa535dbc32b5356f2005dc13c90f399170fa880ebd530f4645\r\naf5490785da0a859c5046791cf28fa5ad617122c21a99687db66356d1f8aefef\r\n487d8841582cb01231379fbffd7df87d4253c5dd3c26b06756490000d1ee1e82\r\nad7422d6ffa43d4eea1b27d6a4842e69968bd1dde1c741afeba8a3271f9c5656\r\n08c0f0e6dadfc8f6a824e20d9de7fdd3e17f8ea115094379833c23834bbf9e79\r\nhttps://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/\r\nPage 5 of 7\n\nWeb shell hashes\r\n5953c9bf800c67b67f1a3d9691119488d3a1d6e6c6691f8a15d28436cd7122a7\r\nd7cb6fc59d81e935764653f99dd2cbf38aff7b1bf2a423e3846dcb17c52d871e\r\n493007afc73a3d6573b2b53457d6c82e24e16591807565d6caf3e5b6b5d407a2\r\ne33118afd512762c79d840b782dd5cfa2472c97613103e60f8d5427a0a26beb3\r\nb64d6e0e09b6daab209d14f2e684d819433605763208fbfc901a9ab7fd62ce05\r\na616c039b0ffa2682f001a6978c5edfaac2c3f828b6b18de6bc91f4abaa2d9bb\r\nc103c3c0a1d7983ca1951a72800346fad32a67b4be013a97361a3d85e0e8cd98\r\nd1299a5c75882de2407f50b47c8a111349d4660e5b3fb7fdedfc4cfc2ef98a91\r\n2f2e794064e28a4cd6eb0c0e10d929453367c4b01a55fadf15037817c55e9cdb\r\ne584e0ae44a507d71cf97b490ea6a7ba9ce23b99f5c8bc6875ce60efa6bdf3df\r\n4de07466f24a26311fe011f92c8b04e7c2c3ef4df8f5853bde523404ac06c34f\r\n1dc13fe7f576f5c5ccac4230bdf2122d8351dd50266d0b712291ce59d1c788ae\r\n709137152c150345578348529485afcfc711ba3cf1f55943f963809d3597adf7\r\nOther tools hashes\r\n22d9e9193a341a617b30f3f9e50634dee0a03760badbeddf5cb34dda85192816\r\n26e64f95ee23a6ec3b9fb8f937bed8e6ea247379b1f0b2e95ef071dc113b420c\r\nC\u0026C servers\r\n69[.]64[.]90[.]94\r\n50[.]60[.]129[.]74\r\n85[.]25[.]20[.]27\r\n213[.]204[.]122[.]130\r\n213[.]204[.]122[.]133\r\n184[.]107[.]97[.]188\r\n69[.]94[.]157[.]80\r\nStatic and Dynamic C\u0026C updater servers\r\nhttps://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/\r\nPage 6 of 7\n\nsaveweb[.]wink[.]wk\r\ncarima2012[.]site90[.]com\r\nexplorerdotnt[.]info\r\ndotnetexplorer[.]info\r\ndotntexplorere[.]info\r\nxploreredotnet[.]info\r\nerdotntexplore[.]info\r\ngetadobeflashplayer[.]net\r\nSource: https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/\r\nhttps://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/"
	],
	"report_names": [
		"new-data-volatile-cedar"
	],
	"threat_actors": [
		{
			"id": "bc5c22a8-29eb-4a87-acd6-4817060e80f2",
			"created_at": "2022-10-25T15:50:23.658256Z",
			"updated_at": "2026-04-10T02:00:05.38013Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Volatile Cedar",
				"Lebanese Cedar"
			],
			"source_name": "MITRE:Volatile Cedar",
			"tools": [
				"Caterpillar WebShell"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17b152bc-6f7e-463c-8b4c-a4844caea6df",
			"created_at": "2023-01-06T13:46:38.498795Z",
			"updated_at": "2026-04-10T02:00:03.000373Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Lebanese Cedar",
				"DeftTorero"
			],
			"source_name": "MISPGALAXY:Volatile Cedar",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e7c75c6-097f-4d80-8c98-73485fe2a729",
			"created_at": "2022-10-25T16:07:24.386715Z",
			"updated_at": "2026-04-10T02:00:04.970172Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Amethyst Rain",
				"Dancing Salome",
				"DeftTorero",
				"G0123",
				"VolcanicTimber"
			],
			"source_name": "ETDA:Volatile Cedar",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Adminer",
				"DirBuster",
				"GoBuster",
				"JuicyPotato",
				"RottenPotato",
				"SharPyShell"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434348,
	"ts_updated_at": 1775791892,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a7a6f5177ff43508248dac64e1dbb01eef05840.pdf",
		"text": "https://archive.orkl.eu/0a7a6f5177ff43508248dac64e1dbb01eef05840.txt",
		"img": "https://archive.orkl.eu/0a7a6f5177ff43508248dac64e1dbb01eef05840.jpg"
	}
}