{
	"id": "9d70d89f-3c68-49e8-878c-58e553a82968",
	"created_at": "2026-04-06T00:17:55.068897Z",
	"updated_at": "2026-04-10T03:33:49.494805Z",
	"deleted_at": null,
	"sha1_hash": "7f863ec50d60196e3d7f6edb23699a1c94cd5fb5",
	"title": "Sinkholing Volatile Cedar DGA Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 102831,
	"plain_text": "Sinkholing Volatile Cedar DGA Infrastructure\r\nBy Kurt Baumgartner\r\nPublished: 2015-03-31 · Archived: 2026-04-05 14:41:24 UTC\r\nThere is currently some buzz about the Volatile Cedar APT activity in the Middle East, a group that deploys not only custom-built RATs, but USB propagation components, as reported by Check Point [pdf]. If you are interested in learning more about this APT, we recommend checking their paper first.\r\nOne interesting feature of the backdoors used by this group is their ability to first connect to a set of static updater command and control (C2) servers, which then redirect to other C2. When they cannot connect to their hardcoded static C2, they fall back to a DGA algorithm and cycle through other domains to connect with.\r\nStatistics:\r\nThis particular actor’s true impact seemed interesting, so we sinkholed some of their dynamically generated command and control infrastructure. These victim statistics present a somewhat surprising profile. Almost all of these victims are geolocated in Lebanon.\r\nVictims checking in to DGA C2\r\nClearly, the bulk of the victims we observe are all communicating from IP ranges maintained by ISPs in Lebanon. And most of the other check-ins appear to be research related. Almost all of the backdoors communicating with sinkholed domains are the main “explosion” backdoor. But some of the victim systems in Lebanon communicating with our sinkhole are running the very rare “micro” backdoor written up by our colleagues from Check Point in their paper: “Micro is a rare Explosive version. It can best be described as a completely different version of the Trojan, with similarities to the rest of Explosive “family” (such as configuration and code base). We believe that Micro is actually an old ancestor of Explosive, from which all other versions were developed. As in other versions, this version is also dependent on a self-developed DLL named “wnhelp.dll.” They check in to edortntexplore[.]info with the URI “/micro/data/index.php?micro=4” over port 443.\r\nhttps://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/\r\nPage 1 of 5\r\nWhile Volatile Cedar certainly does not have a high level of technological prowess, it appears that they have been effective at spreading their malware, much like the Madi APT we reported on in mid-2012. Because the group is not known for spearphishing, IT administrators should be aware of their own publicly exposed attack surface, such as web applications, FTP servers, SSH servers, etc., and ensure they are not vulnerable to SQLi, SSI attacks, and other server-side offensive activity.\r\nKaspersky Verdicts and MD5s:\r\nReferences:\r\nVolatile Cedar – Analysis of a Global Cyber Espionage Campaign (Check Point)\r\nSource: https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/"
	],
	"report_names": [
		"69421"
	],
	"threat_actors": [
		{
			"id": "322a0ef1-136b-400e-89d0-0d62ee2bd319",
			"created_at": "2023-01-06T13:46:38.662109Z",
			"updated_at": "2026-04-10T02:00:03.05924Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [],
			"source_name": "MISPGALAXY:Madi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc5c22a8-29eb-4a87-acd6-4817060e80f2",
			"created_at": "2022-10-25T15:50:23.658256Z",
			"updated_at": "2026-04-10T02:00:05.38013Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Volatile Cedar",
				"Lebanese Cedar"
			],
			"source_name": "MITRE:Volatile Cedar",
			"tools": [
				"Caterpillar WebShell"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17b152bc-6f7e-463c-8b4c-a4844caea6df",
			"created_at": "2023-01-06T13:46:38.498795Z",
			"updated_at": "2026-04-10T02:00:03.000373Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Lebanese Cedar",
				"DeftTorero"
			],
			"source_name": "MISPGALAXY:Volatile Cedar",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e7c75c6-097f-4d80-8c98-73485fe2a729",
			"created_at": "2022-10-25T16:07:24.386715Z",
			"updated_at": "2026-04-10T02:00:04.970172Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Amethyst Rain",
				"Dancing Salome",
				"DeftTorero",
				"G0123",
				"VolcanicTimber"
			],
			"source_name": "ETDA:Volatile Cedar",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Adminer",
				"DirBuster",
				"GoBuster",
				"JuicyPotato",
				"RottenPotato",
				"SharPyShell"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b07fec96-80cd-4d92-aa52-a26a0b25b7c2",
			"created_at": "2022-10-25T16:07:23.826594Z",
			"updated_at": "2026-04-10T02:00:04.760416Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [
				"Mahdi"
			],
			"source_name": "ETDA:Madi",
			"tools": [
				"Madi"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434675,
	"ts_updated_at": 1775792029,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f863ec50d60196e3d7f6edb23699a1c94cd5fb5.pdf",
		"text": "https://archive.orkl.eu/7f863ec50d60196e3d7f6edb23699a1c94cd5fb5.txt",
		"img": "https://archive.orkl.eu/7f863ec50d60196e3d7f6edb23699a1c94cd5fb5.jpg"
	}
}