{
	"id": "323d3f96-fd97-4a73-99aa-07b261e1c499",
	"created_at": "2026-04-06T00:09:41.650008Z",
	"updated_at": "2026-04-10T03:37:04.084821Z",
	"deleted_at": null,
	"sha1_hash": "8b9908dc89d904a95d7e5bc0b22b7b48210552c4",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61596,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:47:06 UTC\r\nAPT group: Volatile Cedar\r\nNames\r\nVolatile Cedar (Check Point)\r\nDancing Salome (Kaspersky)\r\nDeftTorero (Kaspersky)\r\nVolcanicTimber (?)\r\nAmethyst Rain (Microsoft)\r\nG0123 (MITRE)\r\nCountry: Lebanon\r\nSponsor: State-sponsored, Hezbollah\r\nMotivation: Information theft and espionage\r\nFirst seen: 2012\r\nDescription\r\n(Check Point) Beginning in late 2012, the carefully orchestrated attack campaign we\r\ncall Volatile Cedar has been targeting individuals, companies and institutions\r\nworldwide. This campaign, led by a persistent attacker group, has successfully\r\npenetrated a large number of targets using various attack techniques, and\r\nspecifically, a custom-made malware implant codenamed Explosive. This report\r\nprovides an extended technical analysis of Volatile Cedar and the Explosive\r\nmalware.\r\nWe have seen clear evidence that Volatile Cedar has been active for almost 3 years.\r\nWhile many of the technical aspects of the threat are not considered “cutting edge”,\r\nthe campaign has been continually and successfully operational throughout this\r\nentire timeline, evading detection by the majority of AV products. This success is\r\ndue to a well-planned and carefully managed operation that constantly monitors its\r\nvictims’ actions and rapidly responds to detection incidents.\r\nObserved\r\nSectors: Education, Government and Hosting.\r\nCountries: Canada, Egypt, Israel, Jordan, Lebanon, Russia, Saudi Arabia, UAE, UK,\r\nUSA and Palestinian Authority.\r\nTools used\nAdminer, ASPXSpy, Caterpillar, DirBuster, Explosive, GoBuster, JuicyPotato,\nRottenPotato, SharPyShell.\nOperations performed\nJun 2015\nAfter going public with our findings, we were provided with a new\nconfiguration belonging to a newly discovered sample we have\nnever seen before.\nEarly 2020\nIn early 2020, suspicious network activities and hacking tools were\nfound in a range of companies.\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=238acb51-8489-43d7-83b2-9ea4db18ddb6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=238acb51-8489-43d7-83b2-9ea4db18ddb6"
	],
	"report_names": [
		"showcard.cgi?u=238acb51-8489-43d7-83b2-9ea4db18ddb6"
	],
	"threat_actors": [
		{
			"id": "bc5c22a8-29eb-4a87-acd6-4817060e80f2",
			"created_at": "2022-10-25T15:50:23.658256Z",
			"updated_at": "2026-04-10T02:00:05.38013Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Volatile Cedar",
				"Lebanese Cedar"
			],
			"source_name": "MITRE:Volatile Cedar",
			"tools": [
				"Caterpillar WebShell"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8b61d214-62b2-455b-8eb4-fb0594763787",
			"created_at": "2023-01-06T13:46:38.502064Z",
			"updated_at": "2026-04-10T02:00:03.002552Z",
			"deleted_at": null,
			"main_name": "Dancing Salome",
			"aliases": [],
			"source_name": "MISPGALAXY:Dancing Salome",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17b152bc-6f7e-463c-8b4c-a4844caea6df",
			"created_at": "2023-01-06T13:46:38.498795Z",
			"updated_at": "2026-04-10T02:00:03.000373Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Lebanese Cedar",
				"DeftTorero"
			],
			"source_name": "MISPGALAXY:Volatile Cedar",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e7c75c6-097f-4d80-8c98-73485fe2a729",
			"created_at": "2022-10-25T16:07:24.386715Z",
			"updated_at": "2026-04-10T02:00:04.970172Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Amethyst Rain",
				"Dancing Salome",
				"DeftTorero",
				"G0123",
				"VolcanicTimber"
			],
			"source_name": "ETDA:Volatile Cedar",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Adminer",
				"DirBuster",
				"GoBuster",
				"JuicyPotato",
				"RottenPotato",
				"SharPyShell"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434181,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b9908dc89d904a95d7e5bc0b22b7b48210552c4.pdf",
		"text": "https://archive.orkl.eu/8b9908dc89d904a95d7e5bc0b22b7b48210552c4.txt",
		"img": "https://archive.orkl.eu/8b9908dc89d904a95d7e5bc0b22b7b48210552c4.jpg"
	}
}