{
	"id": "498fc27f-333d-4e0a-bb01-ba6243ab6cd8",
	"created_at": "2026-04-06T00:10:10.815296Z",
	"updated_at": "2026-04-10T03:31:32.81901Z",
	"deleted_at": null,
	"sha1_hash": "e2750b83cc54d02e59db208cb51418c504cdb07c",
	"title": "‘Lebanese Cedar’ APT – ClearSky Cyber Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46534,
	"plain_text": "‘Lebanese Cedar’ APT – ClearSky Cyber Security\r\nPublished: 2021-01-28 · Archived: 2026-04-05 23:10:29 UTC\r\nIn early 2020, suspicious network activities and hacking tools were found in a range of companies.\r\nComprehensive forensic research of the infected systems revealed a strong connection to a threat actor we call\r\n‘Lebanese Cedar’, ‘Lebanese Cedar’ APT has been operating since 2012. These operations were first discovered\r\nby Check-Point researchers and Kaspersky labs in 2015. Since 2015 Lebanese Cedar APT – also referred to as\r\n“Volatile Cedar” – maintained a low profile and operated under the radar.\r\nRead the full report: “Lebanese Cedar” APT – Global Lebanese Espionage Campaign Leveraging Web\r\nServers\r\nIn the comprehensive forensic research, a new version of the “Explosive” V4 RAT (Remote Access Tool) or\r\n“Caterpillar” V2 WebShell was found within the victim’s networks.\r\nLebanese Cedar Timeline\r\nBased on a modified JSP file browser with a unique string that the adversary used to deploy ‘Explosive RAT’ into\r\nthe victims’ network, we found some 250 servers that were apparently breached by Lebanese Cedar. This file was\r\ninstalled in vulnerable Atlassian (JIRA) and Oracle 10g servers. In order to install the JSP in the vulnerable server,\r\nLebanese Cedar exploit 1-day publicly known vulnerabilities such as CVE-2012-3152.\r\nOur report reveals a partial list of the companies that the group has attacked. The target companies are from many\r\ncountries including: The United States, the United Kingdom, Egypt, Jordan, Lebanon, Israel, and the Palestinian\r\nAuthority. 
We assess that there are many more companies that have been hacked and that valuable information\r\nwas stolen from these companies over periods of months and years.\r\nModified JSP File Browser – Scanned world-wide\r\nAccording to Check Point’s report, the group is motivated by political and ideological interests, targeting\r\nindividuals, companies, and institutions worldwide. We endorse Check Point’s strong case attributing Lebanese\r\nCedar APT to the Lebanese government or a political group in Lebanon. Moreover, there are several indications\r\nthat link Lebanese Cedar APT to the Hezbollah Cyber Unit.\r\n“Caterpillar WebShell” was found in most of the victims we investigated; in many of the systems we also found\r\ntraces of “Explosive” RAT. We identified the specific open-source JSP file browser that was modified for the\r\nhackers’ purposes. We found that Lebanese Cedar deployed the payload of Explosive RAT into the victims’\r\nnetwork. Lebanese Cedar is the only known threat actor that uses this code.\r\nLebanese Cedar Modus Operandi\r\nSource: https://www.clearskysec.com/cedar/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.clearskysec.com/cedar/"
	],
	"report_names": [
		"cedar"
	],
	"threat_actors": [
		{
			"id": "bc5c22a8-29eb-4a87-acd6-4817060e80f2",
			"created_at": "2022-10-25T15:50:23.658256Z",
			"updated_at": "2026-04-10T02:00:05.38013Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Volatile Cedar",
				"Lebanese Cedar"
			],
			"source_name": "MITRE:Volatile Cedar",
			"tools": [
				"Caterpillar WebShell"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17b152bc-6f7e-463c-8b4c-a4844caea6df",
			"created_at": "2023-01-06T13:46:38.498795Z",
			"updated_at": "2026-04-10T02:00:03.000373Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Lebanese Cedar",
				"DeftTorero"
			],
			"source_name": "MISPGALAXY:Volatile Cedar",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e7c75c6-097f-4d80-8c98-73485fe2a729",
			"created_at": "2022-10-25T16:07:24.386715Z",
			"updated_at": "2026-04-10T02:00:04.970172Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Amethyst Rain",
				"Dancing Salome",
				"DeftTorero",
				"G0123",
				"VolcanicTimber"
			],
			"source_name": "ETDA:Volatile Cedar",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Adminer",
				"DirBuster",
				"GoBuster",
				"JuicyPotato",
				"RottenPotato",
				"SharPyShell"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434210,
	"ts_updated_at": 1775791892,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2750b83cc54d02e59db208cb51418c504cdb07c.pdf",
		"text": "https://archive.orkl.eu/e2750b83cc54d02e59db208cb51418c504cdb07c.txt",
		"img": "https://archive.orkl.eu/e2750b83cc54d02e59db208cb51418c504cdb07c.jpg"
	}
}