HEXANE
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 43 attack patterns (mitre), 5 malware, 7 indicators, 7 tool, 1 campaign
Aliases
- Lyceum
- Siamesekitten
- Spirlin
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Attack patterns (MITRE) (43)
- T1053.005 Scheduled Task (uses)
- T1589 Gather Victim Identity Information (uses)
- T1547 Boot or Logon Autostart Execution (uses)
- T1585.002 Email Accounts (uses)
- T1567.002 Exfiltration to Cloud Storage (uses)
- T1110 Brute Force (uses)
- T1555 Credentials from Password Stores (uses)
- T1546.003
- T1105 Ingress Tool Transfer (uses)
- T1127 Trusted Developer Utilities Proxy Execution (uses)
- T1059.005 Visual Basic (uses)
- T1056.001 Keylogging (uses)
- T1585.001 Social Media Accounts (uses)
- T1021.001 Remote Desktop Protocol (uses)
- T1069.001 Local Groups (uses)
- T1049 System Network Connections Discovery (uses)
- T1562 Impair Defenses (uses)
- T1586.002 Email Accounts (uses)
- T1106 Native API (uses)
- Command Obfuscation (uses)
- T1518 Software Discovery (uses)
- T1583.002 DNS Server (uses)
- T1555.003 Credentials from Web Browsers (uses)
- T1583.001 Domains (uses)
- T1588.002 Tool (uses)
- T1055 Process Injection (uses)
- T1016 System Network Configuration Discovery (uses)
- T1102.002 Bidirectional Communication (uses)
- T1033 System Owner/User Discovery (uses)
- T1057 Process Discovery (uses)
- T1059 Command and Scripting Interpreter (uses)
- T1082 System Information Discovery (uses)
- T1204.002 Malicious File (uses)
- T1018 Remote System Discovery (uses)
- T1110.003 Password Spraying (uses)
- T1534 Internal Spearphishing (uses)
- T1016.001
- Identify Roles (uses)
- T1059.001 PowerShell (uses)
- T1589.002 Email Addresses (uses)
- T1608.001 Upload Malware (uses)
- T1010 Application Window Discovery (uses)
- T1071 Application Layer Protocol (uses)
Malware (5)
- Milan
- Kevin
- Shark
- DanBot
- DnsSystem
Indicators (7)
Tool (7)
- netstat (uses) · The MITRE Corporation · Confidence 100
  [netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)
  Published 31/05/2017 23:33 · Modified 27/03/2026 01:07
- BITSAdmin (uses) · The MITRE Corporation · Confidence 100
  [BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)
  Published 18/04/2018 19:59 · Modified 27/03/2026 01:07
- Mimikatz (uses) · The MITRE Corporation · Confidence 100
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of …
  Published 31/05/2017 23:32 · Modified 27/03/2026 01:07
- ipconfig (uses) · The MITRE Corporation · Confidence 100
  [ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)
  Published 31/05/2017 23:33 · Modified 27/03/2026 01:07
- Empire (uses) · The MITRE Corporation · Confidence 100
  [Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents …
  Published 11/03/2019 15:13 · Modified 27/03/2026 01:07
- Ping (uses) · The MITRE Corporation · Confidence 100
  [Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)
  Published 31/05/2017 23:33 · Modified 27/03/2026 01:07
- PoshC2 (uses) · The MITRE Corporation · Confidence 100
  [PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while …
  Published 23/04/2019 14:31 · Modified 27/03/2026 01:07
Campaign (1)
- HomeLand Justice (attributed-to)