HEXANE
HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.
Attribution signal
?Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.≥ 10 High≥ 3 Moderate< 3 Low1.6
Low signal strength
Mentions2
Sources1
High conf.2
Last seenMay 2026
First observed
2018-10-17
Last active
—
Origin
Iran
Aliases
4
Techniques
36
Campaigns
0
Iran
Attribution signals
2 mentions · 1 source#1attribute tohigh
Malware
eset
May 2026
"Tools that we attribute to Lyceum include DanBot, Shark, Milan, Marlin, Solar, Mango, OilForceGTX"
#2identifiedhigh
TTP match
eset
May 2026
"ESET Research identified an operational overlap between MuddyWater and Lyceum, a subgroup of the Iran-aligned OilRig cyberespionage group"
Hedge terms observed
attribute toidentified