Volatile Cedar

Description

(Check Point) Beginning in late 2012, the carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive. This report provides an extended technical analysis of Volatile Cedar and the Explosive malware.

We have seen clear evidence that Volatile Cedar has been active for almost 3 years. While many of the technical aspects of the threat are not considered “cutting edge”, the campaign has been continually and successfully operational throughout this entire timeline, evading detection by the majority of AV products. This success is due to a well-planned and carefully managed operation that constantly monitors its victims’ actions and rapidly responds to detection incidents.

Names

Name            | Name-Giver
Volatile Cedar  | Check Point
Dancing Salome  | Kaspersky
DeftTorero      | Kaspersky
VolcanicTimber  | ?
Amethyst Rain   | Microsoft

Country

State-sponsored, Hezbollah

Motivation

  • Information theft and espionage

First Seen

2012

Observed Sectors

Observed Countries

Tools

Operations

Information

Mitre Attack

Other Information

Uuid

238acb51-8489-43d7-83b2-9ea4db18ddb6

Last Card Change

2025-06-28