Skip to main content
Mallory
Back to threat actors
Lebanon5 malware familiesExploits CVEs in the wild

Volatile Cedar

Also known asAmethyst RainLebanese CedarVolatile CedarVolcanicTimber

Volatile Cedar, also referred to as Lebanese Cedar, is a Lebanese threat group reportedly active since 2012 and motivated by political and ideological interests. The group has targeted individuals, companies, and institutions worldwide, with reported intrusions across Lebanon, Israel, Palestine, Egypt, the United States, and the United Kingdom. The content associates Lebanese Cedar with the Lebanese Shiite militant group Hezbollah and notes possible coordination with Iran-nexus actors affiliated with the Ministry of Intelligence and Security (MOIS). Known aliases in the provided content include Amethyst Rain, Lebanese Cedar, Volatile Cedar, and VolcanicTimber. The group has targeted publicly facing web servers, using both automatic and manual vulnerability discovery and performing vulnerability scans of target servers. It has compromised victim web servers through n-day vulnerabilities and deployed web shells including ASPXSpy, devilzshell, and Caterpillar. The content also states that Volatile Cedar can deploy additional tools, has used Meterpreter, and has used a custom malware family called Explosive RAT to maintain access and steal legitimate network credentials for espionage. Techniques directly mentioned in the content include Exploit Public-Facing Application (T1190), Web Shell (T1505.003), IIS Components (T1505.004), Command and Scripting Interpreter (T1059), Ingress Tool Transfer (T1105), Upload Malware (T1608.001), and Upload Tool (T1608.002).

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

24 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics31 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1595×2
Active Scanning
T1595.001
Scanning IP Blocks
T1595.002×2
Vulnerability Scanning
TA0042
Resource Development
1 technique
T1608
Stage Capabilities
T1608.001
Upload Malware
T1608.002
Upload Tool
TA0001
Initial Access
3 techniques
T1078
Valid Accounts
T1133×8
External Remote Services
T1190×42
Exploit Public-Facing Application
TA0002
Execution
2 techniques
T1059×3
Command and Scripting Interpreter
T1059.001
PowerShell
T1204
User Execution
TA0003
Persistence
3 techniques
T1078
Valid Accounts
T1133×8
External Remote Services
T1505
Server Software Component
T1505.003×9
Web Shell
T1505.004
IIS Components
TA0004
Privilege Escalation
1 technique
T1078
Valid Accounts
TA0005
Stealth
2 techniques
T1027
Obfuscated Files or Information
T1078
Valid Accounts
TA0008
Lateral Movement
2 techniques
T1021
Remote Services
T1021.001
Remote Desktop Protocol
T1210
Exploitation of Remote Services
TA0009
Collection
1 technique
T1005
Data from Local System
TA0011
Command and Control
4 techniques
T1071
Application Layer Protocol
T1071.001×2
Web Protocols
T1105×16
Ingress Tool Transfer
T1571
Non-Standard Port
T1573
Encrypted Channel
T1573.002
Asymmetric Cryptography
TA0010
Exfiltration
1 technique
T1041
Exfiltration Over C2 Channel
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
ASPXSpyInitial access methods best observed have been centered around the compromise of victim web servers via n-day vulnerabilities for the deployment of webshells, including ASPXSpy, devilzshell, and Caterpillar.1Jun 14, 2026
CaterpillarInitial access methods best observed have been centered around the compromise of victim web servers via n-day vulnerabilities for the deployment of webshells, including ASPXSpy, devilzshell, and Caterpillar.1Jun 14, 2026
devilzshellInitial access methods best observed have been centered around the compromise of victim web servers via n-day vulnerabilities for the deployment of webshells, including ASPXSpy, devilzshell, and Caterpillar.1Jun 14, 2026
Explosive RATFurther use of Meterpreter and their custom Explosive RAT have been associated with objectives around maintaining access through theft of legitimate network credentials, ultimately pursuing espionage objectives.1Jun 14, 2026
MeterpreterFurther use of Meterpreter and their custom Explosive RAT have been associated with objectives around maintaining access through theft of legitimate network credentials, ultimately pursuing espionage objectives.1Jun 14, 2026
WEAPONIZED

Associated vulnerabilities

8 CVEs this actor has used in observed campaigns. 8 of them exploited in the wild.

CVE-2021-31207Post-auth Arbitrary File Write in Microsoft Exchange Server (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2021-34473ProxyShell Autodiscover SSRF in Microsoft Exchange ServerIn the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2021-34523Microsoft Exchange PowerShell Backend Elevation of Privilege (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2022-26134Atlassian Confluence Server and Data Center OGNL Injection RCEIn the wildEvidence1

The following analytic detects attempts to exploit CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence... This activity is significant as it allows attackers to execute arbitrary code on the Confluence server without authentication, potentially leading to full system compromise.

CVE-2022-41040ProxyNotShell SSRF in Microsoft Exchange ServerIn the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

3 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

1 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
splunk researchNews
Jun 14, 2026
Detection: PTC Windchill Gateway Command Execution | Splunk Security Content

Listed as an associated threat actor in the detection annotation for exploitation of the public-facing PTC Windchill vulnerability CVE-2026-4681.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Metasploit Confluence Plugin Execution | Splunk Security Content

Listed as a threat actor associated with the detection for Metasploit-based Atlassian Confluence exploitation activity.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Potential Web Shell Creation For VMware Workspace ONE | Splunk Security Content

Listed as a threat actor associated with web shell persistence activity in the context of this VMware Workspace ONE web shell detection.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Unusual File Creation in Confluence Directory | Splunk Security Content

Listed as a threat actor associated with exploitation of public-facing applications and malware/tool upload activity relevant to Confluence exploitation detection.

Read more
+97 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping24

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs8

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables1

Domains, IPs, and hashes tied to this actor, refreshed continuously.