Researchers have tracked a new attack campaign by the Iran-based Siamesekitten group that makes use of a fake Adobe PDF document.


  • The Iran-based Siamesekitten, aka Lyceum/Hexane group, was first spotted launching attacks against an Israeli organization in May 2021.
  • The group is active in the Middle East and Africa and is known for launching supply chain attacks.
  • Over several months, the gang has managed to establish a large infrastructure that enabled it to impersonate the target company and HR personnel.

Latest update

  • In the latest attack campaign, researchers from ClearSky discovered that the group is using a new modular malware that is capable of infecting Windows systems.
  • While there is not much detail about the malware, researchers explained that the attackers used a reverse shell attack to impersonate an Adobe PDF document. The fake PDF file is signed with a fake Microsoft certificate to make it look convincing.
  • Researchers indicate that the attack method is similar to the previous drone attacks launched against Iranians.  


The relatively new Siamesekitten is yet another Iranian threat actor group that is building ground to expand its attack campaigns. The cybercrime group primarily relies on phishing emails to launch attacks. Therefore, organizations must implement the best email filtering systems and educate their employees on detecting phishing emails.

Cyware Publisher