Iran-linked Lyceum APT adds a new .NET DNS Backdoor

The Iran-linked Lyceum APT group, aka Hexane or Spirlin, used a new .NET-based DNS backdoor in a campaign aimed at companies in the energy and telecommunication sectors, Zscaler researchers warn. The activity of the Lyceum APT group was first documented in August 2019 by researchers at ICS security firm Dragos, which tracked it as Hexane.

“The malware leverages a DNS attack technique called ‘DNS Hijacking’ in which an attacker-controlled DNS server manipulates the response of DNS queries and resolves them as per their malicious requirements,” reads the analysis published by Zscaler. “The malware employs the DNS protocol for command and control (C2) communication which increases stealth and keeps the malware communication probes under the radar to evade detection.”