Threat Actor Profile
High APT
Description

Volatile Cedar is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. Volatile Cedar has been operating since 2012 and is motivated by political and ideological interests.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021)

Confidence Score
90%
Known Aliases
Volatile Cedar, Lebanese Cedar
Tags
mitre-attack, stix-2.1, intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (5)
T1105 - Ingress Tool Transfer (Command and Control)
T1190 - Exploit Public-Facing Application (Initial Access)
T1505.003 - Web Shell (Persistence)
T1595.002 - Vulnerability Scanning (Reconnaissance)
T1595.003 - Wordlist Scanning (Reconnaissance)
STIX Data
{'aliases': ['Volatile Cedar', 'Lebanese Cedar'],
 'created': '2021-02-08T20:30:30.578Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Volatile Cedar](https://attack.mitre.org/groups/G0123) is a '
                'Lebanese threat group that has targeted individuals, '
                'companies, and institutions worldwide. [Volatile '
                'Cedar](https://attack.mitre.org/groups/G0123) has been '
                'operating since 2012 and is motivated by political and '
                'ideological interests.(Citation: CheckPoint Volatile Cedar '
                'March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021)',
 'external_references': [{'external_id': 'G0123',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0123'},
                         {'description': '(Citation: CheckPoint Volatile Cedar '
                                         'March 2015)',
                          'source_name': 'Volatile Cedar'},
                         {'description': '(Citation: ClearSky Lebanese Cedar '
                                         'Jan 2021)',
                          'source_name': 'Lebanese Cedar'},
                         {'description': 'ClearSky Cyber Security. (2021, '
                                         'January). “Lebanese Cedar” APT '
                                         'Global Lebanese Espionage Campaign '
                                         'Leveraging Web Servers. Retrieved '
                                         'February 10, 2021.',
                          'source_name': 'ClearSky Lebanese Cedar Jan 2021',
                          'url': 'https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf'},
                         {'description': 'Threat Intelligence and Research. '
                                         '(2015, March 30). VOLATILE CEDAR. '
                                         'Retrieved February 8, 2021.',
                          'source_name': 'CheckPoint Volatile Cedar March 2015',
                          'url': 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf'}],
 'id': 'intrusion-set--b2e34388-6938-4c59-a702-80dc219e15e3',
 'modified': '2025-04-16T20:37:38.546Z',
 'name': 'Volatile Cedar',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.1'}