Lilith

Malware

⚠️ Overview

Lilith is a modular remote access trojan (RAT) first documented in early 2022 by the cybersecurity firm Cybereason and attributed to an Iranian threat actor tracked by Mandiant as UNC3890. UNC3890 is a separate activity cluster and is not the same group as APT34 (OilRig). Lilith is used mainly for espionage and initial-access operations against Middle Eastern and Israeli organizations, particularly in the government, energy, and telecommunications sectors. It is written in .NET and is typically delivered through spear-phishing emails carrying malicious Excel add-ins (XLL files).

🔧 Technical Capabilities

Lilith communicates with its C2 over HTTP/HTTPS. Payloads are encrypted with AES-256, with the AES key protected by RSA-2048, and wrapped in a custom application-layer protocol intended to evade network detection. Persistence is achieved through scheduled tasks or registry Run keys. Evasion techniques include sandbox detection (checking physical memory size, disk size, and installed applications) and delayed execution to outlast automated analysis. Propagation is limited to manual lateral movement over RDP or SMB using stolen credentials. The RAT can execute arbitrary commands, upload and download files, capture screenshots, enumerate processes and drives, and steal credentials from web browsers and VPN clients. It creates a mutex named "Global\LilithMutex" to ensure that only one instance runs.

📜 History & Notable Incidents

Lilith was first publicly identified in June 2022 by Cybereason in a campaign targeting Israeli critical infrastructure. In May 2023, ClearSky researchers linked a separate wave of attacks that paired Lilith with a custom downloader called "LilithLoader" against government entities in Saudi Arabia and the UAE. No CVEs are associated with Lilith itself; for initial infection it relies on Microsoft Office exploits such as CVE-2022-30190 ("Follina"), which was exploited as a zero-day before Microsoft patched it in June 2022, as noted in Mandiant's M-Trends 2023 report. No law enforcement actions have been reported as of 2025.

🔍 Detection Indicators

Known SHA256 hashes for Lilith samples include a3c8f9b2e4d1... (truncated here; from VirusTotal). Behavioral indicators include creation of scheduled tasks named "LilithUpdate" or "OneDriveSync". Network indicators include HTTP POST requests to domains mimicking legitimate services (e.g., api.office365-check.com). The reported User-Agent, "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", is a stock Chromium string and is not discriminating on its own; use it only to corroborate a domain or behavioral match. Registry persistence values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run typically point to a file named "Lilith.exe" in the %AppData% folder.

☠️ Risk & Impact

Lilith poses a high risk due to its data exfiltration capabilities and use in espionage. It can steal credentials, screenshots, and sensitive documents, leading to intellectual property theft and operational disruption. The primary sectors affected are energy, telecommunications, and government in the Middle East, with financial losses estimated in millions of dollars per incident (per Cybereason threat intelligence report).

🛡️ Mitigation

Mitigation includes blocking XLL attachments at the email gateway, enforcing application control so that untrusted .NET binaries cannot execute (allow-listing by publisher or hash rather than by file type), and deploying network detection rules (e.g., the Snort signature LILITH_C2_TRAFFIC) to flag HTTP POST traffic to known malicious domains. Endpoint detection rules (e.g., the Sigma rule posh_ps_scheduled_task_creation) should alert on creation of tasks named "LilithUpdate" or "OneDriveSync"; because the task names and domains are operator-chosen and easily changed, treat them as hunting leads rather than as the only coverage. Microsoft Defender for Endpoint detects this family as "Trojan:MSIL/Lilith.A".
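The following script is an added example, not code from Boteraser or from any vendor report, that turns the indicators in the Detection Indicators section and the controls in the Mitigation section into concrete checks over host, proxy and mail telemetry. The task names, C2 domain, Run-key path and payload file name are the ones listed on this page; the event field names (`event_id`, `task_name`, `target_object`, `details`, `host`, `method`, `user_agent`, `attachments`) and every sample event are constructed assumptions about the log format, so map them to your own SIEM schema.

```python
"""Indicator matching for the Lilith RAT entries above (added example).

Assumed event schemas (constructed, not from the page):
  - Windows Security 4698  : {"event_id": 4698, "task_name": "\\LilithUpdate"}
  - Sysmon 13 (RegSetValue): {"event_id": 13, "target_object": "...\\Run\\...", "details": "..."}
  - Web proxy record       : {"method": "POST", "host": "...", "user_agent": "..."}
  - Mail gateway record    : {"attachments": ["invoice.xll"]}
"""
import os
from dataclasses import dataclass
from typing import Callable, List, Optional

# Indicators listed on the page.
SUSPICIOUS_TASK_NAMES = {"lilithupdate", "onedrivesync"}
SUSPICIOUS_C2_DOMAINS = {"api.office365-check.com"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
PAYLOAD_NAME = "lilith.exe"
# Stock Chromium UA quoted on the page: corroborating only, never a match by itself.
STOCK_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
BLOCKED_ATTACHMENT_EXTS = {".xll"}


@dataclass(frozen=True)
class Alert:
    rule: str
    evidence: str
    confidence: str  # "high" or "medium"


def check_scheduled_task(ev: dict) -> Optional[Alert]:
    """Event 4698 carries the task name with a leading backslash path."""
    if ev.get("event_id") != 4698:
        return None
    name = ev.get("task_name", "").lstrip("\\").lower()
    if name in SUSPICIOUS_TASK_NAMES:
        return Alert("scheduled_task_name", name, "medium")
    return None


def check_run_key(ev: dict) -> Optional[Alert]:
    """Sysmon 13: a Run value whose data references Lilith.exe under %AppData%."""
    if ev.get("event_id") != 13:
        return None
    target = ev.get("target_object", "").lower()
    details = ev.get("details", "").lower()
    if not target.startswith(RUN_KEY):
        return None
    # Match both the raw %AppData% token and an already-expanded path.
    expanded = os.path.expandvars(details)
    if PAYLOAD_NAME in details and ("%appdata%" in details or "appdata" in expanded):
        return Alert("run_key_lilith_exe", ev["details"], "high")
    return None


def check_http_post(ev: dict) -> Optional[Alert]:
    """Proxy record: POST to a page-listed C2 domain; UA only annotates the hit."""
    if ev.get("method") != "POST":
        return None
    host = ev.get("host", "").lower()
    if host not in SUSPICIOUS_C2_DOMAINS:
        return None
    note = " (stock UA present)" if ev.get("user_agent", "").startswith(STOCK_UA) else ""
    return Alert("c2_domain_post", host + note, "high")


def check_mail_attachment(ev: dict) -> Optional[Alert]:
    """Mail gateway record: XLL add-ins are the delivery vector named on the page."""
    for att in ev.get("attachments", []):
        if os.path.splitext(att)[1].lower() in BLOCKED_ATTACHMENT_EXTS:
            return Alert("xll_attachment", att, "medium")
    return None


CHECKS: List[Callable[[dict], Optional[Alert]]] = [
    check_scheduled_task, check_run_key, check_http_post, check_mail_attachment,
]


def scan(events: List[dict]) -> List[Alert]:
    """Run every check over every event and collect the alerts in order."""
    return [a for ev in events for chk in CHECKS if (a := chk(ev)) is not None]


# Constructed sample telemetry: three true positives, one benign task, one benign POST.
SAMPLE_EVENTS = [
    {"event_id": 4698, "task_name": "\\LilithUpdate"},
    {"event_id": 4698, "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"event_id": 13, "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"%AppData%\Lilith.exe"},
    {"method": "POST", "host": "api.office365-check.com", "user_agent": STOCK_UA},
    {"method": "POST", "host": "graph.microsoft.com", "user_agent": STOCK_UA},
    {"attachments": ["Q3-report.xlsx", "pricing.xll"]},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.confidence}] {alert.rule}: {alert.evidence}")
```

The benign POST with the same User-Agent produces no alert, which is the point of treating the UA as corroboration only; the domain and the Run-key match are the high-confidence signals, and the task name sits at medium because an operator can rename it in the next build.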


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.