S0569: Explosive
Explosive is a custom-made remote access tool used by the group Volatile Cedar. It was first identified in the wild in 2015.[1][2]
Analyst context for executives and security teams
Explosive is a Windows remote access tool associated in ATT&CK with Volatile Cedar. Its practical significance is not just “malware exists,” but that the mapped behaviors cover the parts of an intrusion that often determine business risk: discovery of the host and user, collection from clipboard/removable media, keylogging for credential capture, registry and hidden-file changes for persistence or evasion, and web-protocol command-and-control with encrypted content.
Executive priority
Treat this as a validation case for endpoint, identity, and egress-monitoring readiness on Windows systems. Leaders should ask whether the organization can prove it collects enough evidence to investigate a RAT that blends into normal web traffic, modifies the registry, captures user input or clipboard data, and stages additional tools. This supports budget and audit discussions around EDR coverage, privileged access control, removable media governance, incident response evidence retention, and network egress visibility.
Technical view
ATT&CK provides no official detection text for Explosive, so defenders should validate coverage through the related techniques rather than a single signature. SOC and IR teams should test whether Windows telemetry can correlate discovery activity, registry modification, hidden file creation, clipboard/keylogging-like collection, removable media access, inbound tool transfer, and HTTP/S-based command-and-control. Because several behaviors overlap with legitimate administration and user activity, detections should emphasize sequencing, unusual parent/child process context, uncommon destinations, persistence-related registry paths, and activity from systems or users that do not normally perform these actions.
Likely telemetry
- Windows endpoint/EDR process execution and command-line telemetry
- Windows Registry modification events
- File creation/modification metadata, including hidden attributes or hidden directories
- Clipboard access indicators where available from endpoint tooling
- Keyboard input monitoring or suspicious API-use indicators where available
Detection direction
- Do not rely on a single Explosive-specific detection; ATT&CK does not provide one for this object.
- Correlate discovery behaviors such as network configuration, user, and system information collection with later collection, registry, hidden-file, or C2 activity.
- Tune for false positives from legitimate administrators, help desk tools, software installers, and normal web browsing.
- Validate visibility into web-protocol C2, recognizing that symmetric encryption may limit content inspection and increase reliance on metadata, destination reputation, timing, and endpoint correlation.
- Monitor registry modifications and hidden-file behavior in the context of newly observed binaries or remote-access-like activity.
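The correlation the Technical view and Detection direction call for, written out as an added example (not MITRE's or Glexia's code, and not a detection published for Explosive). The events are constructed in a Sysmon-like shape (EventID 1 process create, 13 registry value set, 3 network connect); the field names, the discovery-binary list, the Run-key marker, the non-browser check and the 30-minute window are all assumptions chosen for illustration. The rule attributes each stage to an actor process (the parent for spawned helper commands, otherwise the acting process) so that the same binary must appear across stages before a host is flagged:

```python
"""Correlate Windows endpoint telemetry into a RAT-like activity chain.

Added example (not MITRE's or Glexia's code). The events below are constructed
in a Sysmon-like shape: EventID 1 = process create, 13 = registry value set,
3 = network connection. Field names and the discovery-binary, Run-key and
non-browser heuristics are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicators for the stages the page lists.
DISCOVERY_BINS = {"ipconfig.exe", "getmac.exe", "whoami.exe", "hostname.exe", "systeminfo.exe"}
RUN_KEY_MARKER = "\\currentversion\\run"
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")  # simplified RFC 1918 check

RAT = r"C:\Users\bob\AppData\Roaming\svchost32.exe"  # constructed suspect binary

EVENTS = [  # constructed sample telemetry, not real logs
    {"host": "WS01", "ts": "2021-02-08T09:00:01", "id": 1, "image": RAT,
     "parent": r"C:\Windows\explorer.exe", "cmd": "svchost32.exe"},
    {"host": "WS01", "ts": "2021-02-08T09:00:05", "id": 1, "image": r"C:\Windows\System32\ipconfig.exe",
     "parent": RAT, "cmd": "ipconfig /all"},
    {"host": "WS01", "ts": "2021-02-08T09:00:06", "id": 1, "image": r"C:\Windows\System32\hostname.exe",
     "parent": RAT, "cmd": "hostname"},
    {"host": "WS01", "ts": "2021-02-08T09:00:20", "id": 1, "image": r"C:\Windows\System32\attrib.exe",
     "parent": RAT, "cmd": r"attrib +h +s C:\Users\bob\AppData\Roaming\svchost32.exe"},
    {"host": "WS01", "ts": "2021-02-08T09:00:21", "id": 13, "image": RAT,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "WS01", "ts": "2021-02-08T09:01:00", "id": 3, "image": RAT,
     "dest": "203.0.113.10", "dport": 80},
    # Benign noise: an admin running discovery from a shell, normal browsing,
    # and an installer that writes a Run key but does nothing else.
    {"host": "WS02", "ts": "2021-02-08T09:10:00", "id": 1, "image": r"C:\Windows\System32\ipconfig.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "ipconfig /all"},
    {"host": "WS02", "ts": "2021-02-08T09:10:30", "id": 3, "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dest": "203.0.113.50", "dport": 443},
    {"host": "WS03", "ts": "2021-02-08T09:20:00", "id": 13, "image": r"C:\Temp\setup.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Map one event to (stage, actor) or None. The actor is the process the
    stage is attributed to: the parent for spawned helper commands, otherwise
    the process that performed the action."""
    if ev["id"] == 1:
        image = basename(ev["image"])
        if image in DISCOVERY_BINS:
            return "discovery", basename(ev["parent"])
        if image == "attrib.exe" and "+h" in ev["cmd"].lower():
            return "hidden_file", basename(ev["parent"])
    elif ev["id"] == 13 and RUN_KEY_MARKER in ev["target"].lower():
        return "registry_run", basename(ev["image"])
    elif ev["id"] == 3 and ev["dport"] in (80, 443):
        if basename(ev["image"]) not in BROWSERS and not ev["dest"].startswith(INTERNAL_PREFIXES):
            return "web_c2", basename(ev["image"])
    return None


def correlate(events, window=timedelta(minutes=30), min_stages=3):
    """Return alerts for (host, actor) pairs that show at least `min_stages`
    distinct stages, including web C2, inside one sliding time window."""
    hits = defaultdict(list)
    for ev in events:
        tagged = classify(ev)
        if tagged:
            stage, actor = tagged
            hits[(ev["host"], actor)].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = []
    for (host, actor), seq in sorted(hits.items()):
        seq.sort()
        best = set()
        for i, (start, _) in enumerate(seq):
            stages = {s for t, s in seq[i:] if t - start <= window}
            if len(stages) > len(best):
                best = stages
        if len(best) >= min_stages and "web_c2" in best:
            alerts.append({"host": host, "actor": actor, "stages": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only WS01 is flagged: the admin's ipconfig on WS02 and the installer's Run key on WS03 each yield a single stage, and the browser connection is excluded by the non-browser check. Tuning the thresholds, the binary list and the internal-address check to your environment is the false-positive work the Detection direction describes.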
Mitigation priorities
- Ensure Windows endpoints have active prevention and detection controls with retained telemetry for process, registry, file, and network activity.
- Restrict unnecessary administrative privileges that enable registry persistence or defense-impairing changes.
- Apply egress controls and logging for outbound web traffic, including proxy/DNS/firewall visibility for unusual destinations.
- Govern removable media use with policy, monitoring, and technical restrictions where appropriate.
- Strengthen credential protection and user activity monitoring because keylogging and clipboard collection can undermine password-based controls.
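When C2 content is RC4-encrypted, the Detection direction and the egress-logging mitigation above both leave you with metadata: who talked to what, how often, and how regularly. This added example (not MITRE's or Glexia's code) shows one such metadata check over constructed proxy log lines. The log layout (timestamp, client, destination, method, path, status, bytes), the addresses, and the thresholds (at least six hits, coefficient of variation of inter-connection gaps at or below 0.15, destination contacted by at most one client) are assumptions for illustration:

```python
"""Spot periodic outbound web connections in proxy logs when payload
inspection is not possible.

Added example (not MITRE's or Glexia's code). The log lines are constructed;
the field layout (timestamp, client, destination, method, path, status, bytes)
and the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: 10.0.0.5 posts to one destination roughly every 60 s,
# three other clients browse a shared destination at irregular intervals.
PROXY_LOG = """\
2021-02-08T09:00:00 10.0.0.5 203.0.113.10:80 POST /index.php 200 512
2021-02-08T09:00:10 10.0.0.7 198.51.100.20:443 GET / 200 14800
2021-02-08T09:00:15 10.0.0.7 198.51.100.20:443 GET /app.js 200 90211
2021-02-08T09:00:55 10.0.0.7 198.51.100.20:443 GET /news 200 22010
2021-02-08T09:01:00 10.0.0.5 203.0.113.10:80 POST /index.php 200 512
2021-02-08T09:01:58 10.0.0.5 203.0.113.10:80 POST /index.php 200 512
2021-02-08T09:02:00 10.0.0.8 198.51.100.20:443 GET / 200 14800
2021-02-08T09:02:30 10.0.0.8 198.51.100.20:443 GET /news 200 22010
2021-02-08T09:03:00 10.0.0.5 203.0.113.10:80 POST /index.php 200 512
2021-02-08T09:03:59 10.0.0.5 203.0.113.10:80 POST /index.php 200 512
2021-02-08T09:04:00 10.0.0.9 198.51.100.20:443 GET / 200 14800
2021-02-08T09:05:01 10.0.0.5 203.0.113.10:80 POST /index.php 200 512
2021-02-08T09:05:55 10.0.0.7 198.51.100.20:443 GET /sports 200 19330
2021-02-08T09:06:00 10.0.0.5 203.0.113.10:80 POST /index.php 200 512
2021-02-08T09:06:07 10.0.0.7 198.51.100.20:443 GET /weather 200 8012
2021-02-08T09:07:01 10.0.0.5 203.0.113.10:80 POST /index.php 200 512
2021-02-08T09:07:37 10.0.0.7 198.51.100.20:443 GET /login 302 0
2021-02-08T09:07:44 10.0.0.7 198.51.100.20:443 GET /home 200 15120
"""


def parse(log_text):
    """Yield (timestamp, client, destination) tuples from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, *_ = line.split()
        yield datetime.fromisoformat(ts), client, dest


def beacon_candidates(log_text, min_hits=6, max_cv=0.15, max_sources=1):
    """Flag (client, destination) pairs whose connection intervals are nearly
    constant (low coefficient of variation) and whose destination is contacted
    by few clients overall. Results are sorted by regularity (lowest cv first)."""
    times = defaultdict(list)
    sources = defaultdict(set)
    for ts, client, dest in parse(log_text):
        times[(client, dest)].append(ts)
        sources[dest].add(client)
    out = []
    for (client, dest), stamps in times.items():
        if len(stamps) < min_hits or len(sources[dest]) > max_sources:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            out.append({"client": client, "dest": dest, "hits": len(stamps),
                        "period_s": round(avg, 1), "cv": round(cv, 3)})
    return sorted(out, key=lambda c: c["cv"])


if __name__ == "__main__":
    for cand in beacon_candidates(PROXY_LOG):
        print(cand)
```

The shared browsing destination fails both the rarity check (three clients) and the regularity check (gaps of 5 to 300 seconds), while the 60-second poster to a destination nobody else contacts is returned with a cv near 0.02. Real RATs add jitter, so the cv threshold, the minimum hit count and the rarity cut-off need tuning against your own proxy baseline.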
Analyst notes and limits
The malware object is specifically listed for Windows, while some related ATT&CK techniques have broader platform lists. This summary treats Windows as the supported platform for Explosive and uses the related techniques to frame defensive validation. The relationship to Volatile Cedar is official ATT&CK context, but local attribution should require independent evidence.
Official ATT&CK fields provide a short description and relationships but no malware-specific detection guidance, aliases, labels, or object-level tactics. The external references are cited by ATT&CK, but this summary does not add details beyond the supplied fields. Local telemetry quality, asset roles, and business processes are required to determine actual exposure or coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | Explosive has collected the MAC address from the victim's machine. [1] |
| Enterprise | T1112 | Modify Registry | Explosive has a function to write itself to Registry values. [1] |
| Enterprise | T1025 | Data from Removable Media | Explosive can scan all .exe files located in the USB drive. [1] |
| Enterprise | T1056.001 | Keylogging (sub-technique of T1056) | Explosive has leveraged its keylogging capabilities to gain access to administrator accounts on target servers. [1][2] |
| Enterprise | T1033 | System Owner/User Discovery | Explosive has collected the username from the infected host. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique of T1573) | Explosive has encrypted communications with the RC4 method. [2] |
| Enterprise | T1105 | Ingress Tool Transfer | Explosive has a function to download a file to the infected system. [1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique of T1071) | Explosive has used HTTP for communication. [1] |
| Enterprise | T1106 | Native API | Explosive has a function to call the OpenClipboard wrapper. [1] |
| Enterprise | T1115 | Clipboard Data | Explosive has a function to use the OpenClipboard wrapper. [1] |
| Enterprise | T1082 | System Information Discovery | Explosive has collected the computer name from the infected host. [1] |
| Enterprise | T1564.001 | Hidden Files and Directories (sub-technique of T1564) | Explosive has commonly set file and path attributes to hidden. [1] |
Groups, software, and campaigns
G0123: Volatile Cedar
Volatile Cedar is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. Volatile Cedar has been operating since 2012 and is motivated by political and ideological interests.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 231afe54dfc5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CheckPoint Volatile Cedar March 2015: Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021. (Open source URL)
- [2] ClearSky Lebanese Cedar Jan 2021: ClearSky Cyber Security. (2021, January). "Lebanese Cedar" APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. (Open source URL)
- [3] MITRE ATT&CK source record: mitre-attack S0569. (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.