Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical OpenAI Codex macOS App Bug Lets Attackers Inject Indirect Prompts
July 7, 2026
Microsoft Teams Vulnerability Lets Attackers Install RMM Tools and EtherRAT
July 7, 2026
Cavern Manticore Exploits SysAid RMM and WinDirStat DLL Sideloading for C2 Deployment
July 7, 2026
Home/Threats/Cavern Manticore Exploits SysAid RMM and WinDirStat DLL Sideloading for C2 Deployment
Threats

Cavern Manticore Exploits SysAid RMM and WinDirStat DLL Sideloading for C2 Deployment

Key Takeaways A new Iranian-backed threat group, Cavern Manticore, is actively targeting Israeli organizations, including government entities and IT service providers. The group leverages legitimate...

Sarah simpson
Sarah simpson
July 7, 2026 5 Min Read
4 0

Key Takeaways

  • A new Iranian-backed threat group, Cavern Manticore, is actively targeting Israeli organizations, including government entities and IT service providers.
  • The group leverages legitimate IT tools like SysAid Remote Monitoring and Management (RMM) and WinDirStat to deploy its modular malware, “Cavern,” through DLL sideloading.
  • Cavern is a sophisticated, multi-stage command-and-control (C2) framework designed for stealth, data exfiltration, and network reconnaissance, featuring anti-forensic capabilities.
  • The campaign highlights a growing trend of attackers abusing trusted software and supply chain vectors to bypass traditional security defenses.

A newly identified Iranian-linked hacking collective, dubbed Cavern Manticore by researchers, has been observed in a campaign exploiting common IT administration tools to infiltrate Israeli networks. This sophisticated group demonstrates a preference for subtle tactics, leveraging trusted software to conceal its malicious activities rather than relying on overt exploits.

Table Of Content

  • Key Takeaways
  • Cavern Manticore Abuses SysAid RMM and WinDirStat DLL Sideloading
  • Who Cavern Manticore Is Targeting
  • What You Should Do
  • Indicators of Compromise (IoCs)

The core of Cavern Manticore’s strategy involves transforming legitimate software into a delivery mechanism for its espionage tools. This approach allows the attackers to operate under the radar, blending in with normal network traffic and operations.

Security researchers at Check Point unearthed the campaign during an investigation into suspicious activities originating from IT service providers in Israel. The group exhibited a calculated, multi-stage attack methodology, initially compromising an IT provider, then pivoting to a secondary organization before ultimately reaching its intended high-value target.

In a report shared with Cyber Security News (CSN), Check Point detailed the malware, named Cavern, as a highly modular command-and-control (C2) framework. This modular design enables the attackers to dynamically swap components based on their objectives, making the framework highly adaptable.

Cavern’s modules are engineered for diverse functions, ranging from fundamental communication protocols to advanced capabilities like file exfiltration, database querying, and network scanning. This architecture allows the threat group to customize each attack, deploying only the necessary tools without needing to re-engineer the entire payload.

A significant challenge in detecting and analyzing Cavern stems from its use of three distinct compilation methods for the same codebase. Each version requires a unique analytical toolset, deliberately slowing down defensive efforts to understand the malware’s full capabilities. This, coupled with observed links to other Iranian state-sponsored groups such as MuddyWater and Lyceum, points to a well-resourced and patient adversary.

Cavern Manticore Abuses SysAid RMM and WinDirStat DLL Sideloading

The infection chain initiated by Cavern Manticore exploits the software update functionality within SysAid, a widely used remote monitoring and management platform. Through this vector, the attackers deliver a package of files disguised as a legitimate update for WinDirStat, a disk usage statistics viewer.

When the authentic WinDirStat application is executed, it inadvertently loads a malicious version of uxtheme.dll, a standard Windows system file. This trojanized DLL is, in fact, the Cavern backdoor, injected through a technique known as DLL sideloading. You can find a detailed analysis of this execution chain in the Check Point report.

Once activated, the Cavern backdoor establishes encrypted communication with its C2 server, making its traffic difficult to detect. It then dynamically fetches additional modules as needed, granting the attackers capabilities such as file browsing, database querying, directory enumeration, and network tunneling for deeper penetration.

A key characteristic of Cavern’s design is its anti-forensic capabilities. Each module operates within an isolated environment and is purged from memory upon completion, hindering post-compromise analysis. Furthermore, the malware meticulously cleans its working directory, deleting most temporary files to obscure its presence and frustrate incident responders attempting to reconstruct the attack timeline.

Who Cavern Manticore Is Targeting

Cavern Manticore’s primary targets are Israeli organizations, with a particular focus on government entities and IT service providers. The strategic targeting of IT providers is deliberate, as these companies often possess privileged access to numerous client networks, serving as an ideal pivot point for reaching higher-value targets.

Forensic analysis has traced the group’s infrastructure to a domain registered through an Iranian hosting provider, bolstering the assessment of state-sponsored activity. The observed tactical overlaps with threat groups like MuddyWater and Lyceum, both known to be affiliated with Iran’s intelligence services, further reinforces this attribution. Detailed indicators of compromise (IoCs) are provided in the table below.

This campaign underscores the critical importance for organizations to scrutinize how their remote management tools are utilized. Attackers are increasingly opting to infiltrate through trusted administrative channels rather than attempting to breach obvious vulnerabilities. The methodical approach employed by Cavern Manticore, from exploiting supply chain trust to implementing custom evasion techniques, demands a patient and robust defensive posture from organizations.

What You Should Do

  • Review RMM Logs: Regularly audit logs and activity associated with remote monitoring and management (RMM) software like SysAid for any unusual update deployments or executions.
  • Monitor DLL Activity: Implement robust monitoring for suspicious file activity involving system DLLs, particularly uxtheme.dll, and pay close attention to unexpected DLL placements in application directories.
  • Enhance Access Controls: Implement strict access controls and multi-factor authentication for RMM platforms. Limit remote session durations and enforce least privilege principles.
  • Behavioral Detection: Focus on behavioral detection mechanisms rather than relying solely on static indicators of compromise, as Cavern’s polymorphic nature makes signature-based detection less effective. Look for unusual process behavior, network connections, and file system modifications.
  • Network Segmentation: Segment networks to limit lateral movement in case of a compromise, especially between IT service provider networks and client environments.
  • Threat Intelligence: Stay informed on the latest threat intelligence regarding Iranian state-sponsored groups and their evolving tactics, techniques, and procedures (TTPs).

Indicators of Compromise (IoCs)

Type Indicator Description
SHA-256 37e123bd7998af4eae32718ce254776f36365a80ba56952593dab46f536d406 uxtheme.dll (build 02) — Cavern Agent
SHA-256 92cae0ad7f98f51a14bcc0ee05e372ebdc29ea96ea7bd161bd3f55198767603 uxtheme.dll (build 04) — Cavern Agent
SHA-256 5dc08bda6919a57a85e5f38b857985fa71529ca39c8299868d5a49a987e19b1 uxtheme.dll (oldest build) — Cavern Agent
SHA-256 a4aa217def4c38f4ecacdf47b1cd687f60cc74c18ab75195be3c4357a790bf4 n-HTCommp.dll — Communication module
SHA-256 b630c96d3763182533d4fb9b614134382bd644cb02c6c1c3ade848b6ecc31e8 n-HTCommp.dll — Communication module
SHA-256 8e9425c0b46eeb516610ae913d13f2b3f44a023043cb099277031d4ec38a613 mhm.dll — File manager module
SHA-256 0a3663648a46771a5a5423ad01e91a4e7ba825595e99fa934cb35cbb4848adc mhm.dll (older variant) — File manager module
SHA-256 5394d3b220de4695f731647e3a70545f951a8912ceb0c6585efab8d6842e8b4 db.dll — SQL browser module
SHA-256 30cb4679c4b8599eeb3d63a551716475c6332bdc4d4b4e3de0964aadb3092a1 ode.dll — LDAP/Directory module
SHA-256 2cb1ad3b22db8e3666ea138fee88034a87a87cf43db3d3265a675ebf221379b n-ten.dll — Network reconnaissance module
SHA-256 7d586fb7f94182a8e2a0e53c7e4deb898066da029da5cd9972a94a59ca6d255 n-sws.dll — SOCKS5/WebSocket tunnel module
SHA-256 541b1f417b9e42078c3355693a8a492b6a76048850f6549a429e0be99e6819c Older Cav3rn-era, non-modular agent sample
SHA-256 bcbc9485db715e1b8cc384fe94b4cceadca4006cda8a5e28adc8848529cfafc Older Cav3rn-era, non-modular agent sample
SHA-256 bccf218189c3aadb1c761da14bfda3bae686769031e1e1b10007648bd72e347 Older CAV3RNHttpModule sample
Domain hospitalinstallation.com Parent domain used for C2 infrastructure
Domain auth.hospitalinstallation.com C2 domain used by older Cavern agent builds
Domain google.com.hospitalinstallation.com C2 domain used by newer Cavern agent builds
Domain adserviceupdate.com C2 domain invoked by older Cav3rn HTTP module
Domain hygienehistory.com C2 domain invoked by older Cav3rn HTTP module
URL https://adserviceupdate.com/cac.aspx Operator deployed ASP.NET C2 handler
URL https://hygienehistory.com/cac.aspx Operator deployed ASP.NET C2 handler
File/Artifact uxtheme.dll Trojanized DLL sideloaded via WinDirStat.exe
File/Artifact n-HTCommp.dll Native communication module used for C2 traffic
File/Artifact config.txt Agent configuration file (keys: i, xd, int)
File/Artifact Cvn.cfg / Cvn.cfg.A / Cvn.cfg.U Legacy alive-time configuration files
File/Artifact .CvnC.png / .CvnA.png / .CvnR.png Steganographic command, API, and result files (older Cav3rn variant)
File/Artifact cac.aspx Operator-deployed ASP.NET handler path
Directory inpt / outpt Command and result drop directories used by older Cav3rn agent
Mutex MYMUTEX123HELLP, MYMUTEX123HELLP02, MYMUTEX123HELLP04 Mutex names used across Cavern agent builds

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwareSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Critical Linux KVM Vulnerability (CVE-2024-4655) Exposes Host Kernel Memory

Next Post

Microsoft Teams Vulnerability Lets Attackers Install RMM Tools and EtherRAT

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical BeyondTrust Vulnerabilities Allow Access Control Bypass
July 7, 2026
Windows Device ID Used to Apprehend Scattered Spider Cybercriminal
July 7, 2026
Critical fast-mcp-telegram CVE-2023-4589 lets attackers access sensitive files
July 7, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us