Cavern Manticore Exploits SysAid RMM and WinDirStat DLL Sideloading for C2 Deployment
Key Takeaways A new Iranian-backed threat group, Cavern Manticore, is actively targeting Israeli organizations, including government entities and IT service providers. The group leverages legitimate...
Key Takeaways
- A new Iranian-backed threat group, Cavern Manticore, is actively targeting Israeli organizations, including government entities and IT service providers.
- The group leverages legitimate IT tools like SysAid Remote Monitoring and Management (RMM) and WinDirStat to deploy its modular malware, “Cavern,” through DLL sideloading.
- Cavern is a sophisticated, multi-stage command-and-control (C2) framework designed for stealth, data exfiltration, and network reconnaissance, featuring anti-forensic capabilities.
- The campaign highlights a growing trend of attackers abusing trusted software and supply chain vectors to bypass traditional security defenses.
A newly identified Iranian-linked hacking collective, dubbed Cavern Manticore by researchers, has been observed in a campaign exploiting common IT administration tools to infiltrate Israeli networks. This sophisticated group demonstrates a preference for subtle tactics, leveraging trusted software to conceal its malicious activities rather than relying on overt exploits.
Table Of Content
The core of Cavern Manticore’s strategy involves transforming legitimate software into a delivery mechanism for its espionage tools. This approach allows the attackers to operate under the radar, blending in with normal network traffic and operations.
Security researchers at Check Point unearthed the campaign during an investigation into suspicious activities originating from IT service providers in Israel. The group exhibited a calculated, multi-stage attack methodology, initially compromising an IT provider, then pivoting to a secondary organization before ultimately reaching its intended high-value target.
In a report shared with Cyber Security News (CSN), Check Point detailed the malware, named Cavern, as a highly modular command-and-control (C2) framework. This modular design enables the attackers to dynamically swap components based on their objectives, making the framework highly adaptable.
Cavern’s modules are engineered for diverse functions, ranging from fundamental communication protocols to advanced capabilities like file exfiltration, database querying, and network scanning. This architecture allows the threat group to customize each attack, deploying only the necessary tools without needing to re-engineer the entire payload.
A significant challenge in detecting and analyzing Cavern stems from its use of three distinct compilation methods for the same codebase. Each version requires a unique analytical toolset, deliberately slowing down defensive efforts to understand the malware’s full capabilities. This, coupled with observed links to other Iranian state-sponsored groups such as MuddyWater and Lyceum, points to a well-resourced and patient adversary.
Cavern Manticore Abuses SysAid RMM and WinDirStat DLL Sideloading
The infection chain initiated by Cavern Manticore exploits the software update functionality within SysAid, a widely used remote monitoring and management platform. Through this vector, the attackers deliver a package of files disguised as a legitimate update for WinDirStat, a disk usage statistics viewer.
When the authentic WinDirStat application is executed, it inadvertently loads a malicious version of uxtheme.dll, a standard Windows system file. This trojanized DLL is, in fact, the Cavern backdoor, injected through a technique known as DLL sideloading. You can find a detailed analysis of this execution chain in the Check Point report.
Once activated, the Cavern backdoor establishes encrypted communication with its C2 server, making its traffic difficult to detect. It then dynamically fetches additional modules as needed, granting the attackers capabilities such as file browsing, database querying, directory enumeration, and network tunneling for deeper penetration.
A key characteristic of Cavern’s design is its anti-forensic capabilities. Each module operates within an isolated environment and is purged from memory upon completion, hindering post-compromise analysis. Furthermore, the malware meticulously cleans its working directory, deleting most temporary files to obscure its presence and frustrate incident responders attempting to reconstruct the attack timeline.
Who Cavern Manticore Is Targeting
Cavern Manticore’s primary targets are Israeli organizations, with a particular focus on government entities and IT service providers. The strategic targeting of IT providers is deliberate, as these companies often possess privileged access to numerous client networks, serving as an ideal pivot point for reaching higher-value targets.
Forensic analysis has traced the group’s infrastructure to a domain registered through an Iranian hosting provider, bolstering the assessment of state-sponsored activity. The observed tactical overlaps with threat groups like MuddyWater and Lyceum, both known to be affiliated with Iran’s intelligence services, further reinforces this attribution. Detailed indicators of compromise (IoCs) are provided in the table below.
This campaign underscores the critical importance for organizations to scrutinize how their remote management tools are utilized. Attackers are increasingly opting to infiltrate through trusted administrative channels rather than attempting to breach obvious vulnerabilities. The methodical approach employed by Cavern Manticore, from exploiting supply chain trust to implementing custom evasion techniques, demands a patient and robust defensive posture from organizations.
What You Should Do
- Review RMM Logs: Regularly audit logs and activity associated with remote monitoring and management (RMM) software like SysAid for any unusual update deployments or executions.
- Monitor DLL Activity: Implement robust monitoring for suspicious file activity involving system DLLs, particularly
uxtheme.dll, and pay close attention to unexpected DLL placements in application directories. - Enhance Access Controls: Implement strict access controls and multi-factor authentication for RMM platforms. Limit remote session durations and enforce least privilege principles.
- Behavioral Detection: Focus on behavioral detection mechanisms rather than relying solely on static indicators of compromise, as Cavern’s polymorphic nature makes signature-based detection less effective. Look for unusual process behavior, network connections, and file system modifications.
- Network Segmentation: Segment networks to limit lateral movement in case of a compromise, especially between IT service provider networks and client environments.
- Threat Intelligence: Stay informed on the latest threat intelligence regarding Iranian state-sponsored groups and their evolving tactics, techniques, and procedures (TTPs).
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 37e123bd7998af4eae32718ce254776f36365a80ba56952593dab46f536d406 | uxtheme.dll (build 02) — Cavern Agent |
| SHA-256 | 92cae0ad7f98f51a14bcc0ee05e372ebdc29ea96ea7bd161bd3f55198767603 | uxtheme.dll (build 04) — Cavern Agent |
| SHA-256 | 5dc08bda6919a57a85e5f38b857985fa71529ca39c8299868d5a49a987e19b1 | uxtheme.dll (oldest build) — Cavern Agent |
| SHA-256 | a4aa217def4c38f4ecacdf47b1cd687f60cc74c18ab75195be3c4357a790bf4 | n-HTCommp.dll — Communication module |
| SHA-256 | b630c96d3763182533d4fb9b614134382bd644cb02c6c1c3ade848b6ecc31e8 | n-HTCommp.dll — Communication module |
| SHA-256 | 8e9425c0b46eeb516610ae913d13f2b3f44a023043cb099277031d4ec38a613 | mhm.dll — File manager module |
| SHA-256 | 0a3663648a46771a5a5423ad01e91a4e7ba825595e99fa934cb35cbb4848adc | mhm.dll (older variant) — File manager module |
| SHA-256 | 5394d3b220de4695f731647e3a70545f951a8912ceb0c6585efab8d6842e8b4 | db.dll — SQL browser module |
| SHA-256 | 30cb4679c4b8599eeb3d63a551716475c6332bdc4d4b4e3de0964aadb3092a1 | ode.dll — LDAP/Directory module |
| SHA-256 | 2cb1ad3b22db8e3666ea138fee88034a87a87cf43db3d3265a675ebf221379b | n-ten.dll — Network reconnaissance module |
| SHA-256 | 7d586fb7f94182a8e2a0e53c7e4deb898066da029da5cd9972a94a59ca6d255 | n-sws.dll — SOCKS5/WebSocket tunnel module |
| SHA-256 | 541b1f417b9e42078c3355693a8a492b6a76048850f6549a429e0be99e6819c | Older Cav3rn-era, non-modular agent sample |
| SHA-256 | bcbc9485db715e1b8cc384fe94b4cceadca4006cda8a5e28adc8848529cfafc | Older Cav3rn-era, non-modular agent sample |
| SHA-256 | bccf218189c3aadb1c761da14bfda3bae686769031e1e1b10007648bd72e347 | Older CAV3RNHttpModule sample |
| Domain | hospitalinstallation.com | Parent domain used for C2 infrastructure |
| Domain | auth.hospitalinstallation.com | C2 domain used by older Cavern agent builds |
| Domain | google.com.hospitalinstallation.com | C2 domain used by newer Cavern agent builds |
| Domain | adserviceupdate.com | C2 domain invoked by older Cav3rn HTTP module |
| Domain | hygienehistory.com | C2 domain invoked by older Cav3rn HTTP module |
| URL | https://adserviceupdate.com/cac.aspx | Operator deployed ASP.NET C2 handler |
| URL | https://hygienehistory.com/cac.aspx | Operator deployed ASP.NET C2 handler |
| File/Artifact | uxtheme.dll | Trojanized DLL sideloaded via WinDirStat.exe |
| File/Artifact | n-HTCommp.dll | Native communication module used for C2 traffic |
| File/Artifact | config.txt | Agent configuration file (keys: i, xd, int) |
| File/Artifact | Cvn.cfg / Cvn.cfg.A / Cvn.cfg.U | Legacy alive-time configuration files |
| File/Artifact | .CvnC.png / .CvnA.png / .CvnR.png | Steganographic command, API, and result files (older Cav3rn variant) |
| File/Artifact | cac.aspx | Operator-deployed ASP.NET handler path |
| Directory | inpt / outpt | Command and result drop directories used by older Cav3rn agent |
| Mutex | MYMUTEX123HELLP, MYMUTEX123HELLP02, MYMUTEX123HELLP04 | Mutex names used across Cavern agent builds |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.