Cavern Manticore: Exposing Iran-Linked Modular C2 Framework

Cavern Manticore: Exposing Iran-Linked Modular C2 Framework
Check Point Research tracked Cavern Manticore, an Iran-nexus threat actor targeting Israeli government and IT organizations using a modular .NET C2 framework with strong anti-analysis features and RMM abuse for initial access. The report also details related infrastructure, legacy Cav3rn samples, and multiple post-exploitation modules for reconnaissance, file access, LDAP, SQL, networking, and tunneling. #CavernManticore #MuddyWater #Lyceum #SysAid #uxtheme.dll #n-HTCommp.dll

Keypoints

  • Cavern Manticore is tracked as an Iran-nexus threat actor focused on Israeli government and IT-sector targets.
  • The framework is a modular .NET C2 platform split into agents and mission-specific modules, with separate components for communication and post-exploitation.
  • Cavern uses three compilation formats — .NET Framework, Mixed-Mode C++/CLI, and NativeAOT — as an anti-analysis layer rather than relying on traditional packing or obfuscation.
  • Initial access in multiple intrusions was achieved through abuse of existing RMM software in victim organizations, including a SysAid-based delivery chain.
  • The communication module n-HTCommp.dll supports HTTP and WebSocket operations with XOR and Base64 handling, fixed headers, and hidden command grammar.
  • Post-exploitation modules provide capabilities such as file browsing, database querying, LDAP/AD reconnaissance, network scanning, SMB brute-force, and SOCKS5/WebSocket tunneling.
  • Older Cav3rn samples show strong continuity with the modern framework, including shared command structure, legacy infrastructure, and operator-deployed webshell-style C2 handling.

MITRE Techniques

  • [T1071.001] Web Protocols – The framework uses HTTP and WebSocket for C2 communication and tunneling through modules like n-HTCommp.dll and n-sws.dll (‘direct HTTPS / WebSocket’, ‘WebSocket/WSS tunnel’).
  • [T1573.001] Symmetric Cryptography – Traffic is encoded with XOR key 0x48 before transmission on C2-bound paths (‘XORed with key 0x48’, ‘traffic-encoding layer’).
  • [T1027] Obfuscated Files or Information – The framework hides behavior through compilation format choices and packed runtime data, making static analysis difficult (‘the compilation format itself becomes the anti-analysis layer’, ‘packed verb constants’).
  • [T1218.011] Rundll32 – DLL Side-Loading – The initial execution chain abuses legitimate software loading a trojanized DLL, specifically WinDirStat loading uxtheme.dll (‘WinDirStat DLL sideloading package’, ‘loads the trojanized uxtheme.dll’).
  • [T1562.001] Disable or Modify Tools – The framework reduces analyst visibility through anti-analysis and anti-forensics mechanisms such as AppDomain isolation and cleanup (‘loaded modules can be cleanly removed from memory’, ‘aggressive directory cleanup’).
  • [T1070.004] File Deletion – New agent builds delete files and subdirectories in the working directory after startup (‘delete everything except the Communication Module, config.txt, and log files’).
  • [T1135] Network Share Discovery – The network module enumerates shares and mapped drives (‘share enumeration’, ‘list shares on a host’).
  • [T1046] Network Service Discovery – The network module performs network reconnaissance and TCP port scanning (‘port scan’, ‘TCP port scan’).
  • [T1087.002] Domain Account Discovery – LDAP and network modules enumerate users, groups, and local accounts (‘enumerate all users’, ‘local group members’).
  • [T1018] Remote System Discovery – The network module discovers computers in the domain and performs netstat/ARP-style discovery (‘list computers in domain’, ‘ARP table’).
  • [T1083] File and Directory Discovery – File module functions list drives, folders, files, and search content (‘drive/file/directory enumeration’, ‘search files’).
  • [T1005] Data from Local System – The file module collects host information and browses local files and databases (‘host information collection’, ‘database browsing’).
  • [T1555.004] Credentials from Password Stores – The file manager module decrypts DPAPI-protected blobs with the current user context (‘DPAPI decryption’, ‘decrypt any DPAPI-protected secret’).
  • [T1021.002] SMB/Windows Admin Shares – The network module maps/unmaps drives and brute-forces SMB access using WNetAddConnection2 (‘SMB-based credential spraying primitive’).
  • [T1078] Valid Accounts – The actor abuses legitimate RMM access and operator-supplied credentials for LDAP/SQL/network operations (‘abuse of existing Remote Monitoring and Management software’, ‘operator-supplied credential pairs’).
  • [T1190] Exploit Public-Facing Application – The initial foothold is described as starting from abused management software and SysAid server functionality (‘SysAid’s software update feature’, ‘deploy a WinDirStat DLL sideloading package’).

Indicators of Compromise

  • [SHA-256 hashes] malware samples and modules – 37e123bd7998af4eae32718ce254776f36365a80ba56952593dab46f536d4066, 92cae0ad7f98f51a14bcc0ee05e372ebdc29ea96ea7bd161bd3f55198767603b, and other 10 hashes
  • [Domains] C2 infrastructure and legacy transport endpoints – auth[.]hospitalinstallation[.]com, google[.]com[.]hospitalinstallation[.]com, and other 2 domains
  • [File names] agent and module binaries – uxtheme.dll, n-HTCommp.dll, and other 5 module names
  • [Configuration / artifact names] host artifacts and legacy names – config.txt, MYMUTEX123HELLP04, and other 6 artifacts
  • [Paths] developer and build artifacts – C:UsersrickDesktopModulescavern, C:ProgramDataWinDirWinDirStat.exe, and other 2 paths
  • [Web handler / endpoint] older C2 handler used by the legacy toolset – cac.aspx, /index.htm, and other 1 endpoint


Read more: https://research.checkpoint.com/2026/cavern-manticore-exposing-iran-linked-modular-c2-framework/