Check Point Research tracked Cavern Manticore, an Iran-nexus threat actor targeting Israeli government and IT organizations using a modular .NET C2 framework with strong anti-analysis features and RMM abuse for initial access. The report also details related infrastructure, legacy Cav3rn samples, and multiple post-exploitation modules for reconnaissance, file access, LDAP, SQL, networking, and tunneling. #CavernManticore #MuddyWater #Lyceum #SysAid #uxtheme.dll #n-HTCommp.dll
Keypoints
- Cavern Manticore is tracked as an Iran-nexus threat actor focused on Israeli government and IT-sector targets.
- The framework is a modular .NET C2 platform split into agents and mission-specific modules, with separate components for communication and post-exploitation.
- Cavern uses three compilation formats â .NET Framework, Mixed-Mode C++/CLI, and NativeAOT â as an anti-analysis layer rather than relying on traditional packing or obfuscation.
- Initial access in multiple intrusions was achieved through abuse of existing RMM software in victim organizations, including a SysAid-based delivery chain.
- The communication module n-HTCommp.dll supports HTTP and WebSocket operations with XOR and Base64 handling, fixed headers, and hidden command grammar.
- Post-exploitation modules provide capabilities such as file browsing, database querying, LDAP/AD reconnaissance, network scanning, SMB brute-force, and SOCKS5/WebSocket tunneling.
- Older Cav3rn samples show strong continuity with the modern framework, including shared command structure, legacy infrastructure, and operator-deployed webshell-style C2 handling.
MITRE Techniques
- [T1071.001] Web Protocols â The framework uses HTTP and WebSocket for C2 communication and tunneling through modules like n-HTCommp.dll and n-sws.dll (âdirect HTTPS / WebSocketâ, âWebSocket/WSS tunnelâ).
- [T1573.001] Symmetric Cryptography â Traffic is encoded with XOR key 0x48 before transmission on C2-bound paths (âXORed with key 0x48â, âtraffic-encoding layerâ).
- [T1027] Obfuscated Files or Information â The framework hides behavior through compilation format choices and packed runtime data, making static analysis difficult (âthe compilation format itself becomes the anti-analysis layerâ, âpacked verb constantsâ).
- [T1218.011] Rundll32 â DLL Side-Loading â The initial execution chain abuses legitimate software loading a trojanized DLL, specifically WinDirStat loading uxtheme.dll (âWinDirStat DLL sideloading packageâ, âloads the trojanized uxtheme.dllâ).
- [T1562.001] Disable or Modify Tools â The framework reduces analyst visibility through anti-analysis and anti-forensics mechanisms such as AppDomain isolation and cleanup (âloaded modules can be cleanly removed from memoryâ, âaggressive directory cleanupâ).
- [T1070.004] File Deletion â New agent builds delete files and subdirectories in the working directory after startup (âdelete everything except the Communication Module, config.txt, and log filesâ).
- [T1135] Network Share Discovery â The network module enumerates shares and mapped drives (âshare enumerationâ, âlist shares on a hostâ).
- [T1046] Network Service Discovery â The network module performs network reconnaissance and TCP port scanning (âport scanâ, âTCP port scanâ).
- [T1087.002] Domain Account Discovery â LDAP and network modules enumerate users, groups, and local accounts (âenumerate all usersâ, âlocal group membersâ).
- [T1018] Remote System Discovery â The network module discovers computers in the domain and performs netstat/ARP-style discovery (âlist computers in domainâ, âARP tableâ).
- [T1083] File and Directory Discovery â File module functions list drives, folders, files, and search content (âdrive/file/directory enumerationâ, âsearch filesâ).
- [T1005] Data from Local System â The file module collects host information and browses local files and databases (âhost information collectionâ, âdatabase browsingâ).
- [T1555.004] Credentials from Password Stores â The file manager module decrypts DPAPI-protected blobs with the current user context (âDPAPI decryptionâ, âdecrypt any DPAPI-protected secretâ).
- [T1021.002] SMB/Windows Admin Shares â The network module maps/unmaps drives and brute-forces SMB access using WNetAddConnection2 (âSMB-based credential spraying primitiveâ).
- [T1078] Valid Accounts â The actor abuses legitimate RMM access and operator-supplied credentials for LDAP/SQL/network operations (âabuse of existing Remote Monitoring and Management softwareâ, âoperator-supplied credential pairsâ).
- [T1190] Exploit Public-Facing Application â The initial foothold is described as starting from abused management software and SysAid server functionality (âSysAidâs software update featureâ, âdeploy a WinDirStat DLL sideloading packageâ).
Indicators of Compromise
- [SHA-256 hashes] malware samples and modules â 37e123bd7998af4eae32718ce254776f36365a80ba56952593dab46f536d4066, 92cae0ad7f98f51a14bcc0ee05e372ebdc29ea96ea7bd161bd3f55198767603b, and other 10 hashes
- [Domains] C2 infrastructure and legacy transport endpoints â auth[.]hospitalinstallation[.]com, google[.]com[.]hospitalinstallation[.]com, and other 2 domains
- [File names] agent and module binaries â uxtheme.dll, n-HTCommp.dll, and other 5 module names
- [Configuration / artifact names] host artifacts and legacy names â config.txt, MYMUTEX123HELLP04, and other 6 artifacts
- [Paths] developer and build artifacts â C:UsersrickDesktopModulescavern, C:ProgramDataWinDirWinDirStat.exe, and other 2 paths
- [Web handler / endpoint] older C2 handler used by the legacy toolset â cac.aspx, /index.htm, and other 1 endpoint
Read more: https://research.checkpoint.com/2026/cavern-manticore-exposing-iran-linked-modular-c2-framework/