2026-07-09 · view entry permalink →
Check Point: Iran MOIS-linked "Cavern Manticore" ships a modular .NET C2 that uses three compilation formats as an anti-analysis layer, delivered via SysAid RMM abuse
Check Point Research documented Cavern Manticore, an Iran MOIS-linked APT it assesses shares technical and infrastructure overlap with MuddyWater and OilRig's Lyceum subgroup, targeting Israeli government and IT-sector organisations (Check Point Research, 2026-07-06). Its namesake framework, Cavern, is a modular post-exploitation .NET C2 whose components are deliberately compiled into three different binary formats: pure IL-only .NET (the mhm.dll file-ops/DPAPI-decrypt module, db.dll SQL browser, ode.dll LDAP/AD-recon module), Mixed-Mode C++/CLI IL+native (the uxtheme.dll Cavern Agent core), and .NET 8 NativeAOT native-only (n-HTCommp.dll HTTPS/WebSocket transport, n-ten.dll network recon/SMB brute-force, n-sws.dll SOCKS5/WSS tunnel). The compilation-format diversity is itself the anti-analysis layer: each format demands a different reverse-engineering toolchain, and NativeAOT strips framework symbols and resolves security-sensitive P/Invoke calls (WNetAddConnection2, NetShareEnum, NetLocalGroupGetMembers) through runtime descriptor tables rather than the PE import table, hiding capability from import-based triage (Check Point Research, 2026-07-06).
Delivery is the transferable part: the actor abused SysAid's legitimate software-update/deployment feature — not a SysAid vulnerability — to push a WinDirStat DLL-sideloading package that loads the trojanized uxtheme.dll as the Cavern Agent, which exports 83 functions mimicking the real Windows theming library (82 empty stubs; the one live export, EnableThemeDialogTexture, is the C2 entry point) — a sandbox trap for automated analysis that only invokes default exports. Each loaded module is isolated in its own .NET AppDomain via a MarshalByRefObject proxy so modules can be unloaded cleanly after use, leaving minimal forensic residue; most samples score zero or near-zero on VirusTotal. ATT&CK: T1574.002 DLL Side-Loading, T1027 Obfuscated Files or Information (via compilation-format diversity), T1620 Reflective Code Loading (AppDomain-isolated modules), T1219 Remote Access Software (SysAid deployment abuse).
Cavern Manticore is an Iran MOIS (Ministry of Intelligence and Security)-linked actor, with links to the OilRig subgroup named Lyceum
the compilation format itself becomes the anti-analysis layer, since each of the three formats has to be reversed with a different toolchain
SysAid was not compromised, and no SysAid vulnerability was involved. The attacker had already gained access to the victim environment and abused a legitimate software-deployment feature