ctipilot.ch

Cavern

tool · tool:cavern-c2-framework single-source

Modular post-exploitation .NET C2 framework used by Cavern Manticore, deliberately compiled across three .NET formats (IL-only, Mixed-Mode C++/CLI, .NET 8 NativeAOT) as an anti-analysis layer, with per-module AppDomain isolation and DLL-sideload delivery (trojanized uxtheme.dll) via RMM software-update-feature abuse (Check Point Research, 2026-07-06).

Coverage timeline
1
first 2026-07-09 → last 2026-07-09
Entries
1
1 distinct days
Sources cited
1
1 hosts
Sections touched
1
active-threats
Co-occurring entities
2
see Related entities below

Story timeline

  1. 2026-07-09Check Point: Iran MOIS-linked "Cavern Manticore" ships a modular .NET C2 that uses three compilation formats as an anti-analysis layer, delivered via SysAid RMM abuse
    active-threatsCavern Manticore's C2 splits across IL, Mixed-Mode and NativeAOT binaries to break RE toolchains — pushed through SysAid's legitimate deployment feature

Where this entity is cited

  • active-threats1

Source distribution

  • research.checkpoint.com1 (100%)

Related entities

Entries about Cavern (1)

2026-07-09 · view entry permalink →

NOTABLE

Check Point: Iran MOIS-linked "Cavern Manticore" ships a modular .NET C2 that uses three compilation formats as an anti-analysis layer, delivered via SysAid RMM abuse

Check Point Research documented Cavern Manticore, an Iran MOIS-linked APT it assesses shares technical and infrastructure overlap with MuddyWater and OilRig's Lyceum subgroup, targeting Israeli government and IT-sector organisations (Check Point Research, 2026-07-06). Its namesake framework, Cavern, is a modular post-exploitation .NET C2 whose components are deliberately compiled into three different binary formats: pure IL-only .NET (the mhm.dll file-ops/DPAPI-decrypt module, db.dll SQL browser, ode.dll LDAP/AD-recon module), Mixed-Mode C++/CLI IL+native (the uxtheme.dll Cavern Agent core), and .NET 8 NativeAOT native-only (n-HTCommp.dll HTTPS/WebSocket transport, n-ten.dll network recon/SMB brute-force, n-sws.dll SOCKS5/WSS tunnel). The compilation-format diversity is itself the anti-analysis layer: each format demands a different reverse-engineering toolchain, and NativeAOT strips framework symbols and resolves security-sensitive P/Invoke calls (WNetAddConnection2, NetShareEnum, NetLocalGroupGetMembers) through runtime descriptor tables rather than the PE import table, hiding capability from import-based triage (Check Point Research, 2026-07-06).

Delivery is the transferable part: the actor abused SysAid's legitimate software-update/deployment feature — not a SysAid vulnerability — to push a WinDirStat DLL-sideloading package that loads the trojanized uxtheme.dll as the Cavern Agent, which exports 83 functions mimicking the real Windows theming library (82 empty stubs; the one live export, EnableThemeDialogTexture, is the C2 entry point) — a sandbox trap for automated analysis that only invokes default exports. Each loaded module is isolated in its own .NET AppDomain via a MarshalByRefObject proxy so modules can be unloaded cleanly after use, leaving minimal forensic residue; most samples score zero or near-zero on VirusTotal. ATT&CK: T1574.002 DLL Side-Loading, T1027 Obfuscated Files or Information (via compilation-format diversity), T1620 Reflective Code Loading (AppDomain-isolated modules), T1219 Remote Access Software (SysAid deployment abuse).

Cavern Manticore is an Iran MOIS (Ministry of Intelligence and Security)-linked actor, with links to the OilRig subgroup named Lyceum

the compilation format itself becomes the anti-analysis layer, since each of the three formats has to be reversed with a different toolchain

SysAid was not compromised, and no SysAid vulnerability was involved. The attacker had already gained access to the victim environment and abused a legitimate software-deployment feature

Check Point Research 2026-07-06
threat09 Jul 04:32Zsingle-sourceOpen finding ↗