ctipilot.ch
← Back to the live brief
NOTABLEthreatNATOB3

Check Point: Iran MOIS-linked "Cavern Manticore" ships a modular .NET C2 that uses three compilation formats as an anti-analysis layer, delivered via SysAid RMM abuse

discovered 2026-07-09 04:32 UTCrun 2026-07-09T0409Z-intel1 sourcesingle-source

Check Point Research documented Cavern Manticore, an Iran MOIS-linked APT it assesses shares technical and infrastructure overlap with MuddyWater and OilRig's Lyceum subgroup, targeting Israeli government and IT-sector organisations (Check Point Research, 2026-07-06). Its namesake framework, Cavern, is a modular post-exploitation .NET C2 whose components are deliberately compiled into three different binary formats: pure IL-only .NET (the mhm.dll file-ops/DPAPI-decrypt module, db.dll SQL browser, ode.dll LDAP/AD-recon module), Mixed-Mode C++/CLI IL+native (the uxtheme.dll Cavern Agent core), and .NET 8 NativeAOT native-only (n-HTCommp.dll HTTPS/WebSocket transport, n-ten.dll network recon/SMB brute-force, n-sws.dll SOCKS5/WSS tunnel). The compilation-format diversity is itself the anti-analysis layer: each format demands a different reverse-engineering toolchain, and NativeAOT strips framework symbols and resolves security-sensitive P/Invoke calls (WNetAddConnection2, NetShareEnum, NetLocalGroupGetMembers) through runtime descriptor tables rather than the PE import table, hiding capability from import-based triage (Check Point Research, 2026-07-06).

Delivery is the transferable part: the actor abused SysAid's legitimate software-update/deployment feature — not a SysAid vulnerability — to push a WinDirStat DLL-sideloading package that loads the trojanized uxtheme.dll as the Cavern Agent, which exports 83 functions mimicking the real Windows theming library (82 empty stubs; the one live export, EnableThemeDialogTexture, is the C2 entry point) — a sandbox trap for automated analysis that only invokes default exports. Each loaded module is isolated in its own .NET AppDomain via a MarshalByRefObject proxy so modules can be unloaded cleanly after use, leaving minimal forensic residue; most samples score zero or near-zero on VirusTotal. ATT&CK: T1574.002 DLL Side-Loading, T1027 Obfuscated Files or Information (via compilation-format diversity), T1620 Reflective Code Loading (AppDomain-isolated modules), T1219 Remote Access Software (SysAid deployment abuse).

Cavern Manticore is an Iran MOIS (Ministry of Intelligence and Security)-linked actor, with links to the OilRig subgroup named Lyceum

the compilation format itself becomes the anti-analysis layer, since each of the three formats has to be reversed with a different toolchain

SysAid was not compromised, and no SysAid vulnerability was involved. The attacker had already gained access to the victim environment and abused a legitimate software-deployment feature

Check Point Research 2026-07-06

Defender actions

  • Hunt for uxtheme.dll loaded outside its legitimate System32 location, especially by non-standard parents (e.g. WinDirStat.exe), and for RMM/software-deployment tools (SysAid and equivalents) pushing executables to non-standard ProgramData paths.
  • For reverse engineers, resource NativeAOT-capable tooling (e.g. ghidra-nativeaot / ida-nativeaot metadata recovery) — standard .NET decompilers do not handle Native-only compiled output, so import-table triage misses the capability.
PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.