Cavern Manticore Abuses SysAid RMM and WinDirStat DLL Sideloading to Deploy C2 Framework

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A new Iranian-linked hacking group has been caught abusing everyday IT tools to slip malware onto Israeli networks.

Researchers have named the group Cavern Manticore, and its latest campaign shows how creative attackers have become at hiding in plain sight.

Instead of flashy exploits, the group leans on software organizations already trust. At the heart of this campaign is a technique that turns helpful software into a delivery mechanism for spying tools.

The attackers abuse SysAid, a remote monitoring and management platform, to push out a fake software update. That update quietly drops a legitimate looking file that loads hidden malicious code, a method known as DLL sideloading.

Check Point researchers identified the campaign after digging into unusual activity tied to IT service providers in Israel. The group did not stop at one company. It moved from a compromised IT provider to a second organization before reaching its real target.

Check Point said in a report shared with Cyber Security News (CSN) that the malware, called Cavern, is a modular framework, meaning its pieces can be swapped in and out depending on what the attackers want to do.

Some parts handle basic communication, while others are built for stealing files, poking around databases, or scanning networks. This design lets the group tailor each attack without rebuilding everything.

What makes Cavern tricky to catch is its use of three different ways of compiling the same code. Each version needs a different toolset to analyze, slowing down defenders trying to figure out what the malware does.

Combined with links to Iranian groups like MuddyWater and Lyceum, this points to a patient, well resourced adversary.

Cavern Manticore Abuses SysAid RMM and WinDirStat DLL Sideloading

The infection begins when Cavern Manticore abuses the software update feature inside SysAid to deliver a bundle of files tied to WinDirStat, a legitimate disk usage tool.

When the real WinDirStat program runs, it unknowingly loads a fake version of a Windows file called uxtheme.dll, which is actually the Cavern backdoor in disguise.

Cavern Agent Execution Chain (Source - Check Point)
Cavern Agent Execution Chain (Source – Check Point)

Once active, this backdoor reaches out to a separate file that handles network traffic, encrypting communications so they are harder to spot.

It then pulls down extra modules on demand, giving attackers tools to browse files, query databases, search directories, or tunnel deeper into the network.

Each module runs in an isolated space and is removed from memory once finished, making it harder for investigators to find evidence later. The malware also cleans up after itself, deleting most files in its working folder except what it needs to keep running.

This housekeeping is a deliberate anti-forensics step, aimed at frustrating anyone trying to piece together what happened after the fact.

Who Cavern Manticore Is Targeting

Cavern Manticore appears focused on Israeli organizations, especially those in government and IT services.

The interest in IT providers is not accidental, since these companies often have trusted access into other businesses, making them an ideal stepping stone toward harder targets.

Cavern Modules Evade Malware Engines (Source - Check Point)
Cavern Modules Evade Malware Engines (Source – Check Point)

Investigators traced the infrastructure to a domain registered through an Iranian hosting provider, adding weight to the assessment that this is state linked activity.

Overlaps with techniques used by MuddyWater and Lyceum, both tied to Iran’s intelligence services, support that connection.

The organizations should watch how their remote management tools are used, since attackers increasingly hide inside trusted administrative channels instead of breaking in through obvious weak points.

Security teams are urged to review logs and file activity involving uxtheme.dll, since that file name is a known target for sideloading abuse.

Limiting remote sessions, tightening access to RMM software, and watching for unusual DLL placement can help catch this activity early.

Because the malware behaves differently across builds, defenders are encouraged to focus on behavior patterns and infrastructure clues rather than fixed indicators.

This case is a reminder that trusted software can become a weapon when attackers get creative. Cavern Manticore’s methodical approach, from supply chain hopping to custom evasion tricks, shows patience organizations cannot ignore.

Indicators of Compromise (IoCs):-

Type Indicator Description
SHA-256 37e123bd7998af4eae32718ce254776f36365a80ba56952593dab46f536d406 uxtheme.dll (build 02) — Cavern Agent
SHA-256 92cae0ad7f98f51a14bcc0ee05e372ebdc29ea96ea7bd161bd3f55198767603 uxtheme.dll (build 04) — Cavern Agent
SHA-256 5dc08bda6919a57a85e5f38b857985fa71529ca39c8299868d5a49a987e19b1 uxtheme.dll (oldest build) — Cavern Agent
SHA-256 a4aa217def4c38f4ecacdf47b1cd687f60cc74c18ab75195be3c4357a790bf4 n-HTCommp.dll — Communication module
SHA-256 b630c96d3763182533d4fb9b614134382bd644cb02c6c1c3ade848b6ecc31e8 n-HTCommp.dll — Communication module
SHA-256 8e9425c0b46eeb516610ae913d13f2b3f44a023043cb099277031d4ec38a613 mhm.dll — File manager module
SHA-256 0a3663648a46771a5a5423ad01e91a4e7ba825595e99fa934cb35cbb4848adc mhm.dll (older variant) — File manager module
SHA-256 5394d3b220de4695f731647e3a70545f951a8912ceb0c6585efab8d6842e8b4 db.dll — SQL browser module
SHA-256 30cb4679c4b8599eeb3d63a551716475c6332bdc4d4b4e3de0964aadb3092a1 ode.dll — LDAP/Directory module
SHA-256 2cb1ad3b22db8e3666ea138fee88034a87a87cf43db3d3265a675ebf221379b n-ten.dll — Network reconnaissance module
SHA-256 7d586fb7f94182a8e2a0e53c7e4deb898066da029da5cd9972a94a59ca6d255 n-sws.dll — SOCKS5/WebSocket tunnel module
SHA-256 541b1f417b9e42078c3355693a8a492b6a76048850f6549a429e0be99e6819c Older Cav3rn-era, non-modular agent sample
SHA-256 bcbc9485db715e1b8cc384fe94b4cceadca4006cda8a5e28adc8848529cfafc Older Cav3rn-era, non-modular agent sample
SHA-256 bccf218189c3aadb1c761da14bfda3bae686769031e1e1b10007648bd72e347 Older CAV3RNHttpModule sample
Domain hospitalinstallation.com Parent domain used for C2 infrastructure
Domain auth.hospitalinstallation.com C2 domain used by older Cavern agent builds
Domain google.com.hospitalinstallation.com C2 domain used by newer Cavern agent builds
Domain adserviceupdate.com C2 domain invoked by older Cav3rn HTTP module
Domain hygienehistory.com C2 domain invoked by older Cav3rn HTTP module
URL https://adserviceupdate.com/cac.aspx Operator deployed ASP.NET C2 handler
URL https://hygienehistory.com/cac.aspx Operator deployed ASP.NET C2 handler
File/Artifact uxtheme.dll Trojanized DLL sideloaded via WinDirStat.exe
File/Artifact n-HTCommp.dll Native communication module used for C2 traffic
File/Artifact config.txt Agent configuration file (keys: i, xd, int)
File/Artifact Cvn.cfg / Cvn.cfg.A / Cvn.cfg.U Legacy alive-time configuration files
File/Artifact .CvnC.png / .CvnA.png / .CvnR.png Steganographic command, API, and result files (older Cav3rn variant)
File/Artifact cac.aspx Operator-deployed ASP.NET handler path
Directory inpt / outpt Command and result drop directories used by older Cav3rn agent
Mutex MYMUTEX123HELLP, MYMUTEX123HELLP02, MYMUTEX123HELLP04 Mutex names used across Cavern agent builds

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.

The post Cavern Manticore Abuses SysAid RMM and WinDirStat DLL Sideloading to Deploy C2 Framework appeared first on Cyber Security News.