Cavern Manticore: Exposing Iran-Linked Modular C2 Framework
Cavern Manticore, an Iran-MOIS-linked APT group, deploys a modular .NET C2 framework targeting Israeli government and IT organizations. The framework uses three compilation formats (Mixed-Mode C++/CLI, NativeAOT, .NET Framework) as an anti-analysis layer, with DLL sideloading via WinDirStat.exe for initial execution. Post-exploitation modules provide DPAPI decryption, LDAP brute-forcing, SQL browsing, network reconnaissance, and SOCKS5 tunneling, with C2 traffic XOR-encrypted over HTTPS/WebSocket channels.
- domainadserviceupdate[.]comLegacy C2 domain used by older Cav3rn HTTP module at /cac.aspx endpoint with XOR+Base32-encoded steganographic PNG transport
- domainauth[.]hospitalinstallation[.]comC2 domain used by older Cavern agent build (build 02) for HTTPS beaconing
- domaingoogle[.]com[.]hospitalinstallation[.]comC2 domain used by newer Cavern agent builds (build 04); google.com prefix is a visual deception trick for proxy log skimming
- domainhospitalinstallation[.]comParent C2 domain registered via Iranian hosting provider Fars Data; subdomains used for agent beaconing across multiple build variants
- domainhygienehistory[.]comLegacy C2 domain used by older Cav3rn HTTP module at /cac.aspx endpoint with XOR+Base32-encoded steganographic PNG transport
- filenamen-HTCommp.dllNativeAOT .NET 8 communication module loaded by the Cavern Agent; handles HTTPS/WebSocket C2 transport with XOR (0x48) encryption
- filenameuxtheme.dllCavern Agent core backdoor DLL sideloaded by WinDirStat.exe; compiled as Mixed-Mode C++/CLI with 83 exports, only EnableThemeDialogTexture is operational
- filenameWinDirStat.exeLegitimate binary abused for DLL sideloading; deployed to C:\ProgramData\WinDir\WinDirStat.exe via SysAid update mechanism
- mutexMYMUTEX123HELLP02Mutex created by Cavern Agent build 02 upon initialization via EnableThemeDialogTexture export to ensure singleton execution
- mutexMYMUTEX123HELLP04Mutex created by Cavern Agent build 04 upon initialization via EnableThemeDialogTexture export to ensure singleton execution
- sha2560a3663648a46771a5a5423ad01e91a4e7ba825595e99fa934cb35cbb4848adc8mhm.dll - File manager module, older Cav3rn variant with legacy naming artifacts
- sha2562cb1ad3b22db8e3666ea138fee88034a87a87cf43db3d3265a675ebf221379b0n-ten.dll - Network reconnaissance module (NativeAOT .NET 8)
- sha25630cb4679c4b8599eeb3d63a551716475c6332bdc4d4b4e3de0964aadb3092a10ode.dll - LDAP/Active Directory reconnaissance module (.NET Framework 4.7.2 IL-only)
- sha25637e123bd7998af4eae32718ce254776f36365a80ba56952593dab46f536d4066uxtheme.dll - Cavern Agent build 02 (Mixed-Mode C++/CLI)
- sha2565394d3b220de4695f731647e3a70545f951a8912ceb0c6585efab8d6842e8b42db.dll - SQL database browser module (.NET Framework 4.7.2 IL-only)
- sha256541b1f417b9e42078c3355693a8a492b6a76048850f6549a429e0be99e6819cbOlder Cav3rn agent - earlier non-modular build with all ApiEx capabilities in single DLL
- sha2565dc08bda6919a57a85e5f38b857985fa71529ca39c8299868d5a49a987e19b18uxtheme.dll - Cavern Agent oldest build (Mixed-Mode C++/CLI)
- sha2567d586fb7f94182a8e2a0e53c7e4deb898066da029da5cd9972a94a59ca6d255an-sws.dll - SOCKS5/WebSocket tunnel module (NativeAOT .NET 8)
- sha25692cae0ad7f98f51a14bcc0ee05e372ebdc29ea96ea7bd161bd3f55198767603buxtheme.dll - Cavern Agent build 04 (Mixed-Mode C++/CLI)
- sha256a4aa217def4c38f4ecacdf47b1cd687f60cc74c18ab75195be3c4357a790bf41n-HTCommp.dll - Communication module (NativeAOT .NET 8)
- sha256b630c96d3763182533d4fb9b614134382bd644cb02c6c1c3ade848b6ecc31e86n-HTCommp.dll - Communication module (NativeAOT .NET 8), alternate sample
- sha256cbc9485db715e1b8cc384fe94b4cceadca4006cda8a5e28adc8848529cfafc93Older Cav3rn agent - earlier non-modular build, near-identical to above
- sha256ccf218189c3aadb1c761da14bfda3bae686769031e1e1b10007648bd72e34748Older Cav3rn HTTP module (CAV3RN_Http_Module) - legacy steganographic PNG transport companion
- urlhxxps://adserviceupdate[.]com/cac[.]aspxLegacy Cav3rn C2 endpoint accepting XOR+Base32-encoded telemetry via POST with steganographic PNG response payloads
- urlhxxps://hygienehistory[.]com/cac[.]aspxLegacy Cav3rn C2 endpoint accepting XOR+Base32-encoded telemetry via POST with steganographic PNG response payloads
Detection / Hunteropenrouter
What Happened
A hacking group linked to Iran's intelligence services has been targeting Israeli government and technology companies using a sophisticated malware framework called Cavern. The attackers gain access by abusing legitimate IT management software and then install their malware by disguising it as a Windows system file. Once installed, the malware can browse files, access databases, steal passwords, map networks, and create secret tunnels into compromised systems. The malware is designed to be very difficult for security researchers to analyze because it uses multiple programming formats that each require different tools to examine. Organizations that use IT management tools like SysAid or remote monitoring software should review their systems for unusual activity, particularly looking for unexpected DLL files in the ProgramData directory. Security teams should also monitor for the specific domains, file names, and behavior patterns described in this report.
Key Takeaways
- Cavern Manticore is an Iran-MOIS-linked threat actor targeting Israeli government and IT sectors using a modular .NET C2 framework with three distinct compilation formats (Mixed-Mode C++/CLI, NativeAOT, .NET Framework) as an anti-analysis layer.
- Initial access is achieved by abusing SysAid software update mechanisms and RMM tools, followed by DLL sideloading via WinDirStat.exe loading a trojanized uxtheme.dll agent.
- The framework uses per-module AppDomain isolation with post-execution unload as an anti-forensics measure, and startup cleanup wipes all previously delivered modules from disk.
- Post-exploitation modules provide extensive capabilities: DPAPI decryption, SQL database browsing, LDAP brute-forcing, network reconnaissance, SMB credential spraying, and SOCKS5 tunneling.
- C2 traffic uses XOR encryption (key 0x48) with optional Base64 encoding, a fixed Microsoft Edge User-Agent, and custom X-User-token headers, with C2 domains on hospitalinstallation.com and legacy domains adserviceupdate.com and hygienehistory.com.
Affected Systems
- Windows systems with SysAid server software deployed
- Organizations using Remote Monitoring and Management (RMM) software
- Israeli government and IT sector organizations
- Systems with .NET Framework 4.7.2 and .NET 8 runtime environments
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: Abuse of SysAid software update mechanism or existing RMM software to deploy WinDirStat DLL sideloading package to C:\ProgramData\WinDir\
- Execution: Legitimate WinDirStat.exe sideloads trojanized uxtheme.dll (Cavern Agent) which initializes via EnableThemeDialogTexture export and creates singleton mutex
- C2 Establishment: Cavern Agent loads n-HTCommp.dll (NativeAOT communication module) for HTTPS/WebSocket C2 with XOR (0x48) encrypted traffic to hospitalinstallation.com subdomains
- Reconnaissance: Operator deploys post-exploitation modules (ode.dll for LDAP recon, n-ten.dll for network scanning, mhm.dll for file system enumeration)
- Credential Access: DPAPI decryption via mhm.dll, LDAP brute-force via ode.dll, SMB credential spraying via n-ten.dll's WNetAddConnection2
- Lateral Movement & Exfiltration: SOCKS5 tunneling via n-sws.dll, SQL database access via db.dll, file exfiltration via C2 upload or browser-based remote desktop features
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules but describes behavioral indicators and host artifacts suitable for custom detection engineering. Check Point Threat Emulation and Harmony Endpoint are noted as providing coverage.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | DLL sideloading of uxtheme.dll by WinDirStat.exe from C:\ProgramData is visible via process execution and file creation events. However, NativeAOT modules hide P/Invoke calls through runtime descriptor tables, and AppDomain isolation with post-execution unload limits memory artifact recovery. The agent's startup cleanup deletes previously delivered modules, reducing on-disk forensic evidence. |
| Network Visibility | Medium | C2 traffic uses HTTPS with a fixed Microsoft Edge User-Agent and custom X-User-token header, which can be detected via TLS inspection and header analysis. However, traffic is XOR-encrypted (key 0x48) with Base64 encoding, and WebSocket transport may blend with legitimate WSS traffic. Legacy steganographic PNG transport is more distinctive but only applies to older Cav3rn builds. |
| Detection Difficulty | Hard | The framework's use of three compilation formats, AppDomain isolation with unload, startup directory cleanup, and runtime-resolved P/Invoke calls significantly complicate static and dynamic analysis. NativeAOT modules strip framework symbols and hide string literals in a hydrated section. The fixed User-Agent and C2 domains provide initial detection vectors, but the modular delivery model means defenders must detect behavioral patterns rather than single artifacts. |
Required Log Sources
- Windows Sysmon Event ID 1 (Process Creation)
- Windows Sysmon Event ID 7 (Image Loaded - DLL loads)
- Windows Sysmon Event ID 11 (File Creation)
- Windows Sysmon Event ID 3 (Network Connection)
- Windows Security Event ID 4624 (Logon)
- Windows Security Event ID 4663 (Object Access)
- Proxy/NGFW HTTP headers and TLS SNI logs
- DNS resolution logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Hunt for DLL sideloading where WinDirStat.exe loads uxtheme.dll from C:\ProgramData\WinDir, as legitimate WinDirStat does not load uxtheme.dll from this path | Sysmon Event ID 7 (Image Loaded) correlating WinDirStat.exe as the loading process with uxtheme.dll as the loaded image from ProgramData paths | Execution | Low - legitimate WinDirStat installations do not load uxtheme.dll; this path is attacker-specific |
| Hunt for processes creating mutexes matching the pattern MYMUTEX123HELLP* as indicators of Cavern Agent initialization | Sysmon Event ID 17/18 (Pipe/Named Pipe events) or EDR mutex creation telemetry | Execution | Low - the mutex naming pattern is unique and not used by legitimate software |
| Hunt for outbound HTTPS connections to subdomains of hospitalinstallation.com or to /cac.aspx endpoints on adserviceupdate.com/hygienehistory.com with X-User-token headers | NGFW/proxy logs with TLS SNI, HTTP header inspection, and DNS resolution logs | Command and Control | Low - these domains are attacker-controlled infrastructure with no legitimate use |
| Hunt for .NET AppDomain creation and assembly loading patterns where a process creates isolated AppDomains, loads DLLs via reflection, and then unloads the AppDomain shortly after, indicating Cavern's module isolation mechanism | ETW .NET runtime events (AppDomain.CreateDomain, Assembly.Load) or EDR memory scanning with .NET CLR telemetry | Defense Evasion | Medium - some legitimate .NET applications use AppDomain isolation, but the create-load-unload pattern in rapid succession from non-development processes is suspicious |
| Hunt for rapid file deletion in working directories followed by C2 beaconing, indicating Cavern Agent startup cleanup behavior where all files except n-HTCommp.dll, config.txt, and logs are deleted | Sysmon Event ID 11 (File Creation) and Event ID 23 (File Delete) with process correlation | Defense Evasion | Medium - cleanup utilities and some installers perform similar directory wiping, but the selective retention pattern is distinctive |
Control Gaps
- Static AV signatures likely miss NativeAOT-compiled modules due to stripped symbols, hidden string literals, and runtime-resolved P/Invoke calls that bypass import-table triage
- Network-based detection without TLS inspection cannot identify XOR-encrypted C2 payloads within HTTPS tunnels
- AppDomain isolation with post-execution unload defeats memory scanning that relies on persistent loaded assemblies
- Abuse of legitimate RMM software for initial access blends with authorized administrative activity and may bypass behavioral EDR rules
- The 82 empty stub exports in uxtheme.dll create a sandbox evasion trap where automated analysis invoking default exports observes only benign behavior
Key Behavioral Indicators
- WinDirStat.exe executing from C:\ProgramData\WinDir\ and loading uxtheme.dll (DLL sideloading pattern)
- Process creating mutex named MYMUTEX123HELLP, MYMUTEX123HELLP02, or MYMUTEX123HELLP04
- Outbound HTTPS connections with fixed User-Agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 Edg/146.0.0.0' and custom X-User-token header ending in '00'
- DLL files with prefix 'n-' (n-HTCommp.dll, n-ten.dll, n-sws.dll) loaded via LoadLibraryA in the context of WinDirStat.exe
- Rapid sequential file deletion in a working directory excluding specific files (n-HTCommp.dll, config.txt, log files)
- .NET process creating and unloading AppDomains in rapid succession with reflection-based assembly loading
- Processes loading DLLs named mhm.dll, db.dll, ode.dll from non-standard paths with get_version export calls
- WNetAddConnection2 API calls from processes in C:\ProgramData\WinDir\ context indicating SMB credential spraying
False Positive Assessment
Low - The C2 domains, mutex names, and DLL sideloading pattern (WinDirStat.exe loading uxtheme.dll from ProgramData) are highly specific to this threat actor and unlikely to appear in legitimate activity. The fixed User-Agent and X-User-token header provide additional low-FP network detection vectors. The main false positive risk is in behavioral detections around AppDomain isolation and directory cleanup, which may overlap with legitimate .NET application behavior.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Search endpoint telemetry for the listed SHA256 hashes, C2 domains (hospitalinstallation.com, adserviceupdate.com, hygienehistory.com), and mutex names (MYMUTEX123HELLP*) to identify potential compromises.
- If your EDR supports it, consider blocking and isolating hosts where WinDirStat.exe is observed loading uxtheme.dll from C:\ProgramData\WinDir, as this is a high-confidence sideloading indicator.
- Consider reviewing DNS and proxy logs for any outbound connections to hospitalinstallation.com subdomains, adserviceupdate.com/cac.aspx, or hygienehistory.com/cac.aspx, and block these domains at your firewall or DNS filter if observed.
- If applicable to your environment, evaluate whether SysAid server update mechanisms can be restricted or monitored for unauthorized package deployment.
Infrastructure Hardening
- Consider implementing network segmentation to isolate SysAid servers and RMM infrastructure from general corporate networks, limiting lateral movement opportunities if these systems are compromised.
- Evaluate whether TLS inspection can be enabled for outbound traffic to detect the fixed Microsoft Edge User-Agent string and custom X-User-token headers associated with Cavern C2 communication.
- If your organization uses RMM software, consider implementing strict allowlisting for remote sessions, monitoring for anomalous session origins, and enforcing MFA for all remote access.
- Consider deploying application allowlisting to prevent execution of unsigned binaries from C:\ProgramData\ directories.
User Protection
- Consider ensuring EDR coverage is deployed on all endpoints, particularly those running SysAid clients or RMM agents, with behavioral detection rules for DLL sideloading patterns.
- If supported by your endpoint tooling, consider monitoring for .NET AppDomain creation and rapid unloading patterns as an anti-forensics indicator.
- Evaluate whether DPAPI-protected secret stores (browser credentials, etc.) on systems in affected sectors warrant additional access monitoring or credential guard implementations.
Security Awareness
- Consider incorporating awareness training for IT staff about the risks of compromised software update mechanisms, particularly for SysAid and RMM tools used in managed service provider chains.
- If relevant to your organization, consider briefing security operations teams on the behavioral indicators of Cavern framework modules, emphasizing that static hash-based detection alone is insufficient due to the framework's modular update and self-replacement capabilities.
- Consider reviewing third-party vendor risk assessments for IT providers in your supply chain, given the threat actor's demonstrated pattern of compromising IT providers as a first hop to higher-value targets.
MITRE ATT&CK Mapping
Execution
Defense Evasion
Credential Access
Collection
Command and Control
Additional IOCs
- Urls:
hxxps://adserviceupdate[.]com/cac.aspx- Legacy Cav3rn C2 endpoint accepting XOR+Base32-encoded telemetry via POST with steganographic PNG response payloadshxxps://hygienehistory[.]com/cac.aspx- Legacy Cav3rn C2 endpoint accepting XOR+Base32-encoded telemetry via POST with steganographic PNG response payloads
- File Hashes:
37e123bd7998af4eae32718ce254776f36365a80ba56952593dab46f536d4066(SHA256) - uxtheme.dll - Cavern Agent build 02 (Mixed-Mode C++/CLI)92cae0ad7f98f51a14bcc0ee05e372ebdc29ea96ea7bd161bd3f55198767603b(SHA256) - uxtheme.dll - Cavern Agent build 04 (Mixed-Mode C++/CLI)5dc08bda6919a57a85e5f38b857985fa71529ca39c8299868d5a49a987e19b18(SHA256) - uxtheme.dll - Cavern Agent oldest build (Mixed-Mode C++/CLI)a4aa217def4c38f4ecacdf47b1cd687f60cc74c18ab75195be3c4357a790bf41(SHA256) - n-HTCommp.dll - Communication module (NativeAOT .NET 8)b630c96d3763182533d4fb9b614134382bd644cb02c6c1c3ade848b6ecc31e86(SHA256) - n-HTCommp.dll - Communication module (NativeAOT .NET 8), alternate sample8e9425c0b46eeb516610ae913d3f2b3f44a023043cb099277031d4ec38a6134(SHA256) - mhm.dll - File manager module (.NET Framework 4.7.2 IL-only)0a3663648a46771a5a5423ad01e91a4e7ba825595e99fa934cb35cbb4848adc8(SHA256) - mhm.dll - File manager module, older Cav3rn variant with legacy naming artifacts5394d3b220de4695f731647e3a70545f951a8912ceb0c6585efab8d6842e8b42(SHA256) - db.dll - SQL database browser module (.NET Framework 4.7.2 IL-only)30cb4679c4b8599eeb3d63a551716475c6332bdc4d4b4e3de0964aadb3092a10(SHA256) - ode.dll - LDAP/Active Directory reconnaissance module (.NET Framework 4.7.2 IL-only)2cb1ad3b22db8e3666ea138fee88034a87a87cf43db3d3265a675ebf221379b0(SHA256) - n-ten.dll - Network reconnaissance module (NativeAOT .NET 8)7d586fb7f94182a8e2a0e53c7e4deb898066da029da5cd9972a94a59ca6d255a(SHA256) - n-sws.dll - SOCKS5/WebSocket tunnel module (NativeAOT .NET 8)541b1f417b9e42078c3355693a8a492b6a76048850f6549a429e0be99e6819cb(SHA256) - Older Cav3rn agent - earlier non-modular build with all ApiEx capabilities in single DLLcbc9485db715e1b8cc384fe94b4cceadca4006cda8a5e28adc8848529cfafc93(SHA256) - Older Cav3rn agent - earlier non-modular build, near-identical to aboveccf218189c3aadb1c761da14bfda3bae686769031e1e1b10007648bd72e34748(SHA256) - Older Cav3rn HTTP module (CAV3RN_Http_Module) - legacy steganographic PNG transport companion
- File Paths:
C:\ProgramData\WinDir\WinDirStat.exe- Deployment path for legitimate WinDirStat binary used as DLL sideloading host, delivered via SysAid update mechanismC:\Users\rick\Desktop\Modules\cavern\- PDB path prefix across multiple Cavern modules, revealing developer username 'rick' and internal project name 'cavern'
- Command Lines:
- Purpose: Cavern Agent C2 polling loop initialization via EnableThemeDialogTexture export, creating singleton mutex and loading communication module | Tools:
WinDirStat.exe,uxtheme.dll,n-HTCommp.dll| Stage: Execution |EnableThemeDialogTexture - Purpose: Module dispatch for native DLLs (prefix n-) via LoadLibraryA/GetProcAddress to call get_version export | Tools:
uxtheme.dll,LoadLibraryA,GetProcAddress| Stage: Post-exploitation |LoadLibraryA(<resolvedPath>) - Purpose: Self-update command 002: decompresses GZip+Base64 module payload from C2, writes new numbered DLL to disk, hot-swaps uxtheme.dll | Tools:
uxtheme.dll,GZipStream,Convert.FromBase64String| Stage: Persistence |self_execute("002", <base64_payload>) - Purpose: SOCKS5 tunnel server mode initialization with configurable ports and authentication | Tools:
n-sws.dll| Stage: Lateral Movement |-s -tp <tunnel_port> -sp <socks5_port> -u <user> -p <pass>
- Purpose: Cavern Agent C2 polling loop initialization via EnableThemeDialogTexture export, creating singleton mutex and loading communication module | Tools:
- Other:
MYMUTEX123HELLP- Mutex name used by oldest Cavern Agent build for singleton enforcementconfig.txt- Agent configuration file with keys i, xd, int; used by newer Cavern Agent builds (JSON format)Cvn.cfg- Legacy alive-time configuration file used by older Cav3rn-era mhm.dll variantcac.aspx- Operator-deployed ASP.NET handler on legacy C2 servers accepting custom XOR+Base32-encoded protocol with steganographic PNG responsesMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 Edg/146.0.0.0- Fixed Microsoft Edge User-Agent string used across all HTTP verbs in n-HTCommp.dll C2 communication; stable host artifact for detectionX-User-token- Custom HTTP header attached to C2-bound verbs (get/send) containing agent ID with literal suffix '00' appended