Malware

Cavern Manticore: Iranian-Linked APT Abuses SysAid RMM and DLL Sideloading to Deploy Modular C2 Framework

dark6 7 July 2026
Read Time:3 Minute, 36 Second

A previously undocumented Iranian-linked threat actor has been caught abusing legitimate IT management software to infiltrate Israeli organizations, according to new research from Check Point. The group, dubbed Cavern Manticore, relies on trusted remote monitoring tools rather than flashy exploits, making its intrusions unusually difficult to spot for defenders who trust the software already running on their networks.

Turning Helpful Software Into a Delivery Mechanism

At the center of the campaign is SysAid, a remote monitoring and management (RMM) platform widely used by IT service providers to remotely administer client endpoints. Cavern Manticore abuses SysAid to push a fake software update that quietly drops a trojanized file, loading hidden malicious code through a technique known as DLL sideloading.

In this campaign, the attackers hid their payload inside a file named uxtheme.dll, sideloaded via the legitimate Windows disk-usage utility WinDirStat. Because the host executable itself is signed and trusted, security tools are far less likely to flag the activity as malicious. This is a recurring pattern in modern intrusion sets: rather than writing a custom loader that antivirus engines can fingerprint, attackers hijack the DLL search order of an existing, trusted binary so their code runs under its reputation.

A Modular, Multi-Compiled Framework

Check Point’s report, shared with Cyber Security News, describes the malware — internally tracked as Cavern — as a modular framework whose components can be swapped in and out depending on the operator’s goals. Some modules handle basic command-and-control communication, while others are purpose-built for file theft, database reconnaissance, or internal network scanning.

Adding to the difficulty of analysis, Cavern is compiled in three distinct ways, each requiring a different toolset to reverse-engineer. This deliberate diversity slows down defenders trying to determine what any given sample actually does, and it also complicates automated detection, since signature-based tools trained on one compiled variant may miss the others entirely.

Ties to Known Iranian Threat Clusters

Researchers noted overlaps with previously tracked Iranian groups, including MuddyWater and Lyceum, both of which have a long history of targeting Middle Eastern government, telecom, and critical infrastructure organizations. The overlap suggests Cavern Manticore is either a rebranded cluster or a closely related team operating with shared tooling and infrastructure, pointing to a patient, well-resourced adversary rather than an opportunistic one.

Iranian state-linked activity has increasingly focused on Israeli targets over the past several years, often blending espionage objectives with disruptive intent. Groups in this ecosystem have shown a willingness to reuse and refine tooling across campaigns rather than building entirely new frameworks each time, which is consistent with the layered, multi-build design seen in Cavern.

A Multi-Stage Compromise Path

Rather than striking a target directly, the group first compromised an IT service provider, then used that foothold to pivot into a second organization before reaching its ultimate target. This supply-chain-style approach lets the attackers ride on trusted administrative relationships that already exist between IT providers and their clients — relationships that typically carry elevated access and less scrutiny than a direct external attack would face.

Command-and-control infrastructure identified in the campaign includes domains such as hospitalinstallation.com, adserviceupdate.com, and hygienehistory.com, along with ASP.NET-based C2 handlers hosted on that infrastructure. The naming conventions chosen for these domains appear designed to blend into ordinary enterprise and healthcare-related web traffic, further reducing the odds of a defender flagging outbound connections as suspicious at a glance.

Defensive Recommendations

  • Audit RMM platforms such as SysAid for unauthorized configuration or update-channel changes.
  • Watch for DLL sideloading involving legitimate signed applications like WinDirStat.
  • Restrict and log outbound connections from IT management tools to unfamiliar domains.
  • Segment IT service provider access from client networks wherever possible.
  • Review the published indicators of compromise and block the associated domains and file hashes.
  • Treat any RMM tool with direct internet-facing update mechanisms as a high-value target for monitoring, not just a background utility.

The campaign underscores a broader trend: attackers increasingly favor abusing trusted software supply chains over deploying custom exploits, a shift that makes detection reliant on behavioral monitoring rather than signature-based tools alone. For organizations that depend on third-party IT providers, Cavern Manticore is a reminder that vendor access needs the same scrutiny as any other privileged account.

Leave a Reply

💬 [[ unisciti alla discussione! ]]


Se vuoi commentare su Cavern Manticore: Iranian-Linked APT Abuses SysAid RMM and DLL Sideloading to Deploy Modular C2 Framework, utilizza la discussione sul Forum.
Condividi esempi, IOCs o tecniche di detection efficaci nel nostro 👉 forum community