Cavern Manticore Abuses SysAid RMM and WinDirStat DLL Sideloading to Deploy C2 Framework
A new Iranian-linked hacking group has been caught abusing everyday IT tools to slip malware onto Israeli networks.
Researchers have named the group Cavern Manticore, and its latest campaign shows how creative attackers have become at hiding in plain sight.
Instead of flashy exploits, the group leans on software organizations already trust. At the heart of this campaign is a technique that turns helpful software into a delivery mechanism for spying tools.
The attackers abuse SysAid, a remote monitoring and management platform, to push out a fake software update. That update quietly drops a legitimate looking file that loads hidden malicious code, a method known as DLL sideloading.
Check Point researchers identified the campaign after digging into unusual activity tied to IT service providers in Israel. The group did not stop at one company. It moved from a compromised IT provider to a second organization before reaching its real target.
Check Point said in a report shared with Cyber Security News (CSN) that the malware, called Cavern, is a modular framework, meaning its pieces can be swapped in and out depending on what the attackers want to do.
Some parts handle basic communication, while others are built for stealing files, poking around databases, or scanning networks. This design lets the group tailor each attack without rebuilding everything.
What makes Cavern tricky to catch is its use of three different ways of compiling the same code. Each version needs a different toolset to analyze, slowing down defenders trying to figure out what the malware does.
Combined with links to Iranian groups like MuddyWater and Lyceum, this points to a patient, well resourced adversary.
Cavern Manticore Abuses SysAid RMM and WinDirStat DLL Sideloading
The infection begins when Cavern Manticore abuses the software update feature inside SysAid to deliver a bundle of files tied to WinDirStat, a legitimate disk usage tool.
When the real WinDirStat program runs, it unknowingly loads a fake version of a Windows file called uxtheme.dll, which is actually the Cavern backdoor in disguise.

Once active, this backdoor reaches out to a separate file that handles network traffic, encrypting communications so they are harder to spot.
It then pulls down extra modules on demand, giving attackers tools to browse files, query databases, search directories, or tunnel deeper into the network.
Each module runs in an isolated space and is removed from memory once finished, making it harder for investigators to find evidence later. The malware also cleans up after itself, deleting most files in its working folder except what it needs to keep running.
This housekeeping is a deliberate anti-forensics step, aimed at frustrating anyone trying to piece together what happened after the fact.
Who Cavern Manticore Is Targeting
Cavern Manticore appears focused on Israeli organizations, especially those in government and IT services.
The interest in IT providers is not accidental, since these companies often have trusted access into other businesses, making them an ideal stepping stone toward harder targets.

Investigators traced the infrastructure to a domain registered through an Iranian hosting provider, adding weight to the assessment that this is state linked activity.
Overlaps with techniques used by MuddyWater and Lyceum, both tied to Iran’s intelligence services, support that connection.
The organizations should watch how their remote management tools are used, since attackers increasingly hide inside trusted administrative channels instead of breaking in through obvious weak points.
Security teams are urged to review logs and file activity involving uxtheme.dll, since that file name is a known target for sideloading abuse.
Limiting remote sessions, tightening access to RMM software, and watching for unusual DLL placement can help catch this activity early.
Because the malware behaves differently across builds, defenders are encouraged to focus on behavior patterns and infrastructure clues rather than fixed indicators.
This case is a reminder that trusted software can become a weapon when attackers get creative. Cavern Manticore’s methodical approach, from supply chain hopping to custom evasion tricks, shows patience organizations cannot ignore.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 37e123bd7998af4eae32718ce254776f36365a80ba56952593dab46f536d406 | uxtheme.dll (build 02) — Cavern Agent |
| SHA-256 | 92cae0ad7f98f51a14bcc0ee05e372ebdc29ea96ea7bd161bd3f55198767603 | uxtheme.dll (build 04) — Cavern Agent |
| SHA-256 | 5dc08bda6919a57a85e5f38b857985fa71529ca39c8299868d5a49a987e19b1 | uxtheme.dll (oldest build) — Cavern Agent |
| SHA-256 | a4aa217def4c38f4ecacdf47b1cd687f60cc74c18ab75195be3c4357a790bf4 | n-HTCommp.dll — Communication module |
| SHA-256 | b630c96d3763182533d4fb9b614134382bd644cb02c6c1c3ade848b6ecc31e8 | n-HTCommp.dll — Communication module |
| SHA-256 | 8e9425c0b46eeb516610ae913d13f2b3f44a023043cb099277031d4ec38a613 | mhm.dll — File manager module |
| SHA-256 | 0a3663648a46771a5a5423ad01e91a4e7ba825595e99fa934cb35cbb4848adc | mhm.dll (older variant) — File manager module |
| SHA-256 | 5394d3b220de4695f731647e3a70545f951a8912ceb0c6585efab8d6842e8b4 | db.dll — SQL browser module |
| SHA-256 | 30cb4679c4b8599eeb3d63a551716475c6332bdc4d4b4e3de0964aadb3092a1 | ode.dll — LDAP/Directory module |
| SHA-256 | 2cb1ad3b22db8e3666ea138fee88034a87a87cf43db3d3265a675ebf221379b | n-ten.dll — Network reconnaissance module |
| SHA-256 | 7d586fb7f94182a8e2a0e53c7e4deb898066da029da5cd9972a94a59ca6d255 | n-sws.dll — SOCKS5/WebSocket tunnel module |
| SHA-256 | 541b1f417b9e42078c3355693a8a492b6a76048850f6549a429e0be99e6819c | Older Cav3rn-era, non-modular agent sample |
| SHA-256 | bcbc9485db715e1b8cc384fe94b4cceadca4006cda8a5e28adc8848529cfafc | Older Cav3rn-era, non-modular agent sample |
| SHA-256 | bccf218189c3aadb1c761da14bfda3bae686769031e1e1b10007648bd72e347 | Older CAV3RNHttpModule sample |
| Domain | hospitalinstallation.com | Parent domain used for C2 infrastructure |
| Domain | auth.hospitalinstallation.com | C2 domain used by older Cavern agent builds |
| Domain | google.com.hospitalinstallation.com | C2 domain used by newer Cavern agent builds |
| Domain | adserviceupdate.com | C2 domain invoked by older Cav3rn HTTP module |
| Domain | hygienehistory.com | C2 domain invoked by older Cav3rn HTTP module |
| URL | https://adserviceupdate.com/cac.aspx | Operator deployed ASP.NET C2 handler |
| URL | https://hygienehistory.com/cac.aspx | Operator deployed ASP.NET C2 handler |
| File/Artifact | uxtheme.dll | Trojanized DLL sideloaded via WinDirStat.exe |
| File/Artifact | n-HTCommp.dll | Native communication module used for C2 traffic |
| File/Artifact | config.txt | Agent configuration file (keys: i, xd, int) |
| File/Artifact | Cvn.cfg / Cvn.cfg.A / Cvn.cfg.U | Legacy alive-time configuration files |
| File/Artifact | .CvnC.png / .CvnA.png / .CvnR.png | Steganographic command, API, and result files (older Cav3rn variant) |
| File/Artifact | cac.aspx | Operator-deployed ASP.NET handler path |
| Directory | inpt / outpt | Command and result drop directories used by older Cav3rn agent |
| Mutex | MYMUTEX123HELLP, MYMUTEX123HELLP02, MYMUTEX123HELLP04 | Mutex names used across Cavern agent builds |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.
The post Cavern Manticore Abuses SysAid RMM and WinDirStat DLL Sideloading to Deploy C2 Framework appeared first on Cyber Security News.
Tushar Subhra Dutta
Go to cyber-security-news