{"id":14116,"date":"2026-07-07T10:03:39","date_gmt":"2026-07-07T10:03:39","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/07\/cavern-manticore-abuses-sysaid-rmm-and-windirstat-dll-sideloading-to-deploy-c2-framework\/"},"modified":"2026-07-07T10:03:39","modified_gmt":"2026-07-07T10:03:39","slug":"cavern-manticore-abuses-sysaid-rmm-and-windirstat-dll-sideloading-to-deploy-c2-framework","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/07\/cavern-manticore-abuses-sysaid-rmm-and-windirstat-dll-sideloading-to-deploy-c2-framework\/","title":{"rendered":"Cavern Manticore Abuses SysAid RMM and WinDirStat DLL Sideloading to Deploy C2 Framework"},"content":{"rendered":"<p>    Cavern Manticore Abuses SysAid RMM and WinDirStat DLL Sideloading to Deploy C2 Framework<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">A new Iranian-linked hacking group has been caught abusing everyday IT tools to slip malware onto Israeli networks. <\/p>\n<p class=\"wp-block-paragraph\">Researchers have named the group Cavern Manticore, and its latest campaign shows how creative attackers have become at hiding in plain sight. <\/p>\n<p class=\"wp-block-paragraph\">Instead of flashy exploits, the group leans on software organizations already trust. <a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/c60ea6f6-c26b-4886-a6bb-9f7e66c0cf2d\/Cavern-Manticore-Abuses-SysAid-RMM-and-WinDirStat-DLL-Sideloading-to-Deploy-C2-Framework.pdf?AWSAccessKeyId=ASIA2F3EMEYE2W5HKXZP&amp;Signature=dAwVhoIaEV56BKefMfXcm%2FIOU3c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEJ%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIB93c8eART9XfmGj6tG31ghzVhAFPGXFMWn6aagFEj3zAiEA3YGkBvDDUFWbkI3mmYTO%2FcAwPLOZQqxEs0XiUJn%2BbCkq8wQIZxABGgw2OTk3NTMzMDk3MDUiDLTsZuG9%2B21OkcdObirQBFtJNLgARZlFcl5lD7bkjmzLkdLUzXh9ZhztXrdi7f2sHfph4lbGnyV5KwLq2hQUXgCcSp2ZhTO1Hy1e9QRV0HGZ7tvI%2FgWGMbcNFBRv%2BaCIZrkMlBKyqnALW%2Fz9gpNjijzTqX9MKc6XyNshNykRM7BFpqoB7Tdv3d5u3d28frTHwgXMKABusEDYav1CViyoZ3cfdIKS%2FcwxZc35WxClwx5Co4m6ulGOHIW9NzarE%2FopwHsdSzKQeh%2Ba%2F%2BqJ0%2FvwVzxnsHUWSsw7Oy4weBYaERPurIWMusSc5U%2FbXmI%2FSmfCexdnI5LkFcu6LylZknrBJAGH7F6FcGI1g0Zj%2BH%2B6jWFwGYtffVePQb2FjPMMKrFGKxAOTrQWLO1LQp2uWH2bgPRwtaOymm6803RWPObA5IYZAbAHeiBlFCkIS%2FyicocSt%2Fpu1gAcHBSudvsb3BgLfiT6jfRka9MVjten0CA8wycP1ImJjU9tM6jxkVbMWbSEtn3feETPPQ7xK%2Bc33esp3likhYg4ejP%2FWe0xT5dhE6oruSgZnR1Zod1A3s0EwVHm7kJy%2Fgx91x3GRQCkFjYIUVkWWyDiRqgV1qc8CXm87CucgVBkUUsTv4U%2BDjE8Fn40EPukq9mIeHhxsNi6ZyCtU%2FbkxVTR%2BPreIGFIlFF2h8RXRMuV05L7%2BVmykBejP0JdgQAErNbWGjbt1%2BlKZ1qYahsVsFQpmHTgV04ldParJYR4gmJVee2ql8mXP1nzxkaBi9MCZremknljrbyN%2Bx9f3WvWsYUPZHBBDnNSW2uzof0wxK6y0gY6mAG1g3dk2YAtYcvGTgbddmXUhiY4rjcit9uxF1q9cDk2e1J8C6VehrTo3yp0fYUGghenNaJhsd9oBDpxle7KqOgx%2BymffrQStpvWIs3oTPWklBNjrrX6nZDG440bw5DOEju%2BFQC5Tdzoh%2FBcR9w642E55Y6ZakQKB1syJre%2B%2ByC8r66FhPRBvOVqJ%2Ftw9biqA%2Bl2gXcUtlOhmQ%3D%3D&amp;Expires=1783407895\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a>At the heart of this campaign is a technique that turns helpful software into a delivery mechanism for spying tools. <\/p>\n<p class=\"wp-block-paragraph\">The attackers abuse SysAid, a remote monitoring and management platform, to push out a fake software update. That update quietly drops a legitimate looking file that loads hidden malicious code, a method known as DLL sideloading.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/c60ea6f6-c26b-4886-a6bb-9f7e66c0cf2d\/Cavern-Manticore-Abuses-SysAid-RMM-and-WinDirStat-DLL-Sideloading-to-Deploy-C2-Framework.pdf?AWSAccessKeyId=ASIA2F3EMEYE2W5HKXZP&amp;Signature=dAwVhoIaEV56BKefMfXcm%2FIOU3c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEJ%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIB93c8eART9XfmGj6tG31ghzVhAFPGXFMWn6aagFEj3zAiEA3YGkBvDDUFWbkI3mmYTO%2FcAwPLOZQqxEs0XiUJn%2BbCkq8wQIZxABGgw2OTk3NTMzMDk3MDUiDLTsZuG9%2B21OkcdObirQBFtJNLgARZlFcl5lD7bkjmzLkdLUzXh9ZhztXrdi7f2sHfph4lbGnyV5KwLq2hQUXgCcSp2ZhTO1Hy1e9QRV0HGZ7tvI%2FgWGMbcNFBRv%2BaCIZrkMlBKyqnALW%2Fz9gpNjijzTqX9MKc6XyNshNykRM7BFpqoB7Tdv3d5u3d28frTHwgXMKABusEDYav1CViyoZ3cfdIKS%2FcwxZc35WxClwx5Co4m6ulGOHIW9NzarE%2FopwHsdSzKQeh%2Ba%2F%2BqJ0%2FvwVzxnsHUWSsw7Oy4weBYaERPurIWMusSc5U%2FbXmI%2FSmfCexdnI5LkFcu6LylZknrBJAGH7F6FcGI1g0Zj%2BH%2B6jWFwGYtffVePQb2FjPMMKrFGKxAOTrQWLO1LQp2uWH2bgPRwtaOymm6803RWPObA5IYZAbAHeiBlFCkIS%2FyicocSt%2Fpu1gAcHBSudvsb3BgLfiT6jfRka9MVjten0CA8wycP1ImJjU9tM6jxkVbMWbSEtn3feETPPQ7xK%2Bc33esp3likhYg4ejP%2FWe0xT5dhE6oruSgZnR1Zod1A3s0EwVHm7kJy%2Fgx91x3GRQCkFjYIUVkWWyDiRqgV1qc8CXm87CucgVBkUUsTv4U%2BDjE8Fn40EPukq9mIeHhxsNi6ZyCtU%2FbkxVTR%2BPreIGFIlFF2h8RXRMuV05L7%2BVmykBejP0JdgQAErNbWGjbt1%2BlKZ1qYahsVsFQpmHTgV04ldParJYR4gmJVee2ql8mXP1nzxkaBi9MCZremknljrbyN%2Bx9f3WvWsYUPZHBBDnNSW2uzof0wxK6y0gY6mAG1g3dk2YAtYcvGTgbddmXUhiY4rjcit9uxF1q9cDk2e1J8C6VehrTo3yp0fYUGghenNaJhsd9oBDpxle7KqOgx%2BymffrQStpvWIs3oTPWklBNjrrX6nZDG440bw5DOEju%2BFQC5Tdzoh%2FBcR9w642E55Y6ZakQKB1syJre%2B%2ByC8r66FhPRBvOVqJ%2Ftw9biqA%2Bl2gXcUtlOhmQ%3D%3D&amp;Expires=1783407895\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Check Point researchers identified the campaign after digging into unusual activity tied to IT service providers in Israel. The group did not stop at one company. It moved from a compromised IT provider to a second organization before reaching its real target.<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/c60ea6f6-c26b-4886-a6bb-9f7e66c0cf2d\/Cavern-Manticore-Abuses-SysAid-RMM-and-WinDirStat-DLL-Sideloading-to-Deploy-C2-Framework.pdf?AWSAccessKeyId=ASIA2F3EMEYE2W5HKXZP&amp;Signature=dAwVhoIaEV56BKefMfXcm%2FIOU3c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEJ%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIB93c8eART9XfmGj6tG31ghzVhAFPGXFMWn6aagFEj3zAiEA3YGkBvDDUFWbkI3mmYTO%2FcAwPLOZQqxEs0XiUJn%2BbCkq8wQIZxABGgw2OTk3NTMzMDk3MDUiDLTsZuG9%2B21OkcdObirQBFtJNLgARZlFcl5lD7bkjmzLkdLUzXh9ZhztXrdi7f2sHfph4lbGnyV5KwLq2hQUXgCcSp2ZhTO1Hy1e9QRV0HGZ7tvI%2FgWGMbcNFBRv%2BaCIZrkMlBKyqnALW%2Fz9gpNjijzTqX9MKc6XyNshNykRM7BFpqoB7Tdv3d5u3d28frTHwgXMKABusEDYav1CViyoZ3cfdIKS%2FcwxZc35WxClwx5Co4m6ulGOHIW9NzarE%2FopwHsdSzKQeh%2Ba%2F%2BqJ0%2FvwVzxnsHUWSsw7Oy4weBYaERPurIWMusSc5U%2FbXmI%2FSmfCexdnI5LkFcu6LylZknrBJAGH7F6FcGI1g0Zj%2BH%2B6jWFwGYtffVePQb2FjPMMKrFGKxAOTrQWLO1LQp2uWH2bgPRwtaOymm6803RWPObA5IYZAbAHeiBlFCkIS%2FyicocSt%2Fpu1gAcHBSudvsb3BgLfiT6jfRka9MVjten0CA8wycP1ImJjU9tM6jxkVbMWbSEtn3feETPPQ7xK%2Bc33esp3likhYg4ejP%2FWe0xT5dhE6oruSgZnR1Zod1A3s0EwVHm7kJy%2Fgx91x3GRQCkFjYIUVkWWyDiRqgV1qc8CXm87CucgVBkUUsTv4U%2BDjE8Fn40EPukq9mIeHhxsNi6ZyCtU%2FbkxVTR%2BPreIGFIlFF2h8RXRMuV05L7%2BVmykBejP0JdgQAErNbWGjbt1%2BlKZ1qYahsVsFQpmHTgV04ldParJYR4gmJVee2ql8mXP1nzxkaBi9MCZremknljrbyN%2Bx9f3WvWsYUPZHBBDnNSW2uzof0wxK6y0gY6mAG1g3dk2YAtYcvGTgbddmXUhiY4rjcit9uxF1q9cDk2e1J8C6VehrTo3yp0fYUGghenNaJhsd9oBDpxle7KqOgx%2BymffrQStpvWIs3oTPWklBNjrrX6nZDG440bw5DOEju%2BFQC5Tdzoh%2FBcR9w642E55Y6ZakQKB1syJre%2B%2ByC8r66FhPRBvOVqJ%2Ftw9biqA%2Bl2gXcUtlOhmQ%3D%3D&amp;Expires=1783407895\"><\/a><\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/research.checkpoint.com\/2026\/cavern-manticore-exposing-iran-linked-modular-c2-framework\/\" id=\"https:\/\/research.checkpoint.com\/2026\/cavern-manticore-exposing-iran-linked-modular-c2-framework\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Check Point said in a report<\/a> shared with Cyber Security News (CSN) that the malware, called Cavern, is a modular framework, meaning its pieces can be swapped in and out depending on what the attackers want to do. <\/p>\n<p class=\"wp-block-paragraph\">Some parts handle basic communication, while others are built for stealing files, poking around databases, or scanning networks. This design lets the group tailor each attack without rebuilding everything.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/c60ea6f6-c26b-4886-a6bb-9f7e66c0cf2d\/Cavern-Manticore-Abuses-SysAid-RMM-and-WinDirStat-DLL-Sideloading-to-Deploy-C2-Framework.pdf?AWSAccessKeyId=ASIA2F3EMEYE2W5HKXZP&amp;Signature=dAwVhoIaEV56BKefMfXcm%2FIOU3c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEJ%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIB93c8eART9XfmGj6tG31ghzVhAFPGXFMWn6aagFEj3zAiEA3YGkBvDDUFWbkI3mmYTO%2FcAwPLOZQqxEs0XiUJn%2BbCkq8wQIZxABGgw2OTk3NTMzMDk3MDUiDLTsZuG9%2B21OkcdObirQBFtJNLgARZlFcl5lD7bkjmzLkdLUzXh9ZhztXrdi7f2sHfph4lbGnyV5KwLq2hQUXgCcSp2ZhTO1Hy1e9QRV0HGZ7tvI%2FgWGMbcNFBRv%2BaCIZrkMlBKyqnALW%2Fz9gpNjijzTqX9MKc6XyNshNykRM7BFpqoB7Tdv3d5u3d28frTHwgXMKABusEDYav1CViyoZ3cfdIKS%2FcwxZc35WxClwx5Co4m6ulGOHIW9NzarE%2FopwHsdSzKQeh%2Ba%2F%2BqJ0%2FvwVzxnsHUWSsw7Oy4weBYaERPurIWMusSc5U%2FbXmI%2FSmfCexdnI5LkFcu6LylZknrBJAGH7F6FcGI1g0Zj%2BH%2B6jWFwGYtffVePQb2FjPMMKrFGKxAOTrQWLO1LQp2uWH2bgPRwtaOymm6803RWPObA5IYZAbAHeiBlFCkIS%2FyicocSt%2Fpu1gAcHBSudvsb3BgLfiT6jfRka9MVjten0CA8wycP1ImJjU9tM6jxkVbMWbSEtn3feETPPQ7xK%2Bc33esp3likhYg4ejP%2FWe0xT5dhE6oruSgZnR1Zod1A3s0EwVHm7kJy%2Fgx91x3GRQCkFjYIUVkWWyDiRqgV1qc8CXm87CucgVBkUUsTv4U%2BDjE8Fn40EPukq9mIeHhxsNi6ZyCtU%2FbkxVTR%2BPreIGFIlFF2h8RXRMuV05L7%2BVmykBejP0JdgQAErNbWGjbt1%2BlKZ1qYahsVsFQpmHTgV04ldParJYR4gmJVee2ql8mXP1nzxkaBi9MCZremknljrbyN%2Bx9f3WvWsYUPZHBBDnNSW2uzof0wxK6y0gY6mAG1g3dk2YAtYcvGTgbddmXUhiY4rjcit9uxF1q9cDk2e1J8C6VehrTo3yp0fYUGghenNaJhsd9oBDpxle7KqOgx%2BymffrQStpvWIs3oTPWklBNjrrX6nZDG440bw5DOEju%2BFQC5Tdzoh%2FBcR9w642E55Y6ZakQKB1syJre%2B%2ByC8r66FhPRBvOVqJ%2Ftw9biqA%2Bl2gXcUtlOhmQ%3D%3D&amp;Expires=1783407895\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">What makes Cavern tricky to catch is its use of three different ways of compiling the same code. Each version needs a different toolset to analyze, slowing down defenders trying to figure out what the malware does. <\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/muddywater-hackers-abusing-rmm-tool-deliver-malware\/\" id=\"63234\" target=\"_blank\" rel=\"noreferrer noopener\">Combined with links to Iranian groups like MuddyWater<\/a> and Lyceum, this points to a patient, well resourced adversary.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/c60ea6f6-c26b-4886-a6bb-9f7e66c0cf2d\/Cavern-Manticore-Abuses-SysAid-RMM-and-WinDirStat-DLL-Sideloading-to-Deploy-C2-Framework.pdf?AWSAccessKeyId=ASIA2F3EMEYE2W5HKXZP&amp;Signature=dAwVhoIaEV56BKefMfXcm%2FIOU3c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEJ%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIB93c8eART9XfmGj6tG31ghzVhAFPGXFMWn6aagFEj3zAiEA3YGkBvDDUFWbkI3mmYTO%2FcAwPLOZQqxEs0XiUJn%2BbCkq8wQIZxABGgw2OTk3NTMzMDk3MDUiDLTsZuG9%2B21OkcdObirQBFtJNLgARZlFcl5lD7bkjmzLkdLUzXh9ZhztXrdi7f2sHfph4lbGnyV5KwLq2hQUXgCcSp2ZhTO1Hy1e9QRV0HGZ7tvI%2FgWGMbcNFBRv%2BaCIZrkMlBKyqnALW%2Fz9gpNjijzTqX9MKc6XyNshNykRM7BFpqoB7Tdv3d5u3d28frTHwgXMKABusEDYav1CViyoZ3cfdIKS%2FcwxZc35WxClwx5Co4m6ulGOHIW9NzarE%2FopwHsdSzKQeh%2Ba%2F%2BqJ0%2FvwVzxnsHUWSsw7Oy4weBYaERPurIWMusSc5U%2FbXmI%2FSmfCexdnI5LkFcu6LylZknrBJAGH7F6FcGI1g0Zj%2BH%2B6jWFwGYtffVePQb2FjPMMKrFGKxAOTrQWLO1LQp2uWH2bgPRwtaOymm6803RWPObA5IYZAbAHeiBlFCkIS%2FyicocSt%2Fpu1gAcHBSudvsb3BgLfiT6jfRka9MVjten0CA8wycP1ImJjU9tM6jxkVbMWbSEtn3feETPPQ7xK%2Bc33esp3likhYg4ejP%2FWe0xT5dhE6oruSgZnR1Zod1A3s0EwVHm7kJy%2Fgx91x3GRQCkFjYIUVkWWyDiRqgV1qc8CXm87CucgVBkUUsTv4U%2BDjE8Fn40EPukq9mIeHhxsNi6ZyCtU%2FbkxVTR%2BPreIGFIlFF2h8RXRMuV05L7%2BVmykBejP0JdgQAErNbWGjbt1%2BlKZ1qYahsVsFQpmHTgV04ldParJYR4gmJVee2ql8mXP1nzxkaBi9MCZremknljrbyN%2Bx9f3WvWsYUPZHBBDnNSW2uzof0wxK6y0gY6mAG1g3dk2YAtYcvGTgbddmXUhiY4rjcit9uxF1q9cDk2e1J8C6VehrTo3yp0fYUGghenNaJhsd9oBDpxle7KqOgx%2BymffrQStpvWIs3oTPWklBNjrrX6nZDG440bw5DOEju%2BFQC5Tdzoh%2FBcR9w642E55Y6ZakQKB1syJre%2B%2ByC8r66FhPRBvOVqJ%2Ftw9biqA%2Bl2gXcUtlOhmQ%3D%3D&amp;Expires=1783407895\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-cavern-manticore-abuses-sysaid-rmm-and-windirstat-dll-sideloading\" class=\"wp-block-heading\"><strong>Cavern Manticore Abuses SysAid RMM and WinDirStat DLL Sideloading<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The infection begins when Cavern Manticore abuses the software update feature inside SysAid to deliver a bundle of files tied to WinDirStat, a legitimate disk usage tool.<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/c60ea6f6-c26b-4886-a6bb-9f7e66c0cf2d\/Cavern-Manticore-Abuses-SysAid-RMM-and-WinDirStat-DLL-Sideloading-to-Deploy-C2-Framework.pdf?AWSAccessKeyId=ASIA2F3EMEYE2W5HKXZP&amp;Signature=dAwVhoIaEV56BKefMfXcm%2FIOU3c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEJ%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIB93c8eART9XfmGj6tG31ghzVhAFPGXFMWn6aagFEj3zAiEA3YGkBvDDUFWbkI3mmYTO%2FcAwPLOZQqxEs0XiUJn%2BbCkq8wQIZxABGgw2OTk3NTMzMDk3MDUiDLTsZuG9%2B21OkcdObirQBFtJNLgARZlFcl5lD7bkjmzLkdLUzXh9ZhztXrdi7f2sHfph4lbGnyV5KwLq2hQUXgCcSp2ZhTO1Hy1e9QRV0HGZ7tvI%2FgWGMbcNFBRv%2BaCIZrkMlBKyqnALW%2Fz9gpNjijzTqX9MKc6XyNshNykRM7BFpqoB7Tdv3d5u3d28frTHwgXMKABusEDYav1CViyoZ3cfdIKS%2FcwxZc35WxClwx5Co4m6ulGOHIW9NzarE%2FopwHsdSzKQeh%2Ba%2F%2BqJ0%2FvwVzxnsHUWSsw7Oy4weBYaERPurIWMusSc5U%2FbXmI%2FSmfCexdnI5LkFcu6LylZknrBJAGH7F6FcGI1g0Zj%2BH%2B6jWFwGYtffVePQb2FjPMMKrFGKxAOTrQWLO1LQp2uWH2bgPRwtaOymm6803RWPObA5IYZAbAHeiBlFCkIS%2FyicocSt%2Fpu1gAcHBSudvsb3BgLfiT6jfRka9MVjten0CA8wycP1ImJjU9tM6jxkVbMWbSEtn3feETPPQ7xK%2Bc33esp3likhYg4ejP%2FWe0xT5dhE6oruSgZnR1Zod1A3s0EwVHm7kJy%2Fgx91x3GRQCkFjYIUVkWWyDiRqgV1qc8CXm87CucgVBkUUsTv4U%2BDjE8Fn40EPukq9mIeHhxsNi6ZyCtU%2FbkxVTR%2BPreIGFIlFF2h8RXRMuV05L7%2BVmykBejP0JdgQAErNbWGjbt1%2BlKZ1qYahsVsFQpmHTgV04ldParJYR4gmJVee2ql8mXP1nzxkaBi9MCZremknljrbyN%2Bx9f3WvWsYUPZHBBDnNSW2uzof0wxK6y0gY6mAG1g3dk2YAtYcvGTgbddmXUhiY4rjcit9uxF1q9cDk2e1J8C6VehrTo3yp0fYUGghenNaJhsd9oBDpxle7KqOgx%2BymffrQStpvWIs3oTPWklBNjrrX6nZDG440bw5DOEju%2BFQC5Tdzoh%2FBcR9w642E55Y6ZakQKB1syJre%2B%2ByC8r66FhPRBvOVqJ%2Ftw9biqA%2Bl2gXcUtlOhmQ%3D%3D&amp;Expires=1783407895\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">When the real WinDirStat program runs, it unknowingly loads a fake version of a Windows file called uxtheme.dll, which is actually the Cavern backdoor in disguise. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEihvD3U6DGYEB7qV7rPsPEaYSefVzoJMets0qXdQqfvo2x0YKX0XtPidqIm78ewdrlPsObavawkqmYA4-9r1FDUHakZOXu7IU6ES2VjBJwOyWe_-NfeHciYydwHERKJbXRSK7jTu6YxoqENBEzfewYX-n10yg_GGunnpUcBOfI7iv7mjf_8kbau4VpOuYs\/s1600\/Cavern%2520Agent%2520Execution%2520Chain%2520%28Source%2520-%2520Check%2520Point%29.webp?ssl=1\" alt=\"Cavern Agent Execution Chain (Source - Check Point)\"><figcaption class=\"wp-element-caption\">Cavern Agent Execution Chain (Source \u2013 Check Point)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">Once active, this backdoor reaches out to a separate file that handles network traffic, encrypting communications so they are harder to spot. <\/p>\n<p class=\"wp-block-paragraph\">It then pulls down extra modules on demand, giving attackers tools to browse files, query databases, search directories, or tunnel deeper into the network.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/c60ea6f6-c26b-4886-a6bb-9f7e66c0cf2d\/Cavern-Manticore-Abuses-SysAid-RMM-and-WinDirStat-DLL-Sideloading-to-Deploy-C2-Framework.pdf?AWSAccessKeyId=ASIA2F3EMEYE2W5HKXZP&amp;Signature=dAwVhoIaEV56BKefMfXcm%2FIOU3c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEJ%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIB93c8eART9XfmGj6tG31ghzVhAFPGXFMWn6aagFEj3zAiEA3YGkBvDDUFWbkI3mmYTO%2FcAwPLOZQqxEs0XiUJn%2BbCkq8wQIZxABGgw2OTk3NTMzMDk3MDUiDLTsZuG9%2B21OkcdObirQBFtJNLgARZlFcl5lD7bkjmzLkdLUzXh9ZhztXrdi7f2sHfph4lbGnyV5KwLq2hQUXgCcSp2ZhTO1Hy1e9QRV0HGZ7tvI%2FgWGMbcNFBRv%2BaCIZrkMlBKyqnALW%2Fz9gpNjijzTqX9MKc6XyNshNykRM7BFpqoB7Tdv3d5u3d28frTHwgXMKABusEDYav1CViyoZ3cfdIKS%2FcwxZc35WxClwx5Co4m6ulGOHIW9NzarE%2FopwHsdSzKQeh%2Ba%2F%2BqJ0%2FvwVzxnsHUWSsw7Oy4weBYaERPurIWMusSc5U%2FbXmI%2FSmfCexdnI5LkFcu6LylZknrBJAGH7F6FcGI1g0Zj%2BH%2B6jWFwGYtffVePQb2FjPMMKrFGKxAOTrQWLO1LQp2uWH2bgPRwtaOymm6803RWPObA5IYZAbAHeiBlFCkIS%2FyicocSt%2Fpu1gAcHBSudvsb3BgLfiT6jfRka9MVjten0CA8wycP1ImJjU9tM6jxkVbMWbSEtn3feETPPQ7xK%2Bc33esp3likhYg4ejP%2FWe0xT5dhE6oruSgZnR1Zod1A3s0EwVHm7kJy%2Fgx91x3GRQCkFjYIUVkWWyDiRqgV1qc8CXm87CucgVBkUUsTv4U%2BDjE8Fn40EPukq9mIeHhxsNi6ZyCtU%2FbkxVTR%2BPreIGFIlFF2h8RXRMuV05L7%2BVmykBejP0JdgQAErNbWGjbt1%2BlKZ1qYahsVsFQpmHTgV04ldParJYR4gmJVee2ql8mXP1nzxkaBi9MCZremknljrbyN%2Bx9f3WvWsYUPZHBBDnNSW2uzof0wxK6y0gY6mAG1g3dk2YAtYcvGTgbddmXUhiY4rjcit9uxF1q9cDk2e1J8C6VehrTo3yp0fYUGghenNaJhsd9oBDpxle7KqOgx%2BymffrQStpvWIs3oTPWklBNjrrX6nZDG440bw5DOEju%2BFQC5Tdzoh%2FBcR9w642E55Y6ZakQKB1syJre%2B%2ByC8r66FhPRBvOVqJ%2Ftw9biqA%2Bl2gXcUtlOhmQ%3D%3D&amp;Expires=1783407895\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Each module runs in an isolated space and is removed from memory once finished, making it harder for investigators to find evidence later. The malware also cleans up after itself, deleting most files in its working folder except what it needs to keep running.<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/c60ea6f6-c26b-4886-a6bb-9f7e66c0cf2d\/Cavern-Manticore-Abuses-SysAid-RMM-and-WinDirStat-DLL-Sideloading-to-Deploy-C2-Framework.pdf?AWSAccessKeyId=ASIA2F3EMEYE2W5HKXZP&amp;Signature=dAwVhoIaEV56BKefMfXcm%2FIOU3c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEJ%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIB93c8eART9XfmGj6tG31ghzVhAFPGXFMWn6aagFEj3zAiEA3YGkBvDDUFWbkI3mmYTO%2FcAwPLOZQqxEs0XiUJn%2BbCkq8wQIZxABGgw2OTk3NTMzMDk3MDUiDLTsZuG9%2B21OkcdObirQBFtJNLgARZlFcl5lD7bkjmzLkdLUzXh9ZhztXrdi7f2sHfph4lbGnyV5KwLq2hQUXgCcSp2ZhTO1Hy1e9QRV0HGZ7tvI%2FgWGMbcNFBRv%2BaCIZrkMlBKyqnALW%2Fz9gpNjijzTqX9MKc6XyNshNykRM7BFpqoB7Tdv3d5u3d28frTHwgXMKABusEDYav1CViyoZ3cfdIKS%2FcwxZc35WxClwx5Co4m6ulGOHIW9NzarE%2FopwHsdSzKQeh%2Ba%2F%2BqJ0%2FvwVzxnsHUWSsw7Oy4weBYaERPurIWMusSc5U%2FbXmI%2FSmfCexdnI5LkFcu6LylZknrBJAGH7F6FcGI1g0Zj%2BH%2B6jWFwGYtffVePQb2FjPMMKrFGKxAOTrQWLO1LQp2uWH2bgPRwtaOymm6803RWPObA5IYZAbAHeiBlFCkIS%2FyicocSt%2Fpu1gAcHBSudvsb3BgLfiT6jfRka9MVjten0CA8wycP1ImJjU9tM6jxkVbMWbSEtn3feETPPQ7xK%2Bc33esp3likhYg4ejP%2FWe0xT5dhE6oruSgZnR1Zod1A3s0EwVHm7kJy%2Fgx91x3GRQCkFjYIUVkWWyDiRqgV1qc8CXm87CucgVBkUUsTv4U%2BDjE8Fn40EPukq9mIeHhxsNi6ZyCtU%2FbkxVTR%2BPreIGFIlFF2h8RXRMuV05L7%2BVmykBejP0JdgQAErNbWGjbt1%2BlKZ1qYahsVsFQpmHTgV04ldParJYR4gmJVee2ql8mXP1nzxkaBi9MCZremknljrbyN%2Bx9f3WvWsYUPZHBBDnNSW2uzof0wxK6y0gY6mAG1g3dk2YAtYcvGTgbddmXUhiY4rjcit9uxF1q9cDk2e1J8C6VehrTo3yp0fYUGghenNaJhsd9oBDpxle7KqOgx%2BymffrQStpvWIs3oTPWklBNjrrX6nZDG440bw5DOEju%2BFQC5Tdzoh%2FBcR9w642E55Y6ZakQKB1syJre%2B%2ByC8r66FhPRBvOVqJ%2Ftw9biqA%2Bl2gXcUtlOhmQ%3D%3D&amp;Expires=1783407895\"><\/a><\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/residentbat-android-malware\/\" id=\"143782\" target=\"_blank\" rel=\"noreferrer noopener\">This housekeeping is a deliberate anti-forensics step<\/a>, aimed at frustrating anyone trying to piece together what happened after the fact.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/c60ea6f6-c26b-4886-a6bb-9f7e66c0cf2d\/Cavern-Manticore-Abuses-SysAid-RMM-and-WinDirStat-DLL-Sideloading-to-Deploy-C2-Framework.pdf?AWSAccessKeyId=ASIA2F3EMEYE2W5HKXZP&amp;Signature=dAwVhoIaEV56BKefMfXcm%2FIOU3c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEJ%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIB93c8eART9XfmGj6tG31ghzVhAFPGXFMWn6aagFEj3zAiEA3YGkBvDDUFWbkI3mmYTO%2FcAwPLOZQqxEs0XiUJn%2BbCkq8wQIZxABGgw2OTk3NTMzMDk3MDUiDLTsZuG9%2B21OkcdObirQBFtJNLgARZlFcl5lD7bkjmzLkdLUzXh9ZhztXrdi7f2sHfph4lbGnyV5KwLq2hQUXgCcSp2ZhTO1Hy1e9QRV0HGZ7tvI%2FgWGMbcNFBRv%2BaCIZrkMlBKyqnALW%2Fz9gpNjijzTqX9MKc6XyNshNykRM7BFpqoB7Tdv3d5u3d28frTHwgXMKABusEDYav1CViyoZ3cfdIKS%2FcwxZc35WxClwx5Co4m6ulGOHIW9NzarE%2FopwHsdSzKQeh%2Ba%2F%2BqJ0%2FvwVzxnsHUWSsw7Oy4weBYaERPurIWMusSc5U%2FbXmI%2FSmfCexdnI5LkFcu6LylZknrBJAGH7F6FcGI1g0Zj%2BH%2B6jWFwGYtffVePQb2FjPMMKrFGKxAOTrQWLO1LQp2uWH2bgPRwtaOymm6803RWPObA5IYZAbAHeiBlFCkIS%2FyicocSt%2Fpu1gAcHBSudvsb3BgLfiT6jfRka9MVjten0CA8wycP1ImJjU9tM6jxkVbMWbSEtn3feETPPQ7xK%2Bc33esp3likhYg4ejP%2FWe0xT5dhE6oruSgZnR1Zod1A3s0EwVHm7kJy%2Fgx91x3GRQCkFjYIUVkWWyDiRqgV1qc8CXm87CucgVBkUUsTv4U%2BDjE8Fn40EPukq9mIeHhxsNi6ZyCtU%2FbkxVTR%2BPreIGFIlFF2h8RXRMuV05L7%2BVmykBejP0JdgQAErNbWGjbt1%2BlKZ1qYahsVsFQpmHTgV04ldParJYR4gmJVee2ql8mXP1nzxkaBi9MCZremknljrbyN%2Bx9f3WvWsYUPZHBBDnNSW2uzof0wxK6y0gY6mAG1g3dk2YAtYcvGTgbddmXUhiY4rjcit9uxF1q9cDk2e1J8C6VehrTo3yp0fYUGghenNaJhsd9oBDpxle7KqOgx%2BymffrQStpvWIs3oTPWklBNjrrX6nZDG440bw5DOEju%2BFQC5Tdzoh%2FBcR9w642E55Y6ZakQKB1syJre%2B%2ByC8r66FhPRBvOVqJ%2Ftw9biqA%2Bl2gXcUtlOhmQ%3D%3D&amp;Expires=1783407895\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-who-cavern-manticore-is-targeting\" class=\"wp-block-heading\"><strong>Who Cavern Manticore Is Targeting<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">Cavern Manticore appears focused on Israeli organizations, especially those in government and IT services. <\/p>\n<p class=\"wp-block-paragraph\">The interest in IT providers is not accidental, since these companies often have trusted access into other businesses, making them an ideal stepping stone toward harder targets. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjKXWMhemc3zwlLh3LyJJgb2WksGzMamhINNmbeaY3E1dYwa5Yg9lZp4AivCZfIYQQHrv9YKbuC5N7_TtXuVo8BflKG7YuSbqg9DzlzZ4hY7oGZI5SMQ6sxKzdmiMMNqOZC0uhQHfcQPvkvPlXx2vzMwk9UbBSxFZ2-SR3VZfTYGhrZXl3V1LzkDEgigzU\/s1600\/Cavern%2520Modules%2520Evade%2520Malware%2520Engines%2520%28Source%2520-%2520Check%2520Point%29.webp?ssl=1\" alt=\"Cavern Modules Evade Malware Engines (Source - Check Point)\"><figcaption class=\"wp-element-caption\">Cavern Modules Evade Malware Engines (Source \u2013 Check Point)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">Investigators traced the infrastructure to a domain registered through an Iranian hosting provider, adding weight to the assessment that this is state linked activity. <\/p>\n<p class=\"wp-block-paragraph\">Overlaps with techniques used by MuddyWater and Lyceum, both tied to Iran\u2019s intelligence services, support that connection.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/c60ea6f6-c26b-4886-a6bb-9f7e66c0cf2d\/Cavern-Manticore-Abuses-SysAid-RMM-and-WinDirStat-DLL-Sideloading-to-Deploy-C2-Framework.pdf?AWSAccessKeyId=ASIA2F3EMEYE2W5HKXZP&amp;Signature=dAwVhoIaEV56BKefMfXcm%2FIOU3c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEJ%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIB93c8eART9XfmGj6tG31ghzVhAFPGXFMWn6aagFEj3zAiEA3YGkBvDDUFWbkI3mmYTO%2FcAwPLOZQqxEs0XiUJn%2BbCkq8wQIZxABGgw2OTk3NTMzMDk3MDUiDLTsZuG9%2B21OkcdObirQBFtJNLgARZlFcl5lD7bkjmzLkdLUzXh9ZhztXrdi7f2sHfph4lbGnyV5KwLq2hQUXgCcSp2ZhTO1Hy1e9QRV0HGZ7tvI%2FgWGMbcNFBRv%2BaCIZrkMlBKyqnALW%2Fz9gpNjijzTqX9MKc6XyNshNykRM7BFpqoB7Tdv3d5u3d28frTHwgXMKABusEDYav1CViyoZ3cfdIKS%2FcwxZc35WxClwx5Co4m6ulGOHIW9NzarE%2FopwHsdSzKQeh%2Ba%2F%2BqJ0%2FvwVzxnsHUWSsw7Oy4weBYaERPurIWMusSc5U%2FbXmI%2FSmfCexdnI5LkFcu6LylZknrBJAGH7F6FcGI1g0Zj%2BH%2B6jWFwGYtffVePQb2FjPMMKrFGKxAOTrQWLO1LQp2uWH2bgPRwtaOymm6803RWPObA5IYZAbAHeiBlFCkIS%2FyicocSt%2Fpu1gAcHBSudvsb3BgLfiT6jfRka9MVjten0CA8wycP1ImJjU9tM6jxkVbMWbSEtn3feETPPQ7xK%2Bc33esp3likhYg4ejP%2FWe0xT5dhE6oruSgZnR1Zod1A3s0EwVHm7kJy%2Fgx91x3GRQCkFjYIUVkWWyDiRqgV1qc8CXm87CucgVBkUUsTv4U%2BDjE8Fn40EPukq9mIeHhxsNi6ZyCtU%2FbkxVTR%2BPreIGFIlFF2h8RXRMuV05L7%2BVmykBejP0JdgQAErNbWGjbt1%2BlKZ1qYahsVsFQpmHTgV04ldParJYR4gmJVee2ql8mXP1nzxkaBi9MCZremknljrbyN%2Bx9f3WvWsYUPZHBBDnNSW2uzof0wxK6y0gY6mAG1g3dk2YAtYcvGTgbddmXUhiY4rjcit9uxF1q9cDk2e1J8C6VehrTo3yp0fYUGghenNaJhsd9oBDpxle7KqOgx%2BymffrQStpvWIs3oTPWklBNjrrX6nZDG440bw5DOEju%2BFQC5Tdzoh%2FBcR9w642E55Y6ZakQKB1syJre%2B%2ByC8r66FhPRBvOVqJ%2Ftw9biqA%2Bl2gXcUtlOhmQ%3D%3D&amp;Expires=1783407895\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The organizations should watch how their remote management tools are used, since attackers increasingly hide inside trusted administrative channels instead of breaking in through obvious weak points.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/c60ea6f6-c26b-4886-a6bb-9f7e66c0cf2d\/Cavern-Manticore-Abuses-SysAid-RMM-and-WinDirStat-DLL-Sideloading-to-Deploy-C2-Framework.pdf?AWSAccessKeyId=ASIA2F3EMEYE2W5HKXZP&amp;Signature=dAwVhoIaEV56BKefMfXcm%2FIOU3c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEJ%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIB93c8eART9XfmGj6tG31ghzVhAFPGXFMWn6aagFEj3zAiEA3YGkBvDDUFWbkI3mmYTO%2FcAwPLOZQqxEs0XiUJn%2BbCkq8wQIZxABGgw2OTk3NTMzMDk3MDUiDLTsZuG9%2B21OkcdObirQBFtJNLgARZlFcl5lD7bkjmzLkdLUzXh9ZhztXrdi7f2sHfph4lbGnyV5KwLq2hQUXgCcSp2ZhTO1Hy1e9QRV0HGZ7tvI%2FgWGMbcNFBRv%2BaCIZrkMlBKyqnALW%2Fz9gpNjijzTqX9MKc6XyNshNykRM7BFpqoB7Tdv3d5u3d28frTHwgXMKABusEDYav1CViyoZ3cfdIKS%2FcwxZc35WxClwx5Co4m6ulGOHIW9NzarE%2FopwHsdSzKQeh%2Ba%2F%2BqJ0%2FvwVzxnsHUWSsw7Oy4weBYaERPurIWMusSc5U%2FbXmI%2FSmfCexdnI5LkFcu6LylZknrBJAGH7F6FcGI1g0Zj%2BH%2B6jWFwGYtffVePQb2FjPMMKrFGKxAOTrQWLO1LQp2uWH2bgPRwtaOymm6803RWPObA5IYZAbAHeiBlFCkIS%2FyicocSt%2Fpu1gAcHBSudvsb3BgLfiT6jfRka9MVjten0CA8wycP1ImJjU9tM6jxkVbMWbSEtn3feETPPQ7xK%2Bc33esp3likhYg4ejP%2FWe0xT5dhE6oruSgZnR1Zod1A3s0EwVHm7kJy%2Fgx91x3GRQCkFjYIUVkWWyDiRqgV1qc8CXm87CucgVBkUUsTv4U%2BDjE8Fn40EPukq9mIeHhxsNi6ZyCtU%2FbkxVTR%2BPreIGFIlFF2h8RXRMuV05L7%2BVmykBejP0JdgQAErNbWGjbt1%2BlKZ1qYahsVsFQpmHTgV04ldParJYR4gmJVee2ql8mXP1nzxkaBi9MCZremknljrbyN%2Bx9f3WvWsYUPZHBBDnNSW2uzof0wxK6y0gY6mAG1g3dk2YAtYcvGTgbddmXUhiY4rjcit9uxF1q9cDk2e1J8C6VehrTo3yp0fYUGghenNaJhsd9oBDpxle7KqOgx%2BymffrQStpvWIs3oTPWklBNjrrX6nZDG440bw5DOEju%2BFQC5Tdzoh%2FBcR9w642E55Y6ZakQKB1syJre%2B%2ByC8r66FhPRBvOVqJ%2Ftw9biqA%2Bl2gXcUtlOhmQ%3D%3D&amp;Expires=1783407895\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Security teams are urged to review logs and file activity involving uxtheme.dll, since that file name is a known target for sideloading abuse. <\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/hackers-abuse-legitimate-ninjaone-rmm-software\/\" id=\"152661\" target=\"_blank\" rel=\"noreferrer noopener\">Limiting remote sessions, tightening access to RMM software<\/a>, and watching for unusual DLL placement can help catch this activity early.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/c60ea6f6-c26b-4886-a6bb-9f7e66c0cf2d\/Cavern-Manticore-Abuses-SysAid-RMM-and-WinDirStat-DLL-Sideloading-to-Deploy-C2-Framework.pdf?AWSAccessKeyId=ASIA2F3EMEYE2W5HKXZP&amp;Signature=dAwVhoIaEV56BKefMfXcm%2FIOU3c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEJ%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIB93c8eART9XfmGj6tG31ghzVhAFPGXFMWn6aagFEj3zAiEA3YGkBvDDUFWbkI3mmYTO%2FcAwPLOZQqxEs0XiUJn%2BbCkq8wQIZxABGgw2OTk3NTMzMDk3MDUiDLTsZuG9%2B21OkcdObirQBFtJNLgARZlFcl5lD7bkjmzLkdLUzXh9ZhztXrdi7f2sHfph4lbGnyV5KwLq2hQUXgCcSp2ZhTO1Hy1e9QRV0HGZ7tvI%2FgWGMbcNFBRv%2BaCIZrkMlBKyqnALW%2Fz9gpNjijzTqX9MKc6XyNshNykRM7BFpqoB7Tdv3d5u3d28frTHwgXMKABusEDYav1CViyoZ3cfdIKS%2FcwxZc35WxClwx5Co4m6ulGOHIW9NzarE%2FopwHsdSzKQeh%2Ba%2F%2BqJ0%2FvwVzxnsHUWSsw7Oy4weBYaERPurIWMusSc5U%2FbXmI%2FSmfCexdnI5LkFcu6LylZknrBJAGH7F6FcGI1g0Zj%2BH%2B6jWFwGYtffVePQb2FjPMMKrFGKxAOTrQWLO1LQp2uWH2bgPRwtaOymm6803RWPObA5IYZAbAHeiBlFCkIS%2FyicocSt%2Fpu1gAcHBSudvsb3BgLfiT6jfRka9MVjten0CA8wycP1ImJjU9tM6jxkVbMWbSEtn3feETPPQ7xK%2Bc33esp3likhYg4ejP%2FWe0xT5dhE6oruSgZnR1Zod1A3s0EwVHm7kJy%2Fgx91x3GRQCkFjYIUVkWWyDiRqgV1qc8CXm87CucgVBkUUsTv4U%2BDjE8Fn40EPukq9mIeHhxsNi6ZyCtU%2FbkxVTR%2BPreIGFIlFF2h8RXRMuV05L7%2BVmykBejP0JdgQAErNbWGjbt1%2BlKZ1qYahsVsFQpmHTgV04ldParJYR4gmJVee2ql8mXP1nzxkaBi9MCZremknljrbyN%2Bx9f3WvWsYUPZHBBDnNSW2uzof0wxK6y0gY6mAG1g3dk2YAtYcvGTgbddmXUhiY4rjcit9uxF1q9cDk2e1J8C6VehrTo3yp0fYUGghenNaJhsd9oBDpxle7KqOgx%2BymffrQStpvWIs3oTPWklBNjrrX6nZDG440bw5DOEju%2BFQC5Tdzoh%2FBcR9w642E55Y6ZakQKB1syJre%2B%2ByC8r66FhPRBvOVqJ%2Ftw9biqA%2Bl2gXcUtlOhmQ%3D%3D&amp;Expires=1783407895\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Because the malware behaves differently across builds, defenders are encouraged to focus on behavior patterns and infrastructure clues rather than fixed indicators.<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/c60ea6f6-c26b-4886-a6bb-9f7e66c0cf2d\/Cavern-Manticore-Abuses-SysAid-RMM-and-WinDirStat-DLL-Sideloading-to-Deploy-C2-Framework.pdf?AWSAccessKeyId=ASIA2F3EMEYE2W5HKXZP&amp;Signature=dAwVhoIaEV56BKefMfXcm%2FIOU3c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEJ%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIB93c8eART9XfmGj6tG31ghzVhAFPGXFMWn6aagFEj3zAiEA3YGkBvDDUFWbkI3mmYTO%2FcAwPLOZQqxEs0XiUJn%2BbCkq8wQIZxABGgw2OTk3NTMzMDk3MDUiDLTsZuG9%2B21OkcdObirQBFtJNLgARZlFcl5lD7bkjmzLkdLUzXh9ZhztXrdi7f2sHfph4lbGnyV5KwLq2hQUXgCcSp2ZhTO1Hy1e9QRV0HGZ7tvI%2FgWGMbcNFBRv%2BaCIZrkMlBKyqnALW%2Fz9gpNjijzTqX9MKc6XyNshNykRM7BFpqoB7Tdv3d5u3d28frTHwgXMKABusEDYav1CViyoZ3cfdIKS%2FcwxZc35WxClwx5Co4m6ulGOHIW9NzarE%2FopwHsdSzKQeh%2Ba%2F%2BqJ0%2FvwVzxnsHUWSsw7Oy4weBYaERPurIWMusSc5U%2FbXmI%2FSmfCexdnI5LkFcu6LylZknrBJAGH7F6FcGI1g0Zj%2BH%2B6jWFwGYtffVePQb2FjPMMKrFGKxAOTrQWLO1LQp2uWH2bgPRwtaOymm6803RWPObA5IYZAbAHeiBlFCkIS%2FyicocSt%2Fpu1gAcHBSudvsb3BgLfiT6jfRka9MVjten0CA8wycP1ImJjU9tM6jxkVbMWbSEtn3feETPPQ7xK%2Bc33esp3likhYg4ejP%2FWe0xT5dhE6oruSgZnR1Zod1A3s0EwVHm7kJy%2Fgx91x3GRQCkFjYIUVkWWyDiRqgV1qc8CXm87CucgVBkUUsTv4U%2BDjE8Fn40EPukq9mIeHhxsNi6ZyCtU%2FbkxVTR%2BPreIGFIlFF2h8RXRMuV05L7%2BVmykBejP0JdgQAErNbWGjbt1%2BlKZ1qYahsVsFQpmHTgV04ldParJYR4gmJVee2ql8mXP1nzxkaBi9MCZremknljrbyN%2Bx9f3WvWsYUPZHBBDnNSW2uzof0wxK6y0gY6mAG1g3dk2YAtYcvGTgbddmXUhiY4rjcit9uxF1q9cDk2e1J8C6VehrTo3yp0fYUGghenNaJhsd9oBDpxle7KqOgx%2BymffrQStpvWIs3oTPWklBNjrrX6nZDG440bw5DOEju%2BFQC5Tdzoh%2FBcR9w642E55Y6ZakQKB1syJre%2B%2ByC8r66FhPRBvOVqJ%2Ftw9biqA%2Bl2gXcUtlOhmQ%3D%3D&amp;Expires=1783407895\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">This case is a reminder that trusted software can become a weapon when attackers get creative. Cavern Manticore\u2019s methodical approach, from supply chain hopping to custom evasion tricks, shows patience organizations cannot ignore.<\/p>\n<p class=\"wp-block-paragraph\" id=\"h-indicators-of-compromise-iocs\"><strong>Indicators of Compromise (IoCs):-<\/strong><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>SHA-256<\/td>\n<td>37e123bd7998af4eae32718ce254776f36365a80ba56952593dab46f536d406<\/td>\n<td>uxtheme.dll (build 02) \u2014 Cavern Agent<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>92cae0ad7f98f51a14bcc0ee05e372ebdc29ea96ea7bd161bd3f55198767603<\/td>\n<td>uxtheme.dll (build 04) \u2014 Cavern Agent<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>5dc08bda6919a57a85e5f38b857985fa71529ca39c8299868d5a49a987e19b1<\/td>\n<td>uxtheme.dll (oldest build) \u2014 Cavern Agent<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>a4aa217def4c38f4ecacdf47b1cd687f60cc74c18ab75195be3c4357a790bf4<\/td>\n<td>n-HTCommp.dll \u2014 Communication module<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>b630c96d3763182533d4fb9b614134382bd644cb02c6c1c3ade848b6ecc31e8<\/td>\n<td>n-HTCommp.dll \u2014 Communication module<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>8e9425c0b46eeb516610ae913d13f2b3f44a023043cb099277031d4ec38a613<\/td>\n<td>mhm.dll \u2014 File manager module<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>0a3663648a46771a5a5423ad01e91a4e7ba825595e99fa934cb35cbb4848adc<\/td>\n<td>mhm.dll (older variant) \u2014 File manager module<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>5394d3b220de4695f731647e3a70545f951a8912ceb0c6585efab8d6842e8b4<\/td>\n<td>db.dll \u2014 SQL browser module<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>30cb4679c4b8599eeb3d63a551716475c6332bdc4d4b4e3de0964aadb3092a1<\/td>\n<td>ode.dll \u2014 LDAP\/Directory module<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>2cb1ad3b22db8e3666ea138fee88034a87a87cf43db3d3265a675ebf221379b<\/td>\n<td>n-ten.dll \u2014 Network reconnaissance module<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>7d586fb7f94182a8e2a0e53c7e4deb898066da029da5cd9972a94a59ca6d255<\/td>\n<td>n-sws.dll \u2014 SOCKS5\/WebSocket tunnel module<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>541b1f417b9e42078c3355693a8a492b6a76048850f6549a429e0be99e6819c<\/td>\n<td>Older Cav3rn-era, non-modular agent sample<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>bcbc9485db715e1b8cc384fe94b4cceadca4006cda8a5e28adc8848529cfafc<\/td>\n<td>Older Cav3rn-era, non-modular agent sample<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>bccf218189c3aadb1c761da14bfda3bae686769031e1e1b10007648bd72e347<\/td>\n<td>Older CAV3RNHttpModule sample<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>hospitalinstallation.com<\/td>\n<td>Parent domain used for C2 infrastructure<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>auth.hospitalinstallation.com<\/td>\n<td>C2 domain used by older Cavern agent builds<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>google.com.hospitalinstallation.com<\/td>\n<td>C2 domain used by newer Cavern agent builds<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>adserviceupdate.com<\/td>\n<td>C2 domain invoked by older Cav3rn HTTP module<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>hygienehistory.com<\/td>\n<td>C2 domain invoked by older Cav3rn HTTP module<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td>https:\/\/adserviceupdate.com\/cac.aspx<\/td>\n<td>Operator deployed ASP.NET C2 handler<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td>https:\/\/hygienehistory.com\/cac.aspx<\/td>\n<td>Operator deployed ASP.NET C2 handler<\/td>\n<\/tr>\n<tr>\n<td>File\/Artifact<\/td>\n<td>uxtheme.dll<\/td>\n<td>Trojanized DLL sideloaded via WinDirStat.exe<\/td>\n<\/tr>\n<tr>\n<td>File\/Artifact<\/td>\n<td>n-HTCommp.dll<\/td>\n<td>Native communication module used for C2 traffic<\/td>\n<\/tr>\n<tr>\n<td>File\/Artifact<\/td>\n<td>config.txt<\/td>\n<td>Agent configuration file (keys: i, xd, int)<\/td>\n<\/tr>\n<tr>\n<td>File\/Artifact<\/td>\n<td>Cvn.cfg \/ Cvn.cfg.A \/ Cvn.cfg.U<\/td>\n<td>Legacy alive-time configuration files<\/td>\n<\/tr>\n<tr>\n<td>File\/Artifact<\/td>\n<td>.CvnC.png \/ .CvnA.png \/ .CvnR.png<\/td>\n<td>Steganographic command, API, and result files (older Cav3rn variant)<\/td>\n<\/tr>\n<tr>\n<td>File\/Artifact<\/td>\n<td>cac.aspx<\/td>\n<td>Operator-deployed ASP.NET handler path<\/td>\n<\/tr>\n<tr>\n<td>Directory<\/td>\n<td>inpt \/ outpt<\/td>\n<td>Command and result drop directories used by older Cav3rn agent<\/td>\n<\/tr>\n<tr>\n<td>Mutex<\/td>\n<td>MYMUTEX123HELLP, MYMUTEX123HELLP02, MYMUTEX123HELLP04<\/td>\n<td>Mutex names used across Cavern agent builds<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 91%,rgb(169,184,195) 100%)\"><strong><strong>Prevent critical incidents and financial loss with stronger proactive defense. <\/strong><a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=feeds+landing&amp;utm_content=ti+feeds+sales&amp;utm_term=070726#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Integrate a live threat feed from 15K SOC Teams<\/a><\/strong>.<\/p>\n<p class=\"wp-block-paragraph\">\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/cavern-manticore-abuses-sysaid-rmm-and-windirstat-dll-sideloading\/\">Cavern Manticore Abuses SysAid RMM and WinDirStat DLL Sideloading to Deploy C2 Framework<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Tushar Subhra Dutta<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/cavern-manticore-abuses-sysaid-rmm-and-windirstat-dll-sideloading\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cavern Manticore Abuses SysAid RMM and WinDirStat DLL Sideloading to Deploy C2 Framework A new Iranian-linked hacking group has been caught abusing everyday IT tools to slip malware onto Israeli networks. Researchers have named the group Cavern Manticore, and its latest campaign shows how creative attackers have become at hiding in plain sight. Instead of [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-14116","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14116"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14116"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14116\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}