Iran-linked Cavern Manticore Uses .NET C2 to Target Israeli IT

Check Point reports Iran-linked APT Cavern Manticore used a modular .NET C2 framework, abusing SysAid updates to sideload a WinDirStat DLL and move inside Israeli government and IT networks.

Check Point researchers report that Cavern Manticore, an Iran-linked advanced persistent threat actor, used a modular .NET command-and-control framework to target government entities and IT service providers in Israel. The campaign began when attackers abused SysAid’s update mechanism to sideload a WinDirStat DLL that launched a Cavern agent.

The framework separates core communications from post-compromise capabilities. It uses multiple compilation formats across components as an anti-analysis layer. Check Point wrote: “This is not obfuscation in the traditional sense; there is no packer, no control-flow flattening, and no string encryption anywhere in the framework. Instead, the compilation format itself becomes the anti-analysis layer, since each of the three formats has to be reversed with a different toolchain and a different workflow, and the analyst has to context-switch between them across components.”

After the agent established command-and-control channels, operators pushed additional modules tailored to each victim. Observed modules provide file operations, database enumeration and manipulation, LDAP brute-force, network reconnaissance and SMB brute-force. The framework also supports SOCKS5 proxying and WebSocket/WSS tunneling.

The agent can load both managed and native modules. Each module runs in its own AppDomain; the domain is terminated when the module is unloaded to remove assembly artifacts from memory. The agent deletes most files and subdirectories from its working directory after use, leaving only the communication module, a configuration file and logs.

Check Point analysts assess the framework was likely developed with assistance from an AI model but with substantial human editing. Evidence includes code comments, typographical errors, hand-picked names and inconsistencies between modules, which indicate active human involvement during development.

In intrusions against Israeli targets, attackers used legitimate remote monitoring and management (RMM) tools for lateral movement and relied on browser-based remote desktop technologies to access victim environments. The actor also exploited built-in features such as remote printing to remove data. In several cases, activity moved from an initially compromised IT provider to a second-hop provider before reaching the intended target.

The report links Cavern Manticore to Iran’s Ministry of Intelligence and Security and notes possible ties to the OilRig subgroup Lyceum, also known as Hexane or SiameseKitten. Targets in the observed campaigns were primarily Israeli government entities and IT service providers, and the activity is described as recent.

The report recommends that security teams monitor for unusual update activity in third-party management tools, unexpected DLL sideloading and isolated .NET modules that disappear from memory. Check Point warns that multi-format compilation and module isolation can complicate analysis and tracking across incidents.

Articles by this author

No posts found.