Overview
- Check Point Research publicly named the cluster Cavern Manticore after profiling a previously undocumented modular command‑and‑control framework built on .NET that separates a persistent agent from mission modules.
- The framework uses three compilation formats and per‑module AppDomain isolation to force analysts to switch toolchains and to remove module artifacts from memory, which makes reverse engineering and forensic reconstruction much harder.
- Initial access and lateral movement rely on abusing managed service relationships, including RMM tools and a SysAid software‑update DLL side‑loading chain that installs a trojanized DLL acting as the Cavern agent.
- Analysts recovered multiple modules for file operations, SQL and Active Directory reconnaissance, network scanning, and SOCKS5/WebSocket tunneling, and most observed samples showed zero or very low detection on VirusTotal.
- WHOIS records tie a campaign domain to Iranian hosting provider Fars Data and Check Point notes tactical overlaps with MuddyWater and Lyceum, while other reporting says related Iran‑linked activity has moved from broad scanning to targeted credential theft and confirmed data exfiltration against regional aviation, energy, and government targets.