
Threat Advisory • Actor Report • TA2026193
Cavern Manticore is a newly identified Iran-linked espionage actor, tied to Iran's Ministry of Intelligence and Security (MOIS), that has emerged in early 2026 targeting Israeli IT service providers, government agencies, and defense organizations. The group operates a modular .NET command-and-control framework called Cavern (also seen as Cav3rn), delivered through DLL side-loading, and has so far evaded public sandboxes and antivirus engines with near-zero detection rates.
Section 01
Cavern Manticore is a newly tracked Iran-linked espionage actor first seen in early 2026, targeting Israel across the IT service providers, government, and defense industries on the Windows platform. The threat actor's primary tooling is Cavern (also known as Cav3rn or CAV3RN), a modular command-and-control framework built on .NET and compiled across multiple runtime formats to complicate reverse engineering.
Cavern Manticore's targeted products span Remote Monitoring and Management (RMM) tooling, browser-based remote desktop technologies, Active Directory, LDAP, SMB, and Microsoft IIS. The actor abuses trusted IT service provider relationships and DLL side-loading to gain initial access, then leverages the Cavern framework for lateral movement, credential theft, and command-and-control, ultimately exfiltrating data over the same C2 channel used for tasking.
Section 02
Cavern Manticore is an Iran-linked hacking group tied to Iran's Ministry of Intelligence and Security (MOIS). It appeared in early 2026 and has focused on Israeli IT service providers, government agencies, and defense-related organizations, activity that lines up with the ongoing joint U.S.-Israel military operation against Iran.
The MOIS attribution is based on overlaps with two known Iranian groups, MuddyWater and Lyceum (a subgroup of OilRig), and on infrastructure clues: the main C2 domain was registered through Fars Data, an Iranian hosting provider, and the C2 traffic patterns match Lyceum's older tradecraft of victim-side proxying and XOR obfuscation.
The group's toolkit is a new modular framework called Cavern (also seen as Cav3rn). It is built on .NET, but its parts are compiled in three different formats: standard .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT. This mix is deliberate: it slows down reverse engineers by forcing them to switch between multiple analysis tools. For initial access, the group abuses trusted IT service providers, hopping from one provider to another before reaching the real target.
From there, they trigger the SysAid software update feature to launch a DLL side-loading chain: the legitimate WinDirStat.exe loads a malicious uxtheme.dll, which is the Cavern Agent. When SysAid isn't the entry point, they use RMM tools or browser-based remote desktop features to drop the same agent instead. Once installed, the Cavern Agent loads a native communication module that reaches the C2 server at hospitalinstallation[.]com over HTTPS or WebSocket and pulls down more modules as needed.
For lateral movement, the group relies on the same RMM channels used for initial access along with RDP, and reaches internal hosts through the SOCKS5 and WebSocket tunnels built into n-sws.dll. Credentials are stolen through LSASS memory dumps and the LDAP/SMB brute-force modules. C2 traffic is routed through ASP.NET webshell handlers (cac.aspx) on separate IIS servers, hidden with XOR obfuscation and Base64 encoding, with each backdoor using a fixed set of HTTP verbs to look like normal web traffic.
Data is exfiltrated over the same C2 channel; when clipboard and file-transfer paths are blocked, the actor has abused Windows remote printing to smuggle data out instead. Cavern samples currently show zero or near-zero detections on public sandboxes and antivirus engines, and the modular design means finding one piece doesn't expose the rest, which is what lets the group run long, quiet espionage campaigns against high-value targets.
Section 03
| Name | Origin | Motive | Target Country | Target Industry |
|---|---|---|---|---|
Cavern Manticore |
Iran (MOIS-aligned) | Espionage | Israel | IT Service Providers, Government, Defense |
Section 04
Hunt for DLL Side-Loading of uxtheme.dll
Alert on any process outside C:\Windows\System32\ or C:\Windows\SysWOW64\ loading a file named uxtheme.dll, and specifically inspect executions of WinDirStat.exe that load a non-system-signed copy of that DLL.
Constrain and Monitor SysAid Update Flows
Restrict which endpoints can pull SysAid software updates, alert on update packages that spawn unsigned or unexpected child DLLs, and validate SysAid server integrity where the product is deployed.
Vet RMM Tool Usage
Inventory every RMM agent installed across the estate, block unsanctioned RMM binaries at the endpoint and firewall, and require MFA and approval workflows for RMM-initiated sessions and script deployment.
Detect the Cavern Communication Pattern
Baseline traffic to internal and external IIS-hosted ASP.NET handlers and flag anomalous Base64-encoded POST bodies to unknown domains, particularly requests targeting handlers named cac.aspx or similar single-handler endpoints.
Instrument .NET Runtime Anomalies
Enable ETW-based .NET runtime telemetry and alert on unexpected AppDomain creation in non-development processes, on mixed-mode C++/CLI assemblies loading in user-facing workflows, and on Native AOT binaries appearing outside their sanctioned build paths.
Harden Active Directory Against LDAP Abuse
Enable LDAP signing and channel binding, monitor for paged LDAP searches with a page size of 1,000 originating from non-administrative hosts, and alert on repeated bind failures indicative of brute-force attempts.
Section 05
Section 06
| Type | Value |
|---|---|
SHA256 |
37e123bd7998af4eae32718ce254776f36365a80ba56952593dab46f536d406692cae0ad7f98f51a14bcc0ee05e372ebdc29ea96ea7bd161bd3f55198767603b5dc08bda6919a57a85e5f38b857985fa71529ca39c8299868d5a49a987e19b18a4aa217def4c38f4ecacdf47b1cd687f60cc74c18ab75195be3c4357a790bf41b630c96d3763182533d4fb9b614134382bd644cb02c6c1c3ade848b6ecc31e868e9425c0b46eeb516610ae913d13f2b3f44a023043cb099277031d4ec38a61340a3663648a46771a5a5423ad01e91a4e7ba825595e99fa934cb35cbb4848adc85394d3b220de4695f731647e3a70545f951a8912ceb0c6585efab8d6842e8b4230cb4679c4b8599eeb3d63a551716475c6332bdc4d4b4e3de0964aadb3092a102cb1ad3b22db8e3666ea138fee88034a87a87cf43db3d3265a675ebf221379b07d586fb7f94182a8e2a0e53c7e4deb898066da029da5cd9972a94a59ca6d255a541b1f417b9e42078c3355693a8a492b6a76048850f6549a429e0be99e6819cbcbc9485db715e1b8cc384fe94b4cceadca4006cda8a5e28adc8848529cfafc93ccf218189c3aadb1c761da14bfda3bae686769031e1e1b10007648bd72e34748
|
Domain |
hospitalinstallation[.]com |
Filename |
uxtheme.dlln-HTCommp.dllmhm.dlldb.dllode.dlln-ten.dlln-sws.dllcac.aspx
|
Section 07