Meet Cavern Manticore: Iran's Invisible New Espionage Actor

Amber | Actor
Download Now
Cavern Manticore: Iran's Invisible New Espionage Actor (TA2026193) — MOIS-Linked C2 Framework

Threat Advisory • Actor Report • TA2026193

Meet Cavern Manticore: Iran's Invisible New Espionage Actor

Cavern Manticore is a newly identified Iran-linked espionage actor, tied to Iran's Ministry of Intelligence and Security (MOIS), that has emerged in early 2026 targeting Israeli IT service providers, government agencies, and defense organizations. The group operates a modular .NET command-and-control framework called Cavern (also seen as Cav3rn), delivered through DLL side-loading, and has so far evaded public sandboxes and antivirus engines with near-zero detection rates.

SEVERITY: AMBER ADMIRALTY: A1 ESPIONAGE ACTOR IRAN / MOIS-LINKED DLL SIDE-LOADING NEAR-ZERO DETECTION
Threat Actor
Cavern Manticore
Malware
Cavern (aka Cav3rn)
First Seen
Early 2026
Targeted Region
Israel
Targeted Platform
Windows
Targeted Industries
IT Service Providers, Government, Defense
Admiralty Code
A1
Published
July 10, 2026
TA Number
TA2026193

Summary

Cavern Manticore is a newly tracked Iran-linked espionage actor first seen in early 2026, targeting Israel across the IT service providers, government, and defense industries on the Windows platform. The threat actor's primary tooling is Cavern (also known as Cav3rn or CAV3RN), a modular command-and-control framework built on .NET and compiled across multiple runtime formats to complicate reverse engineering.

Cavern Manticore's targeted products span Remote Monitoring and Management (RMM) tooling, browser-based remote desktop technologies, Active Directory, LDAP, SMB, and Microsoft IIS. The actor abuses trusted IT service provider relationships and DLL side-loading to gain initial access, then leverages the Cavern framework for lateral movement, credential theft, and command-and-control, ultimately exfiltrating data over the same C2 channel used for tasking.


Actor Details

#1 — Origins and Targeting of Cavern Manticore

Cavern Manticore is an Iran-linked hacking group tied to Iran's Ministry of Intelligence and Security (MOIS). It appeared in early 2026 and has focused on Israeli IT service providers, government agencies, and defense-related organizations, activity that lines up with the ongoing joint U.S.-Israel military operation against Iran.

#2 — MOIS Attribution Through Infrastructure and Tradecraft Overlaps

The MOIS attribution is based on overlaps with two known Iranian groups, MuddyWater and Lyceum (a subgroup of OilRig), and on infrastructure clues: the main C2 domain was registered through Fars Data, an Iranian hosting provider, and the C2 traffic patterns match Lyceum's older tradecraft of victim-side proxying and XOR obfuscation.

#3 — The Cavern Framework: A Deliberately Fragmented .NET Toolkit

The group's toolkit is a new modular framework called Cavern (also seen as Cav3rn). It is built on .NET, but its parts are compiled in three different formats: standard .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT. This mix is deliberate: it slows down reverse engineers by forcing them to switch between multiple analysis tools. For initial access, the group abuses trusted IT service providers, hopping from one provider to another before reaching the real target.

#4 — Initial Access via SysAid Abuse and DLL Side-Loading

From there, they trigger the SysAid software update feature to launch a DLL side-loading chain: the legitimate WinDirStat.exe loads a malicious uxtheme.dll, which is the Cavern Agent. When SysAid isn't the entry point, they use RMM tools or browser-based remote desktop features to drop the same agent instead. Once installed, the Cavern Agent loads a native communication module that reaches the C2 server at hospitalinstallation[.]com over HTTPS or WebSocket and pulls down more modules as needed.

#5 — Lateral Movement, Credential Theft, and Covert C2 Channels

For lateral movement, the group relies on the same RMM channels used for initial access along with RDP, and reaches internal hosts through the SOCKS5 and WebSocket tunnels built into n-sws.dll. Credentials are stolen through LSASS memory dumps and the LDAP/SMB brute-force modules. C2 traffic is routed through ASP.NET webshell handlers (cac.aspx) on separate IIS servers, hidden with XOR obfuscation and Base64 encoding, with each backdoor using a fixed set of HTTP verbs to look like normal web traffic.

#6 — Exfiltration and Near-Zero Detection

Data is exfiltrated over the same C2 channel; when clipboard and file-transfer paths are blocked, the actor has abused Windows remote printing to smuggle data out instead. Cavern samples currently show zero or near-zero detections on public sandboxes and antivirus engines, and the modular design means finding one piece doesn't expose the rest, which is what lets the group run long, quiet espionage campaigns against high-value targets.


Actor Group

NameOriginMotiveTarget CountryTarget Industry
Cavern Manticore Iran (MOIS-aligned) Espionage Israel IT Service Providers, Government, Defense

Recommendations

01

Hunt for DLL Side-Loading of uxtheme.dll

Alert on any process outside C:\Windows\System32\ or C:\Windows\SysWOW64\ loading a file named uxtheme.dll, and specifically inspect executions of WinDirStat.exe that load a non-system-signed copy of that DLL.

02

Constrain and Monitor SysAid Update Flows

Restrict which endpoints can pull SysAid software updates, alert on update packages that spawn unsigned or unexpected child DLLs, and validate SysAid server integrity where the product is deployed.

03

Vet RMM Tool Usage

Inventory every RMM agent installed across the estate, block unsanctioned RMM binaries at the endpoint and firewall, and require MFA and approval workflows for RMM-initiated sessions and script deployment.

04

Detect the Cavern Communication Pattern

Baseline traffic to internal and external IIS-hosted ASP.NET handlers and flag anomalous Base64-encoded POST bodies to unknown domains, particularly requests targeting handlers named cac.aspx or similar single-handler endpoints.

05

Instrument .NET Runtime Anomalies

Enable ETW-based .NET runtime telemetry and alert on unexpected AppDomain creation in non-development processes, on mixed-mode C++/CLI assemblies loading in user-facing workflows, and on Native AOT binaries appearing outside their sanctioned build paths.

06

Harden Active Directory Against LDAP Abuse

Enable LDAP signing and channel binding, monitor for paged LDAP searches with a page size of 1,000 originating from non-administrative hosts, and alert on repeated bind failures indicative of brute-force attempts.


Potential MITRE ATT&CK TTPs

T1195
Initial Access
Supply Chain Compromise (Sub: T1195.002 — Compromise Software Supply Chain)
T1199
Initial Access
Trusted Relationship
T1129
Execution
Shared Modules
T1106
Execution
Native API
T1574
Defense Evasion
Hijack Execution Flow (Sub: T1574.001 — DLL)
T1027
Defense Evasion
Obfuscated Files or Information
T1140
Defense Evasion
Deobfuscate/Decode Files or Information
T1055
Defense Evasion
Process Injection
T1003
Credential Access
OS Credential Dumping (Sub: T1003.001 — LSASS Memory)
T1110
Credential Access
Brute Force (Sub: T1110.001 — Password Guessing)
T1087
Discovery
Account Discovery (Sub: T1087.002 — Domain Account)
T1069
Discovery
Permission Groups Discovery (Sub: T1069.002 — Domain Groups)
T1018
Discovery
Remote System Discovery
T1046
Discovery
Network Service Discovery
T1135
Discovery
Network Share Discovery
T1201
Discovery
Password Policy Discovery
T1021
Lateral Movement
Remote Services (Subs: T1021.001 — Remote Desktop Protocol, T1021.002 — SMB/Windows Admin Shares)
T1219
Lateral Movement
Remote Access Software
T1005
Collection
Data from Local System
T1039
Collection
Data from Network Shared Drive
T1560
Collection
Archive Collected Data
T1213
Collection
Data from Information Repositories
T1071
Command and Control
Application Layer Protocol (Sub: T1071.001 — Web Protocols)
T1105
Command and Control
Ingress Tool Transfer
T1132
Command and Control
Data Encoding (Sub: T1132.001 — Standard Encoding)
T1573
Command and Control
Encrypted Channel (Sub: T1573.001 — Symmetric Cryptography)
T1090
Command and Control
Proxy (Sub: T1090.001 — Internal Proxy)
T1572
Command and Control
Protocol Tunneling
T1041
Exfiltration
Exfiltration Over C2 Channel
T1048
Exfiltration
Exfiltration Over Alternative Protocol

Indicators of Compromise (IOCs)

TypeValue
SHA256 37e123bd7998af4eae32718ce254776f36365a80ba56952593dab46f536d4066
92cae0ad7f98f51a14bcc0ee05e372ebdc29ea96ea7bd161bd3f55198767603b
5dc08bda6919a57a85e5f38b857985fa71529ca39c8299868d5a49a987e19b18
a4aa217def4c38f4ecacdf47b1cd687f60cc74c18ab75195be3c4357a790bf41
b630c96d3763182533d4fb9b614134382bd644cb02c6c1c3ade848b6ecc31e86
8e9425c0b46eeb516610ae913d13f2b3f44a023043cb099277031d4ec38a6134
0a3663648a46771a5a5423ad01e91a4e7ba825595e99fa934cb35cbb4848adc8
5394d3b220de4695f731647e3a70545f951a8912ceb0c6585efab8d6842e8b42
30cb4679c4b8599eeb3d63a551716475c6332bdc4d4b4e3de0964aadb3092a10
2cb1ad3b22db8e3666ea138fee88034a87a87cf43db3d3265a675ebf221379b0
7d586fb7f94182a8e2a0e53c7e4deb898066da029da5cd9972a94a59ca6d255a
541b1f417b9e42078c3355693a8a492b6a76048850f6549a429e0be99e6819cb
cbc9485db715e1b8cc384fe94b4cceadca4006cda8a5e28adc8848529cfafc93
ccf218189c3aadb1c761da14bfda3bae686769031e1e1b10007648bd72e34748
Domain hospitalinstallation[.]com
Filename uxtheme.dll
n-HTCommp.dll
mhm.dll
db.dll
ode.dll
n-ten.dll
n-sws.dll
cac.aspx

References