Skip to content

Cavern Manticore Exposing an Iran-Linked Modular .NET C2 Fra...#2474

Open
carlospolop wants to merge 1 commit into
masterfrom
update_Cavern_Manticore_Exposing_an_Iran-Linked_Modular_b12624b3606ec6c0
Open

Cavern Manticore Exposing an Iran-Linked Modular .NET C2 Fra...#2474
carlospolop wants to merge 1 commit into
masterfrom
update_Cavern_Manticore_Exposing_an_Iran-Linked_Modular_b12624b3606ec6c0

Conversation

@carlospolop

Copy link
Copy Markdown
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Check Point Research analyzes Cavern, a modular .NET post-exploitation C2 framework used by the Iran-nexus APT Cavern Manticore, which targets Israeli organizations, especially government and IT providers. The framework is not a single implant: it is a modular toolset made of an agent plus loadable post-exploitation modules for communication, filesystem access, SQL access, LDAP/Active Directory reconnaissance, network reconnaissance, SMB credential testing, port...

🔧 Technical Details

DLL sideloading as an initial loader: A legitimate Windows application can be abused when it searches its local directory for DLLs before system paths. In this case, a WinDirStat deployment under C:\ProgramData\WinDir\WinDirStat.exe causes the legitimate executable to load a trojanized uxtheme.dll. The technique hides malware behind a DLL name expected by the application and can be combined with a realistic export table to reduce suspicion.

Export ordinal sandbox evasion: Malware can mimic a legitimate DLL export table and make most exports inert. Cavern exports 83 functions from uxtheme.dll, but 82 return immediately. The real C2 loop starts only from EnableThemeDialogTexture, ordinal #20/0x14. Automated sandboxes that only load the DLL or call ordinal #1 may see no behavior.

Compilation format as anti-analysis: A malware frame...

🤖 Agent Actions

Continuing from the current state and re-checking the existing single-file update before any further scope changes.
I re-checked the current change set, ran repo-level sanity checks, and applied one tiny reference-format cleanup in the same file. The update remains constrained to a single file and is ready to stay minimal until final completion.
Understood — I continued the run, re-initialized the plan, ran additional sanity checks, and kept the scope limited to the same single-file update without providing the final answer yet.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop

Copy link
Copy Markdown
Collaborator Author

🔗 Additional Context

Original Blog Post: https://research.checkpoint.com/2026/cavern-manticore-exposing-iran-linked-modular-c2-framework

Content Categories: Based on the analysis, this content was categorized under "Basic Forensic Methodology > Malware Analysis / Reversing > .NET NativeAOT and Mixed-Mode Malware Analysis; with cross-references to Windows DLL Hijacking and Windows Credential Access/DPAPI".

Repository Maintenance:

  • MD Files Formatting: 981 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant