安全客July 12, 2026🇨🇳Translated from Chinese

Iranian State-Sponsored Hackers Unveil Cavern C2 Framework: Multi-Format .NET Compilation Bypasses All Security Detection Tools

In early July 2026, Israeli cybersecurity firm Check Point Research published a detailed report exposing a previously undocumented Iranian threat actor tracked as Cavern Manticore. The group, assessed to operate under Iran’s Ministry of Intelligence and Security (MOIS), has been deploying a highly modular command-and-control framework named Cavern (also referred to as Cav3rn) since the beginning of 2026.

What Happened

The campaign primarily targets Israeli IT service providers and government organizations. Unlike earlier Iranian APT groups such as MuddyWater and OilRig that frequently reuse publicly available tools, Cavern Manticore developed an entirely custom framework written in .NET yet deliberately compiled into three distinct binary formats. This design choice forces security researchers to switch between completely different analysis toolchains, significantly raising the cost and complexity of investigation. The framework has maintained near-zero or extremely low detection rates on VirusTotal, rendering most commercial security products ineffective.

Technical Analysis: Weaponizing Compilation Formats

Cavern’s primary innovation lies not in conventional obfuscation techniques such as packing or control-flow flattening, but in its use of incompatible compilation formats as an anti-analysis layer. The framework consists of three categories of modules:

  • .NET Framework (pure IL): Post-exploitation modules including mhm.dll for file operations and DPAPI decryption, db.dll for SQL database manipulation, and ode.dll for Active Directory reconnaissance. Each module executes inside its own isolated AppDomain and is unloaded immediately after use, leaving no artifacts on disk.
  • Mixed-mode C++/CLI (IL + native code): The core Agent, disguised as uxtheme.dll (Windows theme library), contains 83 exported functions of which 82 are empty decoys designed to trap sandboxes; only one performs actual malicious activity.
  • .NET 8 Native AOT (pure native): Communication module n-HTCommp.dll, network reconnaissance module n-ten.dll, and SOCKS5 proxy module n-sws.dll. The entire .NET runtime is statically linked, and strings only materialize at runtime. Check Point researchers had to develop a custom IDA Pro plugin to recover metadata from these binaries.

Because each module requires a different analysis workflow, experience gained from examining one component cannot be reused on the others, forcing defenders to maintain three separate reverse-engineering capabilities.

Attack Chain: Abusing Trusted RMM Infrastructure

Initial access is obtained by compromising an organization’s remote monitoring and management (RMM) platform rather than exploiting zero-day vulnerabilities. Attackers abuse the legitimate update functionality of SysAid software to push malicious code. A WinDirStat DLL side-loading chain is placed in C:\ProgramData\WinDir\, where the legitimate WinDirStat.exe loads the tampered uxtheme.dll (Cavern Agent). The Agent then beacons to the C2 server hospitalinstallation[.]com over HTTPS or WebSocket, retrieving additional modules on demand.

Network traffic is encrypted with XOR key 0x48, Base64-encoded, and uses a fixed Edge browser User-Agent string along with a custom X-User-token header. Protocol fields are delimited by “_;;_” and parameters by “_,_”. The Agent supports hot updates—it can rename its own DLL, write a new version, and load it without requiring a system reboot—followed by aggressive cleanup that removes all files except the communication module, configuration, and logs. Error messages left in the code, such as “What is this sh*t?! where is get_version?!?!”, suggest manual development by a specific individual rather than automated generation.

Impact: Systematic Weaponization of Supply-Chain Trust

The operation demonstrates three layers of trust abuse: first, compromising IT service providers to reach downstream customers; second, leveraging legitimate software update mechanisms as distribution vectors; and third, coordinated activity between Cavern Manticore and MuddyWater against aviation, energy, and government targets in Egypt, Israel, and the UAE. These parallel campaigns indicate Iran is escalating its cyber operations in response to regional geopolitical tensions.

Defense Recommendations

Organizations should enforce least-privilege access for MSPs, implement change-approval workflows for RMM updates, and monitor for the following indicators of compromise: C2 domain hospitalinstallation[.]com (and historical domains adserviceupdate[.]com, hygienehistory[.]com), file path C:\ProgramData\WinDir\WinDirStat.exe, mutexes MYMUTEX123HELLP02 and MYMUTEX123HELLP04, and network artifacts including the fixed Edge User-Agent and XOR key 0x48. Enabling Windows Code Integrity policies and closely auditing non-privileged directories are also advised.

Conclusion

Cavern Manticore represents a strategic shift from tool-versus-tool competition to analysis-cost competition. By designing a framework whose goal is not merely to evade detection but to make meaningful analysis prohibitively expensive, the group challenges traditional security operations models that rely on manual reverse engineering. The incident underscores that supply-chain security requires continuous verification of every trust relationship, from MSP access rights to automated update mechanisms.