Cavern Manticore Exposing an Iran-Linked Modular .NET C2 Fra...#2474
Open
carlospolop wants to merge 1 commit into
Open
Cavern Manticore Exposing an Iran-Linked Modular .NET C2 Fra...#2474carlospolop wants to merge 1 commit into
carlospolop wants to merge 1 commit into
Conversation
Collaborator
Author
🔗 Additional ContextOriginal Blog Post: https://research.checkpoint.com/2026/cavern-manticore-exposing-iran-linked-modular-c2-framework Content Categories: Based on the analysis, this content was categorized under "Basic Forensic Methodology > Malware Analysis / Reversing > .NET NativeAOT and Mixed-Mode Malware Analysis; with cross-references to Windows DLL Hijacking and Windows Credential Access/DPAPI". Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Check Point Research analyzes Cavern, a modular .NET post-exploitation C2 framework used by the Iran-nexus APT Cavern Manticore, which targets Israeli organizations, especially government and IT providers. The framework is not a single implant: it is a modular toolset made of an agent plus loadable post-exploitation modules for communication, filesystem access, SQL access, LDAP/Active Directory reconnaissance, network reconnaissance, SMB credential testing, port...
🔧 Technical Details
DLL sideloading as an initial loader: A legitimate Windows application can be abused when it searches its local directory for DLLs before system paths. In this case, a WinDirStat deployment under
C:\ProgramData\WinDir\WinDirStat.execauses the legitimate executable to load a trojanizeduxtheme.dll. The technique hides malware behind a DLL name expected by the application and can be combined with a realistic export table to reduce suspicion.Export ordinal sandbox evasion: Malware can mimic a legitimate DLL export table and make most exports inert. Cavern exports 83 functions from
uxtheme.dll, but 82 return immediately. The real C2 loop starts only fromEnableThemeDialogTexture, ordinal#20/0x14. Automated sandboxes that only load the DLL or call ordinal#1may see no behavior.Compilation format as anti-analysis: A malware frame...
🤖 Agent Actions
Continuing from the current state and re-checking the existing single-file update before any further scope changes.
I re-checked the current change set, ran repo-level sanity checks, and applied one tiny reference-format cleanup in the same file. The update remains constrained to a single file and is ready to stay minimal until final completion.
Understood — I continued the run, re-initialized the plan, ran additional sanity checks, and kept the scope limited to the same single-file update without providing the final answer yet.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.