
Iran-linked Hackers Escalate With A Stealthy New Toolkit
Iran-linked hackers are running a modular command-and-control (C&C) framework against Israel, and the campaign marks a clear jump in tradecraft. The group targets Israeli government entities and IT providers. Moreover, it appears tied to Iran’s Ministry of Intelligence and Security (MOIS), with links to the OilRig subgroup Lyceum, also known as Hexane and SiameseKitten. Consequently, this activity fits a decade-long pattern of MOIS-aligned espionage.
Cavern Manticore’s Roots Run Deep
Lyceum is no newcomer. Since at least 2018, the group has hit oil, gas, and telecom firms across the Middle East and Africa. Furthermore, in 2021 it pivoted to Israeli IT and communications companies using fake LinkedIn job offers and the DanBot and Shark backdoors. That earlier effort also aimed to enable supply chain attacks. Therefore, Cavern Manticore represents an evolution, not a debut.
CAVERN MANTICORE
The chain abuses SysAid’s update feature to sideload a malicious WinDirStat DLL. Legit WinDirStat.exe then loads a trojanized uxtheme.dll (the Cavern agent), which fetches modules on command, letting operators tailor each deployment per victim.
Its edge is anti-analysis: one shared .NET base compiles into three formats, forcing constant toolchain switching. No packer, no obfuscation, just the format itself. Native AOT strips .NET metadata, pushing analysts to native tools like Ghidra/IDA and leaving most samples effectively undetected.
- File & database: file operations, enumeration, and database manipulation.
- Directory attacks: LDAP brute-force and Active Directory reconnaissance.
- Network: network reconnaissance and SMB brute-force.
- Tunneling: SOCKS5 proxy and WebSocket (WSS) tunneling; managed & native modules.
Multi-format Compilation Becomes The Anti-analysis Layer
The framework rests on a shared .NET foundation. However, its components compile into three different formats: standard .NET Framework, Mixed-Mode C++/CLI, and .NET Native AOT. Notably, this is not traditional obfuscation. Analysis shows there is no packer, no control-flow flattening, and no string encryption. Instead, the compilation format itself frustrates analysts. Each format demands a different toolchain, so reverse engineers must constantly context-switch. Native AOT proves especially punishing because it strips .NET metadata and forces analysis with native tools like Ghidra or IDA Pro. As a result, most samples score zero or near-zero detections on VirusTotal.
Agents And Modules Give Attackers Flexibility
Architecturally, Cavern splits into “agents” and “modules.” The agent handles core C&C communication, while modules deliver post-compromise capabilities. Consequently, operators tailor each deployment per victim. The infection chain abuses SysAid’s software update feature to sideload a malicious WinDirStat DLL. The legitimate WinDirStat.exe then loads a trojanized uxtheme.dll, which is the Cavern agent. Afterward, the agent fetches modules on command. Their capabilities include:
- File operations and enumeration
- Database enumeration and manipulation
- LDAP brute-force and Active Directory reconnaissance
- Network reconnaissance and SMB brute-force
- SOCKS5 proxy and WebSocket (WSS) tunneling
Both managed and native modules appear in the toolkit, and the agent reaches its C2 through the Iranian-registered domain hospitalinstallation[.]com.
Anti-forensics Erases The Evidence Trail
The agent works hard to stay invisible. Specifically, it isolates each module in its own AppDomain, then terminates that AppDomain after use. Therefore, the module vanishes from memory, leaving no analyzable assembly artifacts. In addition, the agent deletes all files and subdirectories in its working directory, sparing only the communication module, config file, and log files. Because of this, forensic recovery of the full toolkit from a single host becomes nearly impossible.
AI Likely Helped, But Humans Did The Real Work
AI may have influenced some common code. The available evidence suggests that there has been extensive human writing. The comments in code, typos, chosen names, and differences between modules are all indicative of human authorship. It can be stated that Cavern is “a human-authored framework, very plausibly built with some AI assistance for routine code, but driven and shaped throughout by a developer.”
Living Off The Land Powers Lateral Movement
Cavern Manticore leans hard on legitimate tools. For instance, the actor uses RMM solutions for lateral movement between victims. It also uses browser-based remote desktop tools to reach victim environments. Furthermore, it exploits built-in remote printing features for data exfiltration. These living-off-the-land techniques blend malicious activity into normal IT operations. Meanwhile, RMM abuse has become a defining trend.
The Broader Iran-versus-Israel Cyber Front
“Cavern Manticore” does not work alone. In June 2025, Israel had about 1,600 cyber attacks compared to 4,800 attacks in June 2026. Iranian groups have posed as Chaos ransomware to conduct espionage activities, while an Iranian-linked group caused havoc in the LA Metro. Hence, Cavern Manticore is part of a larger cyber espionage program that is highly coordinated.”
Conclusion: When Trusted IT Tools Become the Espionage Path
Cavern Manticore shows how modern espionage no longer depends on loud malware. The framework abuses trusted software behavior, DLL sideloading, RMM tools, browser-based remote access, and modular C&C to move quietly across victim environments. Its strength is not only stealth. It is flexibility.
The attacker can load only the modules needed for each target, erase evidence after use, and blend activity into normal IT operations.
Why This Threat Matters
Iran-linked actors are using Cavern Manticore as a modular control framework against Israeli government and IT providers. That makes the campaign especially dangerous for organizations that rely on trusted administration tools, shared service providers, and remote management workflows.
- SysAid update abuse creates a trusted delivery path
- DLL sideloading hides malicious logic behind legitimate binaries
- Native AOT and mixed compilation reduce detection and slow analysis
- LDAP and SMB brute-force modules support lateral movement
- SOCKS5 and WSS tunneling help attackers maintain covert access
- Anti-forensics removes key artifacts before responders can recover them
This is not simple malware. It is an adaptable espionage framework designed to survive inside real enterprise environments.
Where Xcitium Changes the Outcome
This attack must be stopped where Cavern Manticore depends most on trust, execution and privileged movement.
Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, applies Execution Governance when suspicious tools, DLLs, scripts, modules, or payloads attempt to run.
Unknown code does not receive unrestricted execution rights.
Code can run without being able to cause damage.
Runtime behavior is governed before trust exists.
DLL sideloading, module execution, tunneling tools, reconnaissance activity, and follow-on payloads are stopped before they become operational impact.
Xcitium ITDR strengthens the identity layer when attackers attempt LDAP brute-force, Active Directory reconnaissance, privileged access abuse, or lateral movement across trusted accounts.
Detection asks, “Did we recognize this framework?”
Execution Governance asks, “Could unknown code turn trusted tools into attacker control?”
That is the difference.
Stop Espionage Before Trusted Tools Are Abused
Cavern Manticore proves that nation-state operators are moving deeper into legitimate administration paths. They do not always need obvious malware behavior. They can abuse software updates, sideload DLLs, run modular tooling, and disappear before investigation catches up.
Security teams cannot rely only on after-the-fact detection.
They need runtime control before trust.
They need proof before impact.
Govern unknown execution before it becomes attacker control.
Secure privileged identity before movement spreads.
Prove what malicious activity could not do.