Cavern Manticore
The Modus Operandi of an MOIS-Linked Initial-Access and Destructive Operator
Key Judgments (BLUF)
Cavern Manticore is the label applied by Check Point Research to an Iranian state-aligned cyber operator that is, in this assessment, equivalent to the actor most widely tracked as MuddyWater (see the alias crosswalk in §2.1). The judgments below carry the confidence and likelihood tags defined in Appendix E.
1. Scope & Analytic Approach
This product characterizes the modus operandi of Cavern Manticore across the intrusion lifecycle: initial access, the Cavern C2 toolset, lateral movement and persistence, and coordinated destructive operations executed with partner clusters. It is written for SOC, DFIR, and detection-engineering audiences and closes with ATT&CK-mapped, testable detections (§10), an intelligence-gaps register (§11), IOCs (Appendix B), and a graded source register (References).
Two disciplines are applied consistently. First, observed versus inferred is kept explicit: forensic artifacts are stated as fact and cited to the reporting party, while intent and relationships are labeled as assessment. Second, claims are graded for source reliability (Appendix E); adversary self-attribution is never treated as forensic fact.
2. Actor Overview & Attribution
Cavern Manticore has operated since at least 2017 and is assessed with High confidence to be subordinate to the Iranian MOIS. Attribution rests on convergent official and vendor reporting: US Cyber Command’s January 2022 public linkage of MuddyWater to MOIS, CISA advisory AA22-055A, and sustained tracking by Microsoft Threat Intelligence, ESET, and Group-IB. The group’s targeting concentrates on the Middle East — with heavy emphasis on Israel and Gulf states — while expanding opportunistically into Europe and North America.
2.1 Alias Crosswalk
The same actor is tracked under many vendor names. The load-bearing equivalence for this product is Cavern Manticore ≡ MuddyWater; the crosswalk below reconciles the naming and should be read alongside the partner clusters in §9.
3. Strategic Objectives & Targeting
Cavern Manticore pursues MOIS intelligence priorities — espionage, access development, and, when directed, disruptive or destructive effect. Its signature strategic pattern is supply-chain leverage: compromising IT and managed-service providers (notably Israeli providers) to reach downstream victims through trusted channels. This both scales access and complicates attribution and eviction.
4. Modus Operandi — Initial Access
4.1 Exploitation of Public-Facing Applications
ToolShell (SharePoint). The group has exploited the SharePoint ToolShell chain against on-premises servers. The accurate timeline and composition matter for historical log look-back:
• Original chain (Pwn2Own Berlin, May 2025): CVE-2025-49706 (authentication bypass via manipulated HTTP Referer header) chained with CVE-2025-49704 (deserialization RCE). Patched by Microsoft on July 8–9, 2025.
• In-the-wild patch bypasses (first observed mid-July 2025): CVE-2025-53771 (variant of ‑49706) chained with CVE-2025-53770 (variant of ‑49704). Active exploitation was observed from July 16–18, 2025; Microsoft acknowledged active attacks and CISA added ‑53770 to the KEV catalog on July 20; emergency out-of-band patches shipped July 21, 2025.
• Persistence: exploitation permits theft of the SharePoint ASP.NET MachineKey (ValidationKey + DecryptionKey), which is used to forge signed __VIEWSTATE payloads. Forged-key access survives patching and reboots — patching alone is therefore insufficient.
4.2 Spear-Phishing & Social Engineering
Adversary-in-the-mailbox. Per ESET (January 2026), the group abuses already-compromised internal mailboxes to spear-phish trusted contacts, exploiting existing trust relationships rather than spoofed externals. ClickFix. TA450 (MuddyWater) was confirmed trialing the ClickFix technique over a two-day window in November 2024 against ~39 organizations, primarily in the UAE and Saudi Arabia, using PowerShell-driven silent RMM installation (Proofpoint/Anvilogic). The technique has not been observed repeating for this actor since, so it is assessed as possibly still experimental for the group (Moderate confidence).
Loader-to-RMM maturation. The MuddyViper campaign (ESET; active Sept 2024–Mar 2025) used a Fooder loader disguised as a Snake game to deploy the MuddyViper backdoor — which uses the Windows CNG cryptographic API, a trait ESET notes as distinctive among Iran-aligned groups — alongside CE-Notes and LP-Notes stealers and go-socks5 reverse tunnels. The August 2025 Phoenix v4 campaign (Group-IB) delivered the FakeUpdate loader via compromised accounts accessed through NordVPN against 100+ MENA government entities.
4.3 Supply-Chain Compromise via RMM Tools
The group’s supply-chain tradecraft is exemplified by abuse of a SysAid software update and WinDirStat DLL side-loading (Check Point Research): a trojanized uxtheme.dll serves as the Cavern Agent entry point (§5). Observed abused RMM tooling includes SysAid, Atera, SimpleHelp, PDQ Connect, Level, Syncro, ScreenConnect, AnyDesk, and Action1 (Check Point, ESET, Proofpoint) — a non-exhaustive list. RMM abuse is a hallmark of the group’s living-off-the-land evolution: it blends with legitimate administration traffic and frequently evades application-control policies.
5. The Cavern Framework
Cavern is a modular, .NET-based command-and-control framework disclosed by Check Point Research (July 2026). Its engineering priorities are modularity, forensic minimization, and anti-analysis — the framework is built to run briefly, leave little on disk, and defeat automated triage. The findings in this section originate in the Check Point primary; hashes and sample-specific values should be reconciled against that source at copy-edit (marked in Appendix B).
5.1 Three-Binary Architecture
5.2 Anti-Analysis Engineering
1. Anti-sandbox export design. The agent’s uxtheme.dll exports 83 functions mimicking the legitimate Windows theming DLL; 82 are empty stubs that return immediately. The real backdoor entry point is export ordinal #20 (EnableThemeDialogTexture), not #1. Automated sandboxes that invoke default/first exports observe only inert behavior and misclassify the sample as benign — a deliberate trap.
2. Startup cleanup routine. Newer builds aggressively wipe the working directory on first start, deleting everything except the communication module (n-HTCommp.dll), config.txt, and logs — a forensic countermeasure that removes prior-session module residue before the next cycle.
3. Numbered self-update scheme. The agent hot-swaps its own uxtheme.dll via command 002 (a Base64+GZip module push): it renames the running DLL, writes the new version, and terminates — updating in place without re-dropping persistence.
4. NativeAOT string obfuscation. In n-HTCommp.dll, readable strings (HTTPS endpoints, verb set, custom headers) exist only in a compressed, runtime-materialized section; verb constants are packed as integer immediates inside cmp instructions rather than as string literals. A static strings pass on disk yields nothing usable — a notably sophisticated evasion that defeats string-based triage.
5.3 Module Command Table & Capability Gap
Analysts recovered a 61-command enumeration from the symbol-retaining IL-only modules. Notably, the 5xx (process), 6xx (registry), and 7xx (service) ID ranges have no implementation in recovered samples — assessed (Moderate confidence) to indicate that at least one module remains unrecovered. This is logged as a collection gap in §11.
5.4 C2 Infrastructure & Masquerading
The C2 domain hospitalinstallation[.]com was registered through Fars Data, an Iranian hosting provider — itself a weak infrastructure attribution signal. Newer builds prepend the subdomain google.com.hospitalinstallation[.]com, a visual masquerade targeting proxy-log reviewers who skim URLs left-to-right. The communication module uses a fixed Microsoft Edge User-Agent (Chrome/146.0.0.0 … Edg/146.0.0.0) across all HTTP verbs, and applies XOR key 0x48 over Base64-encoded bodies — both stable network detection artifacts (§10).
5.5 Authorship Fingerprints — Competing Hypotheses
Recovered code contains human developer artifacts: profanity-laden error strings, developer typos (“tunnel message receivecd,” “handeling connect ms”), a local build path C:\Users\rick\Desktop\Modules\cavern\, and the mutex naming MYMUTEX123HELLP02 / HELLP04. These are strong attribution anchors. The meaning of these artifacts is an inference, and is best treated as competing hypotheses:
• H1 — Human-authored, possibly AI-assisted for boilerplate (most likely): typos, profanity, and a personal build path are hallmarks of hand-written code. Moderate confidence.
• H2 — Substantially AI-generated (unlikely): the idiosyncratic errors and personal path argue against wholesale generation, though AI assistance for scaffolding cannot be excluded.
• H3 — Deliberate false-flag artifacts (unlikely): possible but unparsimonious given the operational OPSEC failures elsewhere; no corroborating evidence.
Assessment: the framework is human-authored, possibly AI-assisted for boilerplate (Moderate confidence). This distinction matters because it bounds claims about the group’s operational tempo and scalability — Cavern is a maturation of human tradecraft, not evidence of autonomous operations.
6. Historical & Alternative Tooling
Cavern sits at the end of a decade-long tooling arc. The evolution below (full template in Appendix C) shows a steady move from PowerShell-heavy custom implants toward Go/.NET C2 and RMM-centric living-off-the-land operations.
• PhonyC2 → MuddyC2Go (through Nov 2023): successive custom C2 frameworks; MuddyC2Go is Go-based (Deep Instinct, Group-IB).
• MuddyViper (ESET; active Sept 2024–Mar 2025): C/C++ backdoor via the Fooder/Snake loader, using the Windows CNG crypto API; co-deployed with CE-Notes, LP-Notes, and go-socks5 tunnels.
• Phoenix v4 (Group-IB; Aug–Oct 2025): AES-encrypted payloads, COM-based persistence via Winlogon shell-value modification, WinHTTP beaconing, and a built-in Chromium credential stealer (Chrome, Opera, Brave, Edge).
• DLL side-loading campaign (Symantec/Broadcom; Q1 2026): legitimately signed Fortemedia (fmapp.exe) and SentinelOne (sentinelmemoryscanner.exe) binaries side-load malicious DLLs embedding ChromElevator for App-Bound Encryption bypass; nine organizations across nine countries.
7. Lateral Movement & Persistence
The group favors living-off-the-land movement: PowerShell and WMI, Registry Run-key persistence, and RMM tooling for both lateral movement and re-entry. The May 2026 Symantec reporting adds Node.js scripts launching PowerShell reconnaissance and staging of stolen data on public file-transfer services (e.g., sendit[.]sh) — OPSEC lapses that are useful detection opportunities. Network pivoting via SOCKS5 reverse-proxy tunneling (2026 DLL-sideloading campaign) is now also formalized as a dedicated Cavern module (n-sws.dll), illustrating how ad-hoc tradecraft is productized into the framework over time.
8. Coordinated Operations & Handoffs
The initial-access-broker thesis is the analytic spine of this report: Cavern Manticore develops and pre-positions access, then hands it to destructive or ransomware-capable MOIS partners. Two operations anchor the pattern.
8.1 DEV-1084 / DarkBit (April 2023)
Microsoft documented MERCURY (MuddyWater) obtaining access — with Log4j among the initial vectors — and handing off to DEV-1084, which conducted destructive actions including DarkBit ransomware deployment and Azure AD / cloud-resource destruction. This is a High confidence confirmed instance of the access-development-to-destruction handoff.
8.2 Void Manticore / Handala — the Stryker Operation
Impact figure. The device-wipe count is contested and must be stated with source discipline:
• ~80,000 devices — independent forensic assessment (FBI-seizure and Red Sheep Security reporting). Use this as the headline figure (Moderate confidence).
• 200,000+ devices across 79 countries — the Handala manifesto self-claim (echoed by SC World, Krebs on Security). Cite explicitly as an unverified adversary claim; do not treat as forensic fact.
Two-backdoor pre-positioning. Before the handoff to Handala/Void Manticore, MuddyWater pre-positioned two implants across U.S. and Israeli infrastructure — the Dindoor backdoor (undocumented at the time) and the Fakeset Python implant — across targets reported to include a U.S. bank, an airport operator, and a defense contractor. The destructive effect was then delivered through the Microsoft Intune MDM plane (no malware, no exploit — abuse of administrative access), underscoring KJ-7: the management and identity planes are the decisive terrain.
9. Detection & Defensive Recommendations
Recommendations are framework- and campaign-specific, ATT&CK-mapped, and framed as testable detections. Illustrative detection logic is provided for orientation; validate and tune against your telemetry before deployment.
9.1 SharePoint / ToolShell
• Rotate MachineKeys after patching (ValidationKey + DecryptionKey) and restart IIS; stolen keys survive patching (T1190, T1606).
• Alert on POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a Referer of /_layouts/SignOut.aspx.
9.2 Cavern Host Artifacts
• Flag uxtheme.dll loaded from C:\ProgramData\WinDir\ rather than System32 (T1574.002).
• Alert on mutexes matching MYMUTEX123HELLP*, and on WinDirStat.exe executing from C:\ProgramData\.
9.3 Network
• Detect the fixed Edge User-Agent (Chrome/146.0.0.0 … Edg/146.0.0.0) across all verbs from server/non-browser hosts (T1071.001).
• Hunt XOR-0x48 over Base64 HTTP bodies; alert on the subdomain-prefix masquerade pattern *.hospitalinstallation[.]com (T1573, T1071).
9.4 Identity / MDM Plane (highest leverage)
• Enforce FIDO2 / phishing-resistant MFA on all Global Administrator and Intune-privileged accounts (T1078).
• Enable Multi-Admin Approval (MAA) for bulk device actions; audit Intune API logs for bulk-wipe commands issued outside change windows (T1531, T1485).
9.5 LDAP / Active Directory
• Correlate repeated internal LDAP bind failures (Cavern ode.dll, delayed/break-on-success brute force) with SMB brute force (n-ten.dll) from the same host (T1110, T1087.002).
10. Intelligence Gaps & Collection Requirements
Stated as clearly as the judgments they qualify. Each gap is paired with a collection requirement to guide forward tasking.
11. Outlook (12-Month)
• The group will very likely deepen RMM and supply-chain access development, given its demonstrated payoff and low custom-malware cost (Moderate confidence).
• Destructive effect will likely continue to be delivered through the identity/MDM plane rather than bespoke wipers, because it requires no malware and defeats endpoint controls (Moderate confidence).
• Cavern will likely gain modules (closing the 5xx/6xx/7xx gap) and further anti-analysis hardening; expect continued productization of ad-hoc tradecraft (Moderate confidence).
• Opportunistic n-day exploitation of public-facing applications will almost certainly persist as a parallel access stream alongside phishing (High confidence).









