LIVE · cybersecurity feed
apthigh

Cavern Manticore: Exposing Iran-Linked Modular C2 Framework

zeroday.news·2d ago
ShareXLinkedInWhatsAppFacebook

Check Point Research (CPR) has identified a sophisticated modular command-and-control (C2) framework named 'Cavern Manticore,' linked to an Iran-nexus threat actor. This group primarily targets Israeli organizations, with a particular focus on government entities and the IT sector. Cavern Manticore exhibits technical similarities to other Iran-linked groups, including MuddyWater and Lyceum, suggesting a connection to Iran's Ministry of Intelligence and Security (MOIS).

The framework is built upon a .NET foundation but distinguishes itself by compiling its various components into different output formats. These include standard .NET Framework, Mixed-Mode C++/CLI, and .NET Native AOT. This deliberate variation in compilation methods serves as an anti-analysis layer, forcing reverse engineers to employ multiple toolsets and complex metadata reconstruction workflows.

CPR observed both 'Cavern agents' and 'Cavern modules' in use, indicating a modular architecture. This design allows for flexibility, separating core communication capabilities from specialized post-exploitation functions. Attackers can tailor deployments to specific victim environments, limiting the information available to defenders and enabling extended access through specialized modules.

Initial access into victim networks was frequently achieved by exploiting legitimate Remote Monitoring and Management (RMM) software already deployed within the targeted organizations. In one observed instance, the attackers leveraged a software update feature within SysAid to deploy malware, though SysAid itself was not compromised, nor was a vulnerability in its software exploited.

The Cavern Agent, compiled as a Mixed-Mode C++/CLI DLL named 'uxtheme.dll,' exports numerous functions that mimic a legitimate Windows theming library. However, only one function, 'EnableThemeDialogTexture,' serves as the operational entry point, while others are inert stubs designed to mislead automated analysis tools.

Post-exploitation modules offer a wide range of capabilities, including file system and database browsing, LDAP querying, network reconnaissance, and tunneling. Specific modules identified include File Manager, SQL Browser, LDAP Module, Network Module, and Tunnel Module, each compiled in formats optimized for their function and evasion.

The framework's anti-analysis measures are robust. Beyond the varied compilation formats, it employs per-module AppDomain isolation as an anti-forensics technique. Many observed samples exhibit very low detection rates on VirusTotal, underscoring the effectiveness of its evasion strategies.

Analysis of the NativeAOT compiled modules, which presented the most significant challenge, required the development of specialized tools. These tools aid in reconstructing .NET type systems and recovering metadata from stripped binaries, enabling deeper investigation into the framework's operations.

aptc2 frameworkiranespionagemalware analysis
ShareXLinkedInWhatsAppFacebook
← Back to latest

More News

view all →
zeroday.news · 4h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 5h ago·high

Armored Likho Hits Government, Energy Sectors With BusySnake Stealer

Cybersecurity researchers have identified a new threat actor, dubbed Armored Likho, targeting government and energy sectors in Russia, Kazakhstan, and Brazil with a sophisticated phishing campaign. The operation utilizes a custom-built Python infostealer named BusySnake, designed to steal credentials, sensitive documents, and other high-value data. The attackers employ AI-generated payloads to obscure their activities and maintain persistence through various methods, including reverse SSH tunneling.

zeroday.news · 58m ago·high

Accenture Confirms Security Incident After Hacker Claims 35GB Source-Code Theft

Accenture has acknowledged a security incident after a threat actor advertised what they claim is stolen internal data. The attacker, using the alias "888", says they took more than 35GB of source code and cloud credentials from the consulting giant and are offering it for sale. Accenture says it has addressed the source of the issue and that its operations were not disrupted.

zeroday.news · 4h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 5h ago·high

Operationalizing Day Minus Seven: The Cloud-Native ROC

The article introduces the concept of a Risk Operations Center (ROC) as a necessary evolution for cybersecurity teams facing AI-driven threats. It argues that traditional risk management models are insufficient due to the speed at which AI can discover and exploit vulnerabilities, especially in cloud environments. A ROC, powered by platforms like Qualys Enterprise TruRisk Management (ETM), aims to unify disparate security findings, hyper-prioritize risks based on exploitability and business impact, and enable autonomous remediation to keep pace with attackers.

zeroday.news · 5h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.