Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Since early 2026, Check Point Research (CPR) has tracked a new modular command-and-control framework used by Cavern Manticore... Cavern is a modular post-exploitation C2 framework built entirely on .NET...
Since early 2026, Check Point Research (CPR) has tracked a new modular command-and-control framework used by Cavern Manticore... Cavern is a modular post-exploitation C2 framework built entirely on .NET...
Since early 2026, Check Point Research (CPR) has tracked a new modular command-and-control framework used by Cavern Manticore... Cavern is a modular post-exploitation C2 framework built entirely on .NET...
22 distinct techniques documented for this family, organized by ATT&CK tactic.
The recovered execution chain begins with SysAid’s software update feature, which the actor leverages to deploy a WinDirStat DLL sideloading package to C:\ProgramData\WinDir\WinDirStat.exe . The legitimate WinDirStat.exe binary loads the trojanized uxtheme.dll , which is the Cavern Agent
whether the payload is XORed with key 0x48 ... Base64 is applied on top of XOR only for the HTTP transport
Newer agent builds perform aggressive directory cleanup on first startup: they enumerate all files and subdirectories in the working directory and delete everything except the Communication Module ... the configuration file ... and log files.
The recovered execution chain begins with SysAid’s software update feature, which the actor leverages to deploy a WinDirStat DLL sideloading package to C:\ProgramData\WinDir\WinDirStat.exe . The legitimate WinDirStat.exe binary loads the trojanized uxtheme.dll , which is the Cavern Agent
LDAP_BRUTE = 407 ... LDAP brute-force ... The NetUseBrute function iterates over operator-supplied credential pairs
NET_INTERFACES = 1102 ... network interfaces ... NET_IP_CONFIG = 1103 ... IP configuration ... NET_ARP_TABLE = 1501
The network module is compiled as NativeAOT and provides network reconnaissance , port scan , share enumeration , and SMB brute-force .
LDAP_ALL_GROUPS = 402 ... enumerate all groups ... LDAP_GROUP_MEMBER = 404 ... group members
The file manager module implements... drive/file/directory enumeration, recursive file search with content matching
The communication module n-HTCommp.dll parses the verb , performs the network operation , and returns the result... Each verb maps to a distinct network operation
The tunnel module implements a full SOCKS5 proxy and WebSocket / WSS tunnel in both server and client modes. | Each verb maps to a distinct network operation... get HTTP GET ... send HTTP POST ... upload HTTP POST multipart/form-data
The tunnel module implements a full SOCKS5 proxy and WebSocket / WSS tunnel in both server and client modes.
14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.