Home/ Blog/ Security news/ Article
Blog · Security news

The new Cavern C2 needs no CVE. It abuses your IT provider's own tools to get in.

Check Point ties the Iran-linked Cavern C2 to intrusions that skip vulnerabilities entirely, abusing IT providers' own deployment tools. Why detection, not a

Trusted software parcel hiding a malicious thread moving across a chain of provider network nodes

There is nothing to patch here, and that is exactly why it is worth your time. An Iran-nexus group that Check Point Research calls Cavern Manticore has been operating inside Israeli IT providers and government networks since early 2026, and it got in without firing a single vulnerability. No CVE, no zero-day, no exposed service. The operators used software the victims already trusted, then moved down a chain of service providers to reach the organizations they were really after. If your response plan only wakes up when a CVE drops, you would never see this one coming.

A campaign built on trust, not a bug

Check Point attributes the activity to an Iran-nexus cluster it links to the country's Ministry of Intelligence and Security, with technical overlaps to two long-running Iranian operations, MuddyWater and Lyceum (assessed as a subgroup of OilRig). Independent reporting by The Hacker News lines up on the core facts: a modular remote-control framework, or C2, that had not been publicly documented before, which Check Point named Cavern and which is aimed at IT and government targets in Israel and the wider region. Attribution here is Check Point's assessment, not a confirmed government finding, so read it as strong analysis rather than settled fact.

The interesting part is not the malware. It is how the malware arrived. According to Check Point, the operators were already inside a victim environment, and from there they turned a deployment tool the victim already trusted into a delivery mechanism, using it to push a package onto another machine. Check Point is blunt on a point worth repeating, because a rushed headline reader will get it wrong: SysAid itself was not breached, and no flaw in SysAid was used. The deployment tool did precisely what it was built to do. The attacker was simply the one driving the console.

Why there is no CVE to wait for

The delivered package was WinDirStat, a real disk-usage utility, dropped at C:\ProgramData\WinDir\WinDirStat.exe. The signed, legitimate executable then side-loads a malicious uxtheme.dll, and that DLL is the Cavern Agent. This is DLL side-loading (MITRE ATT&CK T1574.002): a trusted binary is coaxed into loading an attacker's library from its own folder. Nothing about WinDirStat.exe is malicious, which is the entire point. An allowlist waves it through, and the hostile code runs under a good name.

How a Cavern intrusion unfolds, and where a defender can catch it
  1. 1Attacker, already inside, abuses a trusted deployment tool to push a packageDetection point
  2. 2Signed WinDirStat.exe side-loads a malicious uxtheme.dll (the Cavern Agent)Detection point
  3. 3Agent calls out to C2 over HTTPS or WebSocket and pulls native modulesDetection point
  4. 4Modules run AD recon, SQL theft, file collection and SOCKS5 tunnelingDetection point
Reconstructed from Check Point Research, July 2026

Once running, the agent reaches out to its C2 and pulls native modules on demand. Check Point recovered five of them, and the capability list reads like a full intrusion kit rather than a single-purpose implant:

ModuleWhat it gives the operator
mhm.dllSteals files, decrypts DPAPI secrets, bundles archives
db.dllReads and tampers with SQL databases
ode.dllMaps Active Directory over LDAP, then brute-forces it
n-ten.dllScans the network, brute-forces SMB
n-sws.dllOpens a SOCKS5 proxy, tunnels over WebSocket
The five post-exploitation modules Check Point recovered from Cavern. Naming and functions per Check Point Research.

Check Point counts 61 command IDs across those modules. Together they can tunnel traffic through a SOCKS5 proxy, decrypt Windows DPAPI secrets, and brute-force Active Directory. The agent talks to its controller over HTTPS or WebSocket, with a fixed browser User-Agent and a simple XOR obfuscation (key 0x48) over the payloads. The controller domain in recent activity was hospitalinstallation[.]com, at times dressed up to look like a Google subdomain so it survives a quick glance at proxy logs.

The signature detail: it is built to score zero

Here is the claim I would put money on being buried under the day-one recap. Cavern's authors compiled the same framework three different ways on purpose: plain .NET, mixed-mode C++/CLI, and NativeAOT. Each format forces a reverse engineer into a different toolset, and the NativeAOT builds strip their symbols and materialize strings only at runtime. Check Point notes that most of the samples it saw score zero or near-zero on VirusTotal.

Treat that as an instruction, not a curiosity. If the payload is engineered to defeat file reputation, then file reputation is not your detection. Any control that waits for a known-bad hash or a matching signature has already lost this fight. The detection budget has to move to behavior: what loaded, from where, and what it did next.

Why an IT provider should read this as a direct threat

The multi-hop path is the part that should keep managed-service and hosting operators up at night. Check Point observed the actor moving from one compromised IT provider to a second provider before reaching the intended target. If you run infrastructure for other companies, you are not a bystander in a campaign like this. You are the road it travels.

That reframes a comforting line a lot of providers tell themselves. "We were not the target" is not the same as "we were not compromised." An intruder can sit inside your estate for the sole purpose of using your trusted deployment channel as a delivery van to your customers, and your own data can stay untouched the whole time. The blast radius is every downstream client who trusts a push that appears to come from you.

What to actually watch tonight

Because there is no patch, the work is all detection and hardening. Concrete places to look:

  • Your deployment and remote-management tools are a privileged execution channel. Treat them like one. Alert on software-push jobs that fire outside a change window, and on unexpected packages landing on hosts (a WinDirStat install nobody requested is a fine example).
  • Hunt for DLL side-loading. An unsigned DLL loading next to a signed executable, especially under C:\ProgramData, is the tell. Watch for uxtheme.dll loading from non-system paths.
  • Judge behavior, not hashes. LDAP brute-force, SMB scanning, and a SOCKS5 proxy running from an ordinary workstation are all abnormal, whatever a file scanner reports.
  • Read the network shape. A fixed User-Agent paired with XOR-encoded payloads, or an ASP.NET handler such as cac.aspx appearing on a web server, are each worth a hunt.

None of that depends on knowing the next domain or the next hash. That is the whole value of behavioral detection, and it is the only thing that holds up against a framework rebuilt specifically to stay off the radar. We have made the same argument about other implants engineered to blind the tools meant to catch them, from EDR killers that now ship as products to C2 that hides inside Microsoft Teams traffic. The pattern is steady: when the payload is invisible, the activity is not.

The takeaway

Cavern is a reminder that the perimeter for a managed-infrastructure business is no longer just the firewall. It is the management plane itself, the deployment console and the remote-access tooling that quietly run code across every host you touch. Iran-nexus operators have decided that path is worth the effort, and they built a framework specifically to travel it without tripping the alarms most shops still rely on. The providers that see this coming will be the ones already watching their own tools as closely as they watch the front door. For a related case where attackers walk in with no CVE at all, see our write-up on Scattered Spider and the help desk.

Topics

Frequently asked questions

Is there a patch for the Cavern C2 framework?

No. Cavern Manticore does not exploit a vulnerability, so there is no CVE and no patch to apply. Check Point reports the operators abuse legitimate deployment tools and DLL side-loading, which means defense is detection and hardening: watch your management tooling and hunt for unsigned DLLs loading beside signed binaries.

Was SysAid compromised in the Cavern attacks?

No. Check Point states plainly that SysAid was not breached and no SysAid vulnerability was involved. The attacker was already inside the victim network and abused a legitimate software-deployment feature to push malware to another machine, using the tool as designed rather than exploiting a flaw in it.

Who is behind Cavern Manticore?

Check Point attributes the campaign to an Iran-nexus cluster it links to Iran's Ministry of Intelligence and Security, with technical overlaps to the MuddyWater and Lyceum groups. Targeting has centered on Israeli IT providers and government bodies since early 2026. This attribution is Check Point's assessment, not a confirmed government finding.

Why do antivirus scanners miss the Cavern malware?

The framework is compiled three different ways, including NativeAOT builds that strip symbols and hide strings until runtime. Check Point found most samples score zero or near-zero on VirusTotal. Signature and file-reputation tools are unreliable against it, so detection should focus on behavior: DLL loads, deployment activity, and network patterns.

How can defenders detect Cavern activity?

Focus on behavior rather than known indicators. Alert on deployment jobs outside change windows, unsigned DLLs loading beside signed binaries under C:
rogramData, LDAP brute-force, SMB scanning, and SOCKS5 proxying from a workstation. Check Point also flags a fixed User-Agent with XOR-encoded traffic and an ASP.NET handler named cac.aspx on web servers.

Why does the Cavern campaign matter to IT and hosting providers?

Check Point observed the actor hopping from one compromised IT provider to another before reaching the real target. If you run infrastructure for other companies, your trusted deployment channel can become a delivery path to your customers, even when your own data is never touched. Being a conduit is still being breached.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.