THREAT OPS › Threat News › Cavern Manticore: Exposing Iran-Linked Modular C2 Framework
Cavern Manticore: Exposing Iran-Linked Modular C2 Framework
<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> <p><strong>Note:</strong><em> </em>SysAid was not compromised, and no SysAid vulnerability was involved. The attacker had already gained access to the victim environment and abused a legitimate software-deployment feature to deploy malware onto another machine within it.</p>
<hr class="wp-block-separator has-alpha-
Attributed threat actors
- OilRigG0049
- HEXANEG1001
- MuddyWaterG0069
MITRE ATT&CK techniques
Indicators of compromise
- 37e123bd7998af4eae32718ce254776f36365a80ba56952593dab46f536d4066sha256
- 92cae0ad7f98f51a14bcc0ee05e372ebdc29ea96ea7bd161bd3f55198767603bsha256
- 5dc08bda6919a57a85e5f38b857985fa71529ca39c8299868d5a49a987e19b18sha256
- a4aa217def4c38f4ecacdf47b1cd687f60cc74c18ab75195be3c4357a790bf41sha256
- b630c96d3763182533d4fb9b614134382bd644cb02c6c1c3ade848b6ecc31e86sha256
- 8e9425c0b46eeb516610ae913d13f2b3f44a023043cb099277031d4ec38a6134sha256
- 0a3663648a46771a5a5423ad01e91a4e7ba825595e99fa934cb35cbb4848adc8sha256
- 5394d3b220de4695f731647e3a70545f951a8912ceb0c6585efab8d6842e8b42sha256
- 30cb4679c4b8599eeb3d63a551716475c6332bdc4d4b4e3de0964aadb3092a10sha256
- 2cb1ad3b22db8e3666ea138fee88034a87a87cf43db3d3265a675ebf221379b0sha256
- 7d586fb7f94182a8e2a0e53c7e4deb898066da029da5cd9972a94a59ca6d255asha256
- 541b1f417b9e42078c3355693a8a492b6a76048850f6549a429e0be99e6819cbsha256
- cbc9485db715e1b8cc384fe94b4cceadca4006cda8a5e28adc8848529cfafc93sha256
- ccf218189c3aadb1c761da14bfda3bae686769031e1e1b10007648bd72e34748sha256
- 0813a307e19b696c19cab43ee0c768c2md5
- https://malpedia.caad.fkie.fraunhofer.de/actor/muddywaterurl
- https://malpedia.caad.fkie.fraunhofer.de/actor/lyceumurl
- https://www.sysaid.comurl
- https://blog.washi.dev/posts/recovering-nativeaot-metadata/url
- https://<adserviceupdate.com|hygienehistory.com>/cac.aspxurl
- https://adserviceupdate.com/cac.aspxurl
- https://hygienehistory.com/cac.aspxurl
- 146.0.0.0ipv4
- auth.hospitalinstallation.comdomain
- google.com.hospitalinstallation.comdomain
- hospitalinstallation.comdomain