Cavern agents were observed in the wild using DLL sideloading, NativeAOT modules, AppDomain unloading, and low VirusTotal detection rates.

Cavern agents were observed in the wild using DLL sideloading, NativeAOT modules, AppDomain unloading, and low VirusTotal detection rates.

Once installed, the tool can infiltrate programs used to access other computers. Malware disguised as legitimate updates sent by the IT provider can be sent to the customer.

Iran-linked Cavern Manticore hackers used a modular C&C framework, likely built with AI assistance, to target Israeli government entities and IT providers.