Cavern Manticore abuse of SysAid software deployment

Confirmed
Discovered Jul 6, 2026

Defender-focused assessment of SysAid software update deployment feature.

0
Affected Packages
10
Observables
1
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Current dossier state
needs review
Last verified
Not yet independently verified
Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
Observed fact
Direct-source and cited evidence only.
Informed inference
Analysis is labelled where evidence is indirect.
Unknown
Unverified scope remains explicitly open.
uxtheme[.]dll
C:\ProgramData\WinDir\WinDirStat[.]exe
Cavern Manticore
n-HTCommp[.]dll
n-HTCommp[.]dll

Analysis

Executive Summary

Check Point Research explicitly states that SysAid was not compromised and no SysAid vulnerability was involved. After gaining access to victim environments, Cavern Manticore abused the legitimate SysAid software-update feature to deploy a WinDirStat DLL-sideloading package. WinDirStat.exe loaded a trojanized uxtheme.dll Cavern Agent, which loaded n-HTCommp.dll for command and control and operator-selected modules. CPR also observed initial footholds through existing RMM software in multiple intrusions. [1]

The public evidence supports a high-confidence incident, but does not support filling every missing artifact, actor, victim, or infrastructure field. Unknown values below remain explicit. [1]

Key Facts

Analysis table
FactValue
Affected artifactSysAid software update deployment feature
Ecosystementerprise-rmm
Malicious versions/referenceSysAid deployment feature version unknown
Disclosure2026-07-06
Immediate actionPreserve evidence, disable the affected path, revoke exposed identities, and audit downstream use

Evidence Assessment

Analysis table
AssessmentClaim
ConfirmedCheck Point Research explicitly states that SysAid was not compromised and no SysAid vulnerability was involved. After gaining access to victim environments, Cavern Manticore abused the legitimate SysAid software-update feature to deploy a WinDirStat DLL-sideloading package. WinDirStat.exe loaded a trojanized uxtheme.dll Cavern Agent, which loaded n-HTCommp.dll for command and control and operator-selected modules. CPR also observed initial footholds through existing RMM software in multiple intrusions. [1]
UnclearExact full victim scope, complete exposure window, and any indicators not listed in iocs.json.
Not observedNo additional attacker infrastructure is asserted beyond the source-backed values.

Impact Determination

Analysis table
ClassificationCriteriaRequired actionClosure gate
Confirmed compromiseMatching deployment/artifact plus unauthorized downstream activityIsolate, preserve, revoke, investigateNo persistence or unauthorized follow-on activity; affected identities rotated
ExposedMatching vendor/update/browser path without confirmed executionCollect deployment and access historyComplete inventory and negative evidence review
Not observedVerified clean deployment outside the evidenced window/pathDocument evidenceIndependent validation recorded

Minimum Evidence To Collect

  • Collect deployment/update and administrative audit logs from the affected control plane; they establish who changed or delivered the artifact.
  • Collect endpoint, application, proxy, and identity-provider telemetry from affected systems; they resolve execution and downstream access.
  • Preserve suspect files, bundles, caches, and configuration with hashes and UTC timestamps before remediation.
  • Record credential and session revocation evidence because exposed tokens or user signing context may remain useful after containment.

Timeline

  • 2026-07-06: Public source disclosure or reporting. [1]
  • Other exact timestamps not stated in the supplied sources remain unknown; incident teams should build a UTC timeline from their own logs.

What Happened

Check Point Research explicitly states that SysAid was not compromised and no SysAid vulnerability was involved. After gaining access to victim environments, Cavern Manticore abused the legitimate SysAid software-update feature to deploy a WinDirStat DLL-sideloading package. WinDirStat.exe loaded a trojanized uxtheme.dll Cavern Agent, which loaded n-HTCommp.dll for command and control and operator-selected modules. CPR also observed initial footholds through existing RMM software in multiple intrusions. [1]

Initial Access and Execution Trigger

Treat the vendor, deployment, update, or RMM control plane as an exposure boundary. Collect administrative audit logs, credential/token use, package or deployment history, target host inventories, and downstream access records; distinguish legitimate tool use from unauthorized deployment. [1]

Payload Behavior, Credentials, and Data

The source-backed impact is limited to the facts stated above. The machine-readable profile does not add unsupported malware infrastructure or hashes. [1]

Defense Evasion, Exfiltration, and Command and Control

Use only the source-backed selectors in iocs.json. Where those arrays are empty, hunt from deployment, identity, browser, and host telemetry instead of treating vendor or reporting domains as attacker infrastructure.

Affected Assets and Blast Radius

Prioritize systems that consumed SysAid software update deployment feature, their administrative identities, and connected downstream data or funds. Scope should be evidence-driven rather than assuming every customer was compromised.

Indicators of Compromise

See iocs.json. Confirmed selectors include: SysAid, Cavern Manticore, C:\ProgramData\WinDir\WinDirStat.exe, uxtheme.dll, n-HTCommp.dll, MYMUTEX123HELLP02, MYMUTEX123HELLP04. Empty IOC categories are intentionally omitted from this prose.

Detection and Hunting

Run scripts/hunt_cavern-manticore-sysaid-supply-chain.py opens in a new tab against exported CSV, JSON, JSONL, text, log, YAML, XML, JavaScript, or HAR evidence. It answers whether source-backed incident selectors occur in the collected scope. A match is a triage lead, not proof by itself; expected false positives include documentation and legitimate product references. Escalate by preserving the matched evidence, correlating deployment and identity timestamps, and reviewing downstream activity.

Downstream Abuse Audits

Review the identities at risk—SysAid/RMM administrative identities and victim-host credentials—for access after the earliest suspected exposure. Revoke active sessions/tokens first when continued misuse is plausible, then compare administrative, application, and transaction records to an approved baseline.

Remediation and Recovery Gates

  1. Preserve suspect artifacts, deployment metadata, logs, and UTC timestamps.
  2. Stop the affected integration, update, RMM, or browser delivery path.
  3. Isolate confirmed systems and disable compromised administrative identities.
  4. Revoke and rotate SysAid/RMM administrative identities and victim-host credentials.
  5. Remove malicious artifacts and persistence identified by evidence.
  6. Rebuild from independently verified artifacts when execution occurred.
  7. Audit downstream access and transactions for the full evidence-backed window.
  8. Restore only after clean deployment and cache/update validation.
  9. Close only when inventory is complete, tokens/sessions are invalidated, no persistence remains, and monitoring shows no follow-on activity.

Open Questions

  • What exact deployment, build, package, or vendor identity was altered?
  • What are the first and last confirmed exposure timestamps?
  • Which customers or systems have positive execution or downstream-abuse evidence?

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jul 6, 2026DiscoveryDiscovery recorded for Cavern Manticore abuse of SysAid software deployment.research.checkpoint.com
Jul 6, 2026Cavern Manticore abuse of SysAid software deploymentUnknownresearch.checkpoint.com
Jul 6, 2026First seenFirst seen recorded for Cavern Manticore abuse of SysAid software deployment.research.checkpoint.com
Jul 6, 2026DisclosureDisclosure recorded for Cavern Manticore abuse of SysAid software deployment.research.checkpoint.com

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

IOC Clipboard

10 IOCs
commanduxtheme.dll
commandC:\ProgramData\WinDir\WinDirStat.exe
commandCavern Manticore
file_pathn-HTCommp.dll
commandn-HTCommp.dll
commandMYMUTEX123HELLP04
commandSysAid
commandMYMUTEX123HELLP02
file_pathC:\ProgramData\WinDir\uxtheme.dll
file_pathC:\ProgramData\WinDir\WinDirStat.exe

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
Cavern Manticore abuse of SysAid software deployment exported-evidence scopePythonDo collected exports contain source-backed incident selectors?scripts/hunt_cavern-manticore-sysaid-supply-chain.py opens in a new tabresearch.checkpoint.com

Hunt Manifest: Cavern Manticore abuse of SysAid software deployment exported-evidence scope

Title
Cavern Manticore abuse of SysAid software deployment exported-evidence scope
Question
Do collected exports contain source-backed incident selectors?
Telemetry Family
Python
Repository
scripts/hunt_cavern-manticore-sysaid-supply-chain.py
Show tested hunting scriptscripts/hunt_cavern-manticore-sysaid-supply-chain.py
scripts/hunt_cavern-manticore-sysaid-supply-chain.py opens in a new tabPython
#!/usr/bin/env python3
"""Offline incident-specific selector hunt for cavern-manticore-sysaid-supply-chain."""
import json, os, sys
from pathlib import Path
SELECTORS=['SysAid', 'Cavern Manticore', 'C:\\ProgramData\\WinDir\\WinDirStat.exe', 'uxtheme.dll', 'n-HTCommp.dll', 'MYMUTEX123HELLP02', 'MYMUTEX123HELLP04']
TEXT_SUFFIXES={'.csv','.json','.jsonl','.txt','.log','.yaml','.yml','.xml','.js','.map','.har','.php','.ini','.conf'}
def scan(root):
 matches=[]
 paths=[root] if root.is_file() else root.rglob('*')
 for p in paths:
  if p.is_file() and (not p.suffix or p.suffix.lower() in TEXT_SUFFIXES):
   try:
    text=p.read_text(errors='ignore').lower()
   except OSError:
    continue
   hits=sorted(s for s in SELECTORS if s.lower() in text)
   if hits: matches.append({'path':str(p),'hits':hits})
 return matches
def main():
 root=Path(sys.argv[1] if len(sys.argv)>1 else '.'); matches=scan(root); report={'incident':'cavern-manticore-sysaid-supply-chain','match_count':len(matches),'matches':matches}
 out=Path(os.environ.get('OUT','hp-cavern-manticore-sysaid-supply-chain-hunt')); out.mkdir(parents=True,exist_ok=True); target=out/'report.json'; target.write_text(json.dumps(report,indent=2)); print(json.dumps({'match_count':len(matches),'report':str(target)})); return 2 if matches else 0
if __name__=='__main__': raise SystemExit(main())

Provenance & Sources

1 of 1 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
research.checkpoint.comSecurity Researcher95%1Defender-focused assessment of SysAid software update deployment feature.