Executive Summary
Check Point Research explicitly states that SysAid was not compromised and no SysAid vulnerability was involved. After gaining access to victim environments, Cavern Manticore abused the legitimate SysAid software-update feature to deploy a WinDirStat DLL-sideloading package. WinDirStat.exe loaded a trojanized uxtheme.dll Cavern Agent, which loaded n-HTCommp.dll for command and control and operator-selected modules. CPR also observed initial footholds through existing RMM software in multiple intrusions. [1]
The public evidence supports a high-confidence incident, but does not support filling every missing artifact, actor, victim, or infrastructure field. Unknown values below remain explicit. [1]