Help AG’s Managed Security Services (MSS) team delivers 24x7x365 monitoring across complex enterprise environments, providing continuous visibility into emerging cybersecurity threats across the region.
Cavern Manticore Uses Legitimate RMM Tools in Multi-Stage Cyber Campaign
Researchers have identified Cavern, a sophisticated modular .NET-based command-and-control (C2) framework associated with the advanced persistent threat (APT) group Cavern Manticore. This group has been linked to an intelligence agency and shares operational characteristics with previously observed threat groups, including MuddyWater and Lyceum.
The framework primarily targets organisations across Asia, particularly IT service providers and government entities. It uses a multi-stage execution process involving Dynamic Link Library (DLL) sideloading, modular post-exploitation components, and Hypertext Transfer Protocol Secure (HTTPS) and WebSocket communications.
Cavern also uses multiple. NET compilation formats to make analysis and reverse engineering more difficult. Its capabilities include file and database management, Lightweight Directory Access Protocol (LDAP) enumeration, network reconnaissance, tunneling, and lateral movement.
Researchers have observed initial access through the misuse of legitimate Remote Monitoring and Management (RMM) software already deployed within affected environments.
Recommendations
- Patch and regularly update RMM software, such as SysAid.
- Monitor for suspicious DLL sideloading involving legitimate applications, such as WinDirStat.
- Restrict the execution of unsigned or unexpected DLL files through application control policies.
- Monitor outbound HTTP, HTTPS, and WebSocket traffic for abnormal Command-and-Control (C2) communications.
- Inspect network traffic for unusual Base64-encoded and XOR-obfuscated communications.
- Detect unauthorised loading or updating modules from remote C2 infrastructure.
- Monitor for LDAP enumeration, Server Message Block (SMB) brute-force attempts, port scanning, and network share enumeration.
- Audit the creation and use of SOCKS5 proxies or unauthorised tunneling activity.
- Enable Endpoint Detection and Response (EDR) solutions to detect post-exploitation activity and lateral movement.
- Restrict administrative privileges and enforce the principle of least privilege (PoLP).
Lupovis Detects Coordinated NetScaler Exploitation Campaign
Following the recent disclosure of CVE-2026-8451 affecting Citrix NetScaler, researchers observed active exploitation attempts targeting vulnerable appliances within 24 hours of the vulnerability being publicly disclosed.
Lupovis detected a coordinated scanning campaign originating from a single IP address and targeting multiple decoy sensors. Researchers also observed the successful delivery of a publicly available proof-of-concept exploit against NetScaler devices configured as Security Assertion Markup Language (SAML) Identity Providers (IdPs).
The campaign exploited the CVE-2026-8451 memory overread vulnerability, which can expose sensitive memory contents through the NSC_TASS cookie without authentication.
The speed at which exploitation activity emerged before the vulnerability was added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalogue, highlights the promptly patching affected NetScaler appliances, reviewing SAML-related activity, and monitoring environments for potential indicators of exploitation.
Recommendations
- Patch the affected Citrix NetScaler Application Delivery Controller (ADC) and Gateway versions to 14.1-72.61 or 13.1-63.18 immediately.
- Disable Security Assertion Markup Language (SAML) Identity Provider (IdP) functionality if immediate patching is not possible.
- Review logs for suspicious POST /saml/login requests since 30 June 2026.
- Decode and inspect SAMLRequest values for abnormal whitespace-padded payloads.
- Monitor for repeated automated requests using the python requests/2.32.5 User-Agent.
- Inspect NSC_TASS cookies for unexpected binary or memory data that may indicate successful exploitation.
- Restrict Internet exposure to Citrix NetScaler management interfaces where possible.
- Continue monitoring for new CitrixBleed-related exploitation attempts and apply future security updates promptly.
Microsoft Addresses Edge Security Vulnerability
Microsoft has released a security update addressing one medium-severity vulnerability in Microsoft Edge.
[Medium] CVE-2026-58523: Microsoft Edge (Chromium-based)- An improper access control vulnerability in Microsoft Edge for Android could allow an unauthorised attacker to bypass a security feature over a network.
Recommendations
- Ensure that all systems are patched and updated.
Google Addresses Multiple Chrome Vulnerabilities
Google has released six security fixes for Google Chrome, including two high-severity and four medium-severity vulnerabilities.
The update addresses the following vulnerabilities:
- [Medium] CVE-2026-14384 & CVE-2026-14396: Out-of-bounds read vulnerabilities in ANGLE that could allow remote attackers to expose cross-origin data through specially crafted HTML pages.
- [High] CVE-2026-14415: An inappropriate implementation vulnerability in V8 that could allow remote attackers to exploit heap corruption through crafted Hypertext Markup Language (HTML) pages after user interaction.
- [High] CVE-2026-14422: An out-of-bounds read and write vulnerability in Tint that could allow remote attackers to access memory outside the intended boundaries through crafted HTML pages.
- [Medium] CVE-2026-14410: An inappropriate implementation vulnerability in Skia could enable user interface spoofing following the compromise of renderer process.
- [Medium] CVE-2026-14381: An incorrect security user interface implementation vulnerability in WebAppInstalls that could allow remote attackers to perform spoofing.
Recommendations
- Ensure that all systems are patched and updated.
Cisco Addresses Multiple High-Severity Vulnerabilities
Cisco has released eight security fixes, all rated as high severity.
The update addresses the following vulnerabilities:
- [High] CVE-2026-20213, CVE-2026-20214, CVE-2026-20217, CVE-2026-20215, CVE-2026-20244, CVE-2026-20243, and CVE-2026-20216: Cisco Secure Endpoint
Multiple vulnerabilities in ClamAV file format parsers could allow unauthenticated remote attackers to cause a Denial-of-Service (DoS) condition or potentially other impacts
- The vulnerabilities are linked to memory corruption, improper boundary checks, integer overflow, and resource handling issues. Exploitation requires a specially crafted file to be submitted for scanning. An input validation vulnerability could allow an unauthenticated remote attacker to read arbitrary files from a restricted container by sending a specially crafted HTTP request.
- [High] CVE-2026-20191: Cisco Catalyst Center
Recommendations
- Ensure that all systems are patched and updated.
References
https://research.checkpoint.com/2026/cavern-manticore-exposing-iran-linked-modular-c2-framework/
https://www.lupovis.io/lupovis-insights/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58523
https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312[.]html
https://issues.chromium.org/issues/497543485
https://issues.chromium.org/issues/511737097
https://issues.chromium.org/issues/515086856
https://issues.chromium.org/issues/517225032
https://issues.chromium.org/issues/513836996
https://issues.chromium.org/issues/407283320
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-88cFYyxR
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-catc-file-read-wLH2vf8X









