Threat Summary
Current OTX Pulse data highlights a convergence of distinct high-threat activities spanning credential theft, academic sector espionage, and nation-state supply chain attacks. The primary threats include the Salat Stealer infostealer campaign distributing Go-based malware for surveillance and data exfiltration, and UNK_MassTraction, a suspected China-aligned cluster actively exploiting Roundcube webmail servers at US and Canadian universities to deploy webshells (SquareShell/VShell). Simultaneously, Cavern Manticore, an Iran-nexus actor, is leveraging supply chain compromises (specifically SysAid) and a sophisticated .NET/Native AOT modular C2 framework to target Israeli government and technology sectors. Collectively, these campaigns demonstrate a high volume of exploitation attempts against critical infrastructure, academia, and government entities.
Threat Actor / Malware Profile
Salat Stealer (Unknown Actor)
- Type: Information Stealer (Go-based)
- Distribution: Bundled with legitimate-looking software, often associated with game cheats or utilities.
- Behavior: Conducts deep system reconnaissance to steal browser credentials, cryptocurrency wallets, and session tokens from Discord and Steam. Unique capabilities include desktop streaming and capturing audio/video via microphone and webcam.
- Evasion: Written in Go language to hinder analysis; includes Windows Defender evasion techniques.
UNK_MassTraction (China-Aligned)
- Type: APT / Webshell Deployment
- Targeting: Physics and engineering departments in North American universities.
- Methodology: Exploits n-day vulnerabilities in Roundcube mail servers (CVE-2023-2868, CVE-2024-42009, CVE-2025-49113).
- Payload: Deploys SquareShell or VShell webshells to maintain persistence in server memory and facilitate credential theft.
Cavern Manticore (Iran-Nexus)
- Type: Modular C2 Framework
- Targeting: Israeli Government and IT sectors.
- Methodology: Supply chain compromise via SysAid, abuse of Remote Monitoring and Management (RMM) tools, and DLL sideloading.
- Technical: Uses a framework built on .NET compiled into Mixed-Mode C++/CLI and Native AOT, creating significant anti-analysis challenges. Modules include MOIS and various post-exploitation capabilities.
IOC Analysis
The provided IOCs include a mix of infrastructure and artifacts:
- File Hashes (SHA256, MD5, SHA1): Multiple hashes for Salat Stealer samples and Cavern Manticore payloads. SOC teams should immediately search endpoint detection logs (EDR) and SIEM data for these specific hash values to identify compromise.
- Network Infrastructure (IPv4, URLs): Indicators include
45.86.229.111,194.213.18.133, and45.150.109.151(hosting a suspicious JQuery script on port 23088). Firewalls and proxies should block these IPs and the specific domainauth.hospitalinstallation.com. - CVEs: Exploitation attempts for CVE-2023-2868, CVE-2024-42009, and CVE-2025-49113 are key signals of UNK_MassTraction activity. Web server logs must be scanned for patterns associated with these vulnerabilities.
Detection Engineering
Sigma Rules
title: Potential Salat Stealer Execution
description: Detects potential execution of Salat Stealer based on process characteristics and access to sensitive wallet/credential paths often targeted by this Go-based stealer.
status: experimental
date: 2026/07/07
author: Security Arsenal
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\salat.exe'
- '\xeno.exe'
# Generic Go binary heuristic often used by stealers
selection_go:
Company|contains: 'Unknown'
Image|endswith: '.exe'
condition: 1 of selection*
falsepositives:
- Legitimate game utilities if named similarly
level: high
tags:
- attack.credential_access
- attack.collection
---
title: Roundcube Webshell Exploitation Attempt (UNK_MassTraction)
description: Detects exploitation of Roundcube vulnerabilities associated with UNK_MassTraction (CVE-2023-2868, CVE-2024-42009) leading to potential webshell upload.
status: experimental
date: 2026/07/07
author: Security Arsenal
logsource:
product: apache
service: access
detection:
selection_uri:
cs-uri-query|contains:
- '_plugin'
- 'handler='
selection_exploit:
cs-uri-query|contains:
- 'wget'
- 'curl'
- 'echo base64'
condition: all of selection*
falsepositives:
- Legitimate plugin testing
level: critical
tags:
- attack.initial_access
- attack.webshell
---
title: Cavern Manticore SysAid or Native AOT Suspicious Execution
description: Detects suspicious execution patterns associated with Cavern Manticore, including Native AOT binaries or unusual rundll32 execution linked to SysAid directories.
status: experimental
date: 2026/07/07
author: Security Arsenal
logsource:
category: process_creation
product: windows
detection:
selection_sysaid:
Image|contains: 'SysAid'
Image|endswith: '.exe'
CommandLine|contains: 'rundll32'
selection_native:
# Heuristic for potential Native AOT compilation artifacts (often lack standard .NET metadata)
Image|endswith: '.exe'
CommandLine|contains: 'dllhost'
Company: 'Microsoft Corporation'
condition: 1 of selection*
falsepositives:
- Legitimate SysAid updates
level: high
tags:
- attack.persistence
- attack.defense_evasion
KQL (Microsoft Sentinel)
// Hunt for Salat Stealer and Cavern Manticore File Hashes
let Hashes = dynamic([
"60118ba6124480d1c28b3d30f380aa64030418ba1774e8437f9cfae5ea191271",
"075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde",
"a02f124c5ce4180bd130a62ee03262f399c33491de3aed36e0b15155ae4926c0",
"0a3663648a46771a5a5423ad01e91a4e7ba825595e99fa934cb35cbb4848adc8"
]);
DeviceProcessEvents
| where SHA256 in Hashes or MD5 in Hashes or SHA1 in Hashes
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, AccountName, InitiatingProcessFileName
// Hunt for UNK_MassTraction C2 Infrastructure
let C2_IPs = dynamic(["45.86.229.111", "194.213.18.133", "45.150.109.151"]);
DeviceNetworkEvents
| where RemoteIP in C2_IPs
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, LocalIP
PowerShell Hunt Script
# Check for presence of Salat Stealer and Cavern Manticore File Hashes
$TargetHashes = @(
"60118ba6124480d1c28b3d30f380aa64030418ba1774e8437f9cfae5ea191271",
"075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde",
"7376aaca33eab974ec527d44753d8016c1d305e2db935189a91a57b0ecbb3ccd",
"d6c7ca66c4fef2bf7c62261f58f2f6ab",
"7e6f8597028e4dc2ff63ed330f989fe9dbca3093",
"347e3ef094831fd280628c711804603f695b020e365606174a6ba118ebf56cff",
"742be0bf09856460bc85f9674d6914c7",
"3711d405a68a926f73df57c886845a1c7928b778",
"a02f124c5ce4180bd130a62ee03262f399c33491de3aed36e0b15155ae4926c0",
"a9336884e006503bc821f3f0d36f141f",
"d0bba7c040ecffd8cc31a62330a144eb",
"0f57a2bb4c0696170b73e2d35f17c5a6f2f910d7",
"843d2017c4ded1dbb694dd4bf20bcd9e92af92f6",
"0a3663648a46771a5a5423ad01e91a4e7ba825595e99fa934cb35cbb4848adc8",
"2cb1ad3b22db8e3666ea138fee88034a87a87cf43db3d3265a675ebf221379b0",
"30cb4679c4b8599eeb3d63a551716475c6332bdc4d4b4e3de0964aadb3092a10"
)
Write-Host "Scanning for known malicious file hashes..."
$DrivesToScan = @("C:\")
foreach ($Drive in $DrivesToScan) {
Write-Host "Scanning $Drive..."
Get-ChildItem -Path $Drive -Recurse -ErrorAction SilentlyContinue |
Where-Object { !$_.PSIsContainer } |
ForEach-Object {
$File = $_
try {
$Hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
if ($TargetHashes -contains $Hash) {
Write-Host "[!] MALICIOUS FILE FOUND: $($File.FullName) | Hash: $Hash" -ForegroundColor Red
}
} catch {
# Ignore permission errors
}
}
}
# Check for network connections to UNK_MassTraction C2 IPs
$MaliciousIPs = @("45.86.229.111", "194.213.18.133", "45.150.109.151")
$Connections = Get-NetTCPConnection -State Established
foreach ($IP in $MaliciousIPs) {
$Match = $Connections | Where-Object { $_.RemoteAddress -eq $IP }
if ($Match) {
Write-Host "[!] SUSPICIOUS CONNECTION DETECTED to $IP on local port $($Match.LocalPort)" -ForegroundColor Yellow
}
}
Response Priorities
-
Immediate:
- Block all listed IPv4 addresses and the domain
auth.hospitalinstallation.comon perimeter firewalls and proxies. - Scan endpoints for the listed file hashes associated with Salat Stealer and Cavern Manticore.
- Analyze web server logs (Roundcube) for exploitation attempts related to CVE-2023-2868, CVE-2024-42009, and CVE-2025-49113.
- Block all listed IPv4 addresses and the domain
-
24 Hours:
- If evidence of Salat Stealer is found, force password resets for all browser-stored credentials and cryptocurrency wallets.
- Isolate hosts identified as communicating with the UNK_MassTraction C2 infrastructure.
- Initiate forensic analysis on SysAid servers for signs of Cavern Manticore persistence.
-
1 Week:
- Patch Roundcube instances to the latest stable version to mitigate against n-day exploits.
- Review and restrict RMM tool usage and permissions to prevent abuse by Cavern Manticore.
- Implement strict application allowlisting for web directories to prevent webshell upload and execution.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.