Back to Intelligence

Salat Stealer, UNK_MassTraction & Cavern Manticore: OTX Pulse Analysis — Multi-Vector APT Campaigns

SA
Security Arsenal Team
July 7, 2026
6 min read

Threat Summary

Current OTX Pulse data highlights a convergence of distinct high-threat activities spanning credential theft, academic sector espionage, and nation-state supply chain attacks. The primary threats include the Salat Stealer infostealer campaign distributing Go-based malware for surveillance and data exfiltration, and UNK_MassTraction, a suspected China-aligned cluster actively exploiting Roundcube webmail servers at US and Canadian universities to deploy webshells (SquareShell/VShell). Simultaneously, Cavern Manticore, an Iran-nexus actor, is leveraging supply chain compromises (specifically SysAid) and a sophisticated .NET/Native AOT modular C2 framework to target Israeli government and technology sectors. Collectively, these campaigns demonstrate a high volume of exploitation attempts against critical infrastructure, academia, and government entities.

Threat Actor / Malware Profile

Salat Stealer (Unknown Actor)

  • Type: Information Stealer (Go-based)
  • Distribution: Bundled with legitimate-looking software, often associated with game cheats or utilities.
  • Behavior: Conducts deep system reconnaissance to steal browser credentials, cryptocurrency wallets, and session tokens from Discord and Steam. Unique capabilities include desktop streaming and capturing audio/video via microphone and webcam.
  • Evasion: Written in Go language to hinder analysis; includes Windows Defender evasion techniques.

UNK_MassTraction (China-Aligned)

  • Type: APT / Webshell Deployment
  • Targeting: Physics and engineering departments in North American universities.
  • Methodology: Exploits n-day vulnerabilities in Roundcube mail servers (CVE-2023-2868, CVE-2024-42009, CVE-2025-49113).
  • Payload: Deploys SquareShell or VShell webshells to maintain persistence in server memory and facilitate credential theft.

Cavern Manticore (Iran-Nexus)

  • Type: Modular C2 Framework
  • Targeting: Israeli Government and IT sectors.
  • Methodology: Supply chain compromise via SysAid, abuse of Remote Monitoring and Management (RMM) tools, and DLL sideloading.
  • Technical: Uses a framework built on .NET compiled into Mixed-Mode C++/CLI and Native AOT, creating significant anti-analysis challenges. Modules include MOIS and various post-exploitation capabilities.

IOC Analysis

The provided IOCs include a mix of infrastructure and artifacts:

  • File Hashes (SHA256, MD5, SHA1): Multiple hashes for Salat Stealer samples and Cavern Manticore payloads. SOC teams should immediately search endpoint detection logs (EDR) and SIEM data for these specific hash values to identify compromise.
  • Network Infrastructure (IPv4, URLs): Indicators include 45.86.229.111, 194.213.18.133, and 45.150.109.151 (hosting a suspicious JQuery script on port 23088). Firewalls and proxies should block these IPs and the specific domain auth.hospitalinstallation.com.
  • CVEs: Exploitation attempts for CVE-2023-2868, CVE-2024-42009, and CVE-2025-49113 are key signals of UNK_MassTraction activity. Web server logs must be scanned for patterns associated with these vulnerabilities.

Detection Engineering

Sigma Rules

YAML
title: Potential Salat Stealer Execution
description: Detects potential execution of Salat Stealer based on process characteristics and access to sensitive wallet/credential paths often targeted by this Go-based stealer.
status: experimental
date: 2026/07/07
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\salat.exe'
      - '\xeno.exe' 
    # Generic Go binary heuristic often used by stealers
  selection_go:
    Company|contains: 'Unknown'
    Image|endswith: '.exe'
  condition: 1 of selection*
falsepositives:
  - Legitimate game utilities if named similarly
level: high
tags:
  - attack.credential_access
  - attack.collection
---
title: Roundcube Webshell Exploitation Attempt (UNK_MassTraction)
description: Detects exploitation of Roundcube vulnerabilities associated with UNK_MassTraction (CVE-2023-2868, CVE-2024-42009) leading to potential webshell upload.
status: experimental
date: 2026/07/07
author: Security Arsenal
logsource:
  product: apache
  service: access
detection:
  selection_uri:
    cs-uri-query|contains:
      - '_plugin'
      - 'handler='
  selection_exploit:
    cs-uri-query|contains:
      - 'wget'
      - 'curl'
      - 'echo base64'
  condition: all of selection*
falsepositives:
  - Legitimate plugin testing
level: critical
tags:
  - attack.initial_access
  - attack.webshell
---
title: Cavern Manticore SysAid or Native AOT Suspicious Execution
description: Detects suspicious execution patterns associated with Cavern Manticore, including Native AOT binaries or unusual rundll32 execution linked to SysAid directories.
status: experimental
date: 2026/07/07
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_sysaid:
    Image|contains: 'SysAid'
    Image|endswith: '.exe'
    CommandLine|contains: 'rundll32'
  selection_native:
    # Heuristic for potential Native AOT compilation artifacts (often lack standard .NET metadata)
    Image|endswith: '.exe'
    CommandLine|contains: 'dllhost'
    Company: 'Microsoft Corporation'
  condition: 1 of selection*
falsepositives:
  - Legitimate SysAid updates
level: high
tags:
  - attack.persistence
  - attack.defense_evasion

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Salat Stealer and Cavern Manticore File Hashes
let Hashes = dynamic([
    "60118ba6124480d1c28b3d30f380aa64030418ba1774e8437f9cfae5ea191271", 
    "075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde",
    "a02f124c5ce4180bd130a62ee03262f399c33491de3aed36e0b15155ae4926c0",
    "0a3663648a46771a5a5423ad01e91a4e7ba825595e99fa934cb35cbb4848adc8"
]);
DeviceProcessEvents
| where SHA256 in Hashes or MD5 in Hashes or SHA1 in Hashes
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, AccountName, InitiatingProcessFileName

// Hunt for UNK_MassTraction C2 Infrastructure
let C2_IPs = dynamic(["45.86.229.111", "194.213.18.133", "45.150.109.151"]);
DeviceNetworkEvents
| where RemoteIP in C2_IPs
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, LocalIP

PowerShell Hunt Script

PowerShell
# Check for presence of Salat Stealer and Cavern Manticore File Hashes

$TargetHashes = @(
    "60118ba6124480d1c28b3d30f380aa64030418ba1774e8437f9cfae5ea191271",
    "075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde",
    "7376aaca33eab974ec527d44753d8016c1d305e2db935189a91a57b0ecbb3ccd",
    "d6c7ca66c4fef2bf7c62261f58f2f6ab",
    "7e6f8597028e4dc2ff63ed330f989fe9dbca3093",
    "347e3ef094831fd280628c711804603f695b020e365606174a6ba118ebf56cff",
    "742be0bf09856460bc85f9674d6914c7",
    "3711d405a68a926f73df57c886845a1c7928b778",
    "a02f124c5ce4180bd130a62ee03262f399c33491de3aed36e0b15155ae4926c0",
    "a9336884e006503bc821f3f0d36f141f",
    "d0bba7c040ecffd8cc31a62330a144eb",
    "0f57a2bb4c0696170b73e2d35f17c5a6f2f910d7",
    "843d2017c4ded1dbb694dd4bf20bcd9e92af92f6",
    "0a3663648a46771a5a5423ad01e91a4e7ba825595e99fa934cb35cbb4848adc8",
    "2cb1ad3b22db8e3666ea138fee88034a87a87cf43db3d3265a675ebf221379b0",
    "30cb4679c4b8599eeb3d63a551716475c6332bdc4d4b4e3de0964aadb3092a10"
)

Write-Host "Scanning for known malicious file hashes..."

$DrivesToScan = @("C:\")

foreach ($Drive in $DrivesToScan) {
    Write-Host "Scanning $Drive..."
    Get-ChildItem -Path $Drive -Recurse -ErrorAction SilentlyContinue | 
    Where-Object { !$_.PSIsContainer } | 
    ForEach-Object {
        $File = $_
        try {
            $Hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            if ($TargetHashes -contains $Hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($File.FullName) | Hash: $Hash" -ForegroundColor Red
            }
        } catch {
            # Ignore permission errors
        }
    }
}

# Check for network connections to UNK_MassTraction C2 IPs
$MaliciousIPs = @("45.86.229.111", "194.213.18.133", "45.150.109.151")
$Connections = Get-NetTCPConnection -State Established

foreach ($IP in $MaliciousIPs) {
    $Match = $Connections | Where-Object { $_.RemoteAddress -eq $IP }
    if ($Match) {
        Write-Host "[!] SUSPICIOUS CONNECTION DETECTED to $IP on local port $($Match.LocalPort)" -ForegroundColor Yellow
    }
}

Response Priorities

  • Immediate:

    • Block all listed IPv4 addresses and the domain auth.hospitalinstallation.com on perimeter firewalls and proxies.
    • Scan endpoints for the listed file hashes associated with Salat Stealer and Cavern Manticore.
    • Analyze web server logs (Roundcube) for exploitation attempts related to CVE-2023-2868, CVE-2024-42009, and CVE-2025-49113.
  • 24 Hours:

    • If evidence of Salat Stealer is found, force password resets for all browser-stored credentials and cryptocurrency wallets.
    • Isolate hosts identified as communicating with the UNK_MassTraction C2 infrastructure.
    • Initiate forensic analysis on SysAid servers for signs of Cavern Manticore persistence.
  • 1 Week:

    • Patch Roundcube instances to the latest stable version to mitigate against n-day exploits.
    • Review and restrict RMM tool usage and permissions to prevent abuse by Cavern Manticore.
    • Implement strict application allowlisting for web directories to prevent webshell upload and execution.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptsalat-stealerunk-mastractioncavern-manticorewebshellapt

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.