Skip to main content
Threat IntelligenceEmerging Threats

Iran-Linked Cavern Manticore Targets Israel with Modular Cyber Attacks

Government building in Tel Aviv with people walking nearby, hint of cyber threat in background.

"The adversary’s ability to gain access to organizations in the defense and government sectors during the US military campaign ‘Operation Epic Fury’ demonstrates both a high operational tempo and a disciplined approach to target selection," the researchers wrote in a threat intelligence report published on July 6.

Cavern Manticore: a new actor with Iranian links

Check Point Research, the Tel Aviv-headquartered cybersecurity firm, identified a previously unreported cyber threat group it is tracking as "Cavern Manticore." According to the July 6 report, the group has been targeting Israeli government and IT organizations since early 2026. Check Point noted technical overlaps between Cavern Manticore and two known adversary clusters—MuddyWater and Lyceum—both of which have previously been linked in public reporting to Iran’s Ministry of Intelligence and Security (MOIS).

Initial access methods: RMM, browser-based remote desktop and SysAid

Check Point’s analysis describes two primary initial access vectors. First, the actor abuses existing remote monitoring and management (RMM) software to move laterally within victim environments and to deliver malicious components disguised as legitimate updates. Second, the group leverages browser-based remote desktop functionality—explicitly citing remote printing—as a mechanism to exfiltrate data when clipboard copy-paste or file-transfer channels are restricted.

Once inside, the actor has been observed enabling a SysAid software update that installs malicious assets on the targeted environment. Check Point highlights the targeting of SysAid servers as one of the overlaps supporting possible links to MOIS-aligned actors such as MuddyWater.

Modular command-and-control: Cavern agent and Cavern modules

At the center of Cavern Manticore’s operations is a previously undocumented, modular command-and-control (C2) framework built on a shared .NET foundation. Check Point describes two core components: the Cavern agent and Cavern modules. The Cavern agent functions as a persistent backdoor and handles core communications with attacker-controlled servers. The agent is implemented using multiple .NET compilation formats—.NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT—techniques that Check Point says are intended to evade detection and complicate analysis.

Cavern modules are specialized, separately compiled post-exploitation tools, each designed for a specific task such as reconnaissance, data theft, tunnelling and lateral movement. The framework uses per-module AppDomain isolation to hinder forensic analysis, limiting defenders’ ability to recover the full capability set from any single compromised host. Check Point concluded that this modularity gives operators operational agility and durability under defensive pressure.

Infrastructure signals and technical overlaps with Lyceum and MuddyWater

Check Point researchers identified a communication module, CAV3RN_Http_Module, that employs a webshell-style ASP.NET handler named cac.aspx hosted on an IIS server. That endpoint was observed on one of two attacker-controlled or attacker-deployed domains used as C2. The campaign also used victim-side infrastructure to proxy C2 traffic and combined XOR-based obfuscation, Base64 encoding, and a fixed verb set per backdoor—techniques the researchers said are consistent with operations previously attributed to the OilRig subgroup Lyceum.

WHOIS analysis of a root domain used in the campaign, hospitalinstallation[.]com, showed it was registered through Fars Data, an Iranian hosting provider, a detail Check Point included as infrastructure-level evidence consistent with Iranian links.

Finally, Check Point noted that the majority of observed Cavern Manticore samples scored zero or very low detection rates on VirusTotal, underscoring the group’s success at avoiding traditional signature-based detection.

What this means for technologists, policymakers, and Israeli government and IT organizations

  • Technologists and security teams: Monitor RMM tool logs, validate update channels (notably SysAid updates), and look for IIS-hosted webshell handlers such as cac.aspx and proxying behavior that could hide C2. Pay special attention to unusual .NET binaries using mixed compilation formats and AppDomain isolation.
  • Policymakers and regulators: Evidence tied to a named hosting provider (Fars Data) and domain registrations provides concrete infrastructure indicators that can inform network-level blocking and information-sharing directives; the report links tactics and infrastructure to operations occurring during "Operation Epic Fury," which the researchers flagged as demonstrating heightened operational tempo.
  • Israeli government and affected IT organizations: Because the campaign specifically targeted government and IT sectors, defenders should prioritize telemetry for RMM abuse, remote desktop print channels, and any SysAid-related update activity; the modular C2 design means compromise on one endpoint may understate the actor’s broader presence.

Conclusion

Check Point’s July 6 report paints a picture of a disciplined, adaptable actor that combines familiar techniques—RMM abuse, webshell-based C2, victim-proxied traffic—with a novel, modular .NET framework that frustrates detection and analysis. The group’s low VirusTotal detection rates, use of mixed .NET compilation formats, and per-module isolation raise a tactical question the report leaves standing: can defenders reliably detect and dismantle an attacker whose mission-specific capabilities are decoupled from a resilient core framework? The answer will depend on rapid sharing of the technical indicators Check Point has published and on defenders’ ability to correlate sparse signals across RMM, IIS, and software-update telemetry.

Source: New Iran-Nexus Hacking Group Targets Israel Government and IT Sectors — Infosecurity Magazine (Check Point Research, July 6, 2026)