At a Glance
- Actor or group: Cavern Manticore APT (suspected Iran-linked)
- Activity type: Cyber-espionage and network infiltration
- Targets or victims: Israeli government and IT sectors
- Scale: Multiple supply-chain intrusions
- Jurisdiction or law-enforcement status: Active investigation
- Source: Check Point Research (CPR)
TL;DR
Security analysts discovered a new campaign by the suspected Cavern Manticore APT. These attackers deploy a highly adaptable modular C2 framework to breach Israeli networks. They primarily abuse legitimate IT management tools to move undetected across targeted environments.
What Happened
The attackers gain initial access by compromising IT service providers. They abuse legitimate Remote Monitoring and Management (RMM) software to push malicious updates. For instance, they hide their payload inside a software update for SysAid. The update replaces a legitimate file with a malicious version. Once inside, they deploy a modular command-and-control (C2) framework. This framework relies on three distinct .NET compilation formats.
These formats include pure .NET Framework, Mixed-Mode C++/CLI, and NativeAOT. This design choice makes detection very difficult. The NativeAOT format hides strings and API calls until the program actually runs. According to the report, “The framework’s anti-analysis posture relies on uncommon .NET compilation formats… that force reverse engineers into multiple toolsets and metadata-reconstruction workflows.”
The core agent hides behind a fake Windows theming library called uxtheme.dll. It exports 83 functions, but 82 are empty traps for security scanners. It uses a unique isolated environment called an AppDomain to run additional modules. These modules disappear from memory immediately after they finish their tasks. This leaves no traces for forensic investigators to find. The malware also features a self-update mechanism to fetch newer versions of itself.

Who is Behind It
Check Point Research links this activity to the Cavern Manticore APT. Analysts assess with high confidence that this group aligns with the Iranian Ministry of Intelligence and Security (MOIS). Researchers found technical overlaps with other suspected Iranian groups like Lyceum and MuddyWater.
The developers left clear human traces inside the malware code. Analysts found frustrated error messages, such as complaints about missing files. They also spotted specific file paths tied to a user named “rick”. These clues suggest human coders actively maintain the project. They likely use AI coding assistants for routine tasks, but human operators direct the main effort.
Impact or Scale
The primary targets are Israeli government agencies and IT providers. The attackers use a supply-chain approach. They compromise an IT supplier and use that access to hit a secondary target. “By abusing these tools, the actor can move laterally between victims and deliver malicious software disguised as legitimate updates,” the researchers noted.
Once entrenched, the hackers deploy specific post-exploitation tools. One tool acts as a file manager. It steals protected credentials using the Windows Data Protection API. It can also compress and steal entire directories. A second module targets SQL databases. It allows the attackers to run arbitrary queries and steal data.
A third module scans Active Directory to map out users and groups. It can launch brute-force password guessing attacks against network accounts. The network reconnaissance module maps out the victim’s internal infrastructure. It finds open file shares and attempts to connect using stolen credentials. Finally, the attackers build hidden tunnels using a custom SOCKS5 proxy module. This allows them to control the compromised network directly from the outside. The full financial scale of the data theft remains unconfirmed by official sources.
What Comes Next
The group frequently updates its tools to avoid detection. They recently shifted away from an older, web-based control system. Their new communication module uses encrypted traffic to hide its commands. It masks its activity as normal web browsing. If an old module remains on the disk, the agent automatically deletes it upon startup. This self-cleaning feature destroys evidence before security teams can respond.
Organizations must tighten control over remote management software. Security teams should monitor network traffic for unexpected connections. Defenders cannot rely on traditional static indicators alone. They must track suspicious behaviors and secure administrative tools to block these intrusions.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.