Iran-Linked 'Cavern Manticore' Deploys New Modular C2 Framework Against Israeli Orgs

Check Point Research uncovered Cavern, a previously undocumented .NET-based C2 framework used by an Iranian MOIS-linked group to breach Israeli IT providers and government targets.

Threat Intelligence Incident Response Identity & Access

Check Point Research has disclosed a previously undocumented command-and-control framework, dubbed Cavern (aka Cav3rn), attributed to a threat cluster it tracks as Cavern Manticore — a group linked to Iran’s Ministry of Intelligence and Security with tactical overlaps to MuddyWater and Lyceum/OilRig. The campaign has primarily targeted Israeli organizations in the government and IT sectors.

The framework itself is unusually mature for a newly disclosed toolset. It’s built on a shared .NET foundation but compiles components across multiple formats — standard .NET Framework, Mixed-Mode C++/CLI, and Native AOT — a deliberate anti-analysis choice that forces reverse engineers to juggle several different toolchains and metadata-reconstruction workflows for what is functionally the same malware family. Per-module AppDomain isolation adds an additional anti-forensics layer.

What stands out operationally is the intrusion path: Cavern Manticore has been observed moving from an initially compromised IT provider to a second-hop provider before reaching its actual target, rather than attacking the end organization directly. That reflects detailed knowledge of Israel’s IT supplier relationships and a deliberate strategy of weaponizing trusted vendor access rather than brute-forcing perimeter defenses.

For security teams — especially at Israeli startups and SMBs that outsource IT management — this is a reminder that vendor access is an extension of your own attack surface. Review which external IT providers hold privileged or remote access into your environment, confirm they monitor for anomalous outbound C2-style traffic from their own management infrastructure, and treat unexpected authentication or process activity originating from a vendor account with the same scrutiny you’d apply to an internal admin account.

Why it matters: This is a supply-chain campaign first and an Israel-specific campaign second — the group reaches its real targets by hopping through trusted IT providers. If you're an Israeli startup working with external MSPs or IT vendors, ask them directly what monitoring they have on outbound connections from their management tooling.

Read source →