Full Report
Since early 2026, Check Point Research (CPR) has tracked a new modular command-and-control framework used by Cavern Manticore, an Iran-nexus APT group primarily targeting Israeli organizations, with a focus on IT providers, and government sectors. Cavern Manticore is an Iran MOIS (Ministry of Intelligence and Security)-linked actor, with links to the OilRig subgroup named Lyceum. The framework reflects a…
Analysis Summary
# Threat Actor: Cavern Manticore
## Attribution & Identity
* **Actor Identification:** Cavern Manticore is an Iran-nexus Advanced Persistent Threat (APT) group.
* **Associated Organizations:** Linked to the Iranian Ministry of Intelligence and Security (MOIS).
* **Aliases & Associated Groups:** Known to have links to **Lyceum**, which is a subgroup of **OilRig** (also known as APT34).
## Activity Summary
Check Point Research (CPR) has been tracking this actor since early 2026. The group is currently deploying a newly discovered, modular command-and-control (C2) framework characterized by high adaptability and sophisticated anti-analysis techniques. Their recent operations involve the deployment of "Cavern agents" and mission-specific modules designed for long-term persistence and data theft within targeted networks.
## Tactics, Techniques & Procedures
* **Multi-Format Compilation:** Uses various .NET formats to complicate reverse engineering, including .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT.
* **Anti-Analysis:** Leverages compilation formats as a layer to force analysts to use multiple toolsets and perform complex metadata reconstruction.
* **Modular Architecture:** Separates core communication ("Cavern agents") from post-exploitation tasks ("Cavern modules") to limit forensic recovery.
* **Post-Exploitation Capabilities:**
* Reconnaissance
* Data Access
* Network Tunneling
* Lateral Movement
* **Tailored Deployment:** Operators customize the specific modules deployed per victim environment to maintain a low profile.
## Targeting
* **Sectors:** Information Technology (IT) providers and Government sectors.
* **Geography:** Primarily targeting Israel.
* **Victims:** Specific Israeli organizations and IT service providers (general categories mentioned).
## Tools & Infrastructure
* **Malware Families:**
* **Cavern Framework:** A modular .NET-based C2 framework.
* **Cavern Agents:** Core communication components.
* **Cavern Modules:** Specialized plugins for specific mission objectives.
* **Infrastructure:**
* Utilizes a shared .NET foundation for cross-component compatibility.
* Modular C2 nodes (specific IPs/Domains were not listed in the provided text; remember to defang if discovered in further technical reporting).
## Implications
The emergence of the Cavern framework indicates an evolution in Iranian cyber capabilities, moving toward more mature, modular software engineering. By isolating functionalities into separate modules, Cavern Manticore reduces the risk of their entire toolkit being burned during a single incident response investigation. Their focus on IT providers suggests a "supply chain" interest, potentially using providers as a springboard to reach final targets in the government sector.
## Mitigations
* **Enhanced .NET Monitoring:** Implement security tooling capable of inspecting and deobfuscating various .NET compilation formats, particularly Native AOT and Mixed-Mode C++.
* **Endpoint Detection:** Deploy EDR/XDR solutions to monitor for the lateral movement and tunneling behaviors characteristic of the Cavern modules.
* **Supply Chain Security:** IT providers should implement strict access controls and monitor for anomalous outbound C2 traffic, given the actor's focus on service providers.
* **Memory Analysis:** Since the actor uses modular components that may be loaded dynamically, regular memory forensics can help identify unauthorized modules that do not reside on disk.