New Iran-Nexus Hacking Group Targets Israel Government and IT Sectors

Written by

A new cyber threat group linked to the Iranian government has been targeting Israeli government and IT organizations since early 2026, according to Check Point Research.

The group, tracked by the Tel Aviv-headquartered cybersecurity firm as ‘Cavern Manticore,’ shares technical overlaps with MuddyWater and Lyceum, two threat groups with attributed links to Iran’s Ministry of Intelligence and Security (MOIS).

Check Point researchers also observed the group deploying a previously undocumented modular command-and-control (C2) infrastructure.

“The adversary’s ability to gain access to organizations in the defense and government sectors during the US military campaign ‘Operation Epic Fury’ demonstrates both a high operational tempo and a disciplined approach to target selection,” the researchers wrote in a threat intelligence report published on July 6.

Cavern Manticore’s Modular C2 Infrastructure

According to Check Point, Cavern Manticore typically gains access to its targets’ IT environments by abusing existing remote monitoring and management (RMM) software.

By exploiting these tools, the actor can move laterally between victims and deliver malicious software disguised as legitimate updates.

Another common initial access vector involves abusing browser-based remote desktop tools, such as remote printing, to exfiltrate data when clipboard-based copy-paste or file-transfer capabilities are restricted.

Once it has established initial access, the threat actor enables a SysAid’s software update which leads to installing malicious assets on the targeted environment.

To operate malicious campaigns, Cavern Manticore uses its own modular C2 framework, described by the researchers as “a mature and adaptable toolset built around a shared .NET foundation.”

The framework is made of two main components tracked by Check Point as Cavern agent and Cavern modules:

  • Cavern agent is the persistent backdoor that handles core communication with the attackers’ servers, using multiple .NET compilation formats (.NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT) to evade detection and complicate analysis
  • Cavern modules are specialized post-exploitation tools that extend functionality for tasks like reconnaissance, data theft, tunnelling and lateral movement, each compiled separately to tailor attacks per victim

To hinder forensic analysis, the framework uses per-module AppDomain isolation, preventing defenders from recovering full capabilities from a single compromised host.

This modular design allows attackers to minimize footprint, customize attacks and maintain persistence while ensuring that even if one component is detected, others remain hidden.

Cavern Agent execution chain. Source: Check Point Research
Cavern Agent execution chain. Source: Check Point Research

Check Point noted that the majority of observed samples of Cavern Manticore’s C2 framework score zero or very low detection rates on VirusTotal, showing how adept the group is at evading traditional security measures through advanced evasion techniques.

Technical Overlaps with Other Iranian Adversaries

During their analysis, Check Point researchers identified a communication module (CAV3RN_Http_Module) that uses a webshell-style ASP.NET handler, cac.aspx, hosted on a separate IIS server at one of two attacker-controlled or attacker-deployed domains and used as the command-and-control endpoint.

“The use of victim-side infrastructure to proxy C2 traffic, combined with XOR-based obfuscation, Base64 encoding, and a fixed verb set per backdoor, is consistent with techniques we have previously observed in operations attributed to OilRig subgroup named Lyceum,” the researchers wrote.

Other techniques, such as the targeting of SysAid servers, overlap further support possible Iranian links with MOIS-aligned actors, including MuddyWater.

Finally, WHOIS analysis of the root domain observed in the Cavern Manticore campaign, hospitalinstallation[.]com, showed that it was registered through Fars Data, an Iranian hosting provider.

“By decoupling its core infrastructure from mission-specific modules, Cavern Manticore’s operators gain both operational agility and durability under defensive pressure,” said Check Point.

“This modularity allows them to adjust capabilities per campaign while preserving the underlying framework.”

What’s Hot on Infosecurity Magazine?