Cavern Manticore: Exposing Iran-Linked Modular C2 Framework
Essential information
- Published
- 06/07/2026 16:02
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- dll sideloading iran modular c2 framework mois nativeaot compilation rmm abuse supply-chain compromise sysaid
- Related entities
- 21 indicators, 7 observables, 1 intrusion sets (apt), 23 techniques (mitre)
Description
Check Point Research tracks Cavern Manticore, an Iran-nexus threat actor targeting Israeli government and IT sectors. The actor deploys a modular C2 framework built on .NET but compiled into different formats including Mixed-Mode C++/CLI and Native AOT, creating significant anti-analysis challenges. The framework consists of core agents and specialized post-exploitation modules providing capabilities for file system operations, database browsing, LDAP querying, network reconnaissance, and tunneling. Initial access is achieved through abuse of Remote Monitoring and Management software like SysAid. The actor demonstrates supply-chain compromise tactics, using IT providers as stepping stones to reach higher-value targets. Technical overlaps link Cavern Manticore to Iranian MOIS-aligned groups including MuddyWater and Lyceum subgroup of OilRig.