216.73.216.170

Cavern Manticore: Exposing Iran-Linked Modular C2 Framework

· Published 06/07/2026 16:02

Export JSON

Essential information

Published
06/07/2026 16:02
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
dll sideloading iran modular c2 framework mois nativeaot compilation rmm abuse supply-chain compromise sysaid
Related entities
21 indicators, 7 observables, 1 intrusion sets (apt), 23 techniques (mitre)

Description

Check Point Research tracks Cavern Manticore, an -nexus threat actor targeting Israeli government and IT sectors. The actor deploys a modular C2 framework built on .NET but compiled into different formats including Mixed-Mode C++/CLI and Native AOT, creating significant anti-analysis challenges. The framework consists of core agents and specialized post-exploitation modules providing capabilities for file system operations, database browsing, LDAP querying, network reconnaissance, and tunneling. Initial access is achieved through abuse of Remote Monitoring and Management software like SysAid. The actor demonstrates supply-chain compromise tactics, using IT providers as stepping stones to reach higher-value targets. Technical overlaps link Cavern Manticore to Iranian -aligned groups including MuddyWater and Lyceum subgroup of OilRig.

External references