Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Opera GX Flaw Let Sites Auto-Install Mods to Steal Data

July 6, 2026

Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

July 6, 2026

New Iran-Nexus Hacking Group Targets Israel Government and IT Sectors

July 6, 2026
Facebook X (Twitter) Instagram
Tuesday, July 7
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»New Iran-Nexus Hacking Group Targets Israel Government and IT Sectors
News

New Iran-Nexus Hacking Group Targets Israel Government and IT Sectors

Team-CWDBy Team-CWDJuly 6, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


A new cyber threat group linked to the Iranian government has been targeting Israeli government and IT organizations since early 2026, according to Check Point Research.

The group, tracked by the Tel Aviv-headquartered cybersecurity firm as ‘Cavern Manticore,’ shares technical overlaps with MuddyWater and Lyceum, two threat groups with attributed links to Iran’s Ministry of Intelligence and Security (MOIS).

Check Point researchers also observed the group deploying a previously undocumented modular command-and-control (C2) infrastructure.

“The adversary’s ability to gain access to organizations in the defense and government sectors during the US military campaign ‘Operation Epic Fury’ demonstrates both a high operational tempo and a disciplined approach to target selection,” the researchers wrote in a threat intelligence report published on July 6.

Cavern Manticore’s Modular C2 Infrastructure

According to Check Point, Cavern Manticore typically gains access to its targets’ IT environments by abusing existing remote monitoring and management (RMM) software.

By exploiting these tools, the actor can move laterally between victims and deliver malicious software disguised as legitimate updates.

Another common initial access vector involves abusing browser-based remote desktop tools, such as remote printing, to exfiltrate data when clipboard-based copy-paste or file-transfer capabilities are restricted.

Once it has established initial access, the threat actor enables a SysAid’s software update which leads to installing malicious assets on the targeted environment.

To operate malicious campaigns, Cavern Manticore uses its own modular C2 framework, described by the researchers as “a mature and adaptable toolset built around a shared .NET foundation.”

The framework is made of two main components tracked by Check Point as Cavern agent and Cavern modules:

  • Cavern agent is the persistent backdoor that handles core communication with the attackers’ servers, using multiple .NET compilation formats (.NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT) to evade detection and complicate analysis
  • Cavern modules are specialized post-exploitation tools that extend functionality for tasks like reconnaissance, data theft, tunnelling and lateral movement, each compiled separately to tailor attacks per victim

To hinder forensic analysis, the framework uses per-module AppDomain isolation, preventing defenders from recovering full capabilities from a single compromised host.

This modular design allows attackers to minimize footprint, customize attacks and maintain persistence while ensuring that even if one component is detected, others remain hidden.

Check Point noted that the majority of observed samples of Cavern Manticore’s C2 framework score zero or very low detection rates on VirusTotal, showing how adept the group is at evading traditional security measures through advanced evasion techniques.

Technical Overlaps with Other Iranian Adversaries

During their analysis, Check Point researchers identified a communication module (CAV3RN_Http_Module) that uses a webshell-style ASP.NET handler, cac.aspx, hosted on a separate IIS server at one of two attacker-controlled or attacker-deployed domains and used as the command-and-control endpoint.

“The use of victim-side infrastructure to proxy C2 traffic, combined with XOR-based obfuscation, Base64 encoding, and a fixed verb set per backdoor, is consistent with techniques we have previously observed in operations attributed to OilRig subgroup named Lyceum,” the researchers wrote.

Other techniques, such as the targeting of SysAid servers, overlap further support possible Iranian links with MOIS-aligned actors, including MuddyWater.

Finally, WHOIS analysis of the root domain observed in the Cavern Manticore campaign, hospitalinstallation[.]com, showed that it was registered through Fars Data, an Iranian hosting provider.

“By decoupling its core infrastructure from mission-specific modules, Cavern Manticore’s operators gain both operational agility and durability under defensive pressure,” said Check Point.

“This modularity allows them to adjust capabilities per campaign while preserving the underlying framework.”



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleSilent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses
Next Article Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints
Team-CWD
  • Website

Related Posts

News

Opera GX Flaw Let Sites Auto-Install Mods to Steal Data

July 6, 2026
News

Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

July 6, 2026
News

Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses

July 6, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Why you should never pay to get paid

September 15, 2025

Drowning in spam or scam emails lately? Here’s why

January 27, 2026

Beware of threats lurking in booby-trapped PDF files

October 7, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.