Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Cavern Manticore: Exposing Iran-Linked Modular C2 Framework

0
Medium
Published: 07/06/2026 (07/06/2026, 14:02:13 UTC)
Source: AlienVault OTX General

Description

Cavern Manticore is an Iran-linked threat actor campaign targeting Israeli government and IT sectors. The actor uses a modular command-and-control (C2) framework built on .NET, compiled into various formats including Mixed-Mode C++/CLI and Native AOT, which complicates analysis. Initial access is gained through abuse of Remote Monitoring and Management (RMM) software such as SysAid, leveraging supply-chain compromise tactics via IT providers. The framework includes core agents and specialized post-exploitation modules enabling file system operations, database browsing, LDAP querying, network reconnaissance, and tunneling. Technical overlaps connect this actor to Iranian MOIS-aligned groups like MuddyWater and the Lyceum subgroup of OilRig. No known exploits in the wild or patches are indicated.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/07/2026, 14:28:16 UTC

Technical Analysis

Cavern Manticore is a modular C2 framework campaign attributed to an Iran-nexus threat actor targeting Israeli government and IT sectors. The framework is developed in .NET but compiled into multiple formats including Mixed-Mode C++/CLI and Native AOT, creating significant anti-analysis challenges. The actor achieves initial access by abusing Remote Monitoring and Management software such as SysAid, demonstrating supply-chain compromise tactics by using IT providers as stepping stones to reach higher-value targets. The framework's modular design includes core agents and specialized post-exploitation modules that provide capabilities for file system operations, database browsing, LDAP querying, network reconnaissance, and tunneling. Technical overlaps link Cavern Manticore to Iranian MOIS-aligned groups including MuddyWater and the Lyceum subgroup of OilRig. There are no known exploits in the wild and no patches or fixes are applicable as this is a threat actor campaign rather than a software vulnerability.

Potential Impact

The campaign enables persistent and stealthy access to targeted Israeli government and IT sector networks through a sophisticated modular C2 framework. The use of supply-chain compromise tactics via IT providers increases the risk of widespread infiltration. The modular post-exploitation capabilities allow extensive reconnaissance and data access within compromised environments. The anti-analysis techniques complicate detection and response efforts. However, no direct software vulnerability or exploit is reported, and no known exploits in the wild have been identified.

Mitigation Recommendations

As this is a threat actor campaign leveraging abuse of Remote Monitoring and Management software like SysAid and supply-chain compromise tactics, mitigation should focus on securing RMM tools, verifying the integrity of IT provider software and updates, and monitoring for suspicious activity related to these vectors. There is no patch or official fix applicable. Organizations should follow vendor guidance for securing RMM platforms and supply-chain risk management. No direct remediation is provided by vendors for the threat actor framework itself.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://research.checkpoint.com/2026/cavern-manticore-exposing-iran-linked-modular-c2-framework/"]
Adversary
Cavern Manticore
Pulse Id
6a4bb565cb9499639bf4125b
Threat Score
null

Indicators of Compromise

Domain

ValueDescriptionCopy
domainauth.hospitalinstallation.com
domainadserviceupdate.com
domainhospitalinstallation.com
domainhygienehistory.com
domaingoogle.com.hospitalinstallation.com

Hash

ValueDescriptionCopy
hasha9336884e006503bc821f3f0d36f141f
hashd0bba7c040ecffd8cc31a62330a144eb
hash0f57a2bb4c0696170b73e2d35f17c5a6f2f910d7
hash843d2017c4ded1dbb694dd4bf20bcd9e92af92f6
hash0a3663648a46771a5a5423ad01e91a4e7ba825595e99fa934cb35cbb4848adc8
hash2cb1ad3b22db8e3666ea138fee88034a87a87cf43db3d3265a675ebf221379b0
hash30cb4679c4b8599eeb3d63a551716475c6332bdc4d4b4e3de0964aadb3092a10
hash37e123bd7998af4eae32718ce254776f36365a80ba56952593dab46f536d4066
hash5394d3b220de4695f731647e3a70545f951a8912ceb0c6585efab8d6842e8b42
hash541b1f417b9e42078c3355693a8a492b6a76048850f6549a429e0be99e6819cb
hash5dc08bda6919a57a85e5f38b857985fa71529ca39c8299868d5a49a987e19b18
hash7d586fb7f94182a8e2a0e53c7e4deb898066da029da5cd9972a94a59ca6d255a
hash8e9425c0b46eeb516610ae913d13f2b3f44a023043cb099277031d4ec38a6134
hash92cae0ad7f98f51a14bcc0ee05e372ebdc29ea96ea7bd161bd3f55198767603b
hasha4aa217def4c38f4ecacdf47b1cd687f60cc74c18ab75195be3c4357a790bf41
hashb630c96d3763182533d4fb9b614134382bd644cb02c6c1c3ade848b6ecc31e86
hashcbc9485db715e1b8cc384fe94b4cceadca4006cda8a5e28adc8848529cfafc93
hashccf218189c3aadb1c761da14bfda3bae686769031e1e1b10007648bd72e34748

Url

ValueDescriptionCopy
urlhttps://adserviceupdate.com/cac.aspx
urlhttps://hygienehistory.com/cac.aspx

Threat ID: 6a4d09cec9d9e3dbe34881ff

Added to database: 07/07/2026, 14:14:38 UTC

Last enriched: 07/07/2026, 14:28:16 UTC

Last updated: 07/08/2026, 01:55:02 UTC

Views: 53

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses