Cavern Manticore: Exposing Iran-Linked Modular C2 Framework
Cavern Manticore is an Iran-linked threat actor campaign targeting Israeli government and IT sectors. The actor uses a modular command-and-control (C2) framework built on .NET, compiled into various formats including Mixed-Mode C++/CLI and Native AOT, which complicates analysis. Initial access is gained through abuse of Remote Monitoring and Management (RMM) software such as SysAid, leveraging supply-chain compromise tactics via IT providers. The framework includes core agents and specialized post-exploitation modules enabling file system operations, database browsing, LDAP querying, network reconnaissance, and tunneling. Technical overlaps connect this actor to Iranian MOIS-aligned groups like MuddyWater and the Lyceum subgroup of OilRig. No known exploits in the wild or patches are indicated.
AI Analysis
Technical Summary
Cavern Manticore is a modular C2 framework campaign attributed to an Iran-nexus threat actor targeting Israeli government and IT sectors. The framework is developed in .NET but compiled into multiple formats including Mixed-Mode C++/CLI and Native AOT, creating significant anti-analysis challenges. The actor achieves initial access by abusing Remote Monitoring and Management software such as SysAid, demonstrating supply-chain compromise tactics by using IT providers as stepping stones to reach higher-value targets. The framework's modular design includes core agents and specialized post-exploitation modules that provide capabilities for file system operations, database browsing, LDAP querying, network reconnaissance, and tunneling. Technical overlaps link Cavern Manticore to Iranian MOIS-aligned groups including MuddyWater and the Lyceum subgroup of OilRig. There are no known exploits in the wild and no patches or fixes are applicable as this is a threat actor campaign rather than a software vulnerability.
Potential Impact
The campaign enables persistent and stealthy access to targeted Israeli government and IT sector networks through a sophisticated modular C2 framework. The use of supply-chain compromise tactics via IT providers increases the risk of widespread infiltration. The modular post-exploitation capabilities allow extensive reconnaissance and data access within compromised environments. The anti-analysis techniques complicate detection and response efforts. However, no direct software vulnerability or exploit is reported, and no known exploits in the wild have been identified.
Mitigation Recommendations
As this is a threat actor campaign leveraging abuse of Remote Monitoring and Management software like SysAid and supply-chain compromise tactics, mitigation should focus on securing RMM tools, verifying the integrity of IT provider software and updates, and monitoring for suspicious activity related to these vectors. There is no patch or official fix applicable. Organizations should follow vendor guidance for securing RMM platforms and supply-chain risk management. No direct remediation is provided by vendors for the threat actor framework itself.
Indicators of Compromise
- domain: auth.hospitalinstallation.com
- hash: a9336884e006503bc821f3f0d36f141f
- hash: d0bba7c040ecffd8cc31a62330a144eb
- hash: 0f57a2bb4c0696170b73e2d35f17c5a6f2f910d7
- hash: 843d2017c4ded1dbb694dd4bf20bcd9e92af92f6
- hash: 0a3663648a46771a5a5423ad01e91a4e7ba825595e99fa934cb35cbb4848adc8
- hash: 2cb1ad3b22db8e3666ea138fee88034a87a87cf43db3d3265a675ebf221379b0
- hash: 30cb4679c4b8599eeb3d63a551716475c6332bdc4d4b4e3de0964aadb3092a10
- hash: 37e123bd7998af4eae32718ce254776f36365a80ba56952593dab46f536d4066
- hash: 5394d3b220de4695f731647e3a70545f951a8912ceb0c6585efab8d6842e8b42
- hash: 541b1f417b9e42078c3355693a8a492b6a76048850f6549a429e0be99e6819cb
- hash: 5dc08bda6919a57a85e5f38b857985fa71529ca39c8299868d5a49a987e19b18
- hash: 7d586fb7f94182a8e2a0e53c7e4deb898066da029da5cd9972a94a59ca6d255a
- hash: 8e9425c0b46eeb516610ae913d13f2b3f44a023043cb099277031d4ec38a6134
- hash: 92cae0ad7f98f51a14bcc0ee05e372ebdc29ea96ea7bd161bd3f55198767603b
- hash: a4aa217def4c38f4ecacdf47b1cd687f60cc74c18ab75195be3c4357a790bf41
- hash: b630c96d3763182533d4fb9b614134382bd644cb02c6c1c3ade848b6ecc31e86
- hash: cbc9485db715e1b8cc384fe94b4cceadca4006cda8a5e28adc8848529cfafc93
- hash: ccf218189c3aadb1c761da14bfda3bae686769031e1e1b10007648bd72e34748
- url: https://adserviceupdate.com/cac.aspx
- url: https://hygienehistory.com/cac.aspx
- domain: adserviceupdate.com
- domain: hospitalinstallation.com
- domain: hygienehistory.com
- domain: google.com.hospitalinstallation.com
Cavern Manticore: Exposing Iran-Linked Modular C2 Framework
Description
Cavern Manticore is an Iran-linked threat actor campaign targeting Israeli government and IT sectors. The actor uses a modular command-and-control (C2) framework built on .NET, compiled into various formats including Mixed-Mode C++/CLI and Native AOT, which complicates analysis. Initial access is gained through abuse of Remote Monitoring and Management (RMM) software such as SysAid, leveraging supply-chain compromise tactics via IT providers. The framework includes core agents and specialized post-exploitation modules enabling file system operations, database browsing, LDAP querying, network reconnaissance, and tunneling. Technical overlaps connect this actor to Iranian MOIS-aligned groups like MuddyWater and the Lyceum subgroup of OilRig. No known exploits in the wild or patches are indicated.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Cavern Manticore is a modular C2 framework campaign attributed to an Iran-nexus threat actor targeting Israeli government and IT sectors. The framework is developed in .NET but compiled into multiple formats including Mixed-Mode C++/CLI and Native AOT, creating significant anti-analysis challenges. The actor achieves initial access by abusing Remote Monitoring and Management software such as SysAid, demonstrating supply-chain compromise tactics by using IT providers as stepping stones to reach higher-value targets. The framework's modular design includes core agents and specialized post-exploitation modules that provide capabilities for file system operations, database browsing, LDAP querying, network reconnaissance, and tunneling. Technical overlaps link Cavern Manticore to Iranian MOIS-aligned groups including MuddyWater and the Lyceum subgroup of OilRig. There are no known exploits in the wild and no patches or fixes are applicable as this is a threat actor campaign rather than a software vulnerability.
Potential Impact
The campaign enables persistent and stealthy access to targeted Israeli government and IT sector networks through a sophisticated modular C2 framework. The use of supply-chain compromise tactics via IT providers increases the risk of widespread infiltration. The modular post-exploitation capabilities allow extensive reconnaissance and data access within compromised environments. The anti-analysis techniques complicate detection and response efforts. However, no direct software vulnerability or exploit is reported, and no known exploits in the wild have been identified.
Mitigation Recommendations
As this is a threat actor campaign leveraging abuse of Remote Monitoring and Management software like SysAid and supply-chain compromise tactics, mitigation should focus on securing RMM tools, verifying the integrity of IT provider software and updates, and monitoring for suspicious activity related to these vectors. There is no patch or official fix applicable. Organizations should follow vendor guidance for securing RMM platforms and supply-chain risk management. No direct remediation is provided by vendors for the threat actor framework itself.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://research.checkpoint.com/2026/cavern-manticore-exposing-iran-linked-modular-c2-framework/"]
- Adversary
- Cavern Manticore
- Pulse Id
- 6a4bb565cb9499639bf4125b
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainauth.hospitalinstallation.com | — | |
domainadserviceupdate.com | — | |
domainhospitalinstallation.com | — | |
domainhygienehistory.com | — | |
domaingoogle.com.hospitalinstallation.com | — |
Hash
| Value | Description | Copy |
|---|---|---|
hasha9336884e006503bc821f3f0d36f141f | — | |
hashd0bba7c040ecffd8cc31a62330a144eb | — | |
hash0f57a2bb4c0696170b73e2d35f17c5a6f2f910d7 | — | |
hash843d2017c4ded1dbb694dd4bf20bcd9e92af92f6 | — | |
hash0a3663648a46771a5a5423ad01e91a4e7ba825595e99fa934cb35cbb4848adc8 | — | |
hash2cb1ad3b22db8e3666ea138fee88034a87a87cf43db3d3265a675ebf221379b0 | — | |
hash30cb4679c4b8599eeb3d63a551716475c6332bdc4d4b4e3de0964aadb3092a10 | — | |
hash37e123bd7998af4eae32718ce254776f36365a80ba56952593dab46f536d4066 | — | |
hash5394d3b220de4695f731647e3a70545f951a8912ceb0c6585efab8d6842e8b42 | — | |
hash541b1f417b9e42078c3355693a8a492b6a76048850f6549a429e0be99e6819cb | — | |
hash5dc08bda6919a57a85e5f38b857985fa71529ca39c8299868d5a49a987e19b18 | — | |
hash7d586fb7f94182a8e2a0e53c7e4deb898066da029da5cd9972a94a59ca6d255a | — | |
hash8e9425c0b46eeb516610ae913d13f2b3f44a023043cb099277031d4ec38a6134 | — | |
hash92cae0ad7f98f51a14bcc0ee05e372ebdc29ea96ea7bd161bd3f55198767603b | — | |
hasha4aa217def4c38f4ecacdf47b1cd687f60cc74c18ab75195be3c4357a790bf41 | — | |
hashb630c96d3763182533d4fb9b614134382bd644cb02c6c1c3ade848b6ecc31e86 | — | |
hashcbc9485db715e1b8cc384fe94b4cceadca4006cda8a5e28adc8848529cfafc93 | — | |
hashccf218189c3aadb1c761da14bfda3bae686769031e1e1b10007648bd72e34748 | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://adserviceupdate.com/cac.aspx | — | |
urlhttps://hygienehistory.com/cac.aspx | — |
Threat ID: 6a4d09cec9d9e3dbe34881ff
Added to database: 07/07/2026, 14:14:38 UTC
Last enriched: 07/07/2026, 14:28:16 UTC
Last updated: 07/08/2026, 01:55:02 UTC
Views: 53
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.