HomeRisk ManagementsNew Iran-Nexus Hacking Group Attacks Israeli Government and IT Sectors

New Iran-Nexus Hacking Group Attacks Israeli Government and IT Sectors

Published on

spot_img

Emerging Cyber Threat: Iranian-Linked Group Targets Israeli Entities

Recent findings from Check Point Research reveal that a new cyber threat group, identified as “Cavern Manticore,” has been actively engaging in cyberattacks against Israeli government and IT organizations since early 2026. This group has been linked to the Iranian government, drawing attention to the ongoing and evolving cyber landscape in the region.

Operating from Tel Aviv, Check Point Research has characterized Cavern Manticore as sharing numerous technical similarities with other known Iranian-linked threat groups, specifically ‘MuddyWater’ and ‘Lyceum.’ Both of these groups have been previously tied to Iran’s Ministry of Intelligence and Security (MOIS), reinforcing the notion that state-sponsored cyber activities are on the rise, particularly aimed at undermining Israeli security.

A notable aspect of Cavern Manticore’s operations is its use of a novel modular command-and-control (C2) infrastructure, which had not been documented before. According to Check Point’s report published on July 6, the group’s operational capabilities have been markedly impressive. The researchers noted, “The adversary’s ability to gain access to organizations in the defense and government sectors during the US military campaign ‘Operation Epic Fury’ demonstrates both a high operational tempo and a disciplined approach to target selection.”

Overview of Cavern Manticore’s Techniques

Cavern Manticore typically infiltrates its targets through existing remote monitoring and management (RMM) software, exploiting these tools to navigate the victims’ IT environments. This method allows the group to maneuver laterally within networks and deploy malicious software masquerading as legitimate updates. The group also utilizes browser-based remote desktop tools to extract data by circumventing limitations placed on clipboard-based actions or file-transfer functionalities.

Once initial access is secured, the attackers proceed to enable a software update from SysAid, which facilitates the installation of various malicious components within the compromised environment. Central to Cavern Manticore’s operational methodology is a sophisticated and adaptable modular C2 framework, described by researchers as crafted around a shared .NET foundation. This framework consists of two primary elements:

  1. Cavern Agent: This component functions as a persistent backdoor, managing core communication with the attackers’ servers. It employs multiple .NET compilation formats, including .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT, allowing it to evade detection and complicate forensic analysis.

  2. Cavern Modules: After gaining initial access, these post-exploitation tools take charge of specific tasks such as reconnaissance, data theft, tunneling, and lateral movement. Each module is compiled individually to adapt attacks according to the unique attributes of each victim.

This modular design not only minimizes the footprint of their operations but also enhances their adaptability. The use of per-module AppDomain isolation ensures that even if one module is detected, others remain undetected, complicating efforts for defense teams to neutralize the threat.

Evasion Techniques and Observed Trends

Check Point has emphasized that most samples of Cavern Manticore’s C2 framework exhibit minimal or no detection rates on platforms like VirusTotal. This stark statistic highlights the group’s adeptness at employing advanced evasion techniques, allowing them to dodge traditional security measures.

In an in-depth analysis, the researchers also discovered a communication module named CAV3RN_Http_Module. This module leverages a webshell-style ASP.NET handler, identified as cac.aspx, which operates on a separate IIS server. This domain serves as the command-and-control endpoint, raising suspicions of victim-side infrastructure being used to proxy communications—consistent with tactics previously observed in operations linked to the Iranian subgroup, OilRig, specifically Lyceum.

Furthermore, the particular targeting of SysAid servers by Cavern Manticore reinforces potential connections with MOIS-aligned actors, including MuddyWater. The WHOIS analysis of the root domain utilized in the Cavern Manticore attacks, hospitalinstallation[.]com, revealed that it was registered through Fars Data, an Iranian hosting service, solidifying the likelihood of Iranian involvement.

Check Point noted, “By decoupling its core infrastructure from mission-specific modules, Cavern Manticore’s operators gain both operational agility and durability under defensive pressure.” This modular and flexible approach enables them to customize capabilities according to the specific demands of each campaign while maintaining the robustness of their overarching framework.

Final Thoughts

The emergence of Cavern Manticore marks a significant development in the ongoing cyber conflict, particularly with its sophisticated techniques and strategic targeting. This incident serves as a reminder to organizations, especially those within critical sectors like government and defense, of the pressing need to enhance their cybersecurity posture. The revelations by Check Point Research not only shed light on the tactics of a looming cyber threat but also underline the complexity of the cybersecurity landscape in a region frequently under attack. As threat actors continuously evolve, so too must the strategies employed to combat their advances.

Source link

Latest articles

The AI Vulnerability Storm Is Here: Is Your Security Program Prepared?

Accelerating Vulnerability Discovery: The Impact of AI on Cybersecurity Emerging frontier AI models, epitomized by...

Cyber Briefing – July 6, 2026 – CyberMaterial

Escalating Cyber Threats: A Wake-Up Call for Organizations and Parents Alike In an alarming development,...

Agentic Blind Spots in Your Zero Trust Program

Reevaluating Zero Trust Architectures Amid the Rise of AI Agents In recent discussions surrounding the...

Hackers Exploit Trusted Microsoft Domain and One-Time Codes to Hijack Corporate Accounts

Rising Phishing Threat Exploits Microsoft Authentication Flows A new phishing technique has surfaced, capitalizing on...

More like this

The AI Vulnerability Storm Is Here: Is Your Security Program Prepared?

Accelerating Vulnerability Discovery: The Impact of AI on Cybersecurity Emerging frontier AI models, epitomized by...

Cyber Briefing – July 6, 2026 – CyberMaterial

Escalating Cyber Threats: A Wake-Up Call for Organizations and Parents Alike In an alarming development,...

Agentic Blind Spots in Your Zero Trust Program

Reevaluating Zero Trust Architectures Amid the Rise of AI Agents In recent discussions surrounding the...