Iran-Linked APT Seen Using Modular Command-and-Control Framework in Israel Attacks
Researchers at Check Point say an Iran-linked advanced persistent threat group has been using a modular command-and-control framework in operations aimed at organizations in Israel. The activity has b...
Researchers at Check Point say an Iran-linked advanced persistent threat group has been using a modular command-and-control framework in operations aimed at organizations in Israel. The activity has been attributed to a cluster tracked as Cavern Manticore, which the company says focuses on government entities and IT service providers and may be connected to Iran’s Ministry of Intelligence and Security. Check Point also noted possible overlap with the OilRig ecosystem, including groups known as Lyceum, Hexane, and SiameseKitten.
Modular design complicates analysis
According to the report, the malware framework is written in .NET and uses different compilation styles across its components. Rather than relying on conventional packing or heavy code obfuscation, the attackers appear to use the structure of the build itself to hinder analysis. Each component may require a different toolset or workflow to reverse, forcing analysts to switch methods as they examine the framework.
The system separates core communication functions from post-exploitation modules, allowing operators to load only the tools needed for a specific target. That design gives the attackers flexibility to customize each intrusion and maintain access longer inside compromised environments.
Infection route and post-compromise activity
Check Point said the intrusion chain starts with abuse of SysAid’s software update mechanism, which is used to sideload a WinDirStat DLL and execute the main Cavern agent. Once the agent establishes communication with its controllers, it can retrieve additional modules on demand.
- File and directory operations
- Database discovery and manipulation
- LDAP and SMB brute-force activity
- Network reconnaissance
- SOCKS5 proxying and WebSocket/WSS tunneling
The agent runs both managed and native modules, isolating each one in its own AppDomain before removing it from memory. It also deletes most files in its working directory to reduce forensic artifacts.
In attacks observed against Israeli targets, the group used remote monitoring tools for lateral movement, browser-based remote desktop access, and built-in printing features to move data out of victim networks. Check Point said the campaigns show a strong understanding of supplier relationships in Israel’s IT ecosystem, with attackers sometimes moving from an initial provider to a second-tier provider before reaching the intended target.
The researchers added that the framework may have been assisted by AI tools during development, but human involvement was still evident in code comments, naming choices, and inconsistencies between modules.
