Back Issues This Week → Calendar → Current Issue → Popular →

All issuesVolume 340, Issue 2IT Vendor NewsCheck Point

Cavern Manticore: Exposing Iran-Linked Modular C2 Framework

Check Point, Monday, July 6th, 2026

Check Point Research details Cavern Manticore, an Iran-linked APT's modular .NET command-and-control framework.

Check Point Research documented Cavern Manticore, an Iran-nexus APT group targeting Israeli organizations with a mature, modular .NET-based command-and-control framework.

The malware is compiled into three formats, standard .NET Framework, Mixed-Mode C++/CLI, and NativeAOT, as an anti-analysis technique that forces reverse engineers to use multiple toolsets.

It separates core communications from mission-specific modules handling file management, SQL database access, LDAP reconnaissance, network enumeration, and SOCKS5 tunneling, and uses aggressive anti-forensics via AppDomain isolation and post-execution module unloading. Initial compromise typically occurred through abuse of legitimate remote monitoring and management software.

more →  ·  More from Check Point →