Cavern Manticore: Exposing Iran-Linked Modular C2 Framework
Check Point, Monday, July 6th, 2026
Check Point Research details Cavern Manticore, an Iran-linked APT's modular .NET command-and-control framework.
Check Point Research documented Cavern Manticore, an Iran-nexus APT group targeting Israeli organizations with a mature, modular .NET-based command-and-control framework.
The malware is compiled into three formats, standard .NET Framework, Mixed-Mode C++/CLI, and NativeAOT, as an anti-analysis technique that forces reverse engineers to use multiple toolsets.
It separates core communications from mission-specific modules handling file management, SQL database access, LDAP reconnaissance, network enumeration, and SOCKS5 tunneling, and uses aggressive anti-forensics via AppDomain isolation and post-execution module unloading. Initial compromise typically occurred through abuse of legitimate remote monitoring and management software.