VYPR
researchPublished Jul 6, 2026· 1 source

Cavern Manticore: Iran-Linked APT Uses Modular .NET Framework Against Israeli Targets

Check Point Research has uncovered 'Cavern Manticore,' an Iran-nexus APT group employing a sophisticated, modular .NET command-and-control framework to target Israeli organizations, particularly in the government and IT sectors.

Check Point Research (CPR) is tracking a new, modular command-and-control (C2) framework utilized by Cavern Manticore, an advanced persistent threat (APT) group with ties to Iran's Ministry of Intelligence and Security (MOIS). This group, which shares technical overlaps with other Iran-linked actors such as MuddyWater and Lyceum, has been primarily targeting Israeli organizations, with a notable focus on the IT and government sectors.

The Cavern Manticore framework is built upon a .NET foundation but exhibits a sophisticated anti-analysis strategy by compiling its various components into distinct formats: standard .NET Framework (IL-only), Mixed-Mode C++/CLI (IL + Native), and .NET 8 NativeAOT (Native-only). This deliberate fragmentation forces security researchers to employ multiple toolsets and adapt their reverse engineering workflows for each component, significantly increasing the difficulty of analysis. CPR observed that many of these compiled samples achieve very low detection rates on common malware scanning platforms like VirusTotal.

The framework's architecture is modular, separating core communication capabilities (the Cavern Agent) from specialized post-exploitation functions (Cavern Modules). This design allows the threat actors to tailor their attacks to specific victim environments, potentially limiting the amount of recoverable forensic data from any single compromise. The modularity also enables the deployment of specialized modules for tasks such as file system and database browsing, LDAP querying, network reconnaissance, and establishing secure communication tunnels.

In several observed intrusions, Cavern Manticore gained its initial foothold by exploiting existing Remote Monitoring and Management (RMM) software already deployed within the targeted organizations. This tactic leverages legitimate administrative tools to bypass initial security hurdles and establish a presence within the network.

Technically, the Cavern framework consists of several key components. The Cavern Agent, often disguised as a legitimate DLL like 'uxtheme.dll' and loaded via DLL sideloading, acts as the core backdoor and orchestrator for other modules. It communicates with the C2 server using a dedicated native communication module, 'n-HTCommp.dll,' which employs HTTPS/WebSocket transport with XOR-encrypted traffic.

Additional modules provide diverse functionalities. A File Manager module ('mhm.dll') handles file operations, including decryption of DPAPI-protected data and archive manipulation. A SQL Browser module ('db.dll') enables database enumeration, querying, and data export, while an LDAP Module ('ode.dll') performs Active Directory reconnaissance and user/group enumeration. For network operations, a Network Module ('n-ten.dll') conducts port scanning, share enumeration, and SMB brute-forcing. Finally, a Tunnel Module ('n-sws.dll') facilitates SOCKS5 proxying and WebSocket tunneling, allowing for covert command and control or data exfiltration.

The use of different .NET compilation formats is a central anti-analysis technique. Pure .NET Framework modules retain metadata, making them easily decompilable. Mixed-Mode C++/CLI binaries require analysis of both managed .NET code and native C++ stubs. NativeAOT compiled modules produce standalone native executables, which are harder to reverse engineer than standard .NET binaries. This multi-faceted approach presents a significant challenge for defenders and incident responders.

Cavern Manticore's operations highlight the evolving tactics of Iran-linked APT groups, which are increasingly adopting sophisticated, modular frameworks and advanced anti-analysis techniques to conduct espionage against critical Israeli infrastructure.

Synthesized by Vypr AI