Cyberwarfare

Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks

Researchers say the Iran-linked threat actor used an adaptable modular malware framework and compromised IT service providers to reach high-value targets in Israel.

Iran

An Iran-linked advanced persistent threat (APT) actor has been using a modular command-and-control (C&C) framework in recent attacks targeting organizations in Israel, Check Point reports.

Tracked as Cavern Manticore, the APT focuses on government entities and IT providers, and appears linked to Iran’s MOIS (Ministry of Intelligence and Security), with possible ties to the OilRig subgroup Lyceum (also known as Hexane and SiameseKitten).

Cavern Manticore’s C&C framework includes an adaptable toolset built using .NET, with various compilation formats used across components, used as an anti-analysis layer.

“This is not obfuscation in the traditional sense; there is no packer, no control-flow flattening, and no string encryption anywhere in the framework. Instead, the compilation format itself becomes the anti-analysis layer, since each of the three formats has to be reversed with a different toolchain and a different workflow, and the analyst has to context-switch between them across components,” Check Point notes.

The components are used as agents and modules, separating core communication functionality from post-compromise capabilities and allowing the attackers to tailor deployments per-victim and extend their access to the compromised environments.

The infection chain begins with the abuse of SysAid’s software update feature to sideload a WinDirStat DLL, which leads to the execution of the Cavern agent.

Advertisement. Scroll to continue reading.

After establishing command-and-control (C&C) communication, the agent fetches additional modules based on commands received from the operator.

Dedicated modules support file operations, database enumeration and manipulation, LDAP brute-force, network reconnaissance and SMB brute-force, and SOCKS5 proxy and WebSocket/WSS tunneling. The agent uses both managed and native modules.

The agent isolates each module into its dedicated AppDomain, which is terminated after the module is unloaded, removing them from memory to eliminate analyzable assembly artifacts. Additionally, the agent deletes all files and subdirectories in the working directory, except the communication module, config file, and log files.

According to Check Point, the Cavern framework was likely built using an AI model, but code comments and typos, as well as hand-picked names and various inconsistencies between modules, suggest a human was significantly and substantively involved in the development process.

As part of observed intrusions against Israeli targets, the APT used remote monitoring and management (RMM) solutions for lateral movement between victims. It also used browser-based remote desktop technologies to access victims’ environments and built-in features such as remote printing for data exfiltration.

“Recent campaigns suggest that the threat actor possesses a strong understanding of the complex IT supplier chains within Israel’s cyber ecosystem. In several cases, we observed evidence of the actor moving from an initial compromised IT provider to a second-hop provider before ultimately reaching the intended target organization,” Check Point notes.

Related: Cal Water Says No OT Systems Breached in Iranian Handala Cyberattack

Related: LA Metro Cyberattack Linked to Iranian State-Sponsored Hackers

Related: Iranian APT Targets Aviation, Software Companies With Updated Tools

Related: Iranian APT Intrusion Masquerades as Chaos Ransomware Attack

Related Content

ICS/OT

California Water Service says there is no indication of operational disruptions to its water and wastewater systems. 

ICS/OT

The hackers published 5GB of data, including customer personal information and credentials for the RTKBase platform.

Nation-State

The attack was claimed by a hacktivist group, but evidence showed it used infrastructure linked to Iranian government threat actors.

Malware & Threats

Nimbus Manticore has continued its operations during and after the US military campaign against Iran.

Nation-State

Likely perpetrated by MuddyWater, the attack combined social engineering, persistence, credential harvesting, and data theft.

Cyberwarfare

US service members received WhatsApp messages claiming they would be targeted with drones and missiles.

Malware & Threats

It targeted high-precision calculation software to tamper with results and packed a self-propagation mechanism.

ICS/OT

The US government has warned that Iran-linked hackers are manipulating PLCs and SCADA systems to cause disruption.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version