Summary
Key Points:
- A new Iranian-linked hacking group, Cavern Manticore, has been targeting Israeli government and IT sectors since early 2026, utilizing advanced modular command-and-control (C2) infrastructure.
- The group exploits remote monitoring and management (RMM) software for initial access and lateral movement, deploying malicious software disguised as legitimate updates. Their operations have shown low detection rates on security platforms like VirusTotal.
- Recommended actions include enhancing monitoring of RMM tools, implementing strict access controls, and employing advanced threat detection solutions to identify anomalous C2 traffic.
Technical Details: Cavern Manticore employs a modular C2 framework consisting of a persistent backdoor (Cavern agent) and specialized post-exploitation tools (Cavern modules), utilizing .NET technologies to evade detection. The group has been linked to previous Iranian threat actors through shared techniques and infrastructure.
MITRE ATT&CK Techniques:
- T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
- T1210 - Exploit Public-Facing Application (Initial Access)
- T1021.001 - Remote Services: Remote Desktop Protocol (Lateral Movement)
- T1059.001 - Command and Scripting Interpreter: PowerShell (Execution)
IOCs Mentioned:
- hospitalinstallation[.]com (domain used in C2 infrastructure)
Join the discussion — sign up to comment, upvote, and save articles.