Skip to content
Chimera readability score 82 out of 100, Specialist reading level.

An Iran-linked advanced persistent threat (APT) actor has been using a modular command-and-control (C&C) framework in recent attacks targeting organizations in Israel, Check Point reports.
Tracked as Cavern Manticore, the APT focuses on government entities and IT providers, and appears linked to Iran’s MOIS (Ministry of Intelligence and Security), with possible ties to the OilRig subgroup Lyceum (also known as Hexane and SiameseKitten).
Cavern Manticore’s C&C framework includes an adaptable toolset built using .NET, with various compilation formats used across components, used as an anti-analysis layer.
“This is not obfuscation in the traditional sense; there is no packer, no control-flow flattening, and no string encryption anywhere in the framework. Instead, the compilation format itself becomes the anti-analysis layer, since each of the three formats has to be reversed with a different toolchain and a different workflow, and the analyst has to context-switch between them across components,” Check Point notes.
The components are used as agents and modules, separating core communication functionality from post-compromise capabilities and allowing the attackers to tailor deployments per-victim and extend their access to the compromised environments.
The infection chain begins with the abuse of SysAid’s software update feature to sideload a WinDirStat DLL, which leads to the execution of the Cavern agent.
After establishing command-and-control (C&C) communication, the agent fetches additional modules based on commands received from the operator.
Dedicated modules support file operations, database enumeration and manipulation, LDAP brute-force, network reconnaissance and SMB brute-force, and SOCKS5 proxy and WebSocket/WSS tunneling. The agent uses both managed and native modules.
The agent isolates each module into its dedicated AppDomain, which is terminated after the module is unloaded, removing them from memory to eliminate analyzable assembly artifacts. Additionally, the agent deletes all files and subdirectories in the working directory, except the communication module, config file, and log files.
According to Check Point, the Cavern framework was likely built using an AI model, but code comments and typos, as well as hand-picked names and various inconsistencies between modules, suggest a human was significantly and substantively involved in the development process.
As part of observed intrusions against Israeli targets, the APT used remote monitoring and management (RMM) solutions for lateral movement between victims. It also used browser-based remote desktop technologies to access victims’ environments and built-in features such as remote printing for data exfiltration.
“Recent campaigns suggest that the threat actor possesses a strong understanding of the complex IT supplier chains within Israel’s cyber ecosystem. In several cases, we observed evidence of the actor moving from an initial compromised IT provider to a second-hop provider before ultimately reaching the intended target organization,” Check Point notes.
Related: Cal Water Says No OT Systems Breached in Iranian Handala Cyberattack
Related: LA Metro Cyberattack Linked to Iranian State-Sponsored Hackers
Related: Iranian APT Targets Aviation, Software Companies With Updated Tools
Related: Iranian APT Intrusion Masquerades as Chaos Ransomware Attack

Sentinel — Human

Confidence

The text reads like expert cybersecurity journalism synthesizing specific technical findings attributed to a source, balanced by internal nuance regarding authorship origin.

Signals Detected
low severity: Sentence length variance shows some natural fluctuation; the tone is informational rather than purely metronomic.
low severity: The flow moves logically from attribution to technical detail to methodology without obvious artificial padding.
low severity: Attribution is heavily sourced (Check Point reports), and the narrative builds upon existing specialized terminology, suggesting reporting based on known intelligence.
medium severity: The inclusion of specific, granular technical details (e.g., .NET compilation formats, AppDomain isolation) combined with the internal contradictory evidence ('likely built using an AI model' vs. 'human involvement') suggests a human analyst synthesizing complex source material.
Human Indicators
The nuanced contradiction in the final sentence regarding the framework's development (AI likely vs. significant human involvement) exhibits a complexity often found in human investigative synthesis, rather than simple LLM parroting.
The use of specific organizational names and technical nomenclature grounds the report firmly in specialized threat intelligence reporting.