[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqaJwTFKIlOxad6NRE1jORziGzObDtps5DAE7CVvwOUc":3},{"article":4,"iocs":55},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"d651e435-054f-4b0a-a0dd-1170a7d36d1b","Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks","iran-linked-hackers-using-modular-c-c-framework-in-cyberattacks-e28a41","Researchers say the Iran-linked threat actor used an adaptable modular malware framework and compromised IT service providers to reach high-value targets in Israel. The post Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks appeared first on SecurityWeek.","An Iran-linked APT group, Cavern Manticore, is employing a sophisticated, modular .NET C&C framework to target organizations in Israel, particularly government entities and IT service providers. The framework utilizes unique compilation formats as an anti-analysis layer and allows for tailored deployments. The attackers have been observed compromising IT service providers to gain access to their clients, demonstrating a deep understanding of complex supply chains.","Iran-linked APT uses modular C&C framework and IT providers to target Israeli organizations.","An Iran-linked advanced persistent threat (APT) actor has been using a modular command-and-control (C&C) framework in recent attacks targeting organizations in Israel, Check Point reports. Tracked as Cavern Manticore, the APT focuses on government entities and IT providers, and appears linked to Iran’s MOIS (Ministry of Intelligence and Security), with possible ties to the OilRig subgroup Lyceum (also known as Hexane and SiameseKitten). Cavern Manticore’s C&C framework includes an adaptable toolset built using .NET, with various compilation formats used across components, used as an anti-analysis layer. “This is not obfuscation in the traditional sense; there is no packer, no control-flow flattening, and no string encryption anywhere in the framework. Instead, the compilation format itself becomes the anti-analysis layer, since each of the three formats has to be reversed with a different toolchain and a different workflow, and the analyst has to context-switch between them across components,” Check Point notes. The components are used as agents and modules, separating core communication functionality from post-compromise capabilities and allowing the attackers to tailor deployments per-victim and extend their access to the compromised environments. The infection chain begins with the abuse of SysAid’s software update feature to sideload a WinDirStat DLL, which leads to the execution of the Cavern agent.Advertisement. Scroll to continue reading. After establishing command-and-control (C&C) communication, the agent fetches additional modules based on commands received from the operator. Dedicated modules support file operations, database enumeration and manipulation, LDAP brute-force, network reconnaissance and SMB brute-force, and SOCKS5 proxy and WebSocket\u002FWSS tunneling. The agent uses both managed and native modules. The agent isolates each module into its dedicated AppDomain, which is terminated after the module is unloaded, removing them from memory to eliminate analyzable assembly artifacts. Additionally, the agent deletes all files and subdirectories in the working directory, except the communication module, config file, and log files. According to Check Point, the Cavern framework was likely built using an AI model, but code comments and typos, as well as hand-picked names and various inconsistencies between modules, suggest a human was significantly and substantively involved in the development process. As part of observed intrusions against Israeli targets, the APT used remote monitoring and management (RMM) solutions for lateral movement between victims. It also used browser-based remote desktop technologies to access victims’ environments and built-in features such as remote printing for data exfiltration. “Recent campaigns suggest that the threat actor possesses a strong understanding of the complex IT supplier chains within Israel’s cyber ecosystem. In several cases, we observed evidence of the actor moving from an initial compromised IT provider to a second-hop provider before ultimately reaching the intended target organization,” Check Point notes. Related: Cal Water Says No OT Systems Breached in Iranian Handala Cyberattack Related: LA Metro Cyberattack Linked to Iranian State-Sponsored Hackers Related: Iranian APT Targets Aviation, Software Companies With Updated Tools Related: Iranian APT Intrusion Masquerades as Chaos Ransomware Attack Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire North Korean Hackers Target Open Source Developers in Supply Chain Attacks Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access VulnerabilityPrompt Injection Attacks Trick AI Agents Into Making Crypto PaymentsAgentic AI Used to Conduct Ransomware Attack via LangflowMedtronic Data Breach Impacts 3.8 Million PeopleAlleged Scattered Spider Hacker Extradited to USGoogle, FBI Disrupt NetNut Residential Proxy Network Powered by Millions of DevicesCritical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution Latest News CISA Reportedly Using Anthropic’s Mythos to Scan Government Software for FlawsCritical Adobe ColdFusion Vulnerability Exploited in AttacksCISO Conversations: Tarah Wheeler, Cybersecurity Leader, Thought Leader and Original ThinkerLinux Kernel Vulnerability Allows VM Escape on Intel and AMD SystemsKeyfactor Scores $1 Billion+ Investment for AI, Post-Quantum SecurityBlogspot-Hosted Payloads Delivered in ‘Veil#Drop’ AttacksThe Shift Toward Business-Aligned Risk ManagementArmored Likho APT Targeting Government, Electric Power Entities Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveJames Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.Rafal Los has joined Binary Defense as Chief Strategy Officer.Tracey Mustacchio has joined Everfox as Chief Marketing Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email","https:\u002F\u002Fwww.securityweek.com\u002Firan-linked-hackers-using-modular-cc-framework-in-cyberattacks\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2024\u002F08\u002FIran-Saudi-Arabia-Middle-East-Egypt-Israel.jpeg","2026-07-07T12:21:56+00:00","2026-07-07T14:01:01.863536+00:00",8,[18,21,23,25,27,29],{"name":19,"type":20},"Cavern Manticore","threat_actor",{"name":22,"type":20},"OilRig",{"name":24,"type":20},"Lyceum",{"name":26,"type":20},"Hexane",{"name":28,"type":20},"SiameseKitten",{"name":30,"type":31},"SysAid","vendor","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":32,"icon":34,"name":35,"slug":36},null,"Nation-state","nation-state",[38,43,45,50],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":44},{"id":32,"icon":34,"name":35,"slug":36},{"category":46},{"id":47,"icon":34,"name":48,"slug":49},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":51},{"id":52,"icon":34,"name":53,"slug":54},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[56,59,63,66,69,72,75,78,81],{"type":49,"value":57,"context":58},"Cavern agent","Malware agent used in the attack chain",{"type":60,"value":61,"context":62},"mitre_attack","T1071.001","Application Layer Protocol: Web Protocols (used for C2 communication)",{"type":60,"value":64,"context":65},"T1059.001","Command and Scripting Interpreter: PowerShell (implied by .NET framework)",{"type":60,"value":67,"context":68},"T1570","Lateral Tool Transfer (use of modules)",{"type":60,"value":70,"context":71},"T1021.001","Remote Services: Remote Desktop Protocol (used for access)",{"type":60,"value":73,"context":74},"T1041","Exfiltration Over C2 Channel (implied by module functionality)",{"type":60,"value":76,"context":77},"T1003","OS Credential Dumping (LDAP brute-force module)",{"type":60,"value":79,"context":80},"T1566.002","Phishing: Spearphishing Link (implied by initial compromise vector)",{"type":60,"value":82,"context":83},"T1190","Exploit Public-Facing Application (abuse of SysAid software update feature)"]