AN Iran-linked APT actor, tracked as Cavern Manticore, has been utilizing a modular command-and-control (C&C) framework in recent cyberattacks on Israeli organizations. This group appears to have connections to Iran's Ministry of Intelligence and Security and the OilRig subgroup. The Cavern Manticore framework employs a .NET-based toolset designed for anti-analysis, with components for various cyber operations like file management and network reconnaissance.
The attack chain begins with exploiting SysAid software to deploy the Cavern agent, which subsequently fetches additional modules for specific functionalities. The APT demonstrates a sophisticated understanding of Israel's IT supply chains, often moving laterally between compromised entities to reach its final targets.