All incidents

Cavern Manticore APT conducts cyber-espionage campaign against Israeli entities

campaignopenJul 6, 2026 — Jul 13, 2026
Cavern Manticore APT conducts cyber-espionage campaign against Israeli entities

CAVERN Manticore, an Iran‑linked APT group, has been carrying out a cyber‑espionage campaign against Israeli government and IT organisations since early 2026. The group uses a modular command and control framework to remain undetected while exfiltrating sensitive data.

The toolkit relies on .NET components that abuse legitimate IT management tools, as detailed in the modular C2 framework described by researchers. It employs a fake Windows theming library and a self‑updating mechanism to blend with normal admin traffic. These techniques allow the malware to persist without raising alarms.

Modules within the framework can harvest credentials, run arbitrary SQL queries and map internal networks. A separate component creates covert communication channels for data exfiltration. Initial access is often gained through compromised remote monitoring and management or SysAid servers.

Infosecurity Magazine reports that Check Point Research links Cavern Manticore to Iran’s Ministry of Intelligence and Security. The group shares code similarities with older Iranian clusters such as MuddyWater and Lyceum. Activity was observed between 6 July and 13 July 2026.

Defenders should monitor for unusual use of RMM and SysAid binaries, looking for signs of unauthorized execution. Reviewing logs for lateral movement and enforcing strict network segmentation can limit the attacker’s ability to pivot. Applying the latest patches for exposed services reduces the initial infection vector.

Deploying behavioural detection for the Cavern agent helps identify malicious activity that evades signature‑based tools. Sharing identified indicators of compromise with trusted partners and industry groups improves collective defence. Maintaining updated threat intelligence feeds ensures defenders stay ahead of evolving tactics.

Intelligence briefing updated Jul 13, 2026

Cavern Manticore Cavern Manticore APT
Root sourceresearch.checkpoint.com
Timeline Coverage

Swipe to explore timeline