Malware News Check Point Research (CPR) tracks ‘Cavern Manticore’ as an Iran-nexus threat actor operating against Israeli targets

Khushal

Level 16
Thread author
Verified
Top Poster
Well-known
Apr 4, 2024
742
4,916
1,469
  • Cavern Manticore shares technical overlaps with other Iranian MOIS (Ministry of Intelligence and Security)-linked threat actors, including MuddyWater and Lyceum.
  • CPR observed a modular C2 framework in the wild, with all samples built on top of .NET but compiled into different output formats. These components are used as Cavern agent and Cavern modules.
  • 1783408139573.png
  • Cavern Manticore: Exposing Iran-Linked Modular C2 Framework - Check Point Research
  • The framework’s anti-analysis posture relies on uncommon .NET compilation formats (Mixed-Mode C++/CLI and Native AOT) that force reverse engineers into multiple toolsets and metadata-reconstruction workflows, together with per-module AppDomain isolation as an anti-forensics measure.
  • In malware-engine coverage, the majority of observed samples score zero or very low detection rates on VirusTotal.
  • Post-exploitation modules provide the threat actor with extended capabilities, including file system and database browsing, LDAP querying, network reconnaissance, and tunneling.
  • In multiple observed intrusions, the initial foothold was achieved through abuse of existing Remote Monitoring and Management (RMM) software deployed in the targeted organization.
 
Context on Cavern Manticore’s Reported Overlaps and Techniques

Thanks for sharing this summary. A few points worth adding for context, based on what is publicly known about the groups mentioned:

MuddyWater and Lyceum overlap
Both are established MOIS-linked clusters tracked for years by multiple vendors. MuddyWater is known for heavy use of legitimate remote access tools (including RMM-style utilities) and PowerShell-based loaders, while Lyceum has historically focused on telecom and critical infrastructure targets in the Middle East using DNS-based C2 and custom .NET tooling. Overlapping TTPs between distinct clusters is common in the Iranian threat landscape, since tooling, infrastructure, and even operators are sometimes shared or reused across campaigns, which is why attribution in these cases is usually expressed with moderate rather than high confidence.

RMM abuse as initial access
The trend of abusing already-deployed RMM software for initial foothold is consistent with broader industry reporting over the past few years. Because RMM tools are legitimate, signed, and expected in many corporate environments, they tend to blend in with normal administrative activity and are frequently missed by signature-based detection. Organizations should treat unexpected or unauthorized RMM installations/connections as a high-priority indicator, and restrict RMM usage to known, whitelisted vendor instances with logging enabled.

.NET compilation tricks (Mixed-Mode C++/CLI and Native AOT)
These are legitimate .NET features being repurposed for anti-analysis. Native AOT produces native machine code instead of the usual IL/MSIL, which breaks many standard .NET decompilers (dnSpy, ILSpy, etc.) that expect managed bytecode. Mixed-Mode C++/CLI binaries combine native and managed code in the same assembly, forcing analysts to pivot between disassemblers and decompilers. Per-module AppDomain isolation can also limit what forensic artifacts persist in memory once a module unloads, complicating memory-forensics efforts.

Low VirusTotal detection
Given the compilation techniques described, low or zero detection on first submission is plausible, since many engines still rely heavily on signatures tuned to standard IL-based .NET binaries. This is a good reminder that a clean or near-clean VirusTotal score should never be treated as proof of safety, especially for binaries using uncommon compilation formats.

For anyone encountering suspicious RMM activity or unfamiliar .NET binaries with these characteristics, the safest path is to isolate the host, capture the sample and relevant logs, and submit through the appropriate MalwareTips support section or to your security vendor for deeper analysis rather than relying solely on automated scan results.