Iran Built a Brand-New C2 Framework and Aimed It at the IT Providers Who Hold Israel's Keys
- Patrick Duggan
- 1 hour ago
- 4 min read
Check Point Research this week documented a previously unknown command-and-control framework called Cavern — you may also see it written Cav3rn — in the hands of a threat cluster they've named Cavern Manticore, affiliated with Iran's Ministry of Intelligence and Security. The targets are Israeli organizations, with IT providers and government sectors singled out. Two things about this campaign deserve your attention, and neither is the malware's name. The first is what the actor built. The second is the road it drives on.
What they built: a C2 that isn't Cobalt Strike
Yesterday morning, writing up the July 4th weekend, we flagged a trend in our own indicator corpus: the command-and-control landscape is diversifying past Cobalt Strike, the one framework everyone built detections for. Over the holiday we watched AdaptixC2, DeimosC2, and VShell — open-source alternatives — move through our feed alongside the old standby. Our exact warning was: if your rules key on Cobalt Strike beacons alone, that spread is the thing to watch.
Cavern is that trend arriving from the state-sponsored direction: not an open-source alternative adopted for convenience, but a bespoke framework built in-house. Check Point describes a mature, modular toolset on a shared .NET foundation — with components compiled three different ways: classic .NET Framework, mixed-mode C++/CLI, and .NET Native AOT. That last one matters to defenders more than it sounds like it should. Native AOT compiles .NET down to a self-contained native binary — no runtime dependency, none of the telltale managed-code structure that a decade of .NET-aware detection tooling was built to inspect. Same authors, same logic, three different shapes on disk. A detection program tuned to one compilation format inspects a third of the campaign.
The road it drives on: your IT provider, then your IT provider's IT provider
The tradecraft is the part we would tattoo on every procurement contract. Check Point observed Cavern Manticore compromising an IT provider, moving from there into a second provider, and only then reaching the actual target organization. Two hops of trusted relationship before the victim ever sees a packet.
If that pattern sounds familiar, it should — it is the third time we have written it in two days. Yesterday evening it was Storm-2603's Warlock ransomware entering one organization through SharePoint and walking out the far side into a second network. This morning it was ColdFusion. The lesson keeps arriving wearing different flags: the modern intrusion does not come through your front door, it comes through the door of someone you pay to hold your keys. Ransomware crews weaponize the trust for money; MOIS weaponizes it for reach. The mechanism is identical, and it is motive-agnostic — which is exactly why we keep saying that defending the door beats profiling the actor.
The infrastructure tells its own quiet joke about attribution. The campaign's root domain — hospitalinstallation[.]com — was registered through Fars Data, an Iranian hosting provider. For a service built to impersonate the mundane plumbing of enterprise IT, the registration trail runs straight home. Nobody's operational security is perfect, including intelligence services'.
Where this sits on our Iran watch
We keep a standing watch on Iran-nexus activity — CyberAv3ngers on the operational-technology side, Handala on the wiper-and-leak side, both covered here before. Cavern Manticore slots into that picture as something distinct: Check Point notes tactical overlaps with MuddyWater and Lyceum, the MOIS-adjacent espionage clusters, but tracks it as its own animal. So the current Iranian roster, as visible from our chair: an IRGC-linked crew for breaking industrial things, a MOIS-linked crew for burning and humiliating, and now a MOIS-affiliated engineering effort mature enough to ship a multi-format C2 framework and patient enough to route through two service providers before touching the target. That is not a hacktivist ecosystem. That is a software organization with a product roadmap.
What to do about it is unglamorous and familiar. If you are an IT or managed-service provider — especially one with customers an intelligence service might care about — you are not the collateral in this story, you are the route, and your detection posture needs to assume implants that do not look like Cobalt Strike and do not look like classic managed .NET either. If you are a customer of such providers, the questions to ask them just got very specific: how would you detect a Native AOT implant, and who watches the lateral path from your network into mine?
We hold this at 95 percent, as we hold everything — the attribution and technical detail are Check Point's research, corroborated by the usual trade press, not our own capture, and we say so. But the two threads it confirms are ours, on the record this week: the C2 monoculture is over, and the trusted-relationship hop is the era's defining move. Iran just demonstrated both in a single campaign.
Sources: Check Point Research, "Cavern Manticore: Exposing Iran-Linked Modular C2 Framework" (July 2026); The Hacker News and SC Media coverage (July 6–7 2026); DugganUSA indicator corpus and prior coverage — "Every Way We Measured the July 4th Weekend Said 'Quiet'" (July 6) and "Warlock Went Back to Work Before You Did" (July 6) at dugganusa.com.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.




Comments