Iran-linked group targets Israeli firms with a stealthy new spy toolkit

An Iran-linked espionage group has been quietly breaking into Israeli government bodies and IT providers using a custom, highly evasive hacking toolkit that most antivirus engines fail to detect, according to a new report from Check Point Research. The researchers track the group as Cavern Manticore and say it has operated since early 2026, with technical fingerprints that tie it to Iran's Ministry of Intelligence and Security (MOIS) and to established state crews including MuddyWater and the OilRig subgroup Lyceum.

Who is being targeted

Check Point says the campaign concentrates on Israeli organizations, with a clear focus on government agencies and the IT service providers that support them. Hitting an IT provider is a force multiplier: one foothold there can open a path into every customer it manages. In several intrusions, the attackers did not need an exploit to get in at all. They abused remote monitoring and management (RMM) software already installed in the victim's network, the same admin tooling IT teams rely on to run machines remotely.

How the attack works

The heart of the operation is a modular command-and-control (C2) framework the researchers call Cavern. It is built entirely on Microsoft's .NET platform and split into a core backdoor, the Cavern Agent, plus interchangeable modules the operators push down on demand for tasks such as browsing files and databases, mapping Active Directory, scanning the network, brute-forcing Windows shares, and tunneling traffic back out. One recovered infection chain abused the software-update feature of SysAid IT service software to plant a booby-trapped WinDirStat package, which side-loads a malicious uxtheme.dll (the agent) that then pulls in the rest.

Built to defeat analysts

What sets Cavern apart is how hard it works to stay hidden. Rather than the usual packers or scrambled code, the developers compiled their components into three different .NET binary formats, forcing malware analysts to switch tools and techniques for each piece. The agent masquerades as a legitimate Windows theming library, exposing 83 functions of which 82 are empty decoys so that automated sandboxes see nothing suspicious. Each module runs in its own isolated container and is wiped from disk after use, leaving little for investigators to recover. The payoff, Check Point notes, is that most samples score zero or near-zero detections on VirusTotal.

The analysis also caught the operators being human: buried in the code are first-person, profanity-laced debugging messages that read like a developer griping at their own tooling, a small reminder that a person sits behind the framework.

Indicators and defense

Because the toolkit slips past signature-based antivirus, defenders should hunt for the behavior instead: unexpected use or abuse of RMM software, a uxtheme.dll loading from a non-system path such as C:\ProgramData\WinDir, and beacons to the campaign's infrastructure. Check Point ties the activity to C2 domains including hospitalinstallation[.]com and staging URLs hxxps://adserviceupdate[.]com/cac[.]aspx and hxxps://hygienehistory[.]com/cac[.]aspx. This is the latest chapter in a long run of Iranian operations aimed at Israel, following campaigns we have covered from Iranian groups hitting defense firms with custom spying trojans.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions