Iran-linked hackers develop new framework targeting Israeli IT and government organizations, report reveals
Translated from English, summarized and contextualized by DistantNews.
At a glance
- An Iran-linked hacking group, Cavern Manticore, has developed a new framework to target Israeli government and IT organizations.
- The group, linked to Iran's Ministry of Intelligence and Security, uses malware disguised as IT provider updates to infiltrate systems and expand access.
- Cybersecurity firm Check Point Research warns that the adaptable system highlights the growing threat of Iranian cyber capabilities.
An Iran-linked hacking group has developed a sophisticated new framework to target Israeli organizations, according to a report by Israeli cybersecurity company Check Point. The group, identified as Cavern Manticore and linked to Iran's Ministry of Intelligence and Security, has been monitored by Check Point Research since early 2026. Their new framework allows for tailored attacks, limits the data defenders can recover, and enables expansion within targeted networks through specialized modules. CPR explained that the hackers initially compromised trusted IT providers to distribute their new tool. Once installed, the malware infiltrates programs used for remote access, downloads additional software, searches files and internal networks, tests passwords, and moves deeper into the organization. The tool specifically exploits Remote Monitoring and Management (RMM) solutions, which allow control of a device to be transferred. Check Point found multiple instances where a compromised provider led to further compromises before reaching the intended target. This suggests Cavern Manticore possesses a detailed understanding of IT supplier chains within Israel. The firm warned that Cavern Manticore's rapidly adaptable system demonstrates the strength and danger of Iranian cyber capabilities, capable of quickly adjusting to new campaigns, targets, and operational needs.
This new framework allows hackers to tailor attacks to new environments, limit what defenders and analysts can recover from any single victim, and extend access after the initial attack through specialized modules for expansion and data access.
Originally published by Jerusalem Post in English. Translated, summarized, and contextualized by our editorial team with added local perspective. Read our editorial standards.