An Iran-linked hacking group has created a new framework to attack Israeli organizations in the government and IT sectors while evading traditional detection and analysis systems, Israeli cybersecurity company Check Point disclosed in a report released on Monday.
In the report, Check Point Research (CPR) stated that it had been monitoring a hacking group called Cavern Manticore, linked to the Iranian Ministry of Intelligence and Security, since early 2026.
This new framework allows hackers to tailor attacks to new environments, limit what defenders and analysts can recover from any single victim, and extend access after the initial attack through specialized modules for expansion and data access, CPR explained.
According to the report, the group first attacked and used trusted IT providers to spread their new tool, which then gained access to files on the infected computers, downloaded additional programs, searched files and internal networks, tested passwords, and moved deeper into the targeted organizations.
Malware exploits IT provider tools
Once installed, the tool can infiltrate programs used to access other computers. Malware disguised as legitimate updates from the IT provider can be delivered to the customer.
The tool appeared to be specifically designed to exploit Remote Monitoring and Management (RMM) solutions, in which control of a device can be transferred to another party.
CPR found multiple instances of an initially compromised provider leading to another before the tool reached its intended target, leading to the belief that Cavern Manticore has a detailed understanding of the IT supplier chains within Israel.