Iran-Linked Group Uses Newly Identified Cavern C2 Framework Against Israeli Targets

A hacking cluster linked to Iran’s Ministry of Intelligence and Security is using a previously unreported command-and-control framework called Cavern, or Cav3rn, in intrusions aimed at Israeli organiz...

A hacking cluster linked to Iran’s Ministry of Intelligence and Security is using a previously unreported command-and-control framework called Cavern, or Cav3rn, in intrusions aimed at Israeli organizations, according to Check Point Research. The activity has mainly affected IT service providers and government-related entities.

Researchers say the group, which they track as Cavern Manticore, shows some overlap in tactics with MuddyWater and Lyceum, the latter of which is believed to sit within the OilRig ecosystem. The framework appears designed to support flexible operations, with separate components for core communications and for post-compromise tasks such as reconnaissance, file theft, tunneling, and lateral movement.

How the attacks work

The intrusion chain begins with abuse of SysAid’s software update process. From there, the attackers use DLL side-loading to launch a trojanized file named uxtheme.dll, which contains the main agent. That agent then loads another module to communicate with a server identified as hospitalinstallation[.]com and retrieve additional payloads over HTTPS or WebSocket connections.

  • mhm.dll for file browsing, search, archiving, and transfers
  • db.dll for SQL database enumeration and manipulation
  • ode.dll for Active Directory discovery and LDAP brute-force attempts
  • n-ten.dll for network scanning and SMB brute force
  • n-sws.dll for SOCKS5 proxying and tunneling

Check Point said the framework stands out because it mixes several .NET compilation methods, including standard .NET Framework, Mixed-Mode C++/CLI, and Native AOT. That design can make analysis harder by forcing defenders to use different tools and reconstruction methods for each component. The use of AppDomain isolation for modules may also help limit forensic visibility.

Investigators added that the operators appear to move through trusted service-provider relationships, sometimes jumping from one compromised IT vendor to another before reaching a final target. In some cases, they have also used browser-based remote desktop tools and legitimate printing functions to move data when other transfer options were blocked.

The findings come amid heightened regional tension following the ongoing military campaign involving Israel and the United States against Iran. In a separate set of incidents, MuddyWater has recently been associated with large-scale scanning and follow-on attacks that exploited known flaws in widely used products, including SmarterMail, n8n, N-central, Langflow, and Laravel Livewire, before shifting toward credential theft and data exfiltration in the Middle East.