An Iranian hacking group affiliated with Iran’s Ministry of Intelligence and Security (MOIS) is using a previously unknown modular command-and-control (C2) framework called Cavern (aka Cav3RN) to target Israeli organizations.
The activity, which has primarily irked IT providers and government sectors, has been attributed to a threat group tracked by Check Point Research under the pseudonym. Cavern ManticoreWhich is said to share some level of strategic overlap with Muddywater and Lyceum, the latter of which is considered a subgroup within Oilrig.
The cybersecurity company said, “The framework reflects a mature and adaptable toolset built around a shared .NET foundation, using multiple compilation formats across different components, including the .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT.”
“The compilation format itself becomes an anti-analysis layer that forces reverse engineers into multiple toolsets and metadata-reconstruction workflows.”
Components of the C2 Framework are used such as the Cavern Agent and Cavern Module, demonstrating a clear division of responsibilities between core communications capabilities and mission-specific post-exploitation functionality. This architecture has inherent advantages as it allows operators to customize deployment based on victim profile, reduce forensic visibility, and ensure consistent access through bespoke modules for reconnaissance, data theft, tunneling, and lateral movement.
The attack chain documented by Check Point Research begins with SysAid’s Software Update feature, which is exploited by an adversary to initiate a DLL side-loading chain that leads to the execution of a trojanized DLL (“uxtheme.dll”) containing the Cavern agent. The agent, on its part, loads a standalone communications DLL module (“n-HTCommp.dll”) to contact the C2 server (“HospitalInstallation”)[.]com”) and bring in additional post-exploitation modules on the fly over HTTPS or WebSocket.
At least five DLL modules are exposed –
- mhm.dllFor file operations, calculations, recursive file searches, archive management and bidirectional file transfers.
- db.dllFor SQL database calculations, queries, exports and manipulations
- ode.dllFor Active Directory reconnaissance, user/group enumeration, and LDAP brute-force efforts.
- n-ten.dllFor network reconnaissance, port scanning, share enumeration and SMB brute-force attempts.
- n-sws.dllSOCKS5 for proxy and WebSocket tunneling
A defining feature of the framework is the use of three different .NET compilation targets spread across its components: while mhm.dll, db.dll, and ode.dll are pure .NET Framework modules, n-HTCommp.dll, n-ten.dll, and n-sws.dll use native AOT (Ahead-of-Time) compilation. The main agent, uxtheme.dll, combines managed .NET code with native C++ into a portable executable.
Embedded within the agent is an integrated module dispatcher that treats components whose names begin with n- as native DLLs and is loaded via the LoadLibraryA Windows API, while the rest are interpreted as managed .NET assemblies and loaded via a mechanism called AppDomain Isolation.
Check Point reported, “The framework’s anti-analysis state relies on unusual .NET compilation formats (mixed-mode C++/CLI and native AOT), which forces reverse engineers into multiple toolsets and metadata-reconstruction workflows, along with per-module AppDomain isolation as an anti-forensic measure.”
Attacks perpetrated by Cavern Manticore involve the threat actor moving from the initial compromised IT provider to a second-hop provider before ultimately reaching the intended target organization, indicating their ability to weaponize trusted relationships in the software supply chain to their advantage.
“This activity highlights the operational value of trusted service-provider relationships, particularly where remote monitoring and management (RMM) solutions are deployed,” the company said.
“By abusing these tools, the actor can move among victims and distribute malicious software disguised as legitimate updates. It appears that the actor leverages browser-based remote desktop technologies to reach targets of interest and, in some cases, abuses built-in features such as remote printing to exfiltrate data when clipboard-based copy-paste or file-transfer capabilities are restricted.”
This development has come in the backdrop of the joint military operation launched by Israel and America against Iran. In recent months, an Iranian state-sponsored threat actor tracked as Muddywater has been observed conducting widespread reconnaissance campaigns across more than 12,000 Internet-exposed systems by exploiting known security vulnerabilities in Internet-exposed SmarterMail, N8N, N-Central, Langflow, and Laravel LiveWire systems.
The list of exploited vulnerabilities is as follows –
The operation is said to have focused on targets ranging from extensive reconnaissance to targeted credential harvesting and data intrusion attacks against aviation, energy and government sectors in the Middle East, including aviation, energy and public sector entities in Egypt, Israel and the United Arab Emirates.
“The operation leveraged a combination of vulnerability exploitation, Outlook Web Access (OWA) brute-force attacks, and newly identified command-and-control (C2) controllers that support multi-protocol communications,” Oasis Security said. “The activity extended beyond reconnaissance and access efforts, resulting in confirmed exfiltration of sensitive data from the compromised environment.”