Iranian Hackers Deploy ‘Cavern’ C2 Framework Against Israeli Targets

An Iranian state-sponsored hacking group, linked to the Ministry of Intelligence and Security (MOIS), has been identified utilizing a new modular command-and-control (C2) framework named ‘Cavern’ (also known as ‘Cav3rn’) to target Israeli organizations. This campaign has primarily focused on IT service providers and government sectors.

Cybersecurity researchers have attributed these activities to a threat cluster dubbed ‘Cavern Manticore,’ noting tactical similarities with other Iranian groups such as MuddyWater and Lyceum. The Cavern framework is built on a .NET foundation and employs multiple compilation formats, including .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT. This diverse compilation strategy complicates analysis efforts by requiring multiple toolsets and metadata reconstruction workflows.

The framework consists of two main components: the Cavern Agent and various Cavern modules. This design allows for a clear separation between core communication functions and specific post-exploitation tasks. Such an architecture enables attackers to customize deployments based on the target’s profile, minimize forensic detection, and maintain persistent access through specialized modules for reconnaissance, data exfiltration, tunneling, and lateral movement.

The attack sequence begins with the exploitation of SysAid’s software update feature. Attackers initiate a DLL side-loading process that executes a trojanized DLL (‘uxtheme.dll’) containing the Cavern Agent. This agent then loads a standalone communication DLL module (‘n-HTCommp.dll’) to connect with the C2 server (‘hospitalinstallation[.]com’) and retrieve additional modules over HTTPS or WebSocket.

Five distinct DLL modules have been identified:

  • mhm.dll: Handles file operations, enumeration, recursive file searches, archive management, and bidirectional file transfers.
  • db.dll: Facilitates SQL database enumeration, querying, exporting, and manipulation.
  • ode.dll: Conducts Active Directory reconnaissance, user and group enumeration, and LDAP brute-force attempts.
  • n-ten.dll: Performs network reconnaissance, port scanning, share enumeration, and SMB brute-force attempts.
  • n-sws.dll: Establishes SOCKS5 proxy and WebSocket tunneling.

A notable feature of the Cavern framework is its utilization of three different .NET compilation targets across its components. While ‘mhm.dll,’ ‘db.dll,’ and ‘ode.dll’ are pure .NET Framework modules, ‘n-HTCommp.dll,’ ‘n-ten.dll,’ and ‘n-sws.dll’ employ Native AOT (Ahead-of-Time) compilation. The main agent, ‘uxtheme.dll,’ integrates managed .NET code with native C++ within a single executable.

The agent includes a unified module dispatcher that loads components prefixed with ‘n-‘ as native DLLs via the LoadLibraryA Windows API. Other components are treated as managed .NET assemblies and loaded using AppDomain isolation, enhancing the framework’s anti-analysis capabilities.

Attacks by Cavern Manticore have demonstrated the group’s ability to exploit trusted relationships within the software supply chain. By compromising an initial IT service provider, the attackers can move laterally to secondary providers and ultimately reach the intended target organizations. This strategy underscores the operational value of trusted service-provider relationships, especially where Remote Monitoring and Management (RMM) solutions are in use. By abusing these tools, attackers can deliver malicious software disguised as legitimate updates and leverage browser-based remote desktop technologies to access targets of interest. In some cases, they exploit built-in features like remote printing to exfiltrate data when clipboard-based copy-paste or file-transfer capabilities are restricted.

This development occurs amid ongoing joint military operations by Israel and the U.S. against Iran. In recent months, the Iranian state-sponsored group MuddyWater has been observed conducting extensive reconnaissance across over 12,000 internet-exposed systems by exploiting known vulnerabilities in platforms such as SmarterMail, n8n, N-central, Langflow, and Laravel Livewire. The operation has progressed from broad reconnaissance to targeted credential harvesting and data exfiltration attacks against sectors including aviation, energy, and government in the Middle East, affecting countries like Egypt, Israel, and the United Arab Emirates.

The emergence of the Cavern C2 framework highlights the evolving sophistication of Iranian cyber operations. By developing and deploying advanced, modular toolsets, these groups can tailor their attacks to specific targets, evade detection, and maintain persistent access. Organizations, particularly those in critical sectors, must remain vigilant and implement robust cybersecurity measures to defend against such threats.