- An Iranian state-backed hacking group is using a new modular C2 framework, Cavern, targeting Israeli IT and government sectors.
- The sophisticated framework uses three different .NET compilation formats as an anti-analysis tactic and operates via a core agent that loads mission-specific modules.
- The group exploits trusted software supply chain relationships, moving through IT providers to reach final targets and has pivoted to data exfiltration.
An Iranian hacking group linked to the nation’s Ministry of Intelligence and Security is deploying a previously undocumented modular command-and-control framework called Cavern against Israeli organizations, according to Check Point Research. The activity, attributed to a cluster named Cavern Manticore, primarily singles out IT providers and government sectors.
The framework’s architecture uses a core Cavern Agent and separate modules for post-exploitation tasks like data theft and tunneling. Consequently, this modular design allows operators to tailor attacks, reduce forensic visibility, and maintain persistent access.
The attack chain begins by exploiting SysAid‘s software update feature to execute a trojanized DLL containing the agent. Meanwhile, the agent loads a communication module to contact its C2 server and fetch additional modules over HTTPS or WebSocket.
As many as five specific DLL modules have been uncovered for file operations, SQL database manipulation, Active Directory reconnaissance, network scanning, and proxy tunneling. The framework’s anti-analysis posture relies on uncommon .NET compilation formats, including Mixed-Mode C++/CLI and Native AOT.
Check Point explained “The compilation format itself becomes the anti-analysis layer that forces reverse engineers into multiple toolsets and metadata-reconstruction workflows.” The group weaponizes trusted relationships, moving from an initial compromised IT provider to a second-hop provider before reaching the final target.
This development unfolds amid ongoing military tensions, as another Iranian state-sponsored actor, MuddyWaterOasis Security noted the activity has progressed beyond reconnaissance to confirmed data exfiltration from sectors like aviation and energy in the Middle East.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
