Attack Chain Overview
An Iranian hacking group tied to the Ministry of Intelligence and Security (MOIS) is deploying a previously undocumented modular command and control framework named Cavern. The campaign has primarily targeted IT providers and government organizations in Israel. Researchers at Check Point have tracked this cluster as Cavern Manticore, noting tactical overlaps with other Iranian state aligned groups such as MuddyWater and Lyceum.
The attack chain begins with an abuse of the SysAid software update mechanism. The adversary uses a DLL side loading technique to execute a trojanized library that contains the Cavern Agent. This agent then loads a communication module to contact the remote C2 server and fetch additional malicious modules as needed.
Framework Architecture and Capabilities
The Cavern framework is built on a shared .NET foundation but uses multiple compilation formats across its components. Some modules use pure .NET Framework compilation, while others rely on Native AOT compilation or mixed mode C++/CLI. This diversity in compilation targets creates an anti analysis layer that complicates reverse engineering efforts.
The framework includes at least five distinct post exploitation DLL modules. These handle file operations, SQL database enumeration and manipulation, Active Directory reconnaissance with LDAP brute force capabilities, network scanning and SMB brute force attacks, and SOCKS5 proxy or WebSocket tunneling. The modular design allows attackers to tailor deployments to specific victims and reduce forensic visibility.
Supply Chain Infiltration and Wider Campaign
Cavern Manticore operators have demonstrated sophisticated supply chain compromise techniques. The group moves from an initial compromised IT provider to a second hop provider before reaching the final intended target. This approach weaponizes trusted relationships, particularly where Remote Monitoring and Management solutions are deployed.
Separately, the MuddyWater subgroup has been conducting broad reconnaissance across more than 12,000 internet exposed systems. They have exploited known vulnerabilities in SmarterMail, n8n, N central, Langflow, and Laravel Livewire platforms. This larger campaign has shifted from reconnaissance to targeted credential harvesting and data exfiltration against aviation, energy, and government sectors in Egypt, Israel, and the United Arab Emirates.
Source: The Hacker News

