Iranian hackers have a new toy. It’s called Cavern — or Cav3rn — and it’s a modular C2 framework aimed at Israeli organizations.
Check Point Research has been tracking this group since early 2026. They call it Cavern Manticore. It’s linked to Iran’s Ministry of Intelligence and Security (MOIS) and shares tactics with MuddyWater and Lyceum. The primary targets: IT providers and government sectors in Israel.
Cavern is built on .NET but compiled in three different formats. Some components are pure .NET Framework, some are Mixed-Mode C++/CLI, and others use .NET Native AOT. That mix makes analysis a nightmare for reverse engineers — you need different tools for each piece.
The attack chain starts with SysAid’s software update feature to drop a DLL side-loading package. A legitimate WinDirStat executable loads a trojanized uxtheme.dll, which is the Cavern agent. That agent connects to a C2 server and pulls down additional modules on demand.
There are five modules identified so far:
- mhm.dll — File operations, search, archive handling, file transfer
- db.dll — SQL database enumeration and manipulation
- ode.dll — Active Directory recon, LDAP brute-force
- n-ten.dll — Network recon, port scanning, SMB brute-force
- n-sws.dll — SOCKS5 proxy and WebSocket tunneling
The modular design lets operators tailor deployments per victim. They only load what’s needed. That reduces forensic visibility and keeps persistence alive.
Most samples score zero or very low detection on VirusTotal. If you’re defending Israeli IT or government networks, this is one to watch.
