Iran-linked hackers use new Cavern C2 against Israeli targets

by

Iran-linked hackers tied to the country’s Ministry of Intelligence and Security have used a previously undocumented modular command and control framework called Cavern against Israeli organizations, with Check Point Research saying the activity mainly targeted IT providers and government sectors.

KEY FACTS

  • Framework Cavern, also called Cav3rn, is built on a shared .NET base and uses several compilation formats.
  • Targeting The activity focused on Israeli organizations, especially IT and government victims.
  • Delivery The attack chain used SysAid update features and DLL side loading to launch a trojanized file.
  • Modules The framework includes files for database work, Active Directory reconnaissance, network scanning and tunneling.

A technical analysis by Check Point Research said the main agent loaded a communication module that contacted a command server at hospitalinstallation[.]com and fetched additional post-exploitation components over HTTPS or WebSocket.

The report said the framework separates core communications from mission-specific modules. It listed tools for file transfer, SQL database enumeration, Active Directory reconnaissance, network scanning, and SOCKS5 proxy tunneling.

Check Point said the malware chain began through SysAid update features and a DLL side-loading sequence that executed a trojanized uxtheme.dll file. It also said the group moved from one compromised IT provider to another before reaching the intended target, which suggests use of trusted service-provider relationships.

The disclosure also said the framework uses uncommon .NET compilation styles, including Mixed-Mode C++/CLI and Native AOT, which can make analysis harder. The main agent also loads modules through AppDomain isolation, which the report described as an anti-forensics measure.

In a separate disclosure, Oasis Security said the broader activity against Middle East targets later shifted from reconnaissance to credential harvesting and data theft, including against aviation, energy and public sector entities in Egypt, Israel and the United Arab Emirates.

WHY IT MATTERS

The findings show how state-linked groups can combine trusted service relationships, software update paths and modular malware to move across victims and stay hidden longer. They also point to growing use of complex .NET techniques that can slow analysis and response.