Iran-Linked Hackers Use Cavern C2 Framework to Target Israeli Organizations
What happened
Check Point Research reported that an Iran-linked threat cluster called Cavern Manticore has been using a previously undocumented modular command-and-control framework called Cavern, also known as Cav3rn, to target Israeli organizations. The group is affiliated with Iran’s Ministry of Intelligence and Security and has primarily targeted IT providers and government-sector organizations.
The attack chain begins by abusing SysAid’s software update feature to launch a DLL side-loading sequence. That process executes a trojanized uxtheme.dll file containing the Cavern Agent, which then loads a communication module to contact attacker infrastructure and retrieve additional post-exploitation modules over HTTPS or WebSocket.
The Cavern framework separates core communication from mission-specific modules, allowing operators to deploy different tools depending on the victim. Researchers identified modules for file operations, SQL database enumeration and manipulation, Active Directory reconnaissance, LDAP brute-force attempts, network scanning, SMB brute-force attempts, SOCKS5 proxying, and WebSocket tunneling.
Check Point said the framework uses multiple .NET compilation formats, including .NET Framework, Native AOT, and Mixed-Mode C++/CLI. This design complicates reverse engineering because analysts must use different tooling and metadata-reconstruction workflows. The broader activity also shows supply-chain risk, with attackers moving from an initially compromised IT provider to a second-hop provider before reaching intended targets.
Who is affected
Israeli organizations are directly affected, especially IT providers and government-sector entities targeted by Cavern Manticore.
Organizations that rely on managed service providers, remote monitoring and management tools, software update mechanisms, or trusted IT service relationships may also be exposed if attackers compromise a provider and use it as a path into downstream customers.
The risk is especially relevant to environments where IT providers have privileged access, remote administration capabilities, software deployment rights, or access to customer networks.
Why CISOs should care
This campaign shows how service-provider trust can be weaponized. Instead of targeting only the final victim directly, attackers can compromise IT providers and use legitimate management or update workflows to reach downstream organizations.
For CISOs, the SysAid abuse is especially important. Software update and remote management features are powerful by design, but if attackers gain access to them, they can deliver malware under the appearance of legitimate administrative activity.
The modular nature of Cavern also matters. Once deployed, the framework can be expanded with modules for reconnaissance, data theft, tunneling, lateral movement, database access, and brute-force activity.
The campaign also reinforces the need to monitor both direct compromise and third-party pathways. A trusted provider, remote desktop workflow, or built-in feature such as remote printing can become part of an attacker’s exfiltration or access strategy.
3 practical actions
Review service-provider access and update channels: Cavern Manticore abused trusted IT provider relationships and SysAid’s software update feature. CISOs should review who can push updates, run remote tools, or administer systems across customer environments.
Monitor for DLL side-loading and suspicious SysAid activity: The attack chain used a trojanized uxtheme.dll and additional DLL modules. Security teams should review software update logs, unexpected DLL loads, unusual SysAid behavior, and outbound connections from management servers.
Hunt for modular post-exploitation behavior: Cavern modules support file transfer, database access, Active Directory enumeration, LDAP and SMB brute-force attempts, network scanning, SOCKS5 proxying, and WebSocket tunneling. Defenders should look for these behaviors across provider-managed and customer environments.
More cybersecurity news:


