Find notable cyber news and cases, enriched with sources, timelines, and signals.

Cavern (Cav3rn) modular C2 framework targeting Israeli organizations

Malware Activity
First reported
Last updated
Happening score
H score 60
1 unique sources, 1 articles

Summary

Hide ▲

A newly documented Cavern (Cav3rn) C2 framework is giving operators a stronger post-exploitation foothold against Israeli organizations. The toolset is tied to an Iranian MOIS-affiliated group tracked as Cavern Manticore. The attack chain abuses SysAid's software update feature and DLL side-loading to launch `uxtheme.dll` and load follow-on modules. Those modules support reconnaissance, data theft, tunneling, and lateral movement while hiding activity behind uncommon .NET build formats.

Timeline

  1. 06.07.2026 21:34 1 articles · 3d ago

    Iran-linked Cavern C2 framework targets Israeli organizations through SysAid updates

    Initial Disclosure

    Check Point Research attributed activity to Cavern Manticore, an Iran's Ministry of Intelligence and Security (MOIS)-linked cluster, and described a previously undocumented modular Cavern (aka Cav3rn) C2 framework used against Israeli organizations and primarily IT providers and government sectors. The attack chain starts with SysAid's software update feature, uses DLL side-loading to execute trojanized `uxtheme.dll`, loads `n-HTCommp.dll` to reach `hospitalinstallation[.]com`, and delivers post-exploitation modules for reconnaissance, data theft, tunneling, and lateral movement. The framework also uses .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT to hinder analysis.

    Show sources