Cavern (Cav3rn) modular C2 framework targeting Israeli organizations
Malware Activity
Summary
Hide ▲
Show ▼
A newly documented Cavern (Cav3rn) C2 framework is giving operators a stronger post-exploitation foothold against Israeli organizations. The toolset is tied to an Iranian MOIS-affiliated group tracked as Cavern Manticore. The attack chain abuses SysAid's software update feature and DLL side-loading to launch `uxtheme.dll` and load follow-on modules. Those modules support reconnaissance, data theft, tunneling, and lateral movement while hiding activity behind uncommon .NET build formats.
Timeline
-
06.07.2026 21:34 1 articles · 3d ago
Iran-linked Cavern C2 framework targets Israeli organizations through SysAid updates
Initial DisclosureCheck Point Research attributed activity to Cavern Manticore, an Iran's Ministry of Intelligence and Security (MOIS)-linked cluster, and described a previously undocumented modular Cavern (aka Cav3rn) C2 framework used against Israeli organizations and primarily IT providers and government sectors. The attack chain starts with SysAid's software update feature, uses DLL side-loading to execute trojanized `uxtheme.dll`, loads `n-HTCommp.dll` to reach `hospitalinstallation[.]com`, and delivers post-exploitation modules for reconnaissance, data theft, tunneling, and lateral movement. The framework also uses .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT to hinder analysis.
Show sources
- Iran-Linked Hackers Use New Cavern C2 Framework to Target Israeli Organizations — thehackernews.com — 06.07.2026 21:34