An Iranian hacking group associated with Iran's Ministry of Intelligence and Security has been utilizing a newly discovered command-and-control framework named Cavern to target Israeli organizations. This sophisticated framework has primarily focused on IT providers and government sectors in Israel. The threat actor, identified as Cavern Manticore by Check Point Research, shares similarities with known groups such as MuddyWater and Lyceum. Cavern is a modular toolset that employs various .NET compilation formats, making it challenging for reverse engineers to analyze its components.
The framework comprises Cavern Agent and several modules, each designed for specific functions such as communication, reconnaissance, data theft, and lateral movement. This modular architecture allows attackers to customize deployments for different victims while maintaining stealth and persistent access. The attack chain begins with the exploitation of SysAid's software update feature, leading to the execution of a trojanized DLL containing the Cavern Agent. This agent then loads additional modules from a command-and-control server.
The framework's reliance on uncommon .NET compilation formats acts as an anti-analysis measure, complicating the work of security researchers. Cavern Manticore's attacks have demonstrated their capability to move through trusted service-provider relationships, particularly where Remote Monitoring and Management solutions are used. By exploiting these trusted relationships, attackers can distribute malicious software under the guise of legitimate updates.
These developments occur amid heightened tensions, with ongoing military operations by Israel and the U.S. against Iran. Recent activities by the MuddyWater group, another Iranian state-sponsored actor, have included reconnaissance campaigns targeting systems in the Middle East by exploiting known vulnerabilities. Their operations have evolved to include credential harvesting and data exfiltration from sectors such as aviation, energy, and government.


