An Iranian hacking group linked to MOIS has been using the modular Cavern (Cav3rn) C2 framework to target Israeli organizations, especially IT providers and government sectors. The campaign uses trojanized SysAid updates, DLL side-loading, and multiple anti-analysis .NET components to enable reconnaissance, lateral movement, and data theft. #Cavern #Cav3rn #CavernManticore #MuddyWater #Lyceum #OilRig #MOIS #SysAid #hospitalinstallation
Keypoints
- Cavern is a previously undocumented modular C2 framework used against Israeli organizations.
- The operation is attributed to Cavern Manticore, a cluster with overlaps to MuddyWater and Lyceum.
- Attackers abused SysAid update features and DLL side-loading to deploy a trojanized uxtheme.dll.
- Modules support file operations, SQL access, Active Directory reconnaissance, network scanning, and tunneling.
- The framework uses Mixed-Mode C++/CLI and Native AOT to hinder analysis and maintain persistence.
Read More: https://thehackernews.com/2026/07/iran-linked-hackers-use-new-cavern-c2.html