TTP Advisory: Iran Cavern C2 Framework | No CVE | Threat Actor: Cavern Manticore (Iran, MOIS-affiliated) | Overlaps: MuddyWater, Lyceum, OilRig | Targets: Israeli IT providers and government sectors | Status: Active
What Happened
Check Point Research has identified a previously undocumented modular command-and-control (C2) framework dubbed ‘Cavern’ (aka Cav3rn) being used by an Iranian hacking group affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The framework targets Israeli organizations, primarily singling out IT providers and government sectors. The activity is attributed to a threat cluster tracked as Cavern Manticore, which shares tactical overlaps with MuddyWater and Lyceum (the latter assessed to be a subgroup within OilRig).
Technical Details
The Cavern framework reflects a mature and adaptable toolset built around a shared .NET foundation. It uses multiple compilation formats across different components: .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT. The compilation format itself becomes an anti-analysis layer that forces reverse engineers into multiple toolsets and methodologies. The framework is modular, allowing operators to deploy different capabilities as needed.
Targets
- Israeli IT providers — primary target
- Israeli government organizations — secondary target
The campaign has been active and ongoing, with the group demonstrating persistence and evolving capabilities.
Mitigation
- Monitor for .NET-based C2 infrastructure: The Cavern framework uses .NET across multiple compilation formats.
- Review inbound/outbound connections: Look for anomalous connections to unknown or suspicious endpoints from IT provider networks.
- Implement network segmentation: Ensure IT provider networks are segmented from customer environments.
Recommendations
- Israeli organizations: IT providers and government entities should treat this as an active threat.
- Monitor threat intelligence: Check Point Research indicators of compromise should be incorporated into detection systems.
- Review access controls: Ensure administrative access to IT provider infrastructure is tightly controlled and monitored.
References
- The Hacker News: Iran Cavern C2 Framework
- Check Point Research: Cavern Manticore Report
Part of the Vulnerability Intelligence series on threat-modeling.com. July 7, 2026 Report.
