Iran-Linked Cavern C2 Framework: New Modular Command-and-Control Platform Targeting Israeli IT Providers and Government Organizations

Iran-Linked Cavern C2 Framework: New Modular Command-and-Control Platform Targeting Israeli IT Providers and Government Organizations

TTP Advisory: Iran Cavern C2 Framework | No CVE | Threat Actor: Cavern Manticore (Iran, MOIS-affiliated) | Overlaps: MuddyWater, Lyceum, OilRig | Targets: Israeli IT providers and government sectors | Status: Active


What Happened

Check Point Research has identified a previously undocumented modular command-and-control (C2) framework dubbed ‘Cavern’ (aka Cav3rn) being used by an Iranian hacking group affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The framework targets Israeli organizations, primarily singling out IT providers and government sectors. The activity is attributed to a threat cluster tracked as Cavern Manticore, which shares tactical overlaps with MuddyWater and Lyceum (the latter assessed to be a subgroup within OilRig).


Technical Details

The Cavern framework reflects a mature and adaptable toolset built around a shared .NET foundation. It uses multiple compilation formats across different components: .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT. The compilation format itself becomes an anti-analysis layer that forces reverse engineers into multiple toolsets and methodologies. The framework is modular, allowing operators to deploy different capabilities as needed.


Targets

  • Israeli IT providers — primary target
  • Israeli government organizations — secondary target

The campaign has been active and ongoing, with the group demonstrating persistence and evolving capabilities.


Mitigation

  • Monitor for .NET-based C2 infrastructure: The Cavern framework uses .NET across multiple compilation formats.
  • Review inbound/outbound connections: Look for anomalous connections to unknown or suspicious endpoints from IT provider networks.
  • Implement network segmentation: Ensure IT provider networks are segmented from customer environments.

Recommendations

  • Israeli organizations: IT providers and government entities should treat this as an active threat.
  • Monitor threat intelligence: Check Point Research indicators of compromise should be incorporated into detection systems.
  • Review access controls: Ensure administrative access to IT provider infrastructure is tightly controlled and monitored.

References


Part of the Vulnerability Intelligence series on threat-modeling.com. July 7, 2026 Report.

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!