← All stories
● Covered by 1 source Β· 1 reportHigh impact

Iran-Linked Hackers Deploy Cavern C2 Framework Against Israeli Targets

Aggregated by BrevFeed security Β· updated 2h ago
πŸ”– Save

An Iranian hacking group linked to the MOIS has begun targeting Israeli organizations using the new Cavern C2 framework, which enables sophisticated post-exploitation functionalities. This development signifies an evolution in cyber threats against critical sectors in Israel, particularly focused on IT and government services.

Key points

Overview of the Cavern C2 Framework

An Iranian hacking group associated with the Ministry of Intelligence and Security (MOIS) has initiated operations employing a new command-and-control (C2) framework named Cavern. This framework has primarily been directed at Israeli organizations, specifically in the IT and government sectors, indicating a clear focus on critical infrastructure.

Technical Features of Cavern

The Cavern framework, also referred to as Cav3rn, is characterized by its modular and adaptive architecture built on a shared .NET foundation. It utilizes multiple compilation formats, such as .NET Framework and Mixed-Mode C++/CLI, to complicate reverse engineering efforts, adding an anti-analysis layer that challenges cybersecurity professionals attempting to dissect its operations.

This architecture provides operational advantages, enabling precise targeting and mission-specific functions while minimizing detection risks.

Attack Methodology

According to Check Point Research, the attack sequence begins with the exploitation of SysAid's software update mechanism. This process involves a DLL side-loading attack that triggers the execution of a tainted DLL, 'uxtheme.dll', which is embedded with the Cavern Agent. Once deployed, this agent imports a communication module ('n-HTCommp.dll') that connects to the specified C2 server to download further malicious components.

Post-Exploitation Capabilities

The Cavern framework comprises at least five specific DLL modules that equip hackers with various capabilities:

- 'mhm.dll' for file operations and transfer;

- 'db.dll' for database access and manipulation;

- 'ode.dll' for Active Directory interaction;

- 'n-ten.dll' for network reconnaissance and port scanning;

- 'n-sws.dll' for tunneling operations. This suite of tools underscores the operators' capacity to exploit and navigate the victim's environment extensively.

Significance of the Emerging Threat

The emergence of the Cavern framework exemplifies the evolving tactics of cyber adversaries targeting national infrastructure and highlights the need for enhanced security measures. With the framework's modular design and operational flexibility, it poses a significant threat not only to Israeli entities but could potentially be adapted for wider malicious use, stressing the importance of vigilance in cybersecurity practices.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Primary sources

CVE CVE-2025-5269110.0 CRITICAL CVE CVE-2025-686139.9 CRITICAL CVE CVE-2025-93166.9 MEDIUM CVE CVE-2025-342918.8 HIGH CVE CVE-2025-540689.8 CRITICAL CVE CVE-2026-552008.1 HIGH

Reporting from

An Iranian hacking group linked to the MOIS has begun targeting Israeli organizations using the new Cavern C2 framework, which enables sophisticated post-exploitation functionalities. This development signifies an evolution in cyber threats against critical sectors in Israel, particularly focused on IT and government services.