Executive Summary
A newly identified Iranian threat actor, tracked as Cavern Manticore and exhibiting strong overlaps with the MuddyWater and Lyceum (OilRig) advanced persistent threat (APT) groups, has been observed targeting Israeli organizations using a sophisticated, modular command-and-control (C2) framework named Cavern (also referenced as Cav3rn). This campaign leverages advanced anti-analysis techniques, supply chain compromise, and a suite of post-exploitation modules to achieve persistent access, data theft, and lateral movement within targeted environments. The attack chain is notable for its abuse of trusted IT management software, particularly the SysAid update mechanism, and its use of custom .NET-based malware components that complicate detection and analysis. The campaign demonstrates a high level of operational security and technical innovation, posing a significant threat to organizations in Israel and the broader Middle East.
Threat Actor Profile
The threat actor behind the Cavern framework is designated as Cavern Manticore by Check Point Research and is assessed to be affiliated with the Iranian Ministry of Intelligence and Security (MOIS). This group shares technical and tactical overlaps with the well-documented MuddyWater (MITRE G0069) and Lyceum (MITRE G0098, OilRig subgroup) APTs, both of which have a history of targeting Middle Eastern government, defense, and IT sectors. Cavern Manticore distinguishes itself through its use of a highly modular, .NET-based C2 architecture, advanced anti-forensics, and a focus on supply chain and IT provider compromise. The group’s operational objectives appear to include persistent espionage, credential harvesting, and exfiltration of sensitive data from high-value Israeli targets.
Technical Analysis of Malware/TTPs
The Cavern C2 framework is a multi-component, modular malware platform built primarily on the .NET Framework, with components compiled using Mixed-Mode C++/CLI and .NET Native AOT. The attack chain typically begins with the abuse of the SysAid software update feature, which is leveraged to sideload a trojanized uxtheme.dll (the Cavern Agent) via a legitimate process such as WinDirStat.exe. This agent then loads a standalone communication module (n-HTCommp.dll) responsible for establishing encrypted C2 communications over HTTPS or WebSocket protocols, often using XOR encryption for payload obfuscation.
The core agent dynamically fetches and loads additional post-exploitation modules, each designed for specific operational tasks. These include mhm.dll for file operations and DPAPI decryption, db.dll for SQL database enumeration and manipulation, ode.dll for Active Directory reconnaissance and LDAP brute-force, n-ten.dll for network reconnaissance and SMB brute-force, and n-sws.dll for SOCKS5 proxy and WebSocket tunneling. The modular architecture allows the threat actor to tailor capabilities to the target environment and evade detection by only loading necessary components.
Anti-analysis features are deeply embedded in the framework. The use of multiple compilation formats (IL-only, Mixed-Mode, NativeAOT) forces defenders to employ a diverse set of reverse engineering tools. Each module is loaded into a separate AppDomain for isolation, complicating memory forensics and impeding static analysis. The malware also employs mutexes (e.g., MYMUTEX123HELLP) and custom configuration files (e.g., config.txt, Cvn.cfg.A) to manage execution and persistence.
The campaign’s Tactics, Techniques, and Procedures (TTPs) align with several MITRE ATT&CK techniques, including supply chain compromise (T1195), DLL sideloading (T1574.002), defense evasion via obfuscated files and information (T1027), credential access through LDAP brute-force (T1110.003), lateral movement using RMM tools and SMB brute-force (T1021.002), and exfiltration over alternative protocols (T1048.003).
Exploitation in the Wild
The Cavern campaign has been observed in active exploitation against Israeli IT providers, government agencies, and organizations with complex supply chains. The initial access vector is typically a supply chain compromise, where the SysAid update mechanism is abused to deploy the malicious DLL sideloading package. Once inside the network, the attackers leverage trusted IT provider relationships and remote monitoring and management (RMM) tools to move laterally and escalate privileges.
C2 communications are established with domains such as hospitalinstallation[.]com, auth.hospitalinstallation[.]com, and google.com.hospitalinstallation[.]com, with traffic encrypted and obfuscated to evade network detection. The attackers have demonstrated the ability to exfiltrate data using browser-based remote desktop, remote printing, and custom tunneling modules, even in environments with strict egress controls.
The campaign has also been linked to the exploitation of recent remote code execution vulnerabilities in widely used enterprise software, including SmarterMail (CVE-2025-52691), n8n (CVE-2025-68613), N-Central (CVE-2025-9316), Langflow (CVE-2025-34291), and Laravel Livewire (CVE-2025-54068). These exploits are used to gain initial footholds or escalate privileges within targeted networks.
Victimology and Targeting
The primary targets of the Cavern campaign are Israeli government entities, IT providers, and organizations operating in critical infrastructure sectors such as aviation, energy, and public services. There is evidence of activity extending to organizations in Egypt, the United Arab Emirates, and other Middle Eastern countries with strategic ties to Israel. The attackers prioritize organizations with complex IT supply chains and those that rely heavily on third-party IT management and RMM solutions, exploiting the inherent trust and access these providers possess.
Victimology analysis indicates a focus on entities with access to sensitive government data, intellectual property, and critical infrastructure operations. The attackers’ use of supply chain compromise and lateral movement through trusted IT providers underscores the importance of robust third-party risk management and continuous monitoring of privileged access.
Mitigation and Countermeasures
Organizations are strongly advised to audit and monitor all instances of SysAid and other IT management software for unauthorized or suspicious DLLs, particularly uxtheme.dll and related modules. Outbound network connections to known C2 domains, including hospitalinstallation[.]com and its subdomains, should be blocked and closely monitored for anomalous activity.
It is critical to patch all systems for the enumerated CVEs, especially those affecting SmarterMail, n8n, N-Central, Langflow, and Laravel Livewire. Security teams should review the usage of RMM tools, restricting remote printing, clipboard, and file transfer features wherever possible. Enhanced monitoring for unusual DLL sideloading activity, .NET mixed-mode binaries, and the presence of suspicious mutexes or configuration files is recommended.
Detection strategies should focus on behavioral indicators, such as the loading of unauthorized modules, anomalous network traffic to rare domains, and the abuse of trusted administrative channels. Organizations should also implement robust third-party risk management practices, ensuring that IT providers adhere to strict security controls and are regularly audited for compromise.
References
The Hacker News: Iran-Linked Hackers Use New Cavern C2 Framework to Target Israeli Organizations Check Point Research – Cavern Manticore: Exposing Iran-Linked Modular C2 Framework Oasis Security MITRE ATT&CK - MuddyWater MITRE ATT&CK - Lyceum NVD - CVE-2025-52691 NVD - CVE-2025-68613 NVD - CVE-2025-9316 NVD - CVE-2025-34291 NVD - CVE-2025-54068
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with advanced tools to continuously monitor, assess, and mitigate cyber risks across their supply chain and vendor ecosystem. Our platform leverages cutting-edge threat intelligence and automation to deliver actionable insights, helping organizations stay ahead of emerging threats and maintain robust cyber resilience. For more information or to discuss how Rescana can support your organization’s cybersecurity posture, we are happy to answer questions at info@rescana.com.



