A hacking group linked to Iran’s Ministry of Intelligence and Security has been identified using a previously undocumented modular command and control framework called Cavern, also known as Cav3rn, to target organizations across the regional government and information technology sectors. According to findings published by Check Point Research, the activity has been attributed to a threat cluster tracked as Cavern Manticore, which shares tactical similarities with MuddyWater and Lyceum, with the latter assessed as a subgroup within OilRig. Researchers stated that the framework demonstrates a mature and adaptable architecture built on a shared .NET foundation while incorporating multiple compilation formats, including .NET Framework, .NET Mixed Mode C++ CLI, and .NET Native Ahead of Time compilation. This design complicates malware analysis by requiring security researchers to rely on multiple reverse engineering techniques and metadata reconstruction workflows, increasing the complexity of technical investigations.
Check Point Research explained that the framework is divided into Cavern Agent and separate Cavern modules, creating a clear distinction between communication functions and post exploitation capabilities. This modular approach allows operators to customize deployments according to the targeted environment while reducing forensic visibility and maintaining persistent access through specialized modules dedicated to reconnaissance, data theft, tunneling, lateral movement, and other operational tasks. The documented attack chain begins by exploiting SysAid’s software update feature to trigger a DLL side loading sequence that executes a trojanized uxtheme.dll file containing the Cavern Agent. Once active, the agent loads a communication module named n HTCommp.dll to establish encrypted connections with its command and control server at hospitalinstallation.com through HTTPS or WebSocket protocols before retrieving additional payloads as needed. Researchers identified five separate DLL modules within the framework that perform file operations, SQL database interaction, Active Directory reconnaissance, network discovery, SMB brute force attempts, SOCKS5 proxy capabilities, and WebSocket tunneling. The framework further distinguishes between native and managed components by loading modules beginning with the prefix n through the Windows LoadLibraryA API, while other modules are executed as managed .NET assemblies using AppDomain isolation, a method that also serves as an anti forensics mechanism.
Researchers observed that the threat activity frequently abuses trusted service provider relationships by compromising an initial IT provider before moving to another provider and eventually reaching the intended target organization through software supply chain access. The report noted that Remote Monitoring and Management solutions are leveraged to distribute malicious software disguised as legitimate updates, allowing the attackers to move laterally across interconnected environments. In several cases, browser based remote desktop technologies were used to access targeted systems, while built in features such as remote printing were reportedly abused to exfiltrate sensitive information when conventional clipboard sharing or file transfer capabilities were restricted. Check Point Research stated that these techniques demonstrate how trusted administrative tools can be misused to extend unauthorized access while reducing suspicion during malicious operations.
The findings were published amid heightened regional geopolitical tensions and coincide with separate research describing recent activity linked to MuddyWater. According to Oasis Security, the group conducted broad reconnaissance against more than 12,000 internet exposed systems by exploiting known vulnerabilities affecting SmarterMail, n8n, N Central, Langflow, and Laravel Livewire deployments. The campaign reportedly used vulnerabilities identified as CVE 2025 52691, CVE 2025 68613, CVE 2025 9316, CVE 2025 34291, and CVE 2025 54068 to gain initial access before progressing to Outlook Web Access brute force attacks, credential harvesting, and data exfiltration. Oasis Security stated that the operation evolved beyond reconnaissance into confirmed theft of sensitive information affecting aviation, energy, and government organizations across the Middle East, including entities in Egypt and the United Arab Emirates, while also relying on newly identified command and control infrastructure capable of supporting multiple communication protocols.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.