Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Iranian Hackers Deploy Cavern C2 Framework on Israel

Iranian Hackers Deploy Cavern C2 Framework on Israel

Posted on July 6, 2026 By CWS

An Iranian cyber espionage group, linked to Iran’s Ministry of Intelligence and Security, has been discovered using a new command-and-control (C2) framework named Cavern to target Israeli entities. Primarily focusing on IT service providers and government sectors, this activity has been traced to a threat cluster identified by Check Point Research as Cavern Manticore. This group shares tactical similarities with the known groups MuddyWater and Lyceum, a subgroup within OilRig.

Advanced Framework Architecture

The Cavern C2 framework is a sophisticated toolset developed using a .NET foundation, employing various compilation formats such as .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT. The choice of compilation formats serves as an anti-analysis mechanism, complicating reverse engineering efforts. The framework is divided into Cavern Agent and Cavern modules, which separate core communication from specific post-exploitation tasks. This modularity allows attackers to customize their strategy based on the target, enhancing stealth and persistence.

Exploitation Techniques

Check Point Research uncovered that attacks start with exploiting SysAid’s software update feature, leading to a DLL side-loading chain. This process executes a trojanized DLL, ‘uxtheme.dll’, which loads a communication DLL module to connect with the C2 server. The server then deploys additional modules tailored for activities such as file operations, SQL database manipulation, Active Directory reconnaissance, and network reconnaissance.

Significantly, the framework uses three distinct .NET compilation targets, with specific modules employing Native AOT compilation for enhanced stealth. The primary agent combines .NET and native C++ code, employing AppDomain isolation to further obscure its operations from forensic analysis.

Implications and Strategic Context

The attackers have demonstrated the ability to exploit trusted relationships in software supply chains, moving laterally within networks using compromised IT providers. This approach underscores the operational value of Remote Monitoring and Management (RMM) tools, which can be manipulated to deliver malicious updates that appear legitimate. Additionally, the use of browser-based remote desktop technologies facilitates access to targeted environments, even exploiting remote printing features to bypass data transfer restrictions.

This cyber campaign occurs amid a broader geopolitical context of tension, particularly involving joint military operations by Israel and the U.S. against Iran. The Iranian state-sponsored group MuddyWater has been actively conducting reconnaissance across thousands of internet-exposed systems, capitalizing on known vulnerabilities. Their focus has recently shifted to targeted attacks on sectors including aviation, energy, and government within the Middle East.

Conclusion and Future Outlook

The findings illustrate a continued evolution of cyber threats from state-sponsored actors, emphasizing the need for robust cybersecurity measures. Organizations should prioritize securing supply chain interactions and enhancing threat detection capabilities. With the ongoing geopolitical tensions, it is crucial for nations and companies to remain vigilant against such sophisticated cyber operations.

The Hacker News Tags:Cavern C2, Check Point Research, cyber attack, cyber threat, Cybersecurity, data exfiltration, Iranian hackers, Israel, IT security, MOIS, MuddyWater, network security, OilRig, vulnerability exploitation

Post navigation

Previous Post: Flaw in Gemini API Exposes AI Voice Sessions to Risks
Next Post: Top NGFW Solutions for 2026: Best Picks and Features

Related Posts

Critical Linux Kernel Bug Allows Unauthorized Root Access Critical Linux Kernel Bug Allows Unauthorized Root Access The Hacker News
CISOs Tackle Burnout and Reduce MTTR Without Extra Staff CISOs Tackle Burnout and Reduce MTTR Without Extra Staff The Hacker News
Langflow Vulnerability Exploited Within Hours of Revelation Langflow Vulnerability Exploited Within Hours of Revelation The Hacker News
AI Slashes Workloads for vCISOs by 68% as SMBs Demand More – New Report Reveals AI Slashes Workloads for vCISOs by 68% as SMBs Demand More – New Report Reveals The Hacker News
See Threats to Your Industry & Country in Real Time See Threats to Your Industry & Country in Real Time The Hacker News
Global SMS Scams Exploit Fake CAPTCHA and Keitaro Tools Global SMS Scams Exploit Fake CAPTCHA and Keitaro Tools The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Ubiquiti Exposes 25 Critical UniFi Security Flaws
  • Phishing Campaign Exploits AnyDesk for Espionage
  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Ubiquiti Exposes 25 Critical UniFi Security Flaws
  • Phishing Campaign Exploits AnyDesk for Espionage
  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark