**Iranian Hackers Weaponize .NET Framework in New C2 Attack Campaign Targeting Israeli Organizations**
Check Point Research has uncovered an active cyber-espionage campaign waged by an Iranian state-sponsored threat actor against Israeli targets. The operation, attributed to a cluster tracked as **Cavern Manticore**, relies on a custom, modular command-and-control (C2) framework called **Cavern (or Cav3rn)**. This framework marks a significant evolution in the group’s capabilities, leveraging uncommon .NET compilation techniques to complicate forensic analysis and evade detection.
The campaign’s primary targets are **IT providers and government-sector organizations**, suggesting a sophisticated supply-chain strategy. Check Point notes strong tactical overlaps between this cluster and known groups like **MuddyWater** and **Lyceum**, the latter being a subgroup of the prolific Iran-based actor OilRig.
### Technical Sophistication: A .NET-Based Arsenal
The core of Cavern’s technical innovation lies in its deliberate use of multiple .NET compilation formats. This approach acts as a built-in anti-analysis layer, forcing reverse engineers to use a variety of tools and reconstruction workflows to understand the malware. The framework is composed of:
* **Pure .NET Framework components** (e.g., `mhm.dll`, `db.dll`, `ode.dll`) used for core functions like file operations, database manipulation, and Active Directory reconnaissance.
* **Native AOT (Ahead-of-Time) compiled components** (e.g., `n-ten.dll`, `n-sws.dll`) which offer enhanced performance and harder detection for network reconnaissance and proxy/tunneling tasks.
* A **mixed-mode C++/CLI loader** (`uxtheme.dll`) that combines managed and native code to initialize the entire system.
The framework employs a **unified module dispatcher** within the agent. Components prefixed with “n-” are treated as native DLLs and loaded via the `LoadLibraryA` API, while others are interpreted as managed .NET assemblies and loaded through **AppDomain isolation**, a technique used as an anti-forensic measure to obscure memory artifacts.
### The Attack Chain: From Software Updates to Data Theft
The attack initiates through a compromised software update mechanism. Check Point details a chain starting with **SysAid’s software update feature**, which is exploited to perform **DLL side-loading**. This results in the execution of a trojanized DLL named `uxtheme.dll`. Once loaded, the agent fetches its main communication DLL (`n-HTCommp.dll`) and contacts a hardcoded C2 server (`hospitalinstallation[.]com`) over HTTPS or WebSocket.
The framework deploys a suite of five specialized modules for post-exploitation:
* **`mhm.dll`**: File operations, enumeration, recursive search, archiving, and bidirectional file transfer.
* **`db.dll`**: SQL database enumeration, querying, export, and manipulation.
* **`ode.dll`**: Active Directory reconnaissance, user/group enumeration, and LDAP brute-forcing.
* **`n-ten.dll`**: Network reconnaissance, port scanning, share enumeration, and SMB brute-forcing.
* **`n-sws.dll`**: SOCKS5 proxy and WebSocket tunneling for command routing and data exfiltration.
### Supply Chain and Cross-Regional Pivoting
A critical operational pattern observed by researchers is the **movement from a compromised IT provider to a second-hop provider** before reaching the final intended target. This technique weaponizes trusted business relationships, allowing the attackers to deliver malicious payloads disguised as legitimate software updates. Once inside a provider’s network, they can pivot to downstream clients.
The Cavern framework grants operators significant control, enabling them to abuse legitimate remote management features. For example, they can leverage **browser-based remote desktop technologies** to interact with compromised systems and, in some instances, abuse built-in remote printing capabilities to exfiltrate data when traditional copy-paste or file-transfer methods are restricted.
### Broader Regional Context
This operation is unfolding within a heightened threat landscape in the Middle East. Concurrently, another Iranian-aligned group tracked as **MuddyWater** has been conducting broad reconnaissance campaigns across more than 12,000 internet-exposed systems. These initial intrusions have exploited known vulnerabilities in platforms such as SmarterMail, n8n, N-central, Langflow, and Laravel Livewire. Following this access phase, the group has pivoted toward targeted **credential harvesting and data exfiltration** against aviation, energy, and government sectors in Israel, Egypt, and the United Arab Emirates.
Check Point’s analysis indicates the Cavern Manticore activity represents a parallel, focused effort within this wider regional campaign, showcasing Iran’s diversified and evolving offensive cyber capabilities.
—
**Source:** Check Point Research. “Cavern Manticore: Iran’s .NET Framework-Based Modular C2 Framework.” Check Point Blog. Original article and technical analysis available at the source.



