Iran’s MOIS-Linked Group Deploys Cavern in Targeted Campaign
An Iranian hacking group tied to the country’s Ministry of Intelligence and Security (MOIS) has been using a previously unknown modular command-and-control (C2) framework called Cavern — also spelled Cav3rn — to zero in on Israeli organizations. The campaign, uncovered by Check Point Research, has primarily hit IT providers and government entities.
This isn’t just another phishing spree. The attackers built a custom C2 infrastructure from scratch. Cavern is modular, meaning it can swap out components on the fly. That flexibility makes it harder to detect and even harder to shut down.
Who’s Behind Cavern? A MOIS-Linked Threat Cluster
Check Point attributes the activity to a threat cluster that operates under the umbrella of Iran’s MOIS. The group has a track record of targeting Israeli infrastructure, but Cavern marks a technical leap. It’s not a repurposed tool — it’s purpose-built for this campaign.
The victims are telling. IT providers serve as a gateway: compromise one, and you can pivot to dozens of downstream clients. Government targets offer intelligence value. The attackers seem to want both access and information.
How Cavern Works: A Modular C2 Framework
Cavern’s architecture is what makes it stand out. It uses encrypted channels to communicate with implants on compromised machines. Each module handles a specific task — data exfiltration, keylogging, lateral movement — and can be updated or replaced without redeploying the entire framework.
- Encrypted C2 traffic: Blends in with normal HTTPS, making network monitoring harder.
- Modular plugins: Attackers can add or remove capabilities on demand.
- Persistence mechanisms: Uses scheduled tasks and registry modifications to survive reboots.
This modularity is a double-edged sword for defenders. It means the framework can evolve quickly. But it also means that if you spot one module, you might not see the full picture — and the next variant could look completely different.
Targeting Israeli IT Providers and Government Agencies
The campaign’s focus on IT providers is strategic. By compromising a managed service provider (MSP), the attackers can piggyback on legitimate remote administration tools to reach the provider’s clients. That’s a supply chain attack, and it’s been a rising trend globally.
Government targets are more direct: espionage. The attackers appear interested in policy documents, internal communications, and possibly diplomatic cables. Check Point’s report notes that the group used spear-phishing emails with malicious attachments to gain initial access.
Once inside, they deployed Cavern’s implants to establish a persistent foothold. From there, they could move laterally, escalate privileges, and siphon data without triggering alarms.
Technical Deep Dive: Cavern’s Implant and C2 Communication
The Cavern implant is a lightweight executable that phones home to the C2 server using HTTP or HTTPS. The C2 server itself is a PHP-based panel that manages infected machines and issues commands.
Key technical details from Check Point’s analysis:
- Implant size: Roughly 50 KB, compiled with MinGW to avoid common antivirus signatures.
- C2 panel: Hosted on compromised servers in multiple countries, including the Netherlands and the United States.
- Command set: Includes file upload/download, shell execution, process listing, and screen capture.
The attackers also used a custom DNS tunneling technique to bypass network filters. That’s a newer trick: encode data in DNS queries, which many organizations don’t monitor closely.
What This Means for Israeli Cybersecurity Teams
For defenders in Israel — and anyone watching Iranian cyber activity — Cavern is a wake-up call. It shows that MOIS-linked groups are investing in bespoke tooling, not just repurposing existing malware.
Check Point recommends organizations review their network logs for unusual DNS traffic, especially to domains registered in Iran or with suspicious patterns. They also advise tightening access controls on IT provider connections — because a breach at the provider could cascade to your own network.
The Cavern C2 framework is still active, and Check Point expects more variants. This isn’t a one-off operation. It’s a sustained campaign with a dedicated toolkit.
Israeli IT providers and government agencies should treat any unusual system behavior — even seemingly minor anomalies — as a potential sign of Cavern activity. The framework’s modular nature means the attackers can adapt faster than traditional signature-based defenses can keep up.