Back to Intelligence

Detecting the Cavern C2 Framework: Iranian MOIS Campaign Targeting Israeli Sectors

SA
Security Arsenal Team
July 6, 2026
6 min read

Check Point Research has uncovered a new campaign orchestrated by an Iranian threat cluster affiliated with the Ministry of Intelligence and Security (MOIS). This group is actively deploying a previously undocumented modular command-and-control (C2) framework, dubbed Cavern (aka Cav3rn), against Israeli organizations.

The primary targets include IT service providers and government agencies—a classic supply-chain approach designed to maximize lateral movement and intelligence gathering. As this framework is new and undocumented, signature-based defenses may initially fail. Defenders must shift to behavioral detection and threat hunting to identify the indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with this intrusion set.

Technical Analysis

The Cavern Framework

Cavern represents a shift in tooling for this threat actor, moving away from well-known, commercial, or open-source C2 frameworks to a custom, modular architecture. This "modular" designation suggests a core loader/stager capable of fetching and executing arbitrary plugins (e.g., keyloggers, screenshot tools, lateral movement utilities) on demand.

Attack Chain and Targeting

  1. Initial Access: While the specific initial access vector (e.g., phishing, exploit) was not detailed in the disclosure, campaigns against IT providers frequently rely on credential harvesting or supply chain compromise.
  2. Execution and Persistence: The Cavern loader is likely deployed via PowerShell or a malicious binary. Once executed, it establishes a C2 channel.
  3. C2 Communications: As a new framework, Cavern likely uses custom encryption or encoding for network traffic, potentially masquerading as legitimate web traffic (HTTP/HTTPS) to blend in with standard corporate traffic.

Exploitation Status

  • Status: Confirmed Active Exploitation (2026)
  • Attribution: Iran-linked MOIS-affiliated cluster
  • Affected Sectors: Information Technology (Managed Service Providers), Government/Public Sector

Detection & Response

Given the novelty of the Cavern framework, we must prioritize hunting for the explicit naming conventions mentioned in the reporting while covering the likely behavioral patterns of modular malware.

SIGMA Rules

These rules target the explicit framework naming and common behavioral patterns associated with modular C2 loaders.

YAML
---
title: Potential Cavern C2 Framework Process Execution
id: 88c4d1a2-5b6e-4f8c-9a1b-2c3d4e5f6789
status: experimental
description: Detects execution of processes or command lines referencing the Cavern (Cav3rn) C2 framework attributed to Iranian MOIS actors.
references:
  - https://thehackernews.com/2026/07/iran-linked-hackers-use-new-cavern-c2.html
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: process_creation
  product: windows
detection:
  selection_main:
    Image|contains:
      - 'Cavern'
      - 'Cav3rn'
    CommandLine|contains:
      - 'Cavern'
      - 'Cav3rn'
  selection_path:
    CurrentDirectory|contains:
      - 'Cavern'
      - 'Cav3rn'
  condition: 1 of selection_*
falsepositives:
  - Legitimate software using similar naming (unlikely in enterprise environments)
level: high
---
title: Suspicious PowerShell C2 Stager Behavior
id: 99a5e2b3-6c7f-5g9d-0b2c-3d4e5f6a7890
status: experimental
description: Detects suspicious PowerShell usage often associated with modular C2 loaders, such as downloading strings or encoded commands.
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_powershell:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_suspicious:
    CommandLine|contains:
      - 'DownloadString'
      - 'IEX'
      - 'Invoke-Expression'
      - 'FromBase64String'
  condition: all of selection_*
falsepositives:
  - System administration scripts
  - Legitimate software installation
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for process creation events containing the Cavern artifacts and correlates them with network connections to identify potential C2 callbacks.

KQL — Microsoft Sentinel / Defender
// Hunt for Cavern related processes and network connections
let ProcessEvents = 
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where ProcessCommandLine has "Cavern" 
     or ProcessCommandLine has "Cav3rn" 
     or FileName has "Cavern" 
     or FileName has "Cav3rn" 
     or FolderPath has "Cavern";
let NetworkEvents = 
  DeviceNetworkEvents
  | where Timestamp > ago(7d)
  | where InitiatingProcessFileName has "Cavern" 
     or InitiatingProcessFileName has "Cav3rn";
union ProcessEvents, NetworkEvents
| project Timestamp, DeviceName, ActionType, FileName, ProcessCommandLine, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for the presence of files or processes matching the Cavern naming convention on the endpoint.

VQL — Velociraptor
-- Hunt for Cavern C2 artifacts on disk and in memory
SELECT 
  Sys.OSPath.Path AS FullPath,
  Sys.Size AS Size,
  Sys.ModTime AS ModifiedTime,
  Sys.MD5 AS HashMD5
FROM glob(globs="/*Cavern*", root="/")
WHERE NOT FullPath =~ "\\Windows\\"

SELECT Pid, Ppid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Name =~ "Cavern" 
   OR Name =~ "Cav3rn"
   OR CommandLine =~ "Cavern"
   OR CommandLine =~ "Cav3rn"

Remediation Script (PowerShell)

Use this script to scan endpoints for the specific artifacts associated with the Cavern framework and terminate suspicious activity.

PowerShell
# Cavern C2 Framework - Incident Response Script
# Run as Administrator

Write-Host "[+] Starting hunt for Cavern (Cav3rn) artifacts..." -ForegroundColor Cyan

# 1. Terminate suspicious processes
$suspiciousProcesses = Get-Process | Where-Object { 
    $_.ProcessName -like "*Cavern*" -or 
    $_.ProcessName -like "*Cav3rn*" -or
    $_.MainWindowTitle -like "*Cavern*"
}

if ($suspiciousProcesses) {
    foreach ($proc in $suspiciousProcesses) {
        Write-Host "[!] Terminating process: $($proc.ProcessName) (PID: $($proc.Id))" -ForegroundColor Yellow
        Stop-Process -Id $proc.Id -Force
    }
} else {
    Write-Host "[-] No suspicious processes found running." -ForegroundColor Green
}

# 2. Scan for files on C: Drive (excluding Windows directory)
$excludedPaths = @("$env:SystemRoot", "$env:ProgramData", "$env:ProgramFiles")
$drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

foreach ($drive in $drives) {
    Write-Host "[+] Scanning drive $drive for Cavern files..." -ForegroundColor Cyan
    try {
        $files = Get-ChildItem -Path $drive -Recurse -ErrorAction SilentlyContinue | 
            Where-Object { 
                $_.FullName -notmatch "$($excludedPaths -join '|')" -and
                ($_.Name -like "*Cavern*" -or $_.Name -like "*Cav3rn*")
            }
        
        if ($files) {
            foreach ($file in $files) {
                Write-Host "[!] Suspicious file found: $($file.FullName)" -ForegroundColor Red
                # Quarantine/Delete logic would go here
                # Remove-Item -Path $file.FullName -Force -WhatIf
            }
        }
    } catch {
        Write-Host "[-] Error scanning $drive : $_" -ForegroundColor DarkGray
    }
}

Write-Host "[+] Scan complete." -ForegroundColor Cyan

Remediation

Immediate containment and eradication are required given the active targeting of critical sectors.

  1. Isolate Affected Hosts: Immediately disconnect identified compromised endpoints from the network to prevent further C2 communication or lateral movement.
  2. Block C2 Infrastructure: If Indicators of Compromise (IoCs) such as domain names or IP addresses are available via threat intelligence feeds (e.g., Check Point Research), block these at the perimeter firewall and proxy servers.
  3. Credential Reset: Because IT providers are a primary target, assume credential theft has occurred. Force a reset of all privileged credentials and service accounts on affected networks.
  4. Supply Chain Audit: IT providers identified in the blast radius must audit their jump servers and remote access tools (e.g., VPN, RDP) for signs of unauthorized access.
  5. Threat Hunt Expansion: Expand the hunt beyond the specific "Cavern" strings. Look for anomalous PowerShell usage and unexpected processes spawning from common productivity applications, which may indicate the initial dropper.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemcavern-c2iranian-moisaptc2-frameworkthreat-hunting

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Detecting the Cavern C2 Framework: Iranian MOIS Campaign Targeting Israeli Sectors | Security Arsenal | Security Arsenal