Iranian Spies Target Israeli IT Firms With a New Custom Toolkit Called Cavern

A hacking crew tied to Iran's intelligence ministry is running a previously unseen command-and-control framework against Israeli government bodies and their IT suppliers.

ThreatVectr Newsdesk· 3 min read
Full-frame photoreal editorial image of a dimly lit server room in an Israeli office building, blue and amber indicator lights reflecting on polished floor, a f
Share

Key points

  • Check Point Research has linked a new hacking toolkit called Cavern, also written Cav3rn, to a group tied to Iran's Ministry of Intelligence and Security.
  • The campaign is aimed at Israeli organisations, mostly IT service providers and government departments.
  • Cavern is a modular framework, meaning the attackers can bolt on different pieces depending on what they want to steal or do next.
  • The activity was reported by The Hacker News based on Check Point's findings.

Israeli government offices and the IT companies that keep them running are being hit by a fresh wave of Iranian spying, according to researchers at Check Point.

The attackers are using a custom piece of software the researchers call Cavern. It is a command-and-control framework, which is the remote control panel hackers use to send orders to computers they have already broken into.

Check Point says the group behind it works for Iran's Ministry of Intelligence and Security. That is the civilian spy agency, roughly the Iranian equivalent of a foreign intelligence service.

The campaign was first reported by The Hacker News.

Who is being targeted and why?

The main victims are Israeli IT providers and government bodies. That mix is not random.

IT providers are the plumbers of the internet. They hold the keys to dozens or hundreds of client networks. Break into one of them and you often get a shortcut into everyone they serve.

In practice, this is the same playbook we have seen from state-linked groups for years. Go after the supplier, ride the trust into the real target. The failure mode here is the one every managed service provider knows in their bones: one set of stolen admin credentials can cascade across every customer tenant they touch.

Government departments are the obvious prize for an intelligence agency. Emails, policy drafts, personnel files, anything that gives Tehran a clearer picture of what Israel is planning.

What is Cavern and why does it matter?

Cavern is described as modular. Think of it as a toolbox with swappable heads on the same handle.

One module might quietly copy files. Another might record keystrokes. Another might open a hidden tunnel so the attackers can log in whenever they like. The operator picks what to load based on the victim.

That design matters for two reasons. It makes the software harder for antivirus tools to spot, because each victim can see a slightly different version. And it lets the group keep the core framework alive for years while swapping out the noisy parts that get burned.

This is not a smash-and-grab. It is patient espionage.

Should ordinary people be worried?

If you are not an Israeli civil servant or working at an Israeli IT firm, this specific campaign is not aimed at you. The goals here are intelligence, not your bank account.

But the wider lesson is worth holding onto. When an IT supplier gets breached, the pain lands on their customers. If you deal with a company that has been named in a breach notice, take any password reset request seriously and turn on two-factor authentication, which is the second code sent to your phone when you log in.

Check Point has not publicly named every victim, and Iran has not commented.

One thing the post-mortem will say: the initial foothold was probably boring. A phished password, an unpatched public server, a forgotten admin account. The exotic Cavern toolkit is what came after.

Operational takeaway: if you are a managed service provider, assume you are on somebody's target list this quarter and act like it.

© 2026 Threat Vectr