Phishing Campaign Uses Havoc Framework to Control Infected Systems

A new phishing campaign leveraging the open-source Havoc command-and-control (C2) framework has been discovered.
Attackers are using modified versions of Havoc Demon Agent alongside Microsoft Graph API to control infected systems through SharePoint.
According to a new advisory by FortiGuard Labs, the campaign begins with a phishing email that includes an HTML attachment named “Documents.html.” The attachment contains a ClickFix attack – a social engineering tactic that deceives users into copying and executing a malicious PowerShell command. Once executed, this command downloads a remote PowerShell script from a SharePoint-hosted URL.
This script first checks for sandbox environments before modifying system registry entries to establish infection markers. If a Python interpreter is not found, the script downloads one before retrieving and executing a hidden Python shellcode loader.
This loader contains debug messages in Russian. It is designed to execute shellcode in memory and allow attackers to maintain persistence.
Hiding in Plain Sight
A crucial component of the attack is the use of KaynLdr, a GitHub-hosted shellcode loader that employs API hashing to obscure its execution. Once loaded, the modified Havoc Demon DLL initiates communication with the C2 server through the Microsoft Graph API, embedding its activity within legitimate SharePoint functions.
“This phishing campaign, which employs ClickFix and multi-stage malware to operate a modified Havoc Demon Agent, reflects the increasing complexity of cyber-attacks,” commented Eric Schwake, director of cybersecurity strategy at Salt Security.
“The tactic of concealing malware stages within SharePoint sites and using the Microsoft Graph API to mask C2 communications is particularly alarming. This method takes advantage of the trust in well-established services, thus complicating detection significantly.”
The malware creates two files within SharePoint’s document library using victim-specific identifiers:
- {VictimID}pD9-tKout – Transmits stolen data
- {VictimID}pD9-tKin – Receives commands from the C2 server
All communications are encrypted using AES-256 in CTR mode, ensuring that transmitted data remains obfuscated. The malware regularly checks for new instructions, allowing attackers to execute commands, exfiltrate data, manipulate user tokens and conduct Kerberos attacks.
Implications and Precautions
Thomas Richards, principal consultant at Black Duck, pointed out that “these bad actor groups aim for obfuscation [to] achieve their goals. It’s not unusual to see them use open-source frameworks. However, using legitimate Microsoft services shows a level of sophistication that is concerning.”
More generally, this attack highlights how threat actors continue to exploit publicly available tools and services to evade detection. By leveraging Microsoft Graph API and SharePoint, attackers blend malicious traffic with legitimate enterprise activity, making conventional detection methods less effective.
To mitigate their risk, organizations should:
- Train employees to recognize phishing attempts
- Restrict the execution of unauthorized PowerShell scripts
- Monitor SharePoint activity for unusual file creations
- Implement advanced threat detection capable of identifying C2 traffic
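As an added example, not taken from the article or the FortiGuard advisory, here is a small detection routine that applies the last recommendation to the file-naming pattern described earlier: it scans SharePoint file-creation events for the paired `{VictimID}pD9-tKout` / `{VictimID}pD9-tKin` files and raises confidence when both halves of a pair appear for the same user. The events and their field names (`time`, `user`, `op`, `name`) are constructed for this example and do not follow Microsoft's real audit schema.

```python
import json
import re
from collections import defaultdict

# Constructed sample events. The field names are an assumption made for this
# example, not the actual Microsoft 365 unified audit log schema.
SAMPLE_EVENTS = [
    {"time": "2025-03-04T10:01:02Z", "user": "alice@example.test", "op": "FileUploaded", "name": "Q1-budget.xlsx"},
    {"time": "2025-03-04T10:05:10Z", "user": "bob@example.test", "op": "FileUploaded", "name": "7f3a9c1epD9-tKout"},
    {"time": "2025-03-04T10:05:11Z", "user": "bob@example.test", "op": "FileUploaded", "name": "7f3a9c1epD9-tKin"},
    {"time": "2025-03-04T10:07:00Z", "user": "carol@example.test", "op": "FileUploaded", "name": "notespD9-tKin"},
    {"time": "2025-03-04T10:09:00Z", "user": "bob@example.test", "op": "FileModified", "name": "7f3a9c1epD9-tKout"},
]

# Suffixes of the two C2 channel files named in the advisory; the prefix is the victim identifier.
SUFFIX_RE = re.compile(r"^(?P<victim>.+)pD9-tK(?P<dir>out|in)$")


def match_channel_file(name):
    """Return (victim_id, direction) if the file name carries a channel suffix, else None."""
    m = SUFFIX_RE.match(name)
    if not m:
        return None
    return m.group("victim"), m.group("dir")


def find_channel_pairs(events):
    """Group file-creation events by (user, victim_id) and report each victim id seen.

    Confidence is 'high' when both the 'out' and 'in' files were created for the
    same user and id, and 'low' when only one half of the pair has been observed.
    """
    seen = defaultdict(dict)
    for ev in events:
        if ev.get("op") != "FileUploaded":  # only creations, per the advisory's description
            continue
        hit = match_channel_file(ev.get("name", ""))
        if hit is None:
            continue
        victim, direction = hit
        seen[(ev["user"], victim)][direction] = ev["time"]
    findings = []
    for (user, victim), dirs in sorted(seen.items()):
        confidence = "high" if {"out", "in"} <= set(dirs) else "low"
        findings.append({"user": user, "victim_id": victim, "directions": sorted(dirs), "confidence": confidence})
    return findings


if __name__ == "__main__":
    for finding in find_channel_pairs(SAMPLE_EVENTS):
        print(json.dumps(finding))
```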
“By proactively addressing API security risks, organizations can diminish their attack surface and thwart malicious actors from exploiting their API vulnerabilities, as seen in this attack that utilized the Microsoft Graph API,” Schwake concluded.
Image credit: JarTee / Shutterstock.com