By Yurren Wan | March 03, 2025
Affected platforms: Microsoft Windows
Impacted parties: Any organization
Impact: Attackers gain control of the infected systems
Severity level: High
Havoc is a powerful command-and-control (C2) framework. Like other well-known C2 frameworks, such as Cobalt Strike, Sliver, and Winos4.0, Havoc has been used in threat campaigns to gain full control over the target. Additionally, it is open-source and available on GitHub, making it easier for threat actors to modify it to evade detection.
FortiGuard Labs recently discovered a phishing campaign that combines ClickFix and multi-stage malware to deploy a modified Havoc Demon Agent. The threat actor hides each malware stage behind a SharePoint site and uses a modified version of Havoc Demon in conjunction with the Microsoft Graph API to obscure C2 communications within trusted, well-known services. Figure 1 shows the attack chain.
Figure 1: Attack flow
Initial Access
The attack campaign starts with a phishing email containing an HTML file as an attachment, as illustrated in Figure 2. It uses a brief explanation and an urgent tone to prompt the recipient to open the attachment immediately.
Figure 2: The phishing e-mail
The attachment, “Documents.html,” is a ClickFix attack: the HTML embeds a fake error message and step-by-step instructions that deceive users into copying a malicious PowerShell command and pasting it into a terminal or the PowerShell console, ultimately executing the malicious code themselves.
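As an added defender-side example (not code from the FortiGuard post), the check below statically triages an HTML attachment for the ClickFix traits described above: a fake error message, paste instructions, a clipboard write, and an embedded PowerShell command. The regexes, the scoring threshold and the inline sample lure are constructed assumptions, not the campaign's actual markup.

```python
import re
from dataclasses import dataclass, field

# Assumed heuristics for the ClickFix lure pattern: each regex covers one trait.
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText|document\.execCommand\(\s*['\"]copy['\"]\s*\)"
    r"|clipboardData\.setData",
    re.IGNORECASE,
)
POWERSHELL_CMD = re.compile(
    r"powershell(?:\.exe)?\s+|\bpwsh\s+|-EncodedCommand|\biex\b|Invoke-Expression"
    r"|\biwr\b|Invoke-WebRequest",
    re.IGNORECASE,
)
PASTE_INSTRUCTION = re.compile(r"win\s*\+\s*r|windows\s*key|ctrl\s*\+\s*v|\bpaste\b", re.IGNORECASE)
FAKE_ERROR = re.compile(r"\b(?:error|failed|verify you are human|fix)\b", re.IGNORECASE)

TRAITS = (
    ("clipboard_write", CLIPBOARD_WRITE),
    ("powershell_command", POWERSHELL_CMD),
    ("paste_instruction", PASTE_INSTRUCTION),
    ("fake_error", FAKE_ERROR),
)

@dataclass
class ClickFixVerdict:
    score: int = 0
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: three of four traits is enough to quarantine for review.
        return self.score >= 3

def scan_html(html: str) -> ClickFixVerdict:
    """Score an HTML attachment by how many ClickFix traits it exhibits."""
    verdict = ClickFixVerdict()
    for name, pattern in TRAITS:
        if pattern.search(html):
            verdict.hits.append(name)
            verdict.score += 1
    return verdict

# Constructed sample lure (inert placeholder command) and a benign attachment.
SAMPLE_LURE = """<html><body>
<h2>Error 0x80070057: Document preview failed</h2>
<p>To fix it, press Win+R, then Ctrl+V and press Enter.</p>
<button onclick="navigator.clipboard.writeText('powershell.exe -Command PLACEHOLDER')">Copy fix</button>
</body></html>"""
BENIGN_PAGE = "<html><body><p>Quarterly report attached. Regards.</p></body></html>"
```

Run as a mail-gateway or sandbox pre-filter; a hit on `suspicious` is a triage signal, not proof, since legitimate pages also use the clipboard API.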

