Havoc: SharePoint with Microsoft Graph API turns into FUD C2

March 4, 2025, 9:34 a.m.

Description

A phishing campaign combines ClickFix and multi-stage malware to deploy a modified Havoc Demon agent. The attack starts with an HTML attachment that uses ClickFix to deceive users into executing malicious PowerShell commands. The malware stages are hosted behind SharePoint sites, and a modified Havoc Demon uses the Microsoft Graph API to obscure its C2 communications. The attack chain includes sandbox evasion, a Python shellcode loader, KaynLdr for DLL loading, and a customized Havoc Demon DLL. The threat actor creates two files in SharePoint for C2 communication, encrypts the exchanged data with AES-256, and supports a range of malicious commands. This campaign demonstrates how public cloud services are combined with modified open-source tooling to evade detection.

Date

  • Created: March 3, 2025, 6:02 p.m.
  • Published: March 3, 2025, 6:02 p.m.
  • Modified: March 4, 2025, 9:34 a.m.

Indicators

  • a5210aaa9eb51e866d9c2ef17f55c0526732eacb1a412b910394b6b51246b7da
  • cc151456cf7df7ff43113e5f82c4ce89434ab40e68cd6fb362e4ae4f70ce65b3
  • 51796effe230d9eca8ec33eb17de9c27e9e96ab52e788e3a9965528be2902330
  • 989f58c86343704f143c0d9e16893fad98843b932740b113e8b2f8376859d2dd
  • hao771.sharepoint.com

Attack Patterns

  • KaynLdr
  • Havoc
  • T1021.002
  • T1021.001
  • T1059.006
  • T1059.001
  • T1012
  • T1071.001
  • T1016
  • T1518
  • T1082
  • T1057
  • T1566.001
  • T1083
  • T1134
  • T1140
  • T1033
  • T1027
  • T1053
  • T1558