Tag: havoc

15 Attack Reports | 0 Vulnerabilities

Attack reports

Operation Poisson – Analyzing a Cybercriminal’s Entire Operation

A comprehensive analysis of 339 commands issued by a French-speaking threat actor nicknamed 'Poisson' over 33 days, targeting a French automotive small business and four French individuals. The attacker utilized a multi-stage fileless attack deploying a 70-line Python keylogger to harvest banking a…
openssh
credential-theft
keylogger
tailscale
havoc
france
rustdesk
2026-06-19
fileless-attack
havoc-c2
poisson
vpn-mesh-persistence
Published: June 19, 2026
Downloadable IOCs: 9

Hacktivists are broadening their scope beyond political motivation

Kaspersky researchers uncovered interconnected hacktivist campaigns attributed to groups including 4BID, Hakerskii Kit, and C.A.S., targeting organizations primarily in Russia and Belarus, but expanding to Kazakhstan, UAE, Syria, and Egypt. Attackers exploited ProxyShell vulnerabilities in Microsof…
sliver
valleyrat
havoc
CVE-2023-44976
adaptixc2
edr killers
ghostdriver
abcdoor
2026-06-08
blackout locker
blackreaperrat
blacksalt
byovd techniques
clearwater
clearwater ransomware
cross-border targeting
hacktivist campaigns
mythic apollo
post-exploitation frameworks
proxyshell exploitation
warp rat
Published: June 8, 2026
Linked vulnerabilities : CVE-2023-44976 (CVSS 3.2)
Downloadable IOCs: 6

The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP

Cybercriminals in Brazil are exploiting the country's electronic invoice system (Nota Fiscal eletrônica) to deliver Havoc framework implants. The campaign surfaced during May 2026, coinciding with tax season when accountants routinely process invoice-related emails. Attackers distribute malicious Z…
havoc
kongtuke
banana rat
2026-06-03
brazil tax lure
invoice phishing
Published: June 3, 2026
Linked vulnerabilities : CVE-2026-45585 (CVSS 6.8)
Downloadable IOCs: 23

Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets

A zero-day vulnerability in the TrueConf client application, CVE-2026-3502, was exploited in a targeted campaign against government entities in Southeast Asia. The flaw allows attackers controlling an on-premises TrueConf server to distribute and execute arbitrary files across connected endpoints. …
zero-day
dll sideloading
havoc
government targets
southeast asia
CVE-2026-3502
2026-03-31
trueconf
Published: March 31, 2026
Downloadable IOCs: 0

Fake Tech Support Delivers Havoc Command & Control

A sophisticated cyber attack campaign combines social engineering and advanced malware techniques. Attackers pose as IT support to gain initial access, then deploy a modified version of the Havoc C2 framework. The malware uses DLL sideloading, indirect syscalls, and custom loaders to evade detectio…
social engineering
dll sideloading
lateral movement
havoc
evasion techniques
havoc demon
remote monitoring tools
havoc c2
2026-03-05
syscalls
Published: March 5, 2026
Downloadable IOCs: 11

SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target Pakistan and Bangladesh

An extensive cyber espionage campaign conducted by SloppyLemming, an India-nexus threat actor, targeted government entities and critical infrastructure in Pakistan and Bangladesh from January 2025 to January 2026. The campaign used two attack vectors: PDF lures with ClickOnce execution chains and m…
pakistan
cyber espionage
dll sideloading
cloudflare workers
havoc
geopolitical conflict
2026-03-03
bangladesh
burrowshell
clickonce
rust rat
Published: March 3, 2026
Downloadable IOCs: 19

The Shadow Campaigns: Uncovering Global Espionage

This investigation reveals a new cyberespionage group tracked as TGR-STA-1030, believed to be a state-aligned actor operating from Asia. Over the past year, the group has compromised government and critical infrastructure organizations in 37 countries, targeting ministries, law enforcement agencies…
phishing
cobalt strike
government
exploitation
sliver
cyberespionage
godzilla
behinder
sparkrat
infrastructure
havoc
neo-regeorg
asia
vshell
global
CVE-2019-11580
2026-02-05
diaoyu loader
shadowguard
Published: February 5, 2026
Linked vulnerabilities : CVE-2019-11580
Downloadable IOCs: 22

New Tomiris tools and techniques: multiple reverse shells, Havoc, AdaptixC2

Kaspersky researchers uncovered new malicious operations by the Tomiris threat actor targeting foreign ministries, intergovernmental organizations, and government entities. The attacks, which began in early 2025, show a shift in tactics with increased use of implants leveraging public services like…
apt
discord
telegram
havoc
government targets
adaptixc2
2025-11-28
jlorat
tomiris powershell telegram backdoor
multi-language malware
tomiris c# reverseshell
tomiris c/c++ reverseshell
tomiris python telegram reverseshell
reverse shells
tomiris python discord reverseshell
tomiris c# telegram reverseshell
tomiris rust downloader
tomiris python filegrabber
distopia backdoor
tomiris go reversesocks
tomiris go reverseshell
tomiris rust reverseshell
tomiris c++ reversesocks
Published: November 28, 2025
Downloadable IOCs: 66

BRONZE BUTLER exploits Japanese asset management software vulnerability

In mid-2025, a sophisticated campaign by the Chinese state-sponsored threat group BRONZE BUTLER (also known as Tick) exploited a zero-day vulnerability in Motex LANSCOPE Endpoint Manager. The vulnerability, CVE-2025-61932, allowed remote attackers to execute arbitrary commands with SYSTEM privilege…
zero-day
havoc
CVE-2025-61932
2025-10-31
oaed loader
gokcpdoor
lanscope
Published: October 31, 2025
Downloadable IOCs: 0

Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure

This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multi…
apt
credential harvesting
lateral movement
systembc
havoc
custom malware
critical infrastructure
web shells
2025-05-06
credinterceptor
CVE-2023-38950
remoteinjector
hxlibrary
CVE-2023-38951
hanifnet
CVE-2023-38952
proxy chaining
neoexpressrat
Published: May 6, 2025
Downloadable IOCs: 35

Havoc: SharePoint with Microsoft Graph API turns into FUD C2

A phishing campaign combines ClickFix and multi-stage malware to deploy a modified Havoc Demon Agent. The attack starts with an HTML attachment using ClickFix to deceive users into executing malicious PowerShell commands. The malware stages are hidden behind SharePoint sites, and a modified Havoc D…
phishing
clickfix
havoc
sharepoint
2025-03-03
kaynldr
c2 framework
havoc demon agent
multi-stage malware
Published: March 3, 2025
Downloadable IOCs: 5

Wreaking havoc in cyberspace: threat actors experiment with pentest tools

Recent research reveals adversaries increasingly using the Havoc post-exploitation framework to bypass cybersecurity systems. Two campaigns utilizing this framework were analyzed. The first campaign involved phishing emails with malicious archives containing ISO files and LNK files, which downloade…
loader
phishing
havoc
2024-10-08
demon
havoc framework
cybersecurity evasion
demon implant
post-exploitation
Published: October 8, 2024
Downloadable IOCs: 0

Unraveling SloppyLemming’s Operations Across South Asia

An investigation reveals SloppyLemming, an advanced threat actor targeting South and East Asian countries, particularly Pakistan. The group uses multiple cloud services for credential harvesting, malware delivery, and command and control. Their operations focus on government, law enforcement, energ…
cobalt strike
havoc
2024-09-27
nekrowire
Published: September 27, 2024
Linked vulnerabilities : CVE-2023-38831
Downloadable IOCs: 96

Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads

Multiple Microsoft Office documents generated by the MacroPack framework have been discovered, likely used by malicious actors to deploy various payloads. These documents, uploaded to VirusTotal between May and July 2024, originated from different countries including China, Pakistan, Russia, and th…
havoc
phantomcore
2024-09-03
brute ratel
vba macros
macropack
Published: September 3, 2024
Downloadable IOCs: 16

Sophisticated Malware Campaign Targets Czech Officials Using NATO-Themed Decoys

Seqrite Labs APT-Team discovered a sophisticated malware campaign targeting government and military officials in the Czech Republic. The campaign leveraged NATO-themed decoy documents to lure victims and employed a multistage attack chain involving a malicious batch script, a Rust-based loader, and…
evasion
persistence
injection
rust
2024-08-28
havoc
nato
czech republic
decoy
freeze
Published: August 28, 2024
Downloadable IOCs: 13
Click here to see more Attack Reports