Hackers start using Havoc post-exploitation framework in attacks


Aug 17, 2014
Security researchers are seeing threat actors switching to a new and open-source command and control (C2) framework known as Havoc as an alternative to paid options such as Cobalt Strike and Brute Ratel.

Among its most interesting capabilities, Havoc is cross-platform and it bypasses Microsoft Defender on up-to-date Windows 11 devices using sleep obfuscation, return address stack spoofing, and indirect syscalls.
An unknown threat group recently deployed this post-exploitation kit in early January as part of an attack campaign targeting an undisclosed government organization.

As the Zscaler ThreatLabz research team that spotted it in the wild observed, the shellcode loader dropped on compromised systems disables Event Tracing for Windows (ETW), and the final Havoc Demon payload is loaded without its DOS and NT headers, both to evade detection.

The framework was also deployed via a malicious npm package (Aabquerys) typosquatting a legitimate module, as revealed in a report from ReversingLabs' research team earlier this month.

"Demon.bin is a malicious agent with typical RAT (remote access trojan) functionalities that was generated using an open source, post-exploitation, command and control framework named Havoc," ReversingLabs threat researcher Lucija Valentić said. "It supports building malicious agents in several formats including Windows PE executable, PE DLL and shellcode."
