FortiGuard researchers have documented a sophisticated phishing campaign in which threat actors use a multi-stage attack chain, combining social engineering tactics with modified open-source tools, to compromise Windows systems. Attached to the phishing emails is an HTML file named Documents.html, which displays a fabricated error message instructing users to copy and paste a PowerShell command into their terminal.

The final payload is a modified version of Havoc, an open-source post-exploitation framework akin to Cobalt Strike. KaynLdr uses API hashing and direct memory manipulation to load a malicious DLL without leaving disk artifacts. Unlike standard Havoc implementations, this variant uses Microsoft Graph API endpoints to communicate with attacker-controlled SharePoint files, blending malicious traffic with legitimate cloud service requests. FortiGuard researchers note that the malware supports over 50 commands, including file exfiltration, lateral movement, and Kerberos ticket manipulation, mirroring capabilities in Havoc’s public repository.

The firm’s Content Disarm and Reconstruction (CDR) service neutralizes malicious macros, while the Backdoor.Havoc.Agent IPS signature targets C2 communications. As open-source offensive frameworks like Havoc gain traction, continuous monitoring of API-driven cloud platforms becomes critical to identifying stealthy C2 channels. This attack highlights evolving threats that blend psychological manipulation with cloud service abuse to evade detection.
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 03 Mar 2025 16:13:15 +0000