Threat actors are reportedly using a new open-source command-and-control (C2) framework called Havoc, which offers web-based management of compromised devices.

Beyond the regular capabilities, the tool is seen as a better alternative to current options because of additional features such as sleep obfuscation, return address stack spoofing, and indirect syscalls. It also ships with the Demon RAT by default, which lets attackers perform further malicious operations.

A Better Post-Exploitation Tool

With regular tools like Cobalt Strike beacons being easily detected by antivirus software, attackers are moving to newer alternatives such as Brute Ratel and Sliver. But since these are paid and have been extensively tested by a range of threat actors, security solutions have been updated to catch them too.

Threat actors are therefore now flocking to a new C2 framework called Havoc, as reported by Zscaler ThreatLabz researchers. The team spotted an unknown threat group deploying this post-exploitation kit in early January, in an attack against an undisclosed government organization.

The attackers were seen dropping a shellcode loader on compromised systems that disables Event Tracing for Windows (ETW) and loads its payload without DOS and NT headers, both to evade detection. The researchers also note that the framework was sometimes deployed through a malicious npm package (Aabquerys) using the typosquatting technique.

Havoc is now seen as a much more viable option for attackers, with more and more threat actors noted switching to this open-source C2 framework in recent weeks. It is said to bypass Microsoft Defender on up-to-date Windows 11 devices using techniques like sleep obfuscation, return address stack spoofing, and indirect syscalls.

It also comes with a Remote Access Trojan called Demon.bin, and supports building other malicious agents in the form of Windows PE executables, PE DLLs, and shellcode.

With a web interface showing all the compromised devices, the framework lets threat actors run various modules for tasks such as executing commands, managing processes, downloading additional payloads, manipulating Windows tokens, and executing shellcode.
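The npm typosquatting delivery mentioned above is something defenders can screen for in a dependency manifest. The following is an added example, not code from the article or from the researchers: it flags the package name reported here and any dependency whose name is a near miss of an approved package. The approved list, the sample manifest and all function names are constructed for illustration.

```javascript
// Added example: flag dependencies that look like typosquats of approved packages.
// KNOWN_BAD holds the one package name reported in this article (npm names are lowercase).
const KNOWN_BAD = new Set(["aabquerys"]);
const normalise = (n) => n.toLowerCase().replace(/[-_.]/g, "");

// Optimal string alignment distance: insert, delete, substitute, adjacent transposition.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns one finding per suspicious dependency in a parsed package.json object.
function auditDependencies(manifest, approved, maxDistance = 2) {
  const approvedSet = new Set(approved.map((n) => n.toLowerCase()));
  const names = ["dependencies", "devDependencies", "optionalDependencies"]
    .flatMap((key) => Object.keys(manifest[key] || {}));
  const findings = [];
  for (const raw of names) {
    const name = raw.toLowerCase();
    if (KNOWN_BAD.has(name)) { findings.push({ name: raw, reason: "known-bad" }); continue; }
    if (approvedSet.has(name)) continue; // exact match with an approved package
    // Short names collide easily, so allow only one edit for them.
    const limit = normalise(name).length < 5 ? 1 : maxDistance;
    const match = approved.find((p) => editDistance(normalise(name), normalise(p)) <= limit);
    if (match) findings.push({ name: raw, reason: "near-miss", resembles: match });
  }
  return findings;
}

// Constructed sample input, not taken from any real project.
const SAMPLE_APPROVED = ["express", "lodash", "react"];
const SAMPLE_MANIFEST = {
  dependencies: { express: "^4.18.0", expresss: "^1.0.0", lodash: "^4.17.21",
                  aabquerys: "^1.0.0", "left-pad": "^1.3.0" },
  devDependencies: { "lo-dash": "^1.0.0" },
};
console.log(auditDependencies(SAMPLE_MANIFEST, SAMPLE_APPROVED));
```

Unapproved names that resemble nothing on the list (here `left-pad`) are not reported, so this check complements a strict allowlist and does not replace one.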
