
Havoc: SharePoint with Microsoft Graph API turns into FUD C2

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

A phishing campaign combines ClickFix social engineering with multi-stage malware to deploy a modified Havoc Demon agent. The attack starts with an HTML attachment that uses the ClickFix technique to trick users into running malicious PowerShell commands. The later malware stages are hosted on SharePoint sites, and the modified Havoc Demon uses the Microsoft Graph API so that its C2 communication is hidden inside traffic to a legitimate Microsoft service. The chain includes sandbox evasion, a Python shellcode loader, KaynLdr for DLL loading, and a customized Havoc Demon DLL. For C2, the modified Demon creates two files in SharePoint, one for commands and one for results, encrypts the exchanged data with AES-256, and supports a range of commands. The campaign shows how public cloud services combined with modified open-source tooling can be used to evade detection.
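The detection angle follows from the summary: an implant that exchanges commands and results through two SharePoint files must repeatedly read one drive item and write another through graph.microsoft.com, from a process that normally has no business doing so. The script below is an added hunting example, not code from the report or from the Havoc project. It runs over a few constructed EDR-style log lines; the log format, the allowlist of processes expected to use Graph, the poll-count and interval thresholds, and the item IDs are all assumptions to tune for your own telemetry. The Graph URL shape it matches (`.../drive/items/{item-id}/content`) is the real drive-item content endpoint.

```python
"""Hunt for file-polling C2 over Microsoft Graph (added example, not the report's code).

Flags processes outside an allowlist that either write a SharePoint/OneDrive
drive item's content (PUT .../items/{id}/content) or read the same item
repeatedly at short intervals (GET polling), which is the access pattern a
two-file drop-box channel produces.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample events (assumed "key=value" EDR export, one per line).
# WS01/pythonw.exe polls item 01CMD every 5 s and writes item 01OUT;
# the other lines are benign or too sparse to flag.
SAMPLE_LOGS = """\
2025-01-10T09:00:00 host=WS01 proc=OneDrive.exe method=GET url=https://graph.microsoft.com/v1.0/drives/b!abc/items/01DOC/content
2025-01-10T09:00:02 host=WS01 proc=pythonw.exe method=GET url=https://graph.microsoft.com/v1.0/sites/contoso.sharepoint.com,1111,2222/drive/items/01CMD/content
2025-01-10T09:00:07 host=WS01 proc=pythonw.exe method=GET url=https://graph.microsoft.com/v1.0/sites/contoso.sharepoint.com,1111,2222/drive/items/01CMD/content
2025-01-10T09:00:12 host=WS01 proc=pythonw.exe method=GET url=https://graph.microsoft.com/v1.0/sites/contoso.sharepoint.com,1111,2222/drive/items/01CMD/content
2025-01-10T09:00:13 host=WS01 proc=pythonw.exe method=PUT url=https://graph.microsoft.com/v1.0/sites/contoso.sharepoint.com,1111,2222/drive/items/01OUT/content
2025-01-10T09:00:20 host=WS01 proc=msedge.exe method=GET url=https://graph.microsoft.com/v1.0/me/drive/items/01PPT/content
2025-01-10T09:05:00 host=WS02 proc=curl.exe method=GET url=https://graph.microsoft.com/v1.0/drives/b!xyz/items/01RPT/content
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"method=(?P<method>[A-Z]+) url=(?P<url>\S+)$"
)
# Graph drive-item content endpoint, addressed by site, by drive id, or via /me.
ITEM_CONTENT_RE = re.compile(
    r"^https://graph\.microsoft\.com/v1\.0/"
    r"(?P<drive>sites/[^/]+/drive|drives/[^/]+|me/drive)/items/(?P<item>[^/]+)/content$"
)
# Processes expected to fetch drive items on a workstation (assumption; tune per estate).
EXPECTED_GRAPH_CLIENTS = {
    "onedrive.exe", "teams.exe", "outlook.exe", "winword.exe", "excel.exe",
    "msedge.exe", "chrome.exe", "firefox.exe",
}


def parse_line(line):
    """Return a dict for a drive-item content request, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = ITEM_CONTENT_RE.match(m["url"])
    if not u:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "proc": m["proc"],
        "method": m["method"],
        "drive": u["drive"],
        "item": u["item"],
    }


def find_suspicious(log_text, min_polls=3, max_interval_s=120):
    """Group drive-item requests per (host, process, drive, item) and flag
    writes ("write") and tight read loops ("polling") from unexpected processes."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["proc"].lower() not in EXPECTED_GRAPH_CLIENTS:
            groups[(ev["host"], ev["proc"], ev["drive"], ev["item"])].append(ev)

    findings = []
    for (host, proc, drive, item), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        base = {"host": host, "proc": proc, "drive": drive, "item": item}
        if any(e["method"] == "PUT" for e in evs):
            findings.append({**base, "reason": "write"})
        reads = [e["ts"] for e in evs if e["method"] == "GET"]
        if len(reads) >= min_polls:
            gaps = [(b - a).total_seconds() for a, b in zip(reads, reads[1:])]
            if statistics.median(gaps) <= max_interval_s:
                findings.append({**base, "reason": "polling",
                                 "median_interval_s": statistics.median(gaps)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOGS):
        print(f)
```

A single read of a drive item from an unlisted process (the curl.exe line) is deliberately not flagged; the signal is the combination of an unexpected process with either a write or a steady read loop against one item. In a real estate, pair the process name with its signer or hash, since the page's loader runs under a Python interpreter that may also be legitimately installed.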

OPENCTI LABELS :

phishing,clickfix,havoc,sharepoint,kaynldr,havoc demon agent,c2 framework,multi-stage malware



