Havoc: SharePoint with Microsoft Graph API turns into FUD C2
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A phishing campaign combines ClickFix and multi-stage malware to deploy a modified Havoc Demon Agent. The attack starts with an HTML attachment using ClickFix to deceive users into executing malicious PowerShell commands. The malware stages are hidden behind SharePoint sites, and a modified Havoc Demon uses Microsoft Graph API to obscure C2 communications. The attack chain includes sandbox evasion, Python shellcode loader, KaynLdr for DLL loading, and a customized Havoc Demon DLL. The threat actor creates two files in SharePoint for C2 communication, encrypts data with AES-256, and supports various malicious commands. This campaign demonstrates the integration of public services with modified open-source tools to evade detection.
OPENCTI LABELS :
phishing,clickfix,havoc,sharepoint,kaynldr,havoc demon agent,c2 framework,multi-stage malware
Open in NetmanageIT OpenCTI Public Instance with below link!
Use public read only username and password on login page.
NOTE : Use Public READ only user credentials on login page banner.
Havoc: SharePoint with Microsoft Graph API turns into FUD C2