Threat Actors Leverage Windows Task Scheduler to Embed Malware and Maintain Persistence
A follow-up analysis by the FortiGuard Incident Response Team (FGIR) to its investigation titled “Intrusion into Middle East Critical National Infrastructure” details a long-running intrusion that targeted critical national infrastructure (CNI) in the Middle East.
The report, part of the 2025 Global Threat Landscape Report, describes how the threat actors abused the Windows Task Scheduler (not a vulnerability in it, but its normal ability to run a program at boot or logon) to launch their malware and keep persistence on compromised systems.
The operation used a variant of the Havoc framework, an open-source post-exploitation command-and-control (C2) backdoor, to control the compromised Windows hosts.
Sophisticated Intrusion Targets Middle East
The attackers disguised a remote injector as “conhost.exe,” the name of the legitimate Windows Console Window Host, to evade detection. The genuine binary lives in C:\Windows\System32; the attackers placed their copy in the drivers subdirectory beneath it, so the file name looked familiar while the path did not match the real process.

The injector was launched via Task Scheduler with the command line C:\Windows\System32\drivers\conhost.exe -f conhost.dll -ER --ln --path cmd.exe. It decrypted an encrypted Havoc payload from a DLL file (“conhost.dll”) and injected it into a newly created “cmd.exe” process.
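A triage script for this persistence mechanism, added here as an example and not part of the FortiGuard report: it parses Task Scheduler XML definitions (the files under C:\Windows\System32\Tasks, or the output of schtasks /query /TN <name> /XML) and flags Exec actions whose binary carries the name of a core Windows executable but runs from somewhere other than its expected directory, plus a command line that hands a DLL to such a binary. The two task definitions are constructed to mirror the reported command line; the impersonated binary names beyond conhost.exe, the directory allow-list and the environment-variable table are assumptions made for the example.

```python
"""Triage Windows Task Scheduler XML definitions for masqueraded executables."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path, PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# conhost.exe is the name used in the reported intrusion; the other names are
# commonly impersonated Windows binaries, added here as an assumption.
SYSTEM_BINARIES = {
    "conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "smss.exe",
    "winlogon.exe", "explorer.exe", "dllhost.exe", "taskhostw.exe",
}
# Directories where those binaries legitimately live (lower-cased, assumption).
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
# Minimal expansion so %SystemRoot%\System32\... compares like C:\Windows\System32\...
ENV = {"%systemroot%": r"c:\windows", "%windir%": r"c:\windows"}


def normalize_command(command):
    """Lower-case, strip quotes and expand the few env vars tasks usually use."""
    command = command.strip().strip('"').lower()
    for var, value in ENV.items():
        command = command.replace(var, value)
    return PureWindowsPath(command)


def triage_task(xml_data):
    """Return a list of finding strings for one task definition (str or bytes)."""
    root = ET.fromstring(xml_data)
    findings = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS)
        args = action.findtext("t:Arguments", default="", namespaces=NS) or ""
        path = normalize_command(command)
        name, parent = path.name, str(path.parent)
        # A system-binary name running from a non-system directory is the
        # masquerade pattern from the report (drivers\conhost.exe).
        if name in SYSTEM_BINARIES and parent not in EXPECTED_DIRS:
            findings.append(f"masquerade: {name} launched from {parent}")
        # None of these binaries take a DLL on the command line; the injector did.
        if name in SYSTEM_BINARIES and re.search(r"\S+\.dll\b", args, re.I):
            findings.append(f"dll-argument: {name} given a DLL on its command line: {args}")
    return findings


def scan_tasks_dir(tasks_root=r"C:\Windows\System32\Tasks"):
    """Walk the on-disk task store (UTF-16 XML files) and collect findings per file."""
    results = {}
    for task_file in Path(tasks_root).rglob("*"):
        if not task_file.is_file():
            continue
        try:
            findings = triage_task(task_file.read_bytes())
        except ET.ParseError:
            continue
        if findings:
            results[str(task_file)] = findings
    return results


# Constructed sample modelled on the task described in the report (not a real capture).
MALICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\drivers\\conhost.exe</Command>
      <Arguments>-f conhost.dll -ER --ln --path cmd.exe</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: the same binary name from its legitimate location.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%SystemRoot%\\System32\\conhost.exe</Command>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, triage_task(sample) or "no findings")
```

Run it on a live host as an administrator (the task store is not world-readable) or point scan_tasks_dir at a mounted image; the name-versus-path check is the cheap signal, and any hit should be followed by hashing the binary and comparing against the IOCs at the end of this article.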
The injector first created the target process with the CreateProcessA() API, decrypted the payload using shellcode embedded in the DLL, and then used ZwAllocateVirtualMemory() and ZwWriteVirtualMemory() to place the decrypted code inside the new cmd.exe process. A remote thread was then started with ZwCreateThreadEx() to execute the Havoc agent, known as a “demon,” within the compromised system.
The demon communicated with a hardcoded C2 server, apps[.]gist[.]githubapp[.]net, over HTTP and HTTPS to receive commands and exfiltrate data.
During analysis, the researchers stood up a simulated C2 server and switched the demon to HTTP so its traffic could be captured in plaintext. This exposed the registration process, in which the demon sends AES-encrypted metadata about the host, including hostname, IP address and process details.
Havoc Framework’s Modular Design
The Havoc framework, an open-source Remote Access Trojan (RAT) released in 2022 by C5pider, has a modular architecture with components written in C++, Go and Python.
It consists of a “teamserver” that handles C2 operations and a client dashboard for operator interaction, and supports a large set of control commands and sub-commands as well as in-memory execution of Beacon Object Files (BOFs).

Commands such as COMMAND_FS for file system manipulation and COMMAND_INJECT_DLL for code injection let attackers perform actions ranging from directory creation to process enumeration without updating the demon itself.
The same modularity shows in the packet structures: a “demon-init” packet registers the host with the teamserver, and heartbeat packets sent every few seconds keep the connection to the C2 server alive.
Fortinet’s protective measures, including the AntiVirus signature W64/Havoc.d16b!tr and IPS detection as “Backdoor.Havoc.Agent,” have been deployed across FortiGate, FortiMail, FortiClient and FortiEDR, and the malicious domain is blocked by the Anti-Botnet and Web Filtering services.
Indicators of Compromise (IOCs)
Type | Value |
---|---|
C2 Server Domain | apps[.]gist[.]githubapp[.]net |
Remote Injector SHA-256 | 22BD09FBAB54963D4B0234585D33571A47A2DF569DBAB8B40988415AB0A3C37B |
Encrypted Havoc DLL SHA-256 | 9208034AF160357C99B45564FF54570B1510BAF3BC033999AE4281482617FF5B |