Havoc: SharePoint with Microsoft Graph API turns into FUD C2

216.73.216.36

Havoc: SharePoint with Microsoft Graph API turns into FUD C2

· Published 03/03/2025 18:02 · Modified 04/03/2025 09:34

Essential information

Published: 03/03/2025 18:02
Modified: 04/03/2025 09:34
Tags: 2025-03-03 c2 framework clickfix havoc havoc demon agent kaynldr multi-stage malware phishing sharepoint
Related entities: 5 observables, 18 techniques (mitre), 2 malware

Description

A phishing campaign combines ClickFix and multi-stage malware to deploy a modified Havoc Demon Agent. The attack starts with an HTML attachment using ClickFix to deceive users into executing malicious PowerShell commands. The malware stages are hidden behind SharePoint sites, and a modified Havoc Demon uses Microsoft Graph API to obscure C2 communications. The attack chain includes sandbox evasion, Python shellcode loader, KaynLdr for DLL loading, and a customized Havoc Demon DLL. The threat actor creates two files in SharePoint for C2 communication, encrypts data with AES-256, and supports various malicious commands. This campaign demonstrates the integration of public services with modified open-source tools to evade detection.