{
  "name": "Havoc: SharePoint with Microsoft Graph API turns into FUD C2",
  "slug": "havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2",
  "description": "A phishing campaign combines ClickFix and multi-stage malware to deploy a modified Havoc Demon Agent. The attack starts with an HTML attachment using ClickFix to deceive users into executing malicious PowerShell commands. The malware stages are hidden behind SharePoint sites, and a modified Havoc Demon uses the Microsoft Graph API to obscure C2 communications. The attack chain includes sandbox evasion, a Python shellcode loader, KaynLdr for DLL loading, and a customized Havoc Demon DLL. The threat actor creates two files in SharePoint for C2 communication, encrypts data with AES-256, and supports various malicious commands. This campaign demonstrates the integration of public services with modified open-source tools to evade detection.",
  "published": "2025-03-03T17:02:14+00:00",
  "created_at": "2025-03-03T17:02:14+00:00",
  "modified_at": "2025-03-04T08:34:16+00:00",
  "created_at_opencti": "2025-03-03T17:02:14+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-03-03",
    "c2 framework",
    "clickfix",
    "havoc",
    "havoc demon agent",
    "kaynldr",
    "multi-stage malware",
    "phishing",
    "sharepoint"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "hao771.sharepoint.com"
      },
      {
        "id": "",
        "name": "a5210aaa9eb51e866d9c2ef17f55c0526732eacb1a412b910394b6b51246b7da"
      },
      {
        "id": "",
        "name": "cc151456cf7df7ff43113e5f82c4ce89434ab40e68cd6fb362e4ae4f70ce65b3"
      },
      {
        "id": "",
        "name": "51796effe230d9eca8ec33eb17de9c27e9e96ab52e788e3a9965528be2902330"
      },
      {
        "id": "",
        "name": "989f58c86343704f143c0d9e16893fad98843b932740b113e8b2f8376859d2dd"
      }
    ],
    "malware": [
      {
        "id": "aafd91be-9421-4f66-bab8-6db6db6a37a0",
        "name": "KaynLdr",
        "slug": "kaynldr"
      },
      {
        "id": "b09f5343-ec83-482b-86c5-eb6ecc13eeec",
        "name": "Havoc",
        "slug": "havoc"
      }
    ],
    "attack_patterns": [
      {
        "id": "5d2af906-6187-4702-ab9f-590fbe5b1ca3",
        "name": "T1021.002"
      },
      {
        "id": "195d9773-4de3-4f61-b94d-a2b53cb65608",
        "name": "T1021.001"
      },
      {
        "id": "7671fe3e-6a85-463e-928d-16117d2f4f9b",
        "name": "T1059.006"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "29398669-98ed-4766-9dac-f9632f7175ff",
        "name": "T1518"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "14da8ebf-e0b0-4d4e-9c83-56277980f266",
        "name": "T1134"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "5d4ae945-eb29-4b3b-aa69-bc32dc769878",
        "name": "T1558"
      }
    ]
  },
  "external_refs": [
    "https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2",
    "https://otx.alienvault.com/pulse/67c5eea6bb77c4b4d02e4ca0"
  ]
}