
The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP

Published 04/06/2026 00:14 · Modified 04/06/2026 09:10


Essential information

Published: 04/06/2026 00:14
Modified: 04/06/2026 09:10
Source / Author: AlienVault
Confidence: 100/100
Report type(s): threat-report
Labels / Tags: banana rat brazil tax lure havoc invoice phishing kongtuke
Tags: 2026-06-03 banana rat brazil tax lure havoc invoice phishing kongtuke
Related entities: 1 vulnerability (CVE), 27 indicators, 27 observables, 18 techniques (MITRE), 3 malware, 5 others

Description

Cybercriminals in Brazil are exploiting the country's electronic invoice system (Nota Fiscal eletrônica, NF-e) to deliver Havoc framework implants. The campaign surfaced during May 2026, coinciding with tax season, when accountants routinely process invoice-related emails. Attackers distribute malicious ZIP files disguised as legitimate invoices; each contains a VBScript dropper that downloads an MSI installer from Google Cloud Storage. These installers deploy a fake Microsoft Defender DLP module (endpointdlp.dll) alongside a legitimate signed executable that loads it. The stager DLL downloads Demon shellcode from command-and-control infrastructure at runtime, so the final payload is never written to disk. Analysis reveals nine stager variants originating from a single builder, distributed through multiple channels including Brazilian NF-e-themed lures and Malaysia-registered domains. The implant establishes persistence through the rarely monitored UserInitMprLogonScript registry key and employs advanced anti-forensic techniques incl...
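The UserInitMprLogonScript persistence mechanism named above is easy to audit: the value lives under each user's Environment key and is normally absent on workstations that do not use legacy logon scripts. The following PowerShell check is an added example, not part of the AlienVault report; it walks every loaded user hive under HKEY_USERS and reports any profile that has the value set (the function and property names are this example's own, and it assumes rights to read HKEY_USERS).

```powershell
# Added example (not from the report): list UserInitMprLogonScript values across all loaded user hives.
# Any non-empty value is worth triage on a host that does not rely on legacy logon scripts.
function Get-UserInitMprLogonScript {
    [CmdletBinding()]
    param()

    # Map HKEY_USERS so every loaded profile hive is visible, not just the current user's HKCU.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
        # The value is stored under <SID>\Environment; the *_Classes hives never carry it.
        if ($hive.PSChildName -like '*_Classes') { continue }
        $sid    = $hive.PSChildName
        $envKey = "HKU:\$sid\Environment"

        $item = Get-ItemProperty -Path $envKey -Name 'UserInitMprLogonScript' -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # key or value not present: nothing to report for this profile

        # Resolve the SID to an account name where possible, for readable output.
        $account = try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { 'unresolved' }

        [PSCustomObject]@{
            SID        = $sid
            Account    = $account
            Value      = $item.UserInitMprLogonScript
            Suspicious = -not [string]::IsNullOrWhiteSpace($item.UserInitMprLogonScript)
        }
    }
}

# Usage: run in an elevated session so all loaded hives are readable.
Get-UserInitMprLogonScript | Format-Table -AutoSize
```

The same value can be watched continuously with a registry-modification rule (for example Sysmon event 13 on any path ending in `\Environment\UserInitMprLogonScript`), which catches the write at the moment the implant installs persistence.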

External references