An open source command-and-control (C2) framework known as Havoc is being adopted by threat actors as an alternative to other well-known legitimate toolkits like Cobalt Strike, Sliver, and Brute Ratel.
Cybersecurity firm Zscaler said it observed a new campaign in the beginning of January 2023 targeting an unnamed government organization that utilized Havoc.
“While C2 frameworks are prolific, the open-source Havoc framework is an advanced post-exploitation command-and-control framework capable of bypassing the most current and updated version of Windows 11 defender due to the implementation of advanced evasion techniques such as indirect syscalls and sleep obfuscation,” researchers Niraj Shivtarkar and Niraj Shivtarkar said.
The attack sequence documented by Zscaler begins with a ZIP archive that embeds a decoy document and a screen-saver file that’s designed to download and launch the Havoc Demon agent on the infected host.
images from Hacker News