Full Report
Threat hunters have called attention to a new campaign as part of which bad actors masqueraded as fake IT support to deliver the Havoc command-and-control (C2) framework as a precursor to data exfiltration or ransomware attack. The intrusions, identified by Huntress last month across five partner organizations, involved the threat actors using email spam as lures, followed by a phone call from
Analysis Summary
# Tool/Technique: Havoc C2 (Demon Agent)
## Overview
Havoc is a modern, open-source post-exploitation command-and-control (C2) framework. In this specific campaign, threat actors utilized customized "Demon" payloads—the framework’s primary implant—to gain initial access and move laterally within victim networks. The tool serves as an alternative to Cobalt Strike, providing a sophisticated interface for managing compromised endpoints, exfiltrating data, and deploying further payloads like ransomware.
## Technical Details
- **Type:** Command-and-Control (C2) Framework / Post-Exploitation Tool
- **Platform:** Windows (Implant); Linux (Teamserver)
- **Capabilities:** Remote shell execution, file system manipulation, credential harvesting, lateral movement, and EDR evasion.
- **First Seen:** Campaign identified by Huntress in February 2026 (Havoc framework itself has been active since approx. 2022).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.001 - Phishing: Spearphishing Attachment/Link]
- **[TA0002 - Execution]**
  - [T1204.002 - User Execution: Malicious File]
  - [T1053.005 - Scheduled Task/Job: Scheduled Task]
- **[TA0005 - Defense Evasion]**
  - [T1574.002 - Hijack Execution Flow: DLL Side-Loading]
  - [T1140 - Deobfuscate/Decode Files or Information]
  - [T1562.001 - Impair Defenses: Disable or Modify Tools] (EDR Bypass)
- **[TA0007 - Discovery]**
  - [T1082 - System Information Discovery]
- **[TA0008 - Lateral Movement]**
  - [T1021.001 - Remote Services: Remote Desktop Protocol]
## Functionality
### Core Capabilities
- **Beaconing:** The Demon agent communicates back to the C2 server at defined intervals to receive tasks.
- **Remote Access:** Provides a "hands-on-keyboard" capability for attackers to execute commands and scripts.
- **DLL Side-Loading:** Utilizes legitimate binaries (e.g., `ADNotificationManager.exe`, `DLPUserAgent.exe`) to load malicious libraries and evade signature-based detection.
- **Credential Harvesting:** Employs fake login overlays to capture user passwords under the guise of "anti-spam rule" updates.
### Advanced Features
- **EDR Bypass Techniques:** Incorporates **Hell's Gate** and **Halo's Gate** to invoke direct system calls, bypassing hooks placed by security software in `ntdll.dll`.
- **Obfuscation:** Uses control flow obfuscation and timing-based delay loops to frustrate sandbox analysis and automated detection.
- **Stealthy Thread Injection:** Executes shellcode by spawning new threads within legitimate processes to hide its presence.
## Indicators of Compromise
- **File Names:**
  - `ADNotificationManager.exe` (Legitimate host)
  - `DLPUserAgent.exe` (Legitimate host)
  - `Werfault.exe` (Legitimate host)
  - `vcruntime140_1.dll` (Malicious sideloaded DLL)
- **Network Indicators:**
  - Fake Microsoft landing pages hosted on AWS: `[h]xxp[://]amazon-aws-instance-url/` (Defanged)
  - C2 Traffic: Communication via various encrypted ports to actor-controlled infrastructure.
- **Behavioral Indicators:**
  - Rapid lateral movement (9 endpoints in 11 hours).
  - Creation of Scheduled Tasks to maintain persistence for the Demon payload.
  - Unusual browser activity navigating to high-reputation cloud hosting (AWS) immediately following a Quick Assist session.
## Associated Threat Actors
- **Black Basta Affiliates:** The TTPs align closely with historical Black Basta playbooks (email bombing followed by "IT Support" phone calls).
- **Unidentified Cybercrime Groups:** Potential rivals or former members of disbanded ransomware operations adopting proven methodologies.
## Detection Methods
- **Behavioral Detection:** Monitoring for suspicious child processes of legitimate Windows binaries (e.g., `Werfault.exe` spawning network connections or shellcode-like behavior).
- **Memory Scanning:** Scanning for "Demon" agent strings or reflective loading signatures in process memory.
- **Network Monitoring:** Detection of unauthorized RMM tools (AnyDesk, Quick Assist) being used in environments where they are not standard.
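As an added illustration of the behavioral detections listed above (not code from the Huntress report or the Havoc project), the following Python runs three checks over constructed Sysmon-style JSON events: a host binary from the IoC list loading `vcruntime140_1.dll` from outside trusted directories, `Werfault.exe` making an outbound connection, and a scheduled task whose action lives in a user-writable path. The event field names, the trusted-directory list and the sample events are assumptions made for the example.

```python
import json
from pathlib import PureWindowsPath

# Host binaries and the side-loaded DLL name from the IoC list above.
SIDELOAD_HOSTS = {"adnotificationmanager.exe", "dlpuseragent.exe", "werfault.exe"}
SIDELOADED_DLL = "vcruntime140_1.dll"
# Assumption: a genuine CRT DLL is loaded from one of these locations on a standard install.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def check_event(ev: dict) -> list:
    """Return alert strings for one Sysmon-style event dict (hypothetical field names)."""
    alerts = []
    image = PureWindowsPath(ev.get("Image", "")).name.lower()
    kind = ev.get("EventType")
    if kind == "ImageLoad":
        loaded = ev.get("ImageLoaded", "")
        # Side-loading: a known host binary loads vcruntime140_1.dll from outside trusted dirs.
        if (image in SIDELOAD_HOSTS and PureWindowsPath(loaded).name.lower() == SIDELOADED_DLL
                and not loaded.lower().startswith(TRUSTED_DLL_DIRS)):
            alerts.append(f"sideload: {image} loaded {loaded}")
    elif kind == "NetworkConnect" and image == "werfault.exe":
        # Crash reporting aside, WerFault.exe has no business talking to arbitrary hosts.
        alerts.append(f"netconn: werfault.exe -> {ev.get('DestinationIp')}:{ev.get('DestinationPort')}")
    elif kind == "ProcessCreate":
        cmd = ev.get("CommandLine", "").lower()
        # Persistence: a scheduled task whose action lives in a user-writable directory.
        if "schtasks" in cmd and "/create" in cmd and any(d in cmd for d in USER_WRITABLE):
            alerts.append(f"schtask: {ev.get('CommandLine')}")
    return alerts

def hunt(log_lines) -> list:
    # Run check_event over newline-delimited JSON log lines and collect every alert.
    alerts = []
    for line in log_lines:
        alerts.extend(check_event(json.loads(line)))
    return alerts

# Constructed sample events (not real telemetry): one hit per rule plus two benign lines.
SAMPLE_EVENTS = [
    {"EventType": "ImageLoad", "Image": r"C:\Users\v\AppData\Local\Temp\ADNotificationManager.exe",
     "ImageLoaded": r"C:\Users\v\AppData\Local\Temp\vcruntime140_1.dll"},
    {"EventType": "ImageLoad", "Image": r"C:\Program Files\Vendor\DLPUserAgent.exe",
     "ImageLoaded": r"C:\Windows\System32\vcruntime140_1.dll"},
    {"EventType": "NetworkConnect", "Image": r"C:\Windows\System32\WerFault.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /tn Updater /tr C:\Users\Public\DLPUserAgent.exe /sc minute /mo 5"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]
```

The side-loading rule deliberately ignores the DLL's directory when it is a trusted one, so a genuine `vcruntime140_1.dll` under `System32` produces no alert; tune `TRUSTED_DLL_DIRS` to the software actually deployed in your environment.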
## Mitigation Strategies
- **User Training:** Educate employees on "Help Desk" social engineering scams and verify IT requests through official internal channels.
- **Technical Restrictions:** Use Application Control policies to block known RMM tools (AnyDesk, TeamViewer) unless explicitly authorized.
- **Hardening:** Disable or restrict the use of Windows **Quick Assist** via Group Policy or Intune if not required for business operations.
- **Credential Protection:** Implement Multi-Factor Authentication (MFA) to mitigate the impact of harvested credentials.
## Related Tools/Techniques
- **AnyDesk / Quick Assist:** Legitimate remote desktop software abused for initial access.
- **Qakbot / Black Basta Playbook:** The overarching strategy of "Email Bombing" used to distract users before the social engineering call.
- **Cobalt Strike:** A tiered C2 framework with similar post-exploitation capabilities.