# Full Report
In Brazil, Nota Fiscal eletrônica (NF-e) is the everyday name for an official electronic invoice. Real ones often arrive as a ZIP whose long numeric file name looks like paperwork. Criminals reused that habit: their email attachment can look boring and "normal," like another vendor bill. Behind that disguise, they install Havoc. Havoc began as open-source software for penetration tests; in the wild, attackers bend it into a tool that lets them watch the screen, run commands, or attempt to compromise other PCs in the network.
# Analysis Summary
# Tool/Technique: Havoc Framework (Demon) & Brazilian NF-e Stager
## Overview
This attack campaign utilizes a highly customized stager that masquerades as Microsoft Defender Data Loss Prevention (DLP) components to deploy the Havoc Framework's "Demon" agent. The campaign specifically targets Brazilian organizations by weaponizing the "Nota Fiscal eletrônica" (NF-e) electronic invoice system as a lure, timed to coincide with the Brazilian tax season.
## Technical Details
- **Type:** Malware family (Havoc Framework/Demon) and custom Downloader/Stager.
- **Platform:** Windows
- **Capabilities:** Screen monitoring, remote command execution, lateral movement, persistence via logon scripts, and anti-forensics.
- **First Seen:** May 2026 (specifically May 2, 2026).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566.001 - Phishing: Spearphishing Attachment (ZIP mimicking invoice)
- **TA0003 - Persistence**
  - T1037.001 - Boot or Logon Initialization Scripts: Logon Script (UserInitMprLogonScript)
- **TA0005 - Defense Evasion**
  - T1036 - Masquerading (Fake Microsoft Defender DLP branding)
  - T1574.002 - Hijack Execution Flow: DLL Side-Loading (`endpointdlp.dll` beside signed `mpextms.exe`)
  - T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTP/S)
## Functionality
### Core Capabilities
- **Advanced Payload Delivery:** Uses a VBScript dropper that fetches an MSI installer from Google Cloud Storage to set up the environment.
- **DLL Side-Loading:** The MSI drops a legitimate, signed Microsoft executable (`mpextms.exe`) alongside a malicious DLL (`endpointdlp.dll`). When the executable runs, it loads the malicious stager.
- **Havoc Integration:** The stager fetches the "Demon" agent shellcode from the C2 server at runtime, ensuring the actual malware is never stored directly in the initial lure archive.
### Advanced Features
- **Themed Indicators:** The stager uses specific User-Agents like `Microsoft-Delivery-Optimization/10.1` to blend in with legitimate Windows update traffic.
- **Anti-Forensics:** Includes toggles within the Havoc configuration to detect sandboxes and avoid analyst environments.
- **Persistence:** Modifies the registry to ensure the malware executes every time a user logs in via the `UserInitMprLogonScript` registry key.
## Indicators of Compromise
- **File Hashes:**
  - *Note: Specific SHA256 hashes for the MSI/DLL were truncated in the source text, but the campaign identifies `endpointdlp.dll` as the primary stager.*
- **File Names:**
  - `NFE-43250902055205000108550010000269881023835318-1.zip`
  - `update.msi`
  - `endpointdlp.dll` (Malicious)
  - `mpextms.exe` (Legitimate signed binary used for side-loading)
- **Registry Keys:**
  - `HKCU\Environment\UserInitMprLogonScript`
- **Network Indicators:**
  - `hxxps://storage[.]googleapis[.]com/nodesdownload/update.msi`
  - Attacker C2 server (using `Microsoft-Delivery-Optimization/10.1` User-Agent).
- **Behavioral Indicators:**
  - `msiexec.exe` running with `/quiet` flags triggered by `cscript.exe`.
  - Legitimate Microsoft binaries spawning unusual network connections to non-Microsoft IPs.
## Associated Threat Actors
- **Unidentified Brazilian-focused actors:** Similar TTPs to actors deploying "Banana RAT," but utilizing the Havoc Framework instead.
## Detection Methods
- **Signature-based:** Scan for the specific `UserInitMprLogonScript` registry modification.
- **Behavioral:** Monitor for `mpextms.exe` (or other Defender components) loading unsigned or unexpected DLLs from non-standard directories.
- **YARA Detection:** LevelBlue provides rules focusing on the stager template and the specific HTTP headers used during the fetch phase.
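The behavioral indicators and detection methods above, turned into a small rule set run over constructed Sysmon-style events. This is an added example written for this page, not LevelBlue's YARA rules or any vendor telemetry; the event dictionaries, paths and the `TRUSTED_DIRS` list are assumptions made for illustration.

```python
"""Toy detection logic for the three behaviours the report describes:
quiet MSI installs spawned by cscript.exe, Defender binaries loading an
unsigned or out-of-place DLL, and UserInitMprLogonScript persistence."""

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\ana\AppData\Local\Temp\update.msi /quiet",
     "parent": r"C:\Windows\System32\cscript.exe"},
    {"event": "ImageLoad", "image": r"C:\Users\ana\AppData\Roaming\mpextms.exe",
     "loaded": r"C:\Users\ana\AppData\Roaming\endpointdlp.dll", "signed": False},
    {"event": "RegistryValueSet",
     "target": r"HKCU\Environment\UserInitMprLogonScript",
     "details": r"C:\Users\ana\AppData\Roaming\mpextms.exe"},
    # Benign controls: a Defender DLL loaded from its own install directory,
    # and a quiet MSI install launched by a service host rather than a script.
    {"event": "ImageLoad", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "loaded": r"C:\Program Files\Windows Defender\mpclient.dll", "signed": True},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\installers\tool.msi /quiet",
     "parent": r"C:\Windows\System32\svchost.exe"},
]

# Assumed baseline: where Defender components legitimately live on this host.
TRUSTED_DIRS = (r"c:\program files\windows defender",
                r"c:\programdata\microsoft\windows defender",
                r"c:\windows\system32")
DEFENDER_BINARIES = {"mpextms.exe", "msmpeng.exe", "mpcmdrun.exe", "nissrv.exe"}
QUIET_FLAGS = {"/quiet", "/qn", "/q"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_trusted_dir(path: str) -> bool:
    return any(path.lower().startswith(d) for d in TRUSTED_DIRS)


def evaluate(event: dict):
    """Return a rule name if the event matches one of the report's behaviours, else None."""
    kind = event["event"]
    if kind == "ProcessCreate":
        quiet = any(tok.lower() in QUIET_FLAGS for tok in event["cmdline"].split())
        if basename(event["image"]) == "msiexec.exe" and quiet \
                and basename(event["parent"]) == "cscript.exe":
            return "quiet_msi_from_vbscript"
    elif kind == "ImageLoad":
        if basename(event["image"]) in DEFENDER_BINARIES and \
                (not event["signed"] or not in_trusted_dir(event["loaded"])):
            return "defender_binary_sideload"
    elif kind == "RegistryValueSet":
        if event["target"].lower().endswith(r"\environment\userinitmprlogonscript"):
            return "logon_script_persistence"
    return None


def scan(events):
    """Run every event through evaluate() and keep (rule, event) pairs that fired."""
    return [(rule, e) for e in events if (rule := evaluate(e))]
```

The two benign control events are there to show the rules do not fire on Defender's own DLLs or on ordinary silent installs.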
## Mitigation Strategies
- **Email Security:** Implement strict filtering for ZIP files containing VBS, MSI, or LNK files.
- **User Training:** Educate staff on the structure of legitimate NF-e invoices (which should contain XML/PDF, never VBS/MSI).
- **Attack Surface Reduction:** Block the use of `UserInitMprLogonScript` through GPO if not required for business operations.
- **Application Whitelisting:** Use Windows Defender Application Control (WDAC) to prevent unauthorized DLLs from loading.
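One way to apply the email-filtering and "XML/PDF only" advice above at a mail gateway: open each ZIP attachment in memory and quarantine it if it carries script or installer entries a genuine NF-e archive should never contain. This is an added example, not code from the report or from any product; the archives are constructed in memory, and the inner `.vbs` file name is an assumption modelled on the reported ZIP name, not the real dropper.

```python
"""Inspect a ZIP attachment for entries inconsistent with a real NF-e invoice."""
import io
import posixpath
import zipfile

# Extensions the report recommends filtering inside invoice ZIPs, plus common siblings.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".msi", ".lnk", ".exe",
                      ".dll", ".hta", ".scr", ".ps1", ".bat", ".cmd"}
NFE_ALLOWED = {".xml", ".pdf"}  # what a legitimate NF-e archive actually carries


def inspect_nfe_zip(data: bytes) -> dict:
    """Classify every entry; double extensions (fatura.pdf.vbs) and mixed case are handled
    by taking only the final extension, lower-cased. Nested ZIPs are flagged for recursion."""
    verdict = {"blocked": [], "unexpected": [], "nested_zips": [], "corrupt": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                ext = posixpath.splitext(info.filename)[1].lower()
                if ext in BLOCKED_EXTENSIONS:
                    verdict["blocked"].append(info.filename)
                elif ext == ".zip":
                    verdict["nested_zips"].append(info.filename)
                elif ext not in NFE_ALLOWED:
                    verdict["unexpected"].append(info.filename)
    except zipfile.BadZipFile:
        # A corrupt or non-ZIP attachment pretending to be one is quarantined, not passed.
        verdict["corrupt"] = True
    verdict["quarantine"] = bool(verdict["blocked"] or verdict["nested_zips"] or verdict["corrupt"])
    return verdict


def build_zip(entries: dict) -> bytes:
    """Helper to construct a ZIP in memory from {name: text} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a lure shaped like the reported attachment, and a benign invoice.
LURE_ZIP = build_zip({
    "NFE-43250902055205000108550010000269881023835318-1.vbs":
        "' constructed placeholder body, not the real dropper\r\n"})
GENUINE_ZIP = build_zip({"nfe.xml": "<nfeProc/>", "danfe.pdf": "%PDF-1.4\n"})
```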
## Related Tools/Techniques
- **Banana RAT:** Another Brazilian banking trojan using identical NF-e lure themes.
- **Havoc Framework:** An open-source command-and-control framework used as an alternative to Cobalt Strike.