Havoc Professional: A Lethal Presence
#HAVOCC2
https://www.infinitycurve.org/blog/introduction

An introduction to Havoc Professional and Kaine-kit, exploring the advanced features and capabilities that make them lucrative for modern security professionals.

Sliver too mainstream? Cobalt Strike too patched? Say hello to Havoc.

@FortiGuardLabs just broke down a malicious Havoc C2 sample — and it’s bringing that open-source, post-exploitation energy with extra attitude.

Built for red teamers but abused by threat actors, this sample goes full dark mode:

  • Shellcode loader in C++
  • AES-encrypted payload
  • XOR junk code to slow reverse engineering
  • Dynamic API resolving
  • LOLBin delivery via regsvr32

It’s like someone asked: “What if malware devs went full GitHub?” (never go full GitHub)

🔗 Full breakdown:
https://www.fortinet.com/blog/threat-research/dissecting-a-malicious-havoc-sample

TL;DR for blue teamers:

  • Havoc ≠ harmless just because it’s open source
  • Monitor regsvr32, rundll32, mshta — Havoc loves its LOLBins
  • Watch for process injection + thread creation anomalies
  • Memory analysis > file-based detection here
  • Don’t assume your EDR is catching every beacon on port 443

Is it threat emulation or a real attack?

— Blue teamer having a full-blown identity crisis at 2am

Shoutout to @xpzhang and team for their amazing work!

#ThreatIntel #MalwareAnalysis #HavocC2 #RedTeamTools #PostExploitation #Infosec #BlueTeam #ReverseEngineering #CyberSecurity

New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint
A recent ClickFix phishing campaign tricks users into executing malicious PowerShell commands via fake OneDrive error messages in HTML attachments. This tactic deploys the Havoc post-exploitation framework, granting attackers remote access to compromised systems.
https://www.bleepingcomputer.com/news/security/new-clickfix-attack-deploys-havoc-c2-via-microsoft-sharepoint/

#Infosec #Security #Cybersecurity #CeptBiro #ClickFixAttack #HavocC2 #MicrosoftSharepoint

A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havoc post-exploitation framework for remote access to compromised devices.

BleepingComputer

Let's try this again

Listen to this Risky Business discussion about the availability of spyware leading to more abuse (~24:55 to ~28:00)

https://overcast.fm/+It0j7YDrs/24:55

Then tell me why offensive security tooling #ost isn't exactly the same thing? And why #metasploit and #HavocC2 shouldn't be banned and restricted like Pegasus?

My guess is that it will be, it's just a matter of time.

Will it make it go away? No of course not but at least it will be harder and riskier to get.

Risky Business #745 – Tales from the PANageddon — Risky Business

On this week’s show Patrick and Adam discuss the week’s security news, including:

  • Palo Alto’s firewalls have a ../ bad day
  • Sisense’s bucket full of creds gets kicked over
  • United Healthcare draws the ire of Congress
  • FISA 702 reauthorisation finally moves forward
  • Apple warns about “mercenary exploitation” but what’s the India link?
  • And much, much, more

This week’s sponsor is Panther, a platform that does detection as code on massive amounts of data. Panther’s founder Jack Naglieri is this week’s sponsor guest, and we spoke with him about some common detection-as-code approaches.

https://github.com/icyguider/UAC-BOF-Bonanza

"This repository serves as a collection of public UAC bypass techniques that have been weaponized as BOFs. A single module which integrates all techniques has been provided to use the BOFs via the Havoc C2 Framework. An extension.json file has also been provided for each bypass technique for use in Sliver."

#hacking #pentesting #redteam #sliverc2 #sliver #BOF #Havoc #havocC2

GitHub - icyguider/UAC-BOF-Bonanza: Collection of UAC Bypass Techniques Weaponized as BOFs

GitHub

Death by a thousand PaperCuts, China's APT41 uses new tricks to skirt EDR, and a pair of no-patch vulnerabilities take the front page in this week's newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023

The #PaperCut vulnerability continues to garner interest, with Iran's Mint Sandstorm (formerly #PHOSPHORUS) and Mango Sandstorm (formerly #MERCURY) seen using it opportunistically. A completely new exploit chain demo'd by Vulncheck researchers highlights the limitations of detection rules for assurances, and why patching is a must.

Earth Longzhi - a subset of the Chinese #APT41 Threat Group - has emerged after months in the shadows with new techniques seen in recent campaigns. Using Windows #Defender to side-load malware, the BYOVD technique to kill #EDR processes, and a newly discovered technique called "stack rumbling" to ensure they can't recover - this one is definitely one to check out.

Fortinet have warned of a recent wave of exploitation of a 5-year-old vulnerability with no patches being exploited en masse in late April, while #Cisco reveal a CVSS 9.8 vulnerability they have no plans to patch in their End-of-Support #VoIP phone adapters.

There's a bunch of great write-ups for those in the #redteam, looking at bypassing WAF protections by running tools like SQLMap over #Tor, how to minimise the size of your #XSS payloads, and highlighting a bunch of lab/ctf-style environments to cut your teeth on Azure, AWS, Kubernetes, and more.

The #blueteam can brush up on commonly abused misconfigurations in Active Directory, #AzureAD, and #Microsoft365, as well as some excellent tips on hunting the Open Source Posh, Deimos, and Havoc C2 frameworks using #Shodan and #Censys.

Elastic Labs have also outdone themselves last week, releasing a suite of tools to decrypt, decompress, recompile, extract and/or parse various malware payloads distributed in recent #IcedID campaigns.

There's lots to dig through before starting your work week, so get started here:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023

#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #exploitation #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #MangoSandstorm #MintSandstorm #Iran #EarthLongzhi #StackRumbling #clop #PoC #exploit #securityresearch #BYOVD #AWS #Azure #Kubernetes #GCP #PoshC2 #DeimosC2 #HavocC2

SOC Goulash: Weekend Wrap-Up

The PaperCut vulnerability saga continues, China's APT41 uses novel EDR bypasses in attacks, Cisco release a no-patch vulnerability, tools for red & blue teams

Opalsec