Sliver too mainstream? Cobalt Strike too patched? Say hello to Havoc.

@FortiGuardLabs just broke down a malicious Havoc C2 sample — and it’s bringing that open-source, post-exploitation energy with extra attitude.

Built for red teamers but abused by threat actors, this sample goes full dark mode:

  • Shellcode loader in C++
  • AES-encrypted payload
  • XOR junk code to slow reverse engineering
  • Dynamic API resolving
  • LOLBin delivery via regsvr32

It’s like someone asked: “What if malware devs went full GitHub?” (never go full GitHub)

🔗 Full breakdown:
https://www.fortinet.com/blog/threat-research/dissecting-a-malicious-havoc-sample

TL;DR for blue teamers:

  • Havoc ≠ harmless just because it’s open source
  • Monitor regsvr32, rundll32, mshta — Havoc loves its LOLBins
  • Watch for process injection + thread creation anomalies
  • Memory analysis > file-based detection here
  • Don’t assume your EDR is catching every beacon on port 443

Is it threat emulation or a real attack?

— Blue teamer having a full-blown identity crisis at 2am

Shoutout to @xpzhang and team for their amazing work!

#ThreatIntel #MalwareAnalysis #HavocC2 #RedTeamTools #PostExploitation #Infosec #BlueTeam #ReverseEngineering #CyberSecurity
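The TL;DR above tells blue teamers to watch regsvr32, rundll32 and mshta and to look for process-injection and remote-thread anomalies. The following is an added example (not code from the post or from the FortiGuard write-up) of what such a detection pass could look like over process-creation and remote-thread events. The event fields are an assumption loosely modelled on Sysmon-style telemetry, the sample events are constructed, and the rules are deliberately simple heuristics that a real deployment would tune with allowlists for known-good installers and parents.

```python
"""Heuristic LOLBin / remote-thread detector over constructed endpoint events.

Added example for illustration; not part of the original post.
Field names (image, parent, cmdline, source, target) are assumed,
loosely following Sysmon process-creation and remote-thread events.
"""
import re
from dataclasses import dataclass

# LOLBins called out in the post and commonly abused for proxy execution.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe"}
# Office applications are a very unusual parent for these binaries.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

URL_RE = re.compile(r"https?://", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:temp|appdata|public|downloads)\\", re.I)
DLL_ARG_RE = re.compile(r"\.dll\b", re.I)


@dataclass
class ProcEvent:
    image: str      # basename of the new process image
    parent: str     # basename of the parent process image
    cmdline: str    # full command line


@dataclass
class RemoteThreadEvent:
    source: str     # process that created the thread
    target: str     # process the thread was created in


def check_proc(ev: ProcEvent) -> list:
    """Return the rule names a process-creation event triggers (empty if none)."""
    reasons = []
    img = ev.image.lower()
    if img not in LOLBINS:
        return reasons
    if URL_RE.search(ev.cmdline):
        reasons.append("lolbin-url-in-cmdline")
    if USER_WRITABLE_RE.search(ev.cmdline):
        reasons.append("lolbin-user-writable-path")
    if ev.parent.lower() in OFFICE_PARENTS:
        reasons.append("lolbin-office-parent")
    # rundll32 with no DLL on the command line is a classic sign of something
    # else (e.g. injected code) doing the real work inside a "blank" host.
    if img == "rundll32.exe" and not DLL_ARG_RE.search(ev.cmdline):
        reasons.append("rundll32-without-dll")
    return reasons


def check_thread(ev: RemoteThreadEvent) -> list:
    """Flag remote-thread creation originating from a LOLBin or Office app."""
    src = ev.source.lower()
    if src in LOLBINS or src in OFFICE_PARENTS:
        return ["remote-thread-from-lolbin-or-office"]
    return []


def scan(proc_events, thread_events):
    """Return [(event, reasons)] for every event that triggered a rule."""
    hits = []
    for ev in proc_events:
        reasons = check_proc(ev)
        if reasons:
            hits.append((ev, reasons))
    for ev in thread_events:
        reasons = check_thread(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry: two benign events, four that should alert.
PROC_EVENTS = [
    ProcEvent("svchost.exe", "services.exe", "svchost.exe -k netsvcs"),
    ProcEvent("regsvr32.exe", "msiexec.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'),
    ProcEvent("regsvr32.exe", "winword.exe",
              "regsvr32.exe /s /u /i:http://example.invalid/update.sct"),
    ProcEvent("rundll32.exe", "cmd.exe", "rundll32.exe"),
    ProcEvent("mshta.exe", "explorer.exe",
              r"mshta.exe C:\Users\alice\AppData\Local\Temp\invoice.hta"),
]
THREAD_EVENTS = [
    RemoteThreadEvent("csrss.exe", "notepad.exe"),      # normal OS behaviour
    RemoteThreadEvent("rundll32.exe", "explorer.exe"),  # suspicious
]

if __name__ == "__main__":
    for ev, reasons in scan(PROC_EVENTS, THREAD_EVENTS):
        print(ev, "->", ", ".join(reasons))
```

The point of the example is the shape of the logic, not the exact rules: a LOLBin on its own is never the signal (the vendor-plugin registration above is silent), but a LOLBin combined with a URL, a user-writable path, an Office parent, or a remote thread into another process is worth a ticket, and memory inspection of the flagged process is the next step rather than a file hash lookup.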

Skitnet is shaking up the cybercrime scene—this stealthy ransomware tool is now powering high-stakes attacks by notorious groups. Ever wonder how hackers pull off such seamless heists? Dive into the story behind the tool that's rewriting the rules.

https://thedefendopsdiaries.com/skitnet-a-new-era-in-ransomware-tools/

#skitnet
#ransomware
#cybersecurity
#postexploitation
#blackbasta

Skitnet is shaking up the ransomware scene with stealthy tactics and jaw-dropping capabilities—already in use by notorious gangs. What does this mean for our digital defenses? Dive into the details.

https://thedefendopsdiaries.com/skitnet-a-new-era-in-ransomware-tools/

#skitnet
#ransomware
#cybersecurity
#postexploitation
#blackbasta

They don’t need malware. They weaponize what’s already trusted - PowerShell, WMI, CertUtil. This is Living Off the Land. Defend or be devoured.
#LOLBins #infosec #cybersecurity #redteam #ethicalhacking #windowssecurity #postexploitation #DeadSwitch

http://tomsitcafe.com/2025/05/06/living-off-the-land-how-hackers-use-your-tools-against-you/

Living off the Land: How Hackers Use Your Tools Against You

The breach doesn’t always come with malware. Sometimes the threat is already inside – your own tools, turned against you. Attackers know the terrain. They don’t bring weapons. They sharp

Tom's IT Cafe

⚠ New zero-day vulnerability targeting Ivanti Connect Secure VPNs (CVE-2025-0282)

#Mandiant has published the first signs of exploitation (with an initial attribution to UNC5337):

🔍 Common steps identified during exploitation:
1️⃣ Disables SELinux
2️⃣ Blocks syslog forwarding
3️⃣ Remounts the disk read-write
4️⃣ Writes a malicious script
5️⃣ Executes that script
6️⃣ Deploys one or more web shells
7️⃣ Modifies the logs to hide the activity
8️⃣ Re-enables SELinux
9️⃣ Remounts the disk

🛑 Post-exploitation concealment techniques:

  • Removal of kernel messages with dmesg and modification of debug logs.
  • Clearing of state dumps and crash core dumps.
  • Removal of entries related to syslog failures, internal ICT errors, crash traces and certificate errors.
  • Modification of the SELinux audit log to hide the commands executed.

💡 Additional observations:

CVE-2025-0282 affects several patch levels of ICS release 22.7R2.

Successful exploitation depends on the specific version.

Repeated requests to the VPN are observed before exploitation, probably to identify the version.

🗂️ Targeted files:
/dana-cached/hc/hc_launcher.22.7.2.2615.jar
/dana-cached/hc/hc_launcher.22.7.2.3191.jar
/dana-cached/hc/hc_launcher.22.7.2.3221.jar
/dana-cached/hc/hc_launcher.22.7.2.3431.jar

⚠ Mandiant reports having observed signs of active in-the-wild exploitation since mid-December 2024.

"Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation"
👇
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day/?hl=en

#CyberVeille #Ivanti #IoC #postexploitation
#attribution
#CVE_2025_0282 #CVE_2025_0283

Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog

Zero-day exploitation of Ivanti Connect Secure VPN vulnerabilities since as far back as December 2024.

Google Cloud Blog

Now that you’ve seen #WhatTheVuln Episode 2 featuring Lindsay Von Tish and Allan Cecil, check out the corresponding technical write-up where you can take a deep dive into how to use #LoLBins to bypass #EDR protection and install a #C2 agent for advanced #postexploitation control.

And don’t fret if you missed the initial livestream – you can watch the recording on demand! https://bfx.social/3K4T1mS

P.S. Episode 3 is on the way!

EDR Bypass with LoLBins

In Episode 2 of our What the Vuln series, Lindsay Von Tish shares her knowledge on endpoint detection and response (EDR) bypass techniques with LoLBins.

Bishop Fox

How common is it for a PHP install to support curl_* functions or at least not have them filtered?
#pentesting #postexploitation #php

Check out this list of #postexploitation tools we enjoy using in our #pentesting work, such as:

- Mimikatz
- PowerHub
- Bashark
- And Metasploit of course!

See the full list: https://bishopfox.com/blog/post-exploitation-tools-for-pen-test

9 Post-Exploitation Tools for Your Next Penetration Test

Nine tools we’ve found useful for our post-exploitation penetration testing efforts including GhostPack, Metasploit, PowerHub, LOLBAS, Mimikatz, PHPSploit.

Bishop Fox

During post-exploitation, how do you prefer to name/identify the systems?
#postexploitation #pentesting

  • external IP:PORT: 50%
  • internal hostname: 50%
  • other (comment below): 0%

Poll ended at .

Other than MITRE ATT&CK which is very broad and exhaustive, is there an attribute list for "capabilities" or "functionality" (or whatever you want to call them) that exploits or payloads grant the user? I'm looking for things like command-exec, file-read, file-write, etc.
#infosec #taxonomy #postexploitation #mitreattck