World Agricultural Cycling Competition (WACC) Participants Targeted for Havoc C2 Distribution

Cyble researchers uncovered a phishing site that imitates the World Agricultural Cycling Competition (WACC) website to trick users into downloading a ZIP file, which delivers the Havoc C2 framework through a PowerShell-driven loader. The campaign targets French agriculture and sports stakeholders and uses Azure Front Door as a C2 relay to conceal communications.

Key points

  • A phishing site mimicking the WACC website was identified and linked to a deception campaign.
  • The target audience appears to be stakeholders in the agriculture and sports sectors in France.
  • Victims are lured into downloading a ZIP file that claims to contain event photos.
  • The ZIP contains three .lnk shortcuts disguised as images; opening one triggers PowerShell-based execution.
  • The PowerShell command uses Start-BitsTransfer to fetch legitimate decoy images while also downloading and executing a malicious DLL loader (KB.dll).
  • The loader's shellcode starts the Havoc C2 agent, which contacts an Azure Front Door domain that acts as a redirector to the C2 server (the server was down during analysis).
  • The phishing site hosts an open directory containing multiple payloads, suggesting payloads are swapped depending on the target.
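The key points above describe the lure's shape: a ZIP of "photos" whose entries are really .lnk shortcuts carrying a PowerShell command line. The following script is an added example (not from Cyble's blog or the original summary) of a triage check a defender could run over an attachment before it reaches a user: it opens a ZIP, flags entries with an image name ending in .lnk, confirms the ShellLink header, and looks for PowerShell and Start-BitsTransfer strings in both ASCII and UTF-16LE, which is how LNK argument strings are stored. The sample ZIP and the fake LNK bodies are constructed inline so the example runs offline; the command lines inside them are placeholders, not the real campaign's arguments.

```python
import io
import zipfile
from typing import Dict, List

# Every ShellLink (.lnk) file begins with HeaderSize 0x4C followed by the
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")

# Strings worth flagging in a shortcut's target or arguments (lowercase).
SUSPICIOUS = [b"powershell", b"start-bitstransfer", b"rundll32",
              b"-encodedcommand", b"-windowstyle hidden"]


def is_lnk(data: bytes) -> bool:
    """True if the blob carries a ShellLink header, whatever its file name says."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def suspicious_strings(data: bytes) -> List[str]:
    """Return the SUSPICIOUS markers found as ASCII or UTF-16LE (case-insensitive)."""
    lower = data.lower()  # bytes.lower() folds ASCII only, leaving \x00 bytes alone
    hits = []
    for marker in SUSPICIOUS:
        wide = marker.decode().encode("utf-16-le")
        if marker in lower or wide in lower:
            hits.append(marker.decode())
    return hits


def scan_zip(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Scan a ZIP in memory; return one finding per suspicious entry, in archive order."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = zf.read(name)
            lower_name = name.lower()
            reasons = []
            # "1.jpg.lnk" style double extension: an image name that is really a shortcut.
            if lower_name.endswith(".lnk") and lower_name[:-4].endswith(IMAGE_EXTS):
                reasons.append("double extension: image name ending in .lnk")
            if is_lnk(data):
                if not lower_name.endswith(".lnk"):
                    reasons.append("LNK header but extension is not .lnk")
                hits = suspicious_strings(data)
                if hits:
                    reasons.append("suspicious strings: " + ", ".join(hits))
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_fake_lnk(command_line: str, utf16: bool = True) -> bytes:
    """Constructed stand-in for a .lnk: a valid header padded to 0x4C bytes, then the
    command line as an argument string would carry it (UTF-16LE by default)."""
    header = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))
    body = command_line.encode("utf-16-le") if utf16 else command_line.encode()
    return header + body


def build_sample_zip() -> bytes:
    """Constructed sample archive: two disguised shortcuts, a real JPEG, a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("1.jpg.lnk", build_fake_lnk("powershell -w hidden Start-BitsTransfer <placeholder>"))
        zf.writestr("2.jpg.lnk", build_fake_lnk("powershell -w hidden <placeholder>", utf16=False))
        zf.writestr("3.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # JPEG SOI marker, benign
        zf.writestr("notes.txt", b"event schedule")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The header check matters more than the name check: an archive can name a shortcut anything, and a mail gateway that only strips `*.lnk` misses a renamed one, while the CLSID is fixed by the format. Checking UTF-16LE as well as ASCII is what catches the argument string, since the ShellLink COMMAND_LINE_ARGUMENTS field is Unicode whenever the IsUnicode flag is set.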

MITRE Techniques

  • [T1566] Phishing – The attack uses a phishing website to lure victims.
  • [T1204.002] User Execution: Malicious File – The user executes a .LNK file disguised as an image.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Embedded PowerShell commands are executed.
  • [T1036.008] Masquerading: Masquerade File Type – The LNK file is disguised as a JPG file.
  • [T1027] Obfuscated Files or Information – The loader contains obfuscated shellcode.
  • [T1071.001] Application Layer Protocol: Web Protocols – HTTP is used for C2 communication.

Indicators of Compromise

  • [SHA256] Artifacts – 7566a8bce13dcbf1137b44776711ac2c471cf54a8bd7891c5b00b091f2aaa796, da9122c56c0da8f4e336f811435783b22994a9109162f3be6558aed7ac1c08da, and 3 more hashes
  • [File name] 1.jpg.lnk, KB.dll – and 2 more file names
  • [Domain] wacc.photo – Phishing site domain hosting the fake WACC site
  • [Domain] egzklpzltbptmgnnevne.azurefd.net – Azure Front Door domain used as C2 redirector

Read more: https://cyble.com/blog/world-agricultural-cycling-competition-wacc-participants-targeted-for-havoc-c2-dissemination/