Havoc Demon Targeting Pakistan International Airlines

A malicious macro-enabled Word document was identified delivering the Havoc Demon agent to targets in Pakistan, continuing a campaign previously observed against targets in Bangladesh, Pakistan and China. The threat actor abuses Microsoft’s dev tunnels service for command-and-control (C2) traffic, so that the beacon terminates on legitimate Microsoft infrastructure and blends in with developer traffic. #HavocDemon #MicrosoftDevTunnels #PakistanInternationalAirlines

Keypoints

  • A malicious macro-enabled Word document titled “TMS Data – June 2025” was uploaded from Pakistan and, given the lure, likely targets Pakistan International Airlines (PIA).
  • The macro code is obfuscated: the payload is split into hex-encoded blobs that are concatenated at run time, and base64 decoding is used to recover the shellcode.
  • Once macros are enabled, a new WINWORD.exe process is created and RWX memory is allocated in it to hold the payload (process injection), so the malicious code runs under a trusted Office process name.
  • The shellcode is a reflective loader for an embedded portable executable, demon.x64.dll, identified as the Havoc Demon agent.
  • The Demon resolves native Windows APIs at run time by comparing djb2 hashes of export names, so its import table gives no hint of the functions it uses and string-based detection of API names fails.
  • The C2 endpoint is a Microsoft dev tunnels hostname, so beacon traffic goes to legitimate Microsoft infrastructure and cannot be blocked on domain reputation alone.
  • This campaign shares significant overlap (tooling, lure style and C2 choice) with a previously documented January 2025 campaign, strongly linking it to the same threat actor.
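The djb2 API hashing noted above is what an analyst has to reverse before the loader’s behaviour can be read. The script below is an added example, not code from the original write-up or from the Havoc project: it rebuilds a hash-to-name table from a small constructed list of export names using standard djb2 (seed 5381, h = h*33 + c, truncated to 32 bits; these parameters are assumptions) and then scans a constructed byte blob for those constants, the way one would scan the extracted shellcode. Havoc’s own hashing routine may fold case or use a different seed, so the `upper` flag lets you try the case-folded variant; confirm which variant is in use against the constants in the actual sample.

```python
"""Added example (not from the write-up or the Havoc project): rebuild a djb2
API-hash table and scan a shellcode blob for matching constants.

Assumptions, labelled as such:
  * standard djb2: seed 5381, h = h*33 + c, kept to 32 bits;
  * the export names below are a small constructed list;
  * the blob is constructed inline to stand in for a captured shellcode.
"""
from __future__ import annotations

import struct


def djb2(name: str, seed: int = 5381, upper: bool = False) -> int:
    """32-bit djb2 of an ASCII export name. `upper` folds a-z to A-Z first,
    a common variant in loaders that want case-insensitive matching."""
    h = seed
    for ch in name.encode("ascii"):
        if upper and 0x61 <= ch <= 0x7A:
            ch -= 0x20
        h = ((h << 5) + h + ch) & 0xFFFFFFFF
    return h


# Constructed list; in practice feed the export tables of ntdll/kernel32.
EXPORT_NAMES = [
    "NtAllocateVirtualMemory",
    "NtProtectVirtualMemory",
    "NtCreateThreadEx",
    "LoadLibraryA",
    "GetProcAddress",
    "VirtualAlloc",
]


def build_table(names, **kwargs) -> dict[int, str]:
    """hash -> name, so a constant pulled from the sample maps back to an API."""
    return {djb2(n, **kwargs): n for n in names}


def find_api_hashes(blob: bytes, table: dict[int, str]) -> list[tuple[int, str]]:
    """Slide a 4-byte little-endian window over the blob and report every
    offset whose value is a known hash. The window is unaligned on purpose:
    the constant usually sits in an immediate operand, not on a 4-byte boundary."""
    hits = []
    for off in range(len(blob) - 3):
        val = struct.unpack_from("<I", blob, off)[0]
        if val in table:
            hits.append((off, table[val]))
    return hits


# Constructed stand-in for a shellcode fragment: padding, a hash constant,
# more padding, a second constant.
SAMPLE_BLOB = (
    b"\x90" * 4
    + struct.pack("<I", djb2("NtAllocateVirtualMemory"))
    + b"\xcc" * 3
    + struct.pack("<I", djb2("NtCreateThreadEx"))
)

if __name__ == "__main__":
    table = build_table(EXPORT_NAMES)
    for name in EXPORT_NAMES:
        print(f"{djb2(name):08x}  {name}")
    for off, name in find_api_hashes(SAMPLE_BLOB, table):
        print(f"hash for {name} at blob offset {off}")
```

To use this against a real sample, replace EXPORT_NAMES with the full export lists of the DLLs the loader is expected to touch and point `find_api_hashes` at the carved shellcode; if nothing matches, try `build_table(EXPORT_NAMES, upper=True)` and then other seeds before concluding the hash is not djb2.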

MITRE Techniques

  • [T1059] Command and Scripting Interpreter (sub-technique T1059.005, Visual Basic) – The VBA macro in the Word document decodes and executes the obfuscated payload from memory (‘…it has macros and a lure… executes payload from memory…’).
  • [T1071.001] Application Layer Protocol: Web Protocols – The Demon beacons over HTTP to a C2 server reachable through a Microsoft dev tunnels hostname (‘…the C2 configured in the demon is hxxp://djlmwd9b-80.euw.devtunnels[.]ms/’).
  • [T1055] Process Injection – A new WINWORD.exe process is created and RWX memory is allocated in it to hold the portable executable that the shellcode then executes (‘…a new WINWORD.exe process is created, with allocated RWX memory containing a portable executable’).
  • [T1106] Native API – The shellcode and the Demon call native Windows APIs through addresses resolved at run time with djb2 hashing, avoiding a static import table (‘…djb2 algorithm to resolve APIs via hashes’).
  • [T1102] Web Service – Microsoft dev tunnels, a legitimate developer service, is used as the C2 relay so that beacon traffic goes to trusted Microsoft infrastructure (‘…using Microsoft’s dev tunnels… leveraging legitimate Microsoft infrastructure’).
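The two C2-related techniques above come down to one detection question: which hosts, and which processes, are talking to dev tunnels endpoints. The script below is an added example, not part of the original write-up: it runs over constructed proxy log lines in a simple key=value format, pulls the tunnel id, forwarded port and region out of the `<tunnel>-<port>.<region>.devtunnels.ms` label (the shape of the IoC on this page), and raises an alert when the client process is not one of a placeholder allow-list of developer tools. The `tunnels.api.visualstudio.com` control-plane hosts included in the pattern are the ones the dev tunnels client uses according to Microsoft’s documentation; verify that against the current published list before deploying.

```python
"""Added example (not from the write-up): flag hosts that talk to Microsoft
dev tunnels endpoints in proxy logs, and treat it as an alert when the client
process is not a known developer tool.

Assumptions, labelled as such:
  * the log lines are constructed here in a simple key=value format;
  * hostnames follow the <tunnel>-<port>.<region>.devtunnels.ms shape seen in
    the IoC, plus the tunnels.api.visualstudio.com control-plane hosts used by
    the dev tunnels client (check Microsoft's current list);
  * EXPECTED_CLIENTS is a placeholder allow-list for this environment.
"""
from __future__ import annotations

import re

DEVTUNNEL_HOST = re.compile(
    r"^(?:(?P<tunnel>[a-z0-9]+)-(?P<port>\d+)\.(?P<region>[a-z0-9]+)\.)?devtunnels\.ms$"
    r"|^(?:[a-z0-9.-]+\.)?tunnels\.api\.visualstudio\.com$",
    re.IGNORECASE,
)

# Processes that legitimately use dev tunnels (assumption; tune per estate).
EXPECTED_CLIENTS = {"devtunnel.exe", "code.exe", "devenv.exe"}

# Constructed proxy log lines (not real telemetry).
LOG_LINES = [
    "2025-06-10T09:14:02Z src=10.20.4.17 user=j.doe proc=WINWORD.EXE "
    "dst=djlmwd9b-80.euw.devtunnels.ms:80 method=GET",
    "2025-06-10T09:14:05Z src=10.20.4.17 user=j.doe proc=OUTLOOK.EXE "
    "dst=outlook.office365.com:443 method=GET",
    "2025-06-10T09:15:11Z src=10.20.7.3 user=dev1 proc=devtunnel.exe "
    "dst=global.rel.tunnels.api.visualstudio.com:443 method=POST",
    "2025-06-10T09:16:40Z src=10.20.4.17 user=j.doe proc=WINWORD.EXE "
    "dst=djlmwd9b-80.euw.devtunnels.ms:80 method=POST",
]


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def devtunnel_records(lines) -> list[dict]:
    """Every record whose destination is a dev tunnels hostname, enriched with
    the tunnel id, forwarded port and region parsed from the label (None for
    the control-plane hosts, which carry no tunnel label)."""
    out = []
    for line in lines:
        rec = parse_line(line)
        dst = rec.get("dst", "")
        host = dst.rsplit(":", 1)[0] if ":" in dst else dst
        m = DEVTUNNEL_HOST.match(host)
        if m is None:
            continue
        rec["host"] = host
        rec.update(m.groupdict())
        out.append(rec)
    return out


def alerts(lines) -> list[dict]:
    """Dev tunnels traffic from a process that is not a known developer tool.
    An Office process beaconing to a tunnel is the pattern described above."""
    return [
        r for r in devtunnel_records(lines)
        if r.get("proc", "").lower() not in EXPECTED_CLIENTS
    ]


if __name__ == "__main__":
    for r in alerts(LOG_LINES):
        print(f"{r['ts']} {r['src']} {r['proc']} -> {r['host']} "
              f"(tunnel={r['tunnel']} port={r['port']} region={r['region']})")
```

Two practical caveats: the IoC on this page is defanged (`devtunnels[.]ms`), so strip the brackets before using it as a literal match, and do not block `*.devtunnels.ms` outright if the estate has developers who depend on it; the process-based allow-list is what separates a VS Code session from WINWORD.exe beaconing on port 80.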

Indicators of Compromise

  • [File Hashes] Word document SHA256 hash – a27f2936eb86674120cd54f293670362d51f4784cecb7cf60bf8b78752f24b70
  • [File Hashes] Shellcode hash – b0af124bf9643b0c0af2eceafc0b45e84ce19ea4f6f02cdc978afe80b1180730
  • [File Hashes] Havoc Demon DLL hash – fc43e225568af992cf9784fba4d5c2288bf013a5a22b0fc11cf9502dad3c9292
  • [Domains] C2 server domain – djlmwd9b-80.euw.devtunnels[.]ms (Microsoft dev tunnels service used for C2 communication)
  • [File Names] Document file names – HTCL_Report.doc, Aircraft_Modification.doc


Read more: https://dmpdump.github.io/posts/Havoc-Demon-Targeting-Pakistan-International-Airlines/