Hackers start using Havoc post-exploitation framework in attacks


Security researchers are seeing threat actors switching to a new and open-source command and control (C2) framework known as Havoc as an alternative to paid options such as Cobalt Strike and Brute Ratel.

Among its most notable capabilities, Havoc is cross-platform and bypasses Microsoft Defender on up-to-date Windows 11 devices using sleep obfuscation, return address stack spoofing, and indirect syscalls.

Like other exploitation kits, Havoc includes a wide variety of modules allowing pen testers (and hackers) to perform various tasks on exploited devices, including executing commands, managing processes, downloading additional payloads, manipulating Windows tokens, and executing shellcode.

All of this is done through a web-based management console, allowing the “attacker” to see all of their compromised devices, events, and output from tasks.

[Image: Havoc user interface (C5pider)]

Havoc abused in attacks

An unknown threat group recently deployed this post-exploitation kit in early January as part of an attack campaign targeting an undisclosed government organization.

According to the Zscaler ThreatLabz research team that spotted it in the wild, the shellcode loader dropped on compromised systems disables Event Tracing for Windows (ETW), and the final Havoc Demon payload is loaded without its DOS and NT headers, both to evade detection.
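The ETW-disabling step described above is usually visible as a patch over the entry point of an ETW export in the process. The following defensive check, added here as an illustration and not code from the article, Zscaler or the Havoc project, compares the bytes observed at each export against a baseline and classifies the difference; the baseline bytes, the snapshot and the export names are constructed for the example (on a live system the baseline would come from the on-disk ntdll.dll and the observed bytes from process memory).

```python
from dataclasses import dataclass

# Constructed baseline: the bytes a clean copy of each export is expected to
# start with. These are illustrative values, not the real ntdll prologues.
BASELINE = {
    "EtwEventWrite": bytes.fromhex("4c8bdc4883ec58"),
    "NtTraceEvent":  bytes.fromhex("4c8bd1b8e8000000"),
}

# Constructed memory snapshot: EtwEventWrite's entry has been overwritten
# with an early 'ret 0x14', while NtTraceEvent is intact.
OBSERVED = {
    "EtwEventWrite": bytes.fromhex("c21400") + BASELINE["EtwEventWrite"][3:],
    "NtTraceEvent":  BASELINE["NtTraceEvent"],
}

# Early-return stubs used as detection signatures: a function that now
# starts with one of these returns before doing any work.
EARLY_RETURN_STUBS = [
    (bytes.fromhex("c3"),     "ret"),
    (bytes.fromhex("c2"),     "ret imm16"),
    (bytes.fromhex("31c0c3"), "xor eax,eax; ret"),
    (bytes.fromhex("33c0c3"), "xor eax,eax; ret"),
]

@dataclass
class Finding:
    export: str
    verdict: str   # clean | patched | hooked | modified
    detail: str

def classify_prologue(export: str, baseline: bytes, observed: bytes) -> Finding:
    """Classify how the observed entry bytes differ from the expected ones."""
    if observed[: len(baseline)] == baseline:
        return Finding(export, "clean", "matches baseline")
    for stub, name in EARLY_RETURN_STUBS:
        if observed.startswith(stub):
            return Finding(export, "patched", f"entry replaced with '{name}'")
    # E9 = jmp rel32, FF 25 = jmp [rip+disp32]: typical of an inline detour
    if observed[:1] == b"\xe9" or observed[:2] == b"\xff\x25":
        return Finding(export, "hooked", "entry starts with an unconditional jmp")
    return Finding(export, "modified", "bytes differ from baseline")

def scan(baseline: dict, observed: dict) -> list:
    """Run the check over every export in the baseline, in baseline order."""
    return [classify_prologue(n, baseline[n], observed.get(n, b"")) for n in baseline]

if __name__ == "__main__":
    for f in scan(BASELINE, OBSERVED):
        print(f"{f.export:14} {f.verdict:9} {f.detail}")
```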

The framework was also deployed via a malicious npm package (Aabquerys) typosquatting a legitimate module, as revealed in a report from ReversingLabs’ research team earlier this month.

“Demon.bin is a malicious agent with typical RAT (remote access trojan) functionalities that was generated using an open source, post-exploitation, command and control framework named Havoc,” ReversingLabs threat researcher Lucija Valentić said.

“It supports building malicious agents in several formats including Windows PE executable, PE DLL and shellcode.”

[Image: Havoc command list (Zscaler)]

More Cobalt Strike alternatives deployed in the wild

While Cobalt Strike has become the most common tool used by various threat actors to drop “beacons” on their victims’ breached networks for later movement and delivery of additional malicious payloads, some of them have also recently begun looking for alternatives as defenders have gotten better at detecting and stopping their attacks.

As BleepingComputer previously reported, other options that help them evade antivirus and Endpoint Detection and Response (EDR) solutions include Brute Ratel and Sliver. 

These two C2 frameworks have already been field tested by a wide range of threat groups, from financially motivated cybercrime gangs to state-backed hacking groups.

Brute Ratel, a post-exploitation toolkit developed by Mandiant and CrowdStrike ex-red teamer Chetan Nayak, has been used in attacks suspected to be linked to Russian-sponsored hacking group APT29 (aka CozyBear). At the same time, some Brute Ratel licenses have likely also landed in the hands of ex-Conti ransomware gang members.

In August 2022, Microsoft also noted that multiple threat actors, from state-sponsored groups to cybercrime gangs (APT29, FIN12, Bumblebee/Coldtrain), are now using the Go-based Sliver C2 framework developed by researchers at cybersecurity firm BishopFox in their attacks as an alternative to Cobalt Strike.


  • AutomaticJack – 4 days ago

    You take away their toys, they’ll find something else to play with.

  • DyingCrow – 2 days ago

    Brute Ratel, a post-exploitation toolkit developed by Mandiant and CrowdStrike ex-red teamer Chetan Nayak…;
    …the Go-based Sliver C2 framework developed by researchers at cybersecurity firm BishopFox …

    This is the sort of stuff that can lead to all kinds of conspiracy theories. Some do-gooder researchers develop a tool that is used to set the world on fire. What could go wrong?
