BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Havoc

havoc
119
Global rank
78 infographic chevron month
Month rank
64 infographic chevron week
Week rank
0
IOCs

Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.

C2 Framework
Type
Unknown
Origin
1 October, 2022
First seen
20 November, 2024
Last seen

How to analyze Havoc with ANY.RUN

C2 Framework
Type
Unknown
Origin
1 October, 2022
First seen
20 November, 2024
Last seen

IOCs

IP addresses
20.49.161.16
172.67.155.126
34.146.54.108
103.29.189.125
93.113.25.40
98.66.210.39
20.90.112.111
139.59.237.172
101.34.217.130
20.56.14.162
104.194.134.254
145.239.43.135
38.180.91.21
64.176.165.233
89.35.131.96
20.73.47.175
45.79.221.12
138.197.105.230
74.119.193.28
3.136.231.230
Domains
dms.x-pt.net
140.ip-176-31-163.eu
103-152-255-69.cprapid.com
iglensonc2.com
vks18885.ip-176-31-163.eu
cohorts.xyz
if00d.com.br
fmmudancas.com.br
charlie-twice.suiteb.io
nginx-imfi.fcv3.1197883384467965.cn-hangzhou.fc.devsapp.net
wellsfararoo01.duckdns.org
dns1.s-logistics.net
inforussia.org
td.tula-steel.ru
share.dedesignanddev.com
wacc.photo
vmi1110375.contaboserver.net
zzdl.com
ns1.kangndo.com
fra.aled93.ru
Last Seen at
17 November, 2024
Malicious activity
notepad.exe
havoc
backdoor
framework
15 November, 2024
Malicious activity
c8c8d9baffd6ebfe015490f08ff6c93793c31706f4cf5dc868ad560fbbdff24f
havoc
backdoor
framework
15 November, 2024
Malicious activity
64.95.10.2
loader
sliver
backdoor
havoc
framework
14 November, 2024
Malicious activity
i
havoc
backdoor
framework
13 November, 2024
Malicious activity
demon.x64.exe
sliver
backdoor
havoc
framework
28 September, 2024
Malicious activity
SecuriteInfo.com.Win64.MalwareX-gen.15798.11018
sliver
backdoor
havoc
framework
28 September, 2024
Malicious activity
SecuriteInfo.com.Win64.Evo-gen.19321.5552
sliver
backdoor
havoc
framework
28 September, 2024
Malicious activity
SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932
sliver
backdoor
havoc
framework
loader
28 September, 2024
Malicious activity
SecuriteInfo.com.Win64.Evo-gen.19321.5552
sliver
backdoor
havoc
framework
29 August, 2024
Malicious activity
71f409086f2c11bc9736d54810300bd3d5ea8e35f1f8610ca164440deb828de5
havoc
backdoor
framework
TRACK THEM ALL AT
Public Submissions
Last Seen at
17 November, 2024
Malicious activity
notepad.exe
havoc
backdoor
framework
15 November, 2024
Malicious activity
c8c8d9baffd6ebfe015490f08ff6c93793c31706f4cf5dc868ad560fbbdff24f
havoc
backdoor
framework
15 November, 2024
Malicious activity
64.95.10.2
loader
sliver
backdoor
havoc
framework
14 November, 2024
Malicious activity
i
havoc
backdoor
framework
13 November, 2024
Malicious activity
demon.x64.exe
sliver
backdoor
havoc
framework
28 September, 2024
Malicious activity
SecuriteInfo.com.Win64.MalwareX-gen.15798.11018
sliver
backdoor
havoc
framework
28 September, 2024
Malicious activity
SecuriteInfo.com.Win64.Evo-gen.19321.5552
sliver
backdoor
havoc
framework
28 September, 2024
Malicious activity
SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932
sliver
backdoor
havoc
framework
loader
28 September, 2024
Malicious activity
SecuriteInfo.com.Win64.Evo-gen.19321.5552
sliver
backdoor
havoc
framework
29 August, 2024
Malicious activity
71f409086f2c11bc9736d54810300bd3d5ea8e35f1f8610ca164440deb828de5
havoc
backdoor
framework
TRACK THEM ALL AT
Public Submissions

Recent blog posts

post image
6 Common Persistence Mechanisms in Malware
watchers 334
comments 0
post image
Automated Interactivity: Stage 2
watchers 2192
comments 0
post image
HawkEye Malware: Technical Analysis
watchers 3159
comments 0

Contents

  • What is Havoc malware?
  • Havoc malware technical details
  • Havoc malware execution process
  • Havoc malware distribution methods
  • Gathering Threat Intelligence on Havoc Malware
  • Conclusion

Recent blog posts

post image
6 Common Persistence Mechanisms in Malware
watchers 334
comments 0
post image
Automated Interactivity: Stage 2
watchers 2192
comments 0
post image
HawkEye Malware: Technical Analysis
watchers 3159
comments 0

What is Havoc malware?

Havoc is a post-exploitation framework used by cybercriminals and penetration testers to perform a variety of attacks and gain deeper control over compromised systems. It is developed by C5pider, written in Golang, C++, and C.

First observed in 2022, it has become notable for its stealth, flexibility, and use of encrypted communications to avoid detection. The malware is used in advanced campaigns, often by threat actors conducting highly targeted attacks.

It has been linked to attacks targeting corporate networks, critical infrastructure, and government entities.

Key technical details include its ability to use reflective DLL injection and direct memory manipulation to execute payloads. It maintains persistence on compromised systems through registry modifications and scheduled tasks, while its communication with command-and-control (C2) servers is highly encrypted

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Havoc malware technical details

Havoc malware has several powerful and dangerous capabilities, making it a significant post-exploitation tool. Some of its primary technical features include:

  • Uses reflective DLL injection to inject its payloads directly into the memory of a process without writing to disk, minimizing the risk of detection.
  • Can perform direct memory manipulation to execute malicious code.
  • Supports multiple communication channels (HTTP/HTTPS, DNS, SMB), all encrypted using TLS, making it difficult to intercept and analyze its traffic.
  • Includes a shellcode loader, capable of disabling Event Tracing for Windows (ETW) and performing system reconnaissance.
  • Can establish persistence using methods such as registry modifications, scheduled tasks, and service creation.
  • Allows operators to upload, download, and manipulate files remotely, which is a key post-exploitation feature for attackers.

Havoc operates primarily as an open-source framework and is typically distributed through phishing campaigns or malicious downloads. Its advanced features include payload generation, encryption (using algorithms like AES and RSA), process injection techniques, and multiple communication channels (HTTP, HTTPS, DNS, and SMB).

Havoc malware execution process

To see how Havoc operates, let’s upload a Havoc sample to the ANY.RUN sandbox.

After executing the sample in the sandbox, the first thing that stands out is the red label in the upper right corner of the screen. This label provides a quick way to determine whether the activity is malicious. In our case, it’s highlighted in red, confirming that the behavior is indeed malicious.

Havoc in ANY.RUN sandbox Analysis of Havoc in the ANY.RUN sandbox

The ANY.RUN sandbox provides a Suricata rule flagging Havoc’s suspicious network activity, which is further evidence of its malicious behavior.

Havoc Suricatain ANY.RUN Malicious network activity detected by Suricata IDS in the ANY.RUN sandbox

The Havoc framework establishes a Command and Control (C2) channel using encrypted protocols such as HTTPS and SMB to evade detection. Its modular architecture allows for functionalities like privilege escalation, lateral movement, and data exfiltration. The core agent, "Demon," written in C and Assembly, uses techniques like indirect syscalls for Nt* APIs, x64 return address spoofing, and sleep obfuscation to bypass defenses.

Havoc offers capabilities such as:

  • Stagers: Lightweight payloads that establish a foothold.
  • Shellcode injectors: Inject shellcode into remote processes, allowing execution without disk traces.
  • Reflective DLL loaders: Bypass traditional antivirus by loading DLLs directly into memory.
  • Custom plugins: Support for credential harvesting, keylogging, and system information gathering.

It supports execution with Beacon Object Files (BOFs), enabling direct memory interaction, and can execute commands using cmd.exe and powershell.exe and is capable of deploying additional payloads to infected systems. Havoc employs advanced evasion techniques, such as process injection and anti-VM/sandbox checks.

For persistence, Havoc can modify system settings, create scheduled tasks, or alter startup configurations, ensuring continued control over compromised systems.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Havoc malware distribution methods

Havoc malware is distributed through a variety of methods that are commonly seen in advanced cyber threats:

  • Phishing emails: Havoc can be delivered via phishing campaigns, where malicious attachments or links are included in seemingly legitimate emails. These attachments often contain malicious macros or scripts that launch the malware once opened by the victim.
  • Malicious downloads: Attackers may trick users into downloading Havoc through fake software updates, cracked software, or malicious files hosted on compromised websites. These files may appear harmless but execute the malware when run.
  • Exploitation of vulnerabilities: Havoc can be deployed by exploiting known software vulnerabilities in operating systems or third-party applications, allowing attackers to gain access to systems remotely.
  • Malvertising: Havoc could be spread via malicious advertisements that redirect users to compromised or malicious websites where the malware is downloaded.

Gathering Threat Intelligence on Havoc Malware

To collect the latest intelligence on Havoc malware, utilize Threat Intelligence Lookup.

This service allows you to access a vast database with insights from millions of malware analysis sessions in the ANY.RUN sandbox. You can customize your search using over 40 different parameters, such as IP addresses, file names, command line artifacts, and process indicators, to find relevant details on Havoc and its behavior.

Havoc in TI Lookup ANY.RUN Search results for Havoc in Threat Intelligence Lookup

For example, by searching for Havoc's threat name (threatName:"Havoc"), you can uncover related samples and sandbox analysis results. This helps security professionals stay up to date on malware's evolution and techniques.

Start exploring these capabilities with a 14-day free trial of Threat Intelligence Lookup, alongside the ANY.RUN sandbox for deep, real-time analysis.

Conclusion

Havoc poses a significant threat due to its advanced evasion techniques, process manipulation, and ability to execute malicious payloads, making it highly dangerous for businesses. To protect against such threats, it’s important to carry out proactive malware analysis of suspicious files and URLs.

ANY.RUN provides real-time threat detection, allowing users to explore malware behavior, gather detailed reports on malware, such as Havoc.

Sign up for a free ANY.RUN account today and start analyzing threats in real-time!

HAVE A LOOK AT

AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
DarkGate screenshot
DarkGate
darkgate
DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
Bluesky Ransomware screenshot
Bluesky Ransomware
bluesky
BlueSky ransomware, first identified in June 2022, shares code similarities with other well-known ransomware families like Conti and Babuk. It primarily spreads via phishing emails and malicious links and can propagate through networks using SMB protocols. BlueSky uses advanced evasion techniques, such as hiding its processes from debuggers via the NtSetInformationThread API, making it difficult for analysts to detect and mitigate its attacks.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More