The next step involves fetching and executing a Python script from the same SharePoint location that serves as a shellcode loader for KaynLdr, a reflective loader written in C and ASM that’s capable of launching an embedded DLL, in this the Havoc Demon agent on the infected host.

“The threat actor uses Havoc in conjunction with the MicrosoQ Graph API to conceal C2 communication within well-known services,” Fortinet said, adding the framework supports features to gather information, perform file operations, as well as carry out command and payload execution, token manipulation, and Kerberos attacks.

The development comes as Malwarebytes revealed that threat actors are continuing to exploit a known loophole in Google Ads policies to target PayPal customers with bogus ads served via advertiser accounts that may have been compromised.