{"id":207745,"date":"2025-03-04T03:22:58","date_gmt":"2025-03-04T09:22:58","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2025\/03\/hackers-use-clickfix-trick-to-deploy-powershell-based-havoc-c2-via-sharepoint-sites"},"modified":"2025-03-04T03:22:58","modified_gmt":"2025-03-04T09:22:58","slug":"hackers-use-clickfix-trick-to-deploy-powershell-based-havoc-c2-via-sharepoint-sites","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2025\/03\/hackers-use-clickfix-trick-to-deploy-powershell-based-havoc-c2-via-sharepoint-sites","title":{"rendered":"Hackers Use ClickFix Trick to Deploy PowerShell-Based Havoc C2 via SharePoint Sites"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/hackers-use-clickfix-trick-to-deploy-powershell-based-havoc-c2-via-sharepoint-sites2.jpg\"><\/a><\/p>\n<p>The next step involves fetching and executing a Python script from the same SharePoint location that serves as a shellcode loader for <a href=\"https:\/\/github.com\/Cracked5pider\/KaynLdr\" rel=\"noopener\" target=\"_blank\">KaynLdr<\/a>, a reflective loader written in C and ASM that\u2019s capable of launching an embedded DLL, in this case the <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/malware-disguised-as-document-ukraine-energoatom-delivers-havoc-demon-backdoor\" rel=\"noopener\" target=\"_blank\">Havoc Demon agent<\/a>, on the infected host.<\/p>\n<p>\u201cThe threat actor uses Havoc in conjunction with the Microsoft Graph API to conceal C2 communication within well-known services,\u201d Fortinet said, adding that the framework supports features to gather information, perform file operations, as well as carry out command and payload execution, token manipulation, and Kerberos attacks.<\/p>\n<p>The development comes as Malwarebytes revealed that threat actors are <a href=\"https:\/\/thehackernews.com\/2025\/01\/google-ads-users-targeted-in.html\" rel=\"noopener\" target=\"_blank\">continuing to exploit a known loophole<\/a> in Google Ads policies to target PayPal customers with bogus ads served via advertiser accounts that may have been compromised.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The next step involves fetching and executing a Python script from the same SharePoint location that serves as a shellcode loader for KaynLdr, a reflective loader written in C and ASM that\u2019s capable of launching an embedded DLL, in this case the Havoc Demon agent, on the infected host. \u201cThe threat actor uses Havoc in conjunction [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"class_list":["post-207745","post","type-post","status-publish","format-standard","hentry","category-futurism"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/207745","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=207745"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/207745\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=207745"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=207745"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=207745"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}