Havoc

Havoc is an open-source C2 framework by C5pider. It can build agents in multiple formats: Windows PE executables, PE DLLs and shellcode. Its modular design lets operators customize payloads for multiple purposes, making it a Swiss army knife for operations.

Key Insights

Havoc is very modular: you can load and execute multiple plugins and commands for specific tasks. This flexibility allows the framework to be adapted to different environments and purposes, making it more effective in post-exploitation.

Evasion

The framework has advanced evasion techniques, such as indirect system calls and sleep obfuscation, to bypass AV and EDR. These make it hard for traditional security tools to detect and block Havoc.

Protocols

Havoc uses encrypted channels (HTTPS and SMB) for communication between compromised systems and the command server. This encrypted traffic hides the malicious activity from network monitoring tools that inspect content, so timing and volume patterns are often what remains to hunt on.

Known Variants

Havoc is still in development: its functionality is evolving, and operators can create custom agents and plugins for different attack scenarios. Variants may differ based on the plugins and configuration the attacker uses.

Mitigation Strategies

  • Perform threat hunting and continuous network monitoring to detect anomalies.

  • Deploy EDR to detect and block suspicious activity.

  • Perform regular penetration testing and vulnerability assessments to find and fix security weaknesses.

  • Keep all software and systems updated with the latest security patches to reduce the attack surface.
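The Protocols section notes that Havoc's HTTPS traffic is opaque to content inspection, and the first mitigation above asks for continuous network monitoring to detect anomalies. The following is an added example (not Havoc's code, nor taken from this page) of one such anomaly check: a beacon-interval hunt over proxy logs. An agent that sleeps between check-ins produces requests to the same destination at nearly constant intervals, even when sleep jitter is applied, so the coefficient of variation of the gaps stays small while ordinary browsing is bursty. The log format, IP addresses, hostnames and request counts are all constructed for the demonstration.

```python
"""Beacon-interval hunt over constructed HTTPS proxy logs.

Added example, not Havoc's code: groups requests by (client, destination),
computes the gaps between consecutive requests, and flags pairs whose gaps
are both frequent and nearly constant. Log format and hostnames are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_log():
    """Constructed log lines: '<ISO timestamp> <client_ip> <dest_host> <bytes>'.

    One client checks in roughly every 60 s with about 10% jitter (what a
    sleeping agent looks like); a second client browses in bursts.
    """
    lines = []
    t = datetime(2024, 1, 1, 9, 0, 0)
    beacon_gaps = [60, 57, 63, 58, 61, 60, 64, 56, 60, 59]  # seconds, constructed
    for gap in beacon_gaps:
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.5 cdn-update.example 412")

    t = datetime(2024, 1, 1, 9, 0, 0)
    normal_gaps = [1, 0, 2, 30, 400, 3, 1, 900, 5, 2]  # bursty browsing, constructed
    for gap in normal_gaps:
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.7 news.example 18220")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, client, destination, bytes)."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_beacons(lines, min_requests=8, max_cv=0.15):
    """Return {(client, destination): stats} for pairs that look like beaconing.

    A pair is flagged when it has at least `min_requests` requests and the
    coefficient of variation (stdev / mean) of the inter-request gaps is at
    most `max_cv`. Thresholds are assumptions to be tuned per environment.
    """
    groups = defaultdict(list)
    for line in lines:
        ts, src, dst, _ = parse_line(line)
        groups[(src, dst)].append(ts)

    findings = {}
    for key, stamps in groups.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[key] = {
                "requests": len(stamps),
                "mean_gap": round(avg, 1),
                "cv": round(cv, 3),
            }
    return findings


if __name__ == "__main__":
    for (client, dest), stats in find_beacons(build_sample_log()).items():
        print(f"possible beacon: {client} -> {dest} {stats}")
```

The check deliberately ignores request bodies and TLS content; it works on timestamps alone, which is exactly what an encrypted channel leaves visible. In production the same logic runs over real proxy or NetFlow exports, and the `min_requests` and `max_cv` thresholds need tuning against a baseline of legitimate periodic traffic (update checks, telemetry) before alerts are actionable.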

Targeted Industries or Sectors

Havoc has been used against enterprises with valuable intellectual property or critical infrastructure. It is a threat to any sector, depending on the attacker's purpose.

Associated Threat Actors

The operators are unknown, but Havoc is used in targeted attacks, probably by APT groups or sophisticated cybercriminals abusing its features for malicious ends.