Havoc

Malware description

⚠️ Overview

Havoc is a modern, open-source command-and-control (C2) framework first publicly released in June 2022 by the developer known as C5pider on GitHub. It is categorized as a post-exploitation and reconnaissance tool, similar to Cobalt Strike, and is actively used by advanced persistent threat (APT) groups including Lazarus (APT38) and TA444 (also tracked as UNC2165) according to reports from Mandiant and SentinelOne. The framework is written primarily in Go and C, with a Python-based interface, and is designed to evade detection while providing extensive remote access capabilities.

🔧 Technical Capabilities

Havoc supports multiple C2 protocols including HTTP, HTTPS, SMB, and raw TCP, and it leverages direct syscalls and indirect syscalls to bypass user-mode API hooking by security products. The agent (called the "demon") uses process injection via techniques like process hollowing and thread hijacking, and it can dynamically resolve system calls using hellsjng’s HellsGate and HalosGate techniques. Persistence is achieved through scheduled tasks, registry run keys, or WMI event subscriptions. Havoc also implements encrypted C2 communication using a custom encryption scheme based on AES-128 in CTR mode and CRC32 checksums, and it can spoof network traffic to mimic legitimate SSL/TLS sessions. The framework includes built-in modules for keylogging, screen capture, file exfiltration, Kerberos ticket manipulation (DPAPI), and privilege escalation via UAC bypass and token theft, as detailed in MITRE ATT&CK techniques T1055 (Process Injection), T1059 (Command and Scripting Interpreter), and T1574 (Hijack Execution Flow).

📜 History & Notable Incidents

Havoc was first observed in the wild in July 2022, shortly after its source code was published, and Mandiant’s 2023 report identified UNC2165 using Havoc in campaigns targeting telecommunications and technology sectors. In August 2023, CrowdStrike attributed a series of intrusions against cryptocurrency exchanges to Lazarus Group using Havoc as a secondary C2 after initial access via ProxyShell exploits (CVE-2021-31207, CVE-2021-34473). The framework has been linked to at least five distinct threat clusters across North America and Asia, according to a 2024 joint advisory by CISA and the FBI.

🔍 Detection Indicators

Network indicators include C2 traffic to unusual high ports (e.g., 8443, 8888) carrying HTTP POST requests whose bodies are base64-encoded blobs, together with the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" (with non‑standard spacing). File‑based IOCs include a mutex named Havoc or {8A5C3D9E-1F2B-4C6D-8E7F-9A0B1C2D3E4F} created by the agent, and registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value svchost.dll or runtimebroker.exe. Behavioral signatures include rundll32.exe or regsvr32.exe being spawned from non‑standard parent processes.

☠️ Risk & Impact

Havoc enables threat actors to perform full remote control of compromised systems, leading to data exfiltration of sensitive intellectual property, credentials, and financial records. In campaigns by Lazarus Group, losses exceeded $200 million in cryptocurrency theft where Havoc was used as a pivot point to access cold‑wallet systems. The primary affected sectors are telecommunications, financial services, and technology, with secondary impacts on energy and government entities, as documented in CISA’s #StopRansomware guidance.

🛡️ Mitigation

Defenders should enable advanced endpoint detection and response (EDR) rules that monitor for direct syscall sequences, implement network‑based detection of the specific User‑Agent string and high‑port POST patterns, and apply patches for ProxyShell and other initial access vectors. Blocking known Havoc C2 IP addresses published in feeds from CrowdStrike and Mandiant, and requiring signed script execution via AppLocker or WDAC, significantly reduces risk.
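The following is an added example (not code from this page, the Havoc project or any vendor feed) showing how the indicators from the Detection Indicators section and the User‑Agent/high‑port detection advice above could be turned into a small triage script. The event field names, the sample events and the allow‑list of parents that normally launch rundll32.exe/regsvr32.exe are assumptions and must be tuned to the environment; the User‑Agent, ports, mutex names and Run‑key values are the ones quoted on this page.

```python
import base64
import binascii
import re

# Indicators quoted from the page's Detection Indicators section.
HAVOC_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
)
HIGH_PORTS = {8443, 8888}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"svchost.dll", "runtimebroker.exe"}
MUTEXES = {"Havoc", "{8A5C3D9E-1F2B-4C6D-8E7F-9A0B1C2D3E4F}"}
LOLBINS = {"rundll32.exe", "regsvr32.exe"}
# Assumed baseline of parents that legitimately launch those binaries in a given
# environment; this allow-list is an assumption, not something the page provides.
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe", "services.exe", "msiexec.exe"}

_WS = re.compile(r"\s+")
_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_base64(body: str, min_len: int = 16) -> bool:
    """True if the body is a plausible base64 blob: alphabet, padding and decodable."""
    if len(body) < min_len or len(body) % 4 or not _B64.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error:
        return False
    return True


def check_http(event: dict) -> list:
    """Reasons an HTTP proxy event matches the beacon profile (empty list if none)."""
    reasons = []
    ua = event.get("user_agent", "")
    # Collapse whitespace so the non-standard spacing still matches the canonical UA,
    # then record the spacing anomaly itself as its own indicator.
    ua_hit = _WS.sub(" ", ua).strip() == HAVOC_USER_AGENT
    spacing_hit = ua_hit and ua != HAVOC_USER_AGENT
    post_hit = event.get("method") == "POST" and event.get("dport") in HIGH_PORTS
    if ua_hit:
        reasons.append("havoc user-agent")
    if spacing_hit:
        reasons.append("non-standard spacing in user-agent")
    if post_hit:
        reasons.append("POST to high port %s" % event["dport"])
        if looks_base64(event.get("body", "")):
            reasons.append("base64 body")
    # Require the UA plus either the spacing anomaly or the POST pattern, so plain
    # Chrome 103 traffic on its own does not fire.
    return reasons if ua_hit and (spacing_hit or post_hit) else []


def check_process(event: dict) -> list:
    image, parent = event.get("image", "").lower(), event.get("parent", "").lower()
    if image in LOLBINS and parent not in EXPECTED_PARENTS:
        return ["%s spawned by unexpected parent %s" % (image, parent)]
    return []


def check_registry(event: dict) -> list:
    key, value = event.get("key", ""), event.get("value", "")
    if key.lower() == RUN_KEY.lower() and value.lower() in RUN_VALUES:
        return ["Run key value %s" % value]
    return []


def check_mutex(event: dict) -> list:
    name = event.get("mutex", "").split("\\")[-1]  # drop a Global\ or Local\ prefix
    return ["known mutex %s" % name] if name in MUTEXES else []


def scan(http_events, process_events, registry_events, mutex_events) -> list:
    """Run every check over its event stream and return the alerts raised."""
    alerts = []
    for kind, events, check in (("http", http_events, check_http),
                                ("process", process_events, check_process),
                                ("registry", registry_events, check_registry),
                                ("mutex", mutex_events, check_mutex)):
        for ev in events:
            reasons = check(ev)
            if reasons:
                alerts.append({"kind": kind, "event": ev, "reasons": reasons})
    return alerts


# Constructed sample events (not real captures); the first HTTP event has a doubled
# space in the User-Agent to exercise the spacing check.
SAMPLE_HTTP = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 8443, "method": "POST",
     "user_agent": HAVOC_USER_AGENT.replace("x64) ", "x64)  "),
     "body": base64.b64encode(b"constructed beacon payload 12345").decode()},
    {"src": "10.0.0.9", "dst": "198.51.100.2", "dport": 443, "method": "GET",
     "user_agent": HAVOC_USER_AGENT, "body": ""},
    {"src": "10.0.0.9", "dst": "198.51.100.3", "dport": 8888, "method": "POST",
     "user_agent": "curl/8.0", "body": "abc"},
]
SAMPLE_PROCESS = [{"image": "rundll32.exe", "parent": "winword.exe"},
                  {"image": "regsvr32.exe", "parent": "explorer.exe"}]
SAMPLE_REGISTRY = [{"key": RUN_KEY, "value": "svchost.dll"},
                   {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "value": "OneDrive"}]
SAMPLE_MUTEX = [{"mutex": "Global\\Havoc"}, {"mutex": "Global\\SomeInstaller"}]

if __name__ == "__main__":
    for alert in scan(SAMPLE_HTTP, SAMPLE_PROCESS, SAMPLE_REGISTRY, SAMPLE_MUTEX):
        print(alert["kind"], "->", "; ".join(alert["reasons"]))
```

The HTTP check deliberately requires the User‑Agent match to be combined with either the spacing anomaly or a base64 POST to a listed port; the User‑Agent on its own is a stock Chrome 103 string and would otherwise flood a SOC with benign browser traffic. The parent‑process allow‑list is where most tuning effort goes in practice.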


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.