C2 Havoc: A Command and Control Framework
Havoc is primarily a command and control (C2) framework rather than a Remote Access Trojan (RAT).
It is used to manage compromised systems during an operation: the framework is about coordinating and directing the activity of hosts that are already compromised, not about compromising them in the first place.
Havoc is noted in particular for its post-exploitation capabilities: once initial access has been gained, it lets an operator control systems, execute commands and move laterally within the network.
A RAT, by contrast, is a piece of malware that provides backdoor access to a single system so that an attacker can control it remotely. RATs are typically delivered during initial access and then used for persistent control, offering features such as keylogging, file manipulation and camera/microphone capture.
That is, a C2 framework such as Havoc is the operator-side infrastructure (a teamserver, an operator client, listeners and an agent builder) for commanding, controlling and communicating with compromised systems, while a RAT is the implant running on the victim. The line is blurrier than it sounds, because the agent Havoc generates (the Demon) is itself a full-featured implant, but the framework is what the operator runs and extends.
Havoc is well regarded for its comprehensive feature set and is widely used in penetration tests and red team engagements. It has also been increasingly adopted by threat actors as a free alternative to paid C2 frameworks such as Cobalt Strike and Brute Ratel, cracked copies of which circulate on underground forums.
At the time of the reports cited below, the framework was described as able to bypass a fully updated Windows 11 Defender through evasion techniques built into the Demon agent, such as indirect syscalls and sleep obfuscation. Indirect syscalls invoke Nt* functions by jumping to the `syscall` instruction inside ntdll rather than executing one from the agent's own memory, so user-mode hooks placed on ntdll exports are skipped and the call stack still appears to originate from ntdll. Sleep obfuscation (Havoc offers the Ekko and Foliage techniques) encrypts the agent's memory and drops its page protections while it sleeps between check-ins, so memory scanners that run during that window see no readable implant code. Claims of this kind are point-in-time: default builds of any widely used open-source agent are quickly signatured, so in practice the evasion comes from how the operator customises the agent, not from the tool as shipped.
The framework is actively maintained, with new evasion and post-exploitation features added as defensive tooling changes.
Known Havoc C2 Attacks
In early January 2023, Zscaler's ThreatLabz observed a new campaign that reportedly targeted an unnamed government organization. The attack deployed the Havoc Demon agent, the implant generated by the Havoc framework.
The framework has also been deployed via a malicious npm package named ‘Aabquerys’, a typosquat of a legitimate module. Once installed, the package kicked off a three-stage process that ended with the Demon implant being retrieved.
In these attacks the Demon payload was noted for its evasive techniques. For instance, it was loaded without its DOS and NT headers, so a memory scan finds no MZ/PE signature at the start of the mapped image, and it resolved the virtual addresses of the NT APIs it needed with a modified DJB2 hash over export names, so none of those API names appear as strings in the implant.
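The hash-based API resolution mentioned above, shown from both sides as an added example (this is not Havoc's code, nor code from the Zscaler report). The implant side carries only a 32-bit hash per API, walks the export names of ntdll and keeps the one whose hash matches; the analyst side precomputes hashes of candidate API names so that hashes pulled from a sample can be mapped back to names. The page does not give the constants of Havoc's modified DJB2, so the classic DJB2 values (seed 5381, multiplier 33) are used, and the "modified" seed 0x1337 is a hypothetical stand-in that only shows how an analyst tests alternative parameters. The export table is a constructed fake with made-up addresses.

```python
"""Hash-based API resolution and its analyst-side inverse.

Added example, not Havoc's code. The classic DJB2 constants are used;
HYPOTHETICAL_MOD_SEED is an assumption standing in for whatever modified
constants a real sample might use.
"""
from typing import Dict, Iterable, List, Optional, Tuple

DJB2_SEED = 5381
DJB2_MULT = 33
HYPOTHETICAL_MOD_SEED = 0x1337  # assumption, not Havoc's real constant
MASK32 = 0xFFFFFFFF


def djb2(name: bytes, seed: int = DJB2_SEED, mult: int = DJB2_MULT) -> int:
    """DJB2: h = h * mult + c for each byte, truncated to 32 bits like a C uint32_t."""
    h = seed
    for c in name:
        h = (h * mult + c) & MASK32
    return h


# Constructed stand-in for an ntdll export directory: name -> fake address.
FAKE_NTDLL_EXPORTS: Dict[bytes, int] = {
    b"NtAllocateVirtualMemory": 0x7FFA00011000,
    b"NtProtectVirtualMemory": 0x7FFA00012000,
    b"NtWriteVirtualMemory": 0x7FFA00013000,
    b"NtCreateThreadEx": 0x7FFA00014000,
    b"NtOpenProcess": 0x7FFA00015000,
    b"NtClose": 0x7FFA00016000,
}


def implant_resolve(exports: Dict[bytes, int], wanted: int,
                    seed: int = DJB2_SEED, mult: int = DJB2_MULT) -> Optional[int]:
    """Implant side: the binary holds only `wanted`, never the API string.
    Walk the export names, hash each one and return the address of the match."""
    for name, addr in exports.items():
        if djb2(name, seed, mult) == wanted:
            return addr
    return None


def build_reverse_table(names: Iterable[bytes], seed: int = DJB2_SEED,
                        mult: int = DJB2_MULT) -> Dict[int, bytes]:
    """Analyst side: precompute hash -> name for a list of candidate API names."""
    return {djb2(n, seed, mult): n for n in names}


def resolve_hashes(observed: List[int], candidates: Iterable[bytes],
                   params: Iterable[Tuple[int, int]] = ((DJB2_SEED, DJB2_MULT),)
                   ) -> Optional[Tuple[Tuple[int, int], Dict[int, bytes]]]:
    """Try each (seed, mult) pair until one explains every observed hash.
    Returns ((seed, mult), {hash: name}) for the first fit, or None."""
    candidates = list(candidates)
    for seed, mult in params:
        table = build_reverse_table(candidates, seed, mult)
        if all(h in table for h in observed):
            return (seed, mult), {h: table[h] for h in observed}
    return None


if __name__ == "__main__":
    # Implant view: resolve NtOpenProcess from its hash alone.
    h = djb2(b"NtOpenProcess")
    addr = implant_resolve(FAKE_NTDLL_EXPORTS, h)
    print(f"NtOpenProcess hash=0x{h:08x} -> address 0x{addr:x}")

    # Analyst view: hashes lifted from a sample built with the hypothetical modified seed.
    sample_hashes = [djb2(n, HYPOTHETICAL_MOD_SEED)
                     for n in (b"NtAllocateVirtualMemory", b"NtCreateThreadEx")]
    print("classic DJB2 only:", resolve_hashes(sample_hashes, FAKE_NTDLL_EXPORTS))
    print("with modified seed:", resolve_hashes(
        sample_hashes, FAKE_NTDLL_EXPORTS,
        params=[(DJB2_SEED, DJB2_MULT), (HYPOTHETICAL_MOD_SEED, DJB2_MULT)]))
```

In real analysis the candidate list would be the full export table of ntdll.dll (and kernel32.dll) rather than six names, and the parameter list would hold the seed and multiplier variants recovered from the sample's hashing routine; when no pair explains every hash, the routine has been modified in a way a seed change alone does not capture and the hash function itself needs to be lifted from the disassembly.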