Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations

Threat hunters have called attention to a new campaign as part of which bad actors masqueraded as fake IT support to deliver the Havoc command-and-control C2 framework as a precursor to data exfiltration or ransomware attack. The intrusions, identified by Huntress last month across five partner...

CVE-2024-41570

An Unauthenticated Server-Side Request Forgery SSRF in demon callback handling in Havoc 2 0.7 allows attackers to send arbitrary network traffic originating from the team server...

Tomiris wreaks Havoc: New tools and techniques of the APT group

While tracking the activities of the Tomiris threat actor, we identified new malicious operations that began in early 2025. These attacks targeted foreign ministries, intergovernmental organizations, and government entities, demonstrating a focus on high-value political and diplomatic...

ZTaint-Havoc: from Havoc Mode to Zero-Execution Fuzzing-Driven Taint Inference

Fuzzing is a widely used technique for discovering software vulnerabilities, but identifying hot bytes that influence program behavior remains challenging. Traditional taint analysis can track such bytes white-box, but suffers from scalability issue. Fuzzing-Driven Taint Inference FTI offers a...

Exploit for Server-Side Request Forgery in Havocframework Havoc

Havoc-C2-SSRF-to-RCE This is a modified version of the CVE-202...

Exploit for Server-Side Request Forgery in Havocframework Havoc

Havoc-C2-RCE CVE-2024-41570 This is a Chained RCE CVE-2024-...

Loki: a new private agent for the popular Mythic framework

In July 2024, we discovered the previously unknown Loki backdoor, which was used in a series of targeted attacks. By analyzing the malicious file and open sources, we determined that Loki is a private version of an agent for the open-source Mythic framework. One of the agent's decrypted strings O...

Malware Attackers Using MacroPack to Deliver Havoc, Brute Ratel, and PhantomCore

Threat actors are likely employing a tool designated for red teaming exercises to serve malware, according to new findings from Cisco Talos. The program in question is a payload generation framework called MacroPack, which is used to generate Office documents, Visual Basic scripts, Windows...

Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads

Cisco Talos recently discovered several related Microsoft Office documents uploaded to VirusTotal by various actors between May and July 2024 that were all generated by a version of a payload generator framework called "MacroPack." MacroPack is a framework designated for Red Team exercises, but w...

CVE-2024-41570

An Unauthenticated Server-Side Request Forgery SSRF in demon callback handling in Havoc 2 0.7 allows attackers to send arbitrary network traffic originating from the team server...

CVE-2024-41570

An Unauthenticated Server-Side Request Forgery SSRF in demon callback handling in Havoc 2 0.7 allows attackers to send arbitrary network traffic originating from the team server...

PT-2024-29448 · Havoc · Havoc

The affected software is Havoc 2, specifically version 0.7. This version is affected by an Unauthenticated Server-Side Request Forgery SSRF issue in demon callback handling, allowing attackers to send arbitrary network traffic from the team server, potentially leading to Remote Code Execution RCE...

CVE-2024-41570

An Unauthenticated Server-Side Request Forgery SSRF in demon callback handling in Havoc 2 0.7 allows attackers to send arbitrary network traffic originating from the team server...

CVE-2024-41570

CVE-2024-41570 describes an unauthenticated SSRF in Havoc 2 (team server) demon callback handling, enabling attackers to cause arbitrary network traffic to be emitted from the Havoc team server. Connected sources confirm visible exploit PoCs and chained RCE narratives in Havoc C2-related reposito...

Exploit for Heap-based Buffer Overflow in Microsoft

Firebeam CVE-2024-26229 plugin A small firebeam kaine's risc...

Havoc C2 0.7 Server-Side Request Forgery

Exploit Title: Havoc C2 0.7 Unauthenticated SSRF Date: 2024-07-13 Exploit Author: @chebuya Software Link: https://github.com/HavocFramework/Havoc Version: v0.7 Tested on: Ubuntu 20.04 LTS CVE: ? Description: This exploit works by spoofing a demon agent registration and checkins to open a TCP sock...

Exploit for Server-Side Request Forgery in Havocframework Havoc

CVE-2024-41570: Havoc-C2-SSRF-poc This vulnerability is exploi...

BIT-REDASH-2020-12725

Havoc Research discovered an authenticated Server-Side Request Forgery SSRF via the "JSON" data source of Redash open-source 8.0.0 and prior. Possibly, other connectors are affected. The SSRF is potent and provides a lot of flexibility in terms of being able to craft HTTP requests e.g., by adding...

DllNotificationInjection - A POC Of A New "Threadless" Process Injection Technique That Works By Utilizing The Concept Of DLL Notification Callbacks In Local And Remote Processes

DllNotificationInection is a POC of a new “threadless” process injection technique that works by utilizing the concept of DLL Notification Callbacks in local and remote processes. An accompanying blog post with more details is available here: https://shorsec.io/blog/dll-notification-injection/ Ho...

Researchers Uncover Grayling APT's Ongoing Attack Campaign Across Industries

A previously undocumented threat actor of unknown provenance has been linked to a number of attacks targeting organizations in the manufacturing, IT, and biomedical sectors in Taiwan. The Symantec Threat Hunter Team, part of Broadcom, attributed the attacks to an advanced persistent threat APT it...