{ "id": "26eec98a-5180-4852-9f8e-7b6a447e0a9a", "created_at": "2026-04-06T03:37:59.948833Z", "updated_at": "2026-04-10T03:32:50.062169Z", "deleted_at": null, "sha1_hash": "22fd1b7a25724aeb2ead2ba7307e9713bad8cf9a", "title": "Havex", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 97585, "plain_text": "Havex\r\nBy Contributors to Wikimedia projects\r\nPublished: 2018-04-14 ยท Archived: 2026-04-06 02:58:24 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nHavex\r\nMalware details\r\nTechnical name\r\nBKDR_HAVEX.[letter] (Trend Micro)\r\nBackdoor:Win32/Havex.[letter] Microsoft\r\nBackdoor:W32/Havex (F-Secure)\r\nAlias Oldrea\r\nType RAT\r\nAuthor Energetic Bear\r\nTechnical details\r\nPlatforms Windows, Linux, iOS, Android\r\nPorts used 44818, 105 and 502\r\nWritten in PHP\r\nHavex malware, also known as Backdoor.Oldrea, is a Remote Access Trojan (RAT) employed by the Russian\r\nattributed APT group \"Energetic Bear\" or \"Dragonfly\".[1][2] Havex was discovered in 2013 and is one of five\r\nknown ICS tailored malware developed in the past decade. These malwares include Stuxnet, BlackEnergy,\r\nIndustroyer/CRASHOVERRIDE, and TRITON/TRISIS.\r\n[3]\r\n Energetic Bear began utilizing Havex in a widespread\r\nespionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors.[1] The\r\ncampaign targeted victims primarily in the United States and Europe.[2]\r\nThe Havex malware was discovered by cybersecurity researchers at F-Secure and Symantec and reported by ICS-CERT utilizing information from both of these firms in 2013.[4][5]\r\n The ICS-CERT Alert reported analyzing a new\r\nmalware campaign targeting ICS equipment via several attack vectors and using OPC to conduct reconnaissance\r\non industrial equipment on the target network.[2]\r\nThe Havex malware has two primary components: A RAT and a C\u0026C server written in PHP.\r\n[4]\r\n Havex also\r\nincludes an OPC (Open Platform Communications) scanning module used to search for industrial devices on a\r\nhttps://en.wikipedia.org/wiki/Havex\r\nPage 1 of 3\n\nnetwork.[2]\r\n The OPC scanning module was designed to scan for TCP devices operating on ports 44818, 105 and\r\n502.[6] Researchers at SANS noted these ports are common to ICS/SCADA companies such as Siemens and\r\nRockwell Automation.[6] By abusing the OPC protocol, Havex mapped industrial networks once inside victim\r\nsystems.[7] Researchers note the OPC scanning module only operated on the older DCOM-based (Distributed\r\nComponent Object Model) OPC standard and not the more recent OPC Unified Architecture (UA).[2] Havex joins\r\nthe category of ICS tailored malware because it is written to conduct information gathering on these specific\r\nsystems. Havex also exploited supply chain and watering-hole attacks on ICS vendor websites in addition to spear\r\nphishing campaigns to gain access to victim systems.[5][6] The watering-hole and supply chain attacks were\r\ntwofold in methodology. In the first method, victims were redirected from legitimate vendor websites to corrupted\r\npages containing the Havex malware.[1] In the second method, the attackers compromised vulnerable vendor\r\nwebsites and corrupted legitimate software to inject the Havex RAT. Users would then unknowingly download the\r\nmalware when downloading otherwise legitimate software from vendor websites.[6] This method allowed the\r\nmalware to bypass traditional security measure because software was downloaded by users with authorization to\r\ninstall programs onto the network. Known compromised vendors were MESA Imaging, eWON/Talk2M, and MB\r\nConnect Line.[8] While the attack vectors were aimed at business networks, the lack of robust airgaps in many ICS\r\nenvironments could allow malware like Havex to jump easily from business networks to industrial networks and\r\ninfect ICS/SCADA equipment. Havex, like other backdoor malwares, also allows for the injection of other\r\nmalicious code onto victim devices. Specifically, Havex was often used to inject the Karagany payload onto\r\ncompromised devices. Karagany could steal credentials, take screenshots, and transfer files to and from Dragonfly\r\nC\u0026C servers.[6]\r\nAffected Regions \u0026 Victims\r\n[edit]\r\nThe Dragonfly group utilized Havex malware in an espionage campaign against energy, aviation. pharmaceutical,\r\ndefense, and petrochemical victims in primarily the United States and Europe.[1] Cybersecurity researchers at\r\nDragos estimated the campaign targeted over 2,000 sites in these regions and sectors.[9] Researchers at Symantec\r\nobserved Havex malware began seeking energy infrastructure targets after initially targeting US and Canadian\r\ndefense and aviation sectors.[10] Through the discovery process, researchers examined 146 C\u0026C servers\r\nassociated with the Havex campaign and 88 variants of the malware.[11]\r\nWebsite Redirect Injection\r\n[edit]\r\nHavex infected systems via watering hole attacks redirecting users to malicious websites.[1] Corrupted websites in\r\nthis campaign used the LightsOut and Hello exploit kits to infect systems with the Havex and Karagany trojans.\r\n[10]\r\n The LightsOut exploit kit abused Java and browser vulnerabilities to deliver the Havex and Karagany\r\npayloads.[10] The Hello exploit kit is an updated version of the LightsOut exploit kit and came into use in 2013.\r\n[10]\r\n The updated Hello exploit kit uses footprinting to determine target OS versions, fonts, browser add-ons, and\r\nhttps://en.wikipedia.org/wiki/Havex\r\nPage 2 of 3\n\nother user information.[10]\r\n Once this information is gathered, the exploit kit redirects the victim to a malicious\r\nURL based on the most efficient exploits to gain access to the target.[10]\r\n1. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n \"Havex\". NJCCIC. Retrieved 2018-04-18.\r\n2. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n \"ICS Focused Malware | ICS-CERT\". ics-cert.us-cert.gov. Retrieved 2018-04-18.\r\n3. ^ \"Attackers Deploy New ICS Attack Framework \"TRITON\" and Cause Operational Disruption to Critical\r\nInfrastructure | FireEye\". Retrieved 2018-05-14.\r\n4. ^ Jump up to: a\r\n \r\nb\r\n \"ICS Focused Malware (Update A) | ICS-CERT\". ics-cert.us-cert.gov. Retrieved 2018-04-\r\n18.\r\n5. ^ Jump up to: a\r\n \r\nb\r\n \"Cyber espionage campaign based on Havex RAT hit ICS/SCADA systems\". Security\r\nAffairs. 2013-06-25. Retrieved 2018-04-18.\r\n6. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n Nelson, Nell (18 January 2016). \"The Impact of Dragonfly Malware on Industrial\r\nControl Systems\". SANS Institute.\r\n7. ^ \"CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations\" (PDF).\r\n8. ^ \"Full Disclosure of Havex Trojans - NETRESEC Blog\". Netresec. 27 October 2014. Retrieved 2018-04-\r\n15.\r\n9. ^ \"CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations\" (PDF).\r\n10. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n \r\nf\r\n \"Dragonfly: Cyberespionage Attacks Against Energy Suppliers\" (PDF). 7 July\r\n2014. Archived from the original (PDF) on August 1, 2014.\r\n11. ^ \"Attackers Using Havex RAT Against Industrial Control Systems | SecurityWeek.Com\".\r\nwww.securityweek.com. Retrieved 2018-04-18.\r\nSource: https://en.wikipedia.org/wiki/Havex\r\nhttps://en.wikipedia.org/wiki/Havex\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://en.wikipedia.org/wiki/Havex" ], "report_names": [ "Havex" ], "threat_actors": [ { "id": "649b5b3e-b16e-44db-91bc-ae80b825050e", "created_at": "2022-10-25T15:50:23.290412Z", "updated_at": "2026-04-10T02:00:05.257022Z", "deleted_at": null, "main_name": "Dragonfly", "aliases": [ "TEMP.Isotope", "DYMALLOY", "Berserk Bear", "TG-4192", "Crouching Yeti", "IRON LIBERTY", "Energetic Bear", "Ghost Blizzard" ], "source_name": "MITRE:Dragonfly", "tools": [ "MCMD", "Impacket", "CrackMapExec", "Backdoor.Oldrea", "Mimikatz", "PsExec", "Trojan.Karagany", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "1a76ed30-4daf-4817-98ae-87c667364464", "created_at": "2022-10-25T16:47:55.891029Z", "updated_at": "2026-04-10T02:00:03.646466Z", "deleted_at": null, "main_name": "IRON LIBERTY", "aliases": [ "ALLANITE ", "ATK6 ", "BROMINE ", "CASTLE ", "Crouching Yeti ", "DYMALLOY ", "Dragonfly ", "Energetic Bear / Berserk Bear ", "Ghost Blizzard ", "TEMP.Isotope ", "TG-4192 " ], "source_name": "Secureworks:IRON LIBERTY", "tools": [ "ClientX", "Ddex Loader", "Havex", "Karagany", "Loek", "MCMD", "Sysmain", "xfrost" ], "source_id": "Secureworks", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28", "created_at": "2023-01-06T13:46:38.39927Z", "updated_at": "2026-04-10T02:00:02.958273Z", "deleted_at": null, "main_name": "ENERGETIC BEAR", "aliases": [ "BERSERK BEAR", "ALLANITE", "Group 24", "Koala Team", "G0035", "ATK6", "ITG15", "DYMALLOY", "TG-4192", "Crouching Yeti", "Havex", "IRON LIBERTY", "Blue Kraken", "Ghost Blizzard" ], "source_name": "MISPGALAXY:ENERGETIC BEAR", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775446679, "ts_updated_at": 1775791970, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/22fd1b7a25724aeb2ead2ba7307e9713bad8cf9a.pdf", "text": "https://archive.orkl.eu/22fd1b7a25724aeb2ead2ba7307e9713bad8cf9a.txt", "img": "https://archive.orkl.eu/22fd1b7a25724aeb2ead2ba7307e9713bad8cf9a.jpg" } }