{
	"id": "faa8d4b9-09d2-4d6f-aee6-e17b2ca2fdc7",
	"created_at": "2026-04-06T00:19:27.742747Z",
	"updated_at": "2026-04-10T03:36:07.182097Z",
	"deleted_at": null,
	"sha1_hash": "ed4271ba549c36b21245109b4f6c10dbb4df729d",
	"title": "Havoc C2: First look",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1668382,
	"plain_text": "Havoc C2: First look\r\nBy Nee\r\nPublished: 2022-10-05 · Archived: 2026-04-05 21:27:27 UTC\r\nHavoc is a modern and malleable post-exploitation command and control framework, created by @C5pider. I first came into contact with Havoc C2 in April 2022 when it was still a private tool under development. C5pider went on Flangvik's stream to discuss development in general and demoed this awesome tool. Back in May it was announced that Havoc would be released in about 3-5 months, and here we are!\r\nI'm going to deploy this into my infra and play around with it in this post! I've been wanting to test out the Sleep Obfuscation implementation in the Demon for a while now.\r\nSidenote: You'll notice a lot of similarities between Havoc and Cobalt Strike, and that's not necessarily a downside IMO!\r\nPrerequisites\r\nDebian-Based Host (C2 Server)\r\nDebian-Based Host (C2 Client)\r\nTarget Host (Windows 7/10/11)\r\nSetup \u0026 Installation (C2 Server)\r\nInstallation\r\nPrerequisite Packages\r\n┌──(nee㉿4pfsec)-[~]\r\n└─$ sudo apt install -y git build-essential apt-utils cmake libfontconfig1 libglu1-mesa-dev libgtest-dev libsp\r\nhttps://4pfsec.com/havoc-c2-first-look/\r\nPage 1 of 15\r\nSetting up the bookworm repo for Python 3.10.\r\n┌──(nee㉿4pfsec)-[~]\r\n└─$ echo 'deb http://ftp.de.debian.org/debian bookworm main' \u003e\u003e /etc/apt/sources.list\r\nsudo apt update\r\nsudo apt\r\nSetup\r\nGit Clone\r\n┌──(nee㉿4pfsec)-[~]\r\n└─$ git clone https://github.com/HavocFramework/Havoc.git\r\nBuilding the Client\r\ncd Havoc/Client\r\nmkdir Build\r\ncd Build\r\ncmake ..\r\ncd ..\r\n./Install.sh\r\nBuilding the Teamserver\r\ncd Havoc/Teamserver\r\ngo mod download golang.org/x/sys\r\ngo mod download github.com/ugorji/go\r\n┌──(nee㉿4pfsec)-[~/Havoc/Teamserver]\r\n└─$ ./teamserver\r\nWith that, Havoc is installed and ready to go!\r\nHavoc Framework\r\nThe C2 consists of 2 main parts: the client and the teamserver. Let's start off with the Teamserver.\r\nTeamserver\r\nThe teamserver allows us to specify a profile or use the default one. The profile allows us to edit the configs in the following domains:\r\nTeamserver\r\nOperator\r\nListener\r\nService\r\nPayload\r\nThe default profile is located at Havoc/Teamserver/profiles\r\nRunning the teamserver with a profile\r\n┌──(nee㉿4pfsec)-[~/Havoc/Teamserver]\r\n└─$ ./teamserver server --profile profiles/havoc.yaotl\r\nClient\r\nRunning the Client\r\n┌──(kali㉿kali)-[~]\r\n└─$ Havoc/Client/Havoc\r\nConnecting to the teamserver\r\nName\r\nC2 Host\r\nC2 port\r\nC2 User:Password\r\nAnd we're in! The Dracula theme on the client looks really good. Let's check out some of the functionalities!\r\nConfiguring Listeners\r\nView-\u003eListeners-\u003eAdd\r\nLet's configure our listener and point the host to c2.4pfsec.com. This is the domain proxied through Cloudflare.\r\nGenerating Payload (UNDETECTED BY Windows Defender)\r\nAs of writing, the payload is not detected by Microsoft Defender. (05/10/22)\r\nAttack-\u003ePayload-\u003eGenerate\r\nCallback to C2 (UNDETECTED BY Windows Defender)\r\nAs of writing, the callback method is not picked up by Microsoft Defender. (05/10/22)\r\nNow that we have our payload, let's deliver and execute it. [You're free to use any delivery method]\r\nI simply hosted an SMB share and transferred the payload to the target. As shown in the demo below, I was able to get a callback from a fully patched Windows 11 Pro machine using the generated payload.\r\nInteracting with Target\r\nThere's a whole list of commands that you're able to run on the target once it calls back to your C2. The target will poll the C2 for jobs based on the sleep duration given during payload generation.\r\nshell\r\nYou're able to run shell commands directly on the target with the help of Havoc\r\n\u003e\u003e\u003e shell [command]\r\nScreenshot\r\nThe screenshot command takes a snapshot of the target's desktop and sends it back to the C2.\r\n\u003e\u003e\u003e screenshot\r\nSeen on Host\r\nSeen on C2\r\nThese were just some of the post-exploitation features offered by Havoc.\r\nHavoc looks to have great potential and I hope to continue this series by exploring the C2 in-depth real soon!\r\nSource: https://4pfsec.com/havoc-c2-first-look/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://4pfsec.com/havoc-c2-first-look/"
	],
	"report_names": [
		"havoc-c2-first-look"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8386d4af-5cca-40bb-91d7-aca5d1a0ec99",
			"created_at": "2022-10-25T16:07:23.414558Z",
			"updated_at": "2026-04-10T02:00:04.588816Z",
			"deleted_at": null,
			"main_name": "Bookworm",
			"aliases": [],
			"source_name": "ETDA:Bookworm",
			"tools": [
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Scieron",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434767,
	"ts_updated_at": 1775792167,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed4271ba549c36b21245109b4f6c10dbb4df729d.pdf",
		"text": "https://archive.orkl.eu/ed4271ba549c36b21245109b4f6c10dbb4df729d.txt",
		"img": "https://archive.orkl.eu/ed4271ba549c36b21245109b4f6c10dbb4df729d.jpg"
	}
}