win.havoc

Havoc

aka: Havokiz

Havoc is an open-source post-exploitation C2 framework written by @C5pider and released publicly in autumn 2022 (the GitHub entry below is dated 2022-09-11; the first public analyses date from October 2022). The teamserver is written in Go, the operator client in C++ with Qt, and the agent, called a Demon, in C and assembly. It is built for red-team engagements and adversary emulation and is under active development. Demons communicate with the teamserver over HTTP(S) and, for pivoting between hosts, over SMB named pipes, and can be generated as an EXE, a DLL or position-independent shellcode. The Demon's evasion features target user-mode EDR sensors: sleep obfuscation (encrypting the agent's own memory while it sleeps, against memory scanners), return-address stack spoofing during sleep (against call-stack inspection) and indirect syscalls (against API hooks in ntdll). Because the source and the Demon builder are freely available, the same implants turn up in real intrusions, as the references below show.

References
2026-01-13 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update July to December 2025
Families: Coper, FluBot, Joker, Aisuru, Mirai, AsyncRAT, BianLian, Cobalt Strike, DCRat, Havoc, Latrodectus, PureLogs Stealer, Quasar RAT, Remcos, Rhadamanthys, Sliver, ValleyRAT, Venom RAT, Vidar, XWorm
2025-07-14 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update January to June 2025
Families: Coper, FluBot, Hook, Joker, Mirai, AsyncRAT, BianLian, BumbleBee, Chaos, Cobalt Strike, DanaBot, DCRat, Havoc, Latrodectus, NjRAT, Quasar RAT, RedLine Stealer, Remcos, Rhadamanthys, Sliver, ValleyRAT, WarmCookie, XWorm
2025-06-04 | Threatray | Abdallah Elshinbary, Jonas Wagner, Konstantin Klinger, Nick Attfield
The Bitter End: Unraveling Eight Years of Espionage Antics – Part Two
Families: AlmondRAT, AlmondRAT, Artra Downloader, BDarkRAT, Havoc, KiwiStealer, KugelBlitz, MiyaRAT, ORPCBackdoor, WmRAT, ZxxZ
2025-06-04 | Proofpoint | Abdallah Elshinbary, Jonas Wagner, Konstantin Klinger, Nick Attfield
The Bitter End: Unraveling Eight Years of Espionage Antics—Part One
Families: Artra Downloader, Havoc
2025-05-02 | Kroll | Dave Truman, George Glass, Marc Messer
Prelude: Crypto Heist Causes HAVOC
Families: Havoc
2025-05-01 | Fortinet | Faisal Abdul Malik Qureshi, Fred Gutierrez, Hossein Jazi, John Simmons, Mark Robson, Said Wali, Xiaopeng Zhang
FortiGuard Incident Response Team Detects Intrusion into Middle East Critical National Infrastructure
Families: Havoc
2025-03-07 | Fortinet | Faisal Abdul Malik Qureshi, Fred Gutierrez, Hossein Jazi, John Simmons, Mark Robson, Said Wali, Xiaopeng Zhang
Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure
Families: Havoc
2025-01-10 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update July to December 2024
Families: Coper, FluBot, Hook, Mirai, FAKEUPDATES, AsyncRAT, BianLian, Brute Ratel C4, Cobalt Strike, DanaBot, DCRat, Havoc, Latrodectus, NjRAT, Quasar RAT, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Stealc
2024-08-28 | Seqrite | Sathwik Ram Prakki, Subhajeet Singha
Operation Oxidový: Sophisticated Malware Campaign Targets Czech Officials Using NATO-Themed Decoys
Families: Havoc, Sliver
2024-07-09 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update January to June 2024
Families: Coper, FluBot, Hook, Bashlite, Mirai, FAKEUPDATES, AsyncRAT, BianLian, Cobalt Strike, DCRat, Havoc, NjRAT, QakBot, Quasar RAT, RedLine Stealer, Remcos, Rhadamanthys, RisePro, Sliver
2024-06-11 | Invoke RE | Josh Reynolds
Parser Script for Havoc Config
Families: Havoc
2024-04-09 | Immersive Labs | Immersive Labs
Havoc C2 Framework – A Defensive Operator’s Guide
Families: Havoc
2024-01-25 | JSAC 2024 | Masafumi Takeda, Tomoya Furukawa
Threat Intelligence of Abused Public Post-Exploitation Frameworks
Families: AsyncRAT, DCRat, Empire Downloader, GRUNT, Havoc, Koadic, Merlin, PoshC2, Quasar RAT, Sliver
2024-01-12 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q4 2023
Families: FluBot, Hook, FAKEUPDATES, AsyncRAT, BianLian, Cobalt Strike, DCRat, Havoc, IcedID, Lumma Stealer, Meterpreter, NjRAT, Pikabot, QakBot, Quasar RAT, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver
2023-10-12 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
Families: FluBot, AsyncRAT, Ave Maria, Cobalt Strike, DCRat, Havoc, IcedID, ISFB, Nanocore RAT, NjRAT, QakBot, Quasar RAT, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Stealc, Tofsee, Vidar
2023-10-10 | Symantec | Threat Hunter Team
Grayling: Previously Unseen Threat Actor Targets Multiple Organizations in Taiwan
Families: Cobalt Strike, Havoc, MimiKatz, Grayling
2023-07-21 | Checkmarx | Tzachi Zornstein
First Known Targeted OSS Supply Chain Attacks Against the Banking Sector
Families: Havoc
2023-07-11 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2023
Families: Hydra, AsyncRAT, Aurora Stealer, Ave Maria, BumbleBee, Cobalt Strike, DCRat, Havoc, IcedID, ISFB, NjRAT, QakBot, Quasar RAT, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Tofsee
2023-02-14 | Zscaler | Niraj Shivtarkar, Shatak Jain
Havoc Across the Cyberspace
Families: Havoc
2022-10-11 | Twitter (@embee_research) | Embee_research, Huntress Labs
Tweet on Havoc C2 - Static Detection Via Ntdll API Hashes
Families: Havoc
2022-10-05 | 4pfsec | 4pfsec
Havoc C2: First look
Families: Havoc
2022-10-04 | YouTube (John Hammond) | John Hammond
HAVOC C2 - Demon Bypasses Windows 11 Defender
Families: Havoc
2022-09-11 | Github (HavocFramework) | C5pider
Havoc
Families: Havoc
Yara Rules
[TLP:WHITE] win_havoc_auto (20251219 | Detects win.havoc.)
rule win_havoc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.havoc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // The disassembly comments below decode each sequence as x86-64 (the
        // sequences carry REX prefixes, so they were taken from the 64-bit Demon).
        $sequence_0 = { 7512 31c0 80bc245e01000001 0f94c0 }
            // n = 4, score = 800
            //   7512                 | jne                 +0x12
            //   31c0                 | xor                 eax, eax
            //   80bc245e01000001     | cmp                 byte ptr [rsp + 0x15e], 1
            //   0f94c0               | sete                al

        $sequence_1 = { 4489c0 4501c0 c0e807 4531cf 448a4afe }
            // n = 5, score = 800
            //   4489c0               | mov                 eax, r8d
            //   4501c0               | add                 r8d, r8d
            //   c0e807               | shr                 al, 7
            //   4531cf               | xor                 r15d, r9d
            //   448a4afe             | mov                 r9b, byte ptr [rdx - 2]

        $sequence_2 = { 884c2439 8a4c243a 8844243a 8a442436 884c2432 8a4c243e 8844243e }
            // n = 7, score = 800
            //   884c2439             | mov                 byte ptr [rsp + 0x39], cl
            //   8a4c243a             | mov                 cl, byte ptr [rsp + 0x3a]
            //   8844243a             | mov                 byte ptr [rsp + 0x3a], al
            //   8a442436             | mov                 al, byte ptr [rsp + 0x36]
            //   884c2432             | mov                 byte ptr [rsp + 0x32], cl
            //   8a4c243e             | mov                 cl, byte ptr [rsp + 0x3e]
            //   8844243e             | mov                 byte ptr [rsp + 0x3e], al

        $sequence_3 = { 4154 55 89cd b940000000 }
            // n = 4, score = 800
            //   4154                 | push                r12
            //   55                   | push                rbp
            //   89cd                 | mov                 ebp, ecx
            //   b940000000           | mov                 ecx, 0x40

        $sequence_4 = { 83f902 7512 31c0 80bc245e01000001 0f94c0 }
            // n = 5, score = 800
            //   83f902               | cmp                 ecx, 2
            //   7512                 | jne                 +0x12
            //   31c0                 | xor                 eax, eax
            //   80bc245e01000001     | cmp                 byte ptr [rsp + 0x15e], 1
            //   0f94c0               | sete                al

        $sequence_5 = { 488b01 ff5018 85c0 75e2 488b0b }
            // n = 5, score = 800
            //   488b01               | mov                 rax, qword ptr [rcx]
            //   ff5018               | call                qword ptr [rax + 0x18]
            //   85c0                 | test                eax, eax
            //   75e2                 | jne                 -0x1e
            //   488b0b               | mov                 rcx, qword ptr [rbx]

        $sequence_6 = { 4889cb 4883ec78 4885c9 7507 31c0 e9???????? 4889d1 }
            // n = 7, score = 800
            //   4889cb               | mov                 rbx, rcx
            //   4883ec78             | sub                 rsp, 0x78
            //   4885c9               | test                rcx, rcx
            //   7507                 | jne                 +7
            //   31c0                 | xor                 eax, eax
            //   e9????????           | jmp                 rel32
            //   4889d1               | mov                 rcx, rdx

        $sequence_7 = { 4883ec20 e8???????? 488b06 488b5608 488983f0000000 488993f8000000 488d65f0 }
            // n = 7, score = 800
            //   4883ec20             | sub                 rsp, 0x20
            //   e8????????           | call                rel32
            //   488b06               | mov                 rax, qword ptr [rsi]
            //   488b5608             | mov                 rdx, qword ptr [rsi + 8]
            //   488983f0000000       | mov                 qword ptr [rbx + 0xf0], rax
            //   488993f8000000       | mov                 qword ptr [rbx + 0xf8], rdx
            //   488d65f0             | lea                 rsp, [rbp - 0x10]

        $sequence_8 = { 4989d0 31d2 4c898c2488000000 498b0424 4c8d8c2480000000 4c894c2438 4c894c2428 }
            // n = 7, score = 800
            //   4989d0               | mov                 r8, rdx
            //   31d2                 | xor                 edx, edx
            //   4c898c2488000000     | mov                 qword ptr [rsp + 0x88], r9
            //   498b0424             | mov                 rax, qword ptr [r12]
            //   4c8d8c2480000000     | lea                 r9, [rsp + 0x80]
            //   4c894c2438           | mov                 qword ptr [rsp + 0x38], r9
            //   4c894c2428           | mov                 qword ptr [rsp + 0x28], r9

        $sequence_9 = { 7407 488b442428 eb1b 488b06 4883c9ff }
            // n = 5, score = 800
            //   7407                 | je                  +7
            //   488b442428           | mov                 rax, qword ptr [rsp + 0x28]
            //   eb1b                 | jmp                 +0x1b
            //   488b06               | mov                 rax, qword ptr [rsi]
            //   4883c9ff             | or                  rcx, 0xffffffffffffffff

    condition:
        7 of them and filesize < 164864
}
[TLP:WHITE] win_havoc_w0   (20221012 | No description)
rule win_havoc_w0 {
    // Detects ntdll API hashes used in Havoc C2 Demon payloads.
    // Each string is the little-endian encoding of a 32-bit DJB2-style hash
    // (seed 0x1505, multiplier 0x21); win_havoc_w1 matches the loop that
    // produces them.

    meta:
        author = "embee_research @ HuntressLabs"
        vendor = "Huntress Research"
        date = "2022/10/11"
        source = "https://raw.githubusercontent.com/embee-research/Yara/main/HavocDemons.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc"
        malpedia_rule_date = "20221012"
        malpedia_hash = ""
        malpedia_version = "20221012"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Module and API hashes as stored in the binary (little-endian DWORDs).
        // The comment gives the hash value and the name it resolves to.
        $nt_hash1  = {53 17 e6 70} // 0x70e61753 == ntdll.dll (module name)
        $nt_hash2  = {43 6a 45 9e} // 0x9e456a43 == LdrLoadDll
        $nt_hash3  = {ec b8 83 f7} // 0xf783b8ec == NtAllocateVirtualMemory
        $nt_hash4  = {88 28 e9 50} // 0x50e92888 == NtProtectVirtualMemory

        $nt_hash5  = {f6 99 5a 2e} // 0x2e5a99f6 == LdrGetProcedureAddress
        $nt_hash6  = {da 81 b3 c0} // 0xc0b381da == RtlAllocateHeap (the original rule labelled this NtAllocateHeap; ntdll exports no such function)
        $nt_hash7  = {d7 71 ba 70} // 0x70ba71d7 == RtlFreeHeap
        $nt_hash8  = {88 2b 49 8e} // 0x8e492b88 == RtlExitUserThread
        $nt_hash9  = {ef f0 a1 3a} // 0x3aa1f0ef == RtlExitUserProcess
        $nt_hash10 = {f5 39 34 7c} // 0x7c3439f5 == RtlRandomEx
        $nt_hash11 = {70 f2 ab 35} // 0x35abf270 == RtlNtStatusToDosError
        $nt_hash12 = {1d aa a3 3c} // 0x3ca3aa1d == RtlGetVersion
        $nt_hash13 = {11 b2 8f f7} // 0xf78fb211 == RtlCreateTimerQueue
        $nt_hash14 = {4c 7c de a5} // 0xa5de7c4c == RtlCreateTimer
        $nt_hash15 = {90 fe 61 95} // 0x9561fe90 == RtlDeleteTimerQueue
        $nt_hash16 = {d0 ee 33 77} // 0x7733eed0 == RtlCaptureContext
        $nt_hash17 = {a9 af 4b 55} // 0x554bafa9 == RtlAddVectoredExceptionHandler
        $nt_hash18 = {0e 21 0c 88} // 0x880c210e == RtlRemoveVectoredExceptionHandler
        $nt_hash19 = {3d 13 8e 8b} // 0x8b8e133d == NtClose
        $nt_hash20 = {7d 74 58 ca} // 0xca58747d == ZwCreateEvent

    condition:
        // File-start check: 0x5a4d is "MZ" (a PE); 0x00e8 is shellcode that
        // opens with an E8 call; 0x4856 is shellcode that opens with 56 48
        // (push rsi followed by a REX.W-prefixed instruction).
        // Leave as "3 of them" for more robust (but compute-expensive) searching;
        // each string is only four bytes, so a lower threshold invites false positives.
        (3 of them) and (uint16(0) == 0x5a4d or uint16(0) == 0x00e8 or uint16(0) == 0x4856)
}
[TLP:WHITE] win_havoc_w1   (20221012 | No description)
rule win_havoc_w1 {
    // Detects the hashing routine used in Havoc C2: a DJB2 loop
    // (h = h * 0x21 + c, seed 0x1505) over the API or module name.

    meta:
        author = "embee_research @ HuntressLabs"
        vendor = "Huntress Research"
        date = "2022/10/11"
        source = "https://raw.githubusercontent.com/embee-research/Yara/main/HavocDemonDJB2.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc"
        malpedia_rule_date = "20221012"
        malpedia_hash = ""
        malpedia_version = "20221012"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Hashing routine of the Demon DLL (case-sensitive):
        //   mov eax, 0x1505 ; movsx edx, byte ptr [rcx] ; inc rcx ; test dl, dl ; je done
        //   imul eax, eax, 0x21 ; add eax, edx ; jmp loop
        $dll = {b8 05 15 00 00 0f be 11 48 ff c1 84 d2 74 07 6b c0 21 01 d0 eb ef}

        // Hashing routine of the shellcode loader; it upper-cases each byte
        // above 0x60 before folding it in:
        //   cmp r8b, 0x60 ; jbe skip ; sub r8d, 0x20 ; imul eax, eax, 0x21
        //   movzx r8d, r8b ; inc r9 ; add eax, r8d ; jmp loop
        $shellcode = {41 80 f8 60 76 04 41 83 e8 20 6b c0 21 45 0f b6 c0 49 ff c1 44 01 c0 eb c4}

    condition:
        // File-start check: 0x5a4d is "MZ" (a PE); 0x00e8 is shellcode that
        // opens with an E8 call; 0x4856 is shellcode that opens with 56 48
        // (push rsi followed by a REX.W-prefixed instruction).
        // Leave as "any of them" for more robust (but compute-expensive) searching.
        (any of them) and (uint16(0) == 0x5a4d or uint16(0) == 0x00e8 or uint16(0) == 0x4856)
}
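The two Huntress rules above search for the hash constants (win_havoc_w0) and for the loop that produces them (win_havoc_w1). The Python below is an added example written for this page, not code from Havoc or from the rules' author: it reimplements the loop from the byte sequences in win_havoc_w1 (seed 0x1505, multiplier 0x21, with and without the shellcode variant's upper-casing), recomputes several of win_havoc_w0's constants from the API names so you can see which variant each constant comes from, and applies win_havoc_w0's condition to a constructed byte blob. `havoc_hash_bounded`, the length-bounded UTF-16 variant used for the module name, is my reconstruction and is justified only by the fact that it reproduces the rule's ntdll.dll constant; treat its null-skip behaviour as an assumption about the implant, not as a quote of its source. The sample blob is constructed, not real Demon bytes.

```python
"""Havoc-style API hashing, reimplemented for this page (not Havoc's own code).

win_havoc_w1's byte sequences encode a DJB2 loop: seed 0x1505 (5381),
h = h * 0x21 + c, and the shellcode variant upper-cases bytes above 0x60.
win_havoc_w0's strings are such hashes stored as little-endian DWORDs.
"""

HASH_SEED = 0x1505   # mov eax, 0x1505 in the $dll sequence
HASH_MULT = 0x21     # imul eax, eax, 0x21 in both sequences
MASK32 = 0xFFFFFFFF


def havoc_hash(name: bytes, upper: bool = False) -> int:
    """Null-terminated DJB2 as in the $dll sequence (case-sensitive by default).

    upper=True mirrors the $shellcode sequence (cmp r8b, 0x60 / jbe / sub r8d, 0x20):
    every byte above 0x60 has 0x20 subtracted, which upper-cases a-z.
    """
    h = HASH_SEED
    for c in name:
        if c == 0:
            break
        if upper and c > 0x60:
            c -= 0x20
        h = (h * HASH_MULT + c) & MASK32
    return h


def havoc_hash_bounded(buf: bytes, length: int, upper: bool = True) -> int:
    """Length-bounded variant for a UTF-16 name such as PEB BaseDllName.

    Assumption (reconstruction, not copied from Havoc): a zero byte makes the loop
    advance the pointer one extra step, but the zero is still folded into the hash.
    Over a UTF-16 name only the first character and the interleaved zeros therefore
    contribute; that is exactly what reproduces the rule's 0x70e61753 for ntdll.dll.
    """
    h = HASH_SEED
    i = 0
    while i < length:
        c = buf[i]
        if c == 0:
            i += 1                      # skip over the null ...
        elif upper and c > 0x60:
            c -= 0x20
        h = (h * HASH_MULT + c) & MASK32   # ... but the 0 is still hashed
        i += 1
    return h


def yara_bytes(h: int) -> str:
    """Render a hash the way win_havoc_w0 stores it: little-endian hex bytes."""
    return " ".join(f"{b:02x}" for b in h.to_bytes(4, "little"))


# Subset of win_havoc_w0's constants, keyed by the name each one resolves.
RULE_HASHES = {
    "ntdll.dll": 0x70E61753,
    "LdrLoadDll": 0x9E456A43,
    "NtAllocateVirtualMemory": 0xF783B8EC,
    "NtProtectVirtualMemory": 0x50E92888,
    "RtlAllocateHeap": 0xC0B381DA,
    "RtlGetVersion": 0x3CA3AA1D,
    "NtClose": 0x8B8E133D,
}


def check_rule_constants() -> dict:
    """Recompute some of the rule's constants from the names.

    The Nt*/Rtl* constants come from the plain ($dll) loop, the Ldr constant from
    the upper-casing ($shellcode) loop, and the module constant from the bounded
    UTF-16 loop; mixing the variants up gives a different DWORD.
    """
    ntdll_wide = "ntdll.dll".encode("utf-16-le")   # lower-case, as in the PEB (constructed)
    return {
        "ntdll.dll": havoc_hash_bounded(ntdll_wide, len(ntdll_wide)),
        "LdrLoadDll": havoc_hash(b"LdrLoadDll", upper=True),
        "NtClose": havoc_hash(b"NtClose"),
        "RtlGetVersion": havoc_hash(b"RtlGetVersion"),
        "RtlAllocateHeap": havoc_hash(b"RtlAllocateHeap"),
    }


def find_rule_hashes(blob: bytes) -> list:
    """Names whose little-endian hash DWORD occurs in blob (what the rule's strings test)."""
    return [n for n, h in RULE_HASHES.items() if h.to_bytes(4, "little") in blob]


def matches_w0(blob: bytes) -> bool:
    """win_havoc_w0's condition: at least three hashes and an MZ / E8 00 / 56 48 start."""
    return len(find_rule_hashes(blob)) >= 3 and blob[:2] in (b"MZ", b"\xe8\x00", b"VH")


def sample_blob() -> bytes:
    """Constructed stand-in for a shellcode sample (not real Havoc bytes): a call $+5
    stub, some filler, and three hash constants embedded as mov immediates."""
    def imm(h): return h.to_bytes(4, "little")
    return (b"\xe8\x00\x00\x00\x00"                     # call $+5, so uint16(0) == 0x00e8
            + b"\x48\x83\xec\x20" + b"\xb9" + imm(RULE_HASHES["ntdll.dll"])
            + b"\x90" * 7 + b"\xba" + imm(RULE_HASHES["LdrLoadDll"])
            + b"\x48\x31\xc0" + b"\xb9" + imm(RULE_HASHES["NtAllocateVirtualMemory"])
            + b"\xc3")


if __name__ == "__main__":
    for name, h in check_rule_constants().items():
        print(f"{name:16s} 0x{h:08x}  {{{yara_bytes(h)}}}  rule: 0x{RULE_HASHES[name]:08x}")
    print("sample matches w0:", matches_w0(sample_blob()), find_rule_hashes(sample_blob()))
```

Running it prints each recomputed hash beside the rule's value. Two practical consequences fall out: the Ldr and Nt/Rtl constants are produced by different loops (upper-cased versus case-sensitive), so when you extend the hash table for a new Demon build you have to compute each name with the variant the implant actually uses; and because each string is only a four-byte DWORD, keep the file-start check and the "3 of them" threshold rather than loosening them, or hunt for the loop itself with win_havoc_w1 and confirm with the constants.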