S1229 Havoc
Havoc is an open-source post-exploitation command and control (C2) framework first released on GitHub in October 2022 by C5pider (Paul Ungur), who continues to maintain and develop it with community contributors. Havoc provides a wide range of offensive security capabilities and has been adopted by multiple threat actors to establish and maintain control over compromised systems.
| Item | Value |
|---|---|
| ID | S1229 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 05 August 2025 |
| Last Modified | 24 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | - |
| enterprise | T1134.001 | Token Impersonation/Theft | Havoc has a module capable of token impersonation.[3] |
| enterprise | T1087 | Account Discovery | Havoc can identify privileged user accounts on infected systems.[2] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Havoc can use HTTP/S listeners to establish and maintain C2 communications.[3][1][2][4] |
| enterprise | T1071.002 | File Transfer Protocols | Havoc can use an SMB listener for C2 communication.[3][1][4] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Havoc can facilitate the execution of PowerShell commands.[4] |
| enterprise | T1059.003 | Windows Command Shell | Havoc can execute commands via cmd.exe.[3][4] |
| enterprise | T1005 | Data from Local System | Havoc can download files from the victim’s computer.[3][4] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Havoc can send an AES-encrypted check-in request to the C2 server.[1][2] |
| enterprise | T1083 | File and Directory Discovery | The Havoc interface can display a file explorer view of the compromised host.[3] |
| enterprise | T1105 | Ingress Tool Transfer | Havoc has the ability to upload files to infected systems.[3][4] |
| enterprise | T1559 | Inter-Process Communication | The Havoc SMB demon can use named pipes for communication through a parent demon.[3] |
| enterprise | T1570 | Lateral Tool Transfer | Havoc has the ability to copy files from one location to another.[3] |
| enterprise | T1106 | Native API | Havoc can use NtAllocateVirtualMemory and NtCreateThreadEx to aid process injection.[3] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.002 | Spearphishing Link | Havoc has been distributed through ClickFix phishing campaigns.[2] |
| enterprise | T1057 | Process Discovery | Havoc can enumerate processes on targeted hosts.[3][1][2] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | Havoc has DLL spawn and injection modules.[3] |
| enterprise | T1055.002 | Portable Executable Injection | Havoc has injected itself into C:\\Windows\\System32\\Werfault.exe on targeted systems.[3] |
| enterprise | T1090 | Proxy | Havoc has the ability to route HTTP/S communications through designated proxies.[3] |
| enterprise | T1018 | Remote System Discovery | Havoc features a module capable of host enumeration.[3] |
| enterprise | T1113 | Screen Capture | Havoc can capture screenshots.[3][1][4] |
| enterprise | T1082 | System Information Discovery | Havoc can gather system information including hostname, domain, and OS details.[2] |
| enterprise | T1016 | System Network Configuration Discovery | Havoc has a module for network enumeration, including determining IP addresses.[3] |
| enterprise | T1016.001 | Internet Connection Discovery | The Havoc demon can check for a connection to the C2 server from the target machine.[1] |
| enterprise | T1033 | System Owner/User Discovery | Havoc can trigger execution of whoami on the target host to display the current user.[1][2] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.004 | Malicious Copy and Paste | The Havoc infection chain has been initiated via ClickFix lures in phishing emails.[2] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.003 | Time Based Checks | The Havoc demon agent can be set to sleep for a specified time.[3][1] |
References
1. Shivtarkar, N. and Jain, S. (2023, February 14). Havoc Across the Cyberspace. Retrieved August 4, 2025.
2. Wan, Y. (2025, March 3). Havoc: SharePoint with Microsoft Graph API turns into FUD C2. Retrieved August 4, 2025.
3. Ungur, P. (n.d.). HAVOC. Retrieved August 4, 2025.
4. Immersive Content Team. (2024, April 9). Havoc C2 Framework – A Defensive Operator’s Guide. Retrieved August 13, 2025.