
Havoc Demon payload deployment and persistence operation

Malware Activity
Happening score: 16
1 unique source, 1 article

Summary


A fake IT support operation is deploying Havoc Demon payloads to preserve access across compromised endpoints and to support likely follow-on data exfiltration or ransomware activity. The intrusion chain relies on email spam, phone-based social engineering, and remote-access tools such as Quick Assist and AnyDesk to gain initial access. Operators then use legitimate binaries and DLL sideloading to launch the payload and hide activity, and maintain persistence with Level RMM and XEOX as backup access mechanisms. The rapid spread across machines increases the risk of broader compromise and makes remediation harder.

Related Happenings

Microsoft Defender for Endpoint automatic endpoint isolation preview

Security Tool/Service
First: 26.05.2026 15:19 Last: 26.05.2026 15:19 Sources 1

About this happening: Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...

Godzilla (BLUEBEAM) web shell and Cobalt Strike deployment via KnowledgeDeliver exploitation

Malware Activity
First: 26.05.2026 08:19 Last: 26.05.2026 08:19 Sources 1

About this happening: The **Godzilla (BLUEBEAM)** web shell is now being used after **CVE-2026-5426** exploitation to run commands and stage **Cobalt Strike Beacon**, giving attackers a durable foothol...

ModeloRAT malicious PowerShell and Dropbox delivery activity

Malware Activity
First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...

Deed RAT and TernDoor multi-wave deployment

Malware Activity
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: A **multi-wave malware deployment** delivered **Deed RAT (Snappybee)** and **TernDoor** into an **Azerbaijani oil and gas company** across **three waves**, creating repeated footh...

Hugging Face shared-loader supply chain campaign

Campaign
First: 11.05.2026 10:05 Last: 11.05.2026 10:05 Sources 1

About this happening: A **Hugging Face** repository cluster appears to be part of a **broader supply chain campaign** that used **shared loaders** to push a stealer through open-source model downloads....

Timeline

  1. 03.03.2026 19:15, 2 articles

    Fake IT support campaign deploys Havoc C2

    Initial Disclosure

    Huntress identified a fake IT support campaign in which bad actors used email spam and phone calls to trick victims into Quick Assist sessions or AnyDesk installs, then led them to a counterfeit Microsoft page hosted on Amazon Web Services (AWS) that harvested credentials and triggered DLL sideloading. The intrusion chain deployed Havoc command-and-control (C2) via custom Havoc Demon payloads, legitimate binaries such as ADNotificationManager.exe, DLPUserAgent.exe, and Werfault.exe, and at least one obfuscated DLL named vcruntime140_1.dll that used control flow obfuscation, timing-based delay loops, Hell's Gate, and Halo's Gate to evade endpoint detection and response (EDR) defenses. In one organization, the actors moved from initial access to nine additional endpoints over eleven hours and used Level RMM and XEOX on some hosts as backup persistence, suggesting preparation for data exfiltration, ransomware, or both.
