Find notable cyber news and cases, enriched with sources, timelines, and signals.

Havoc Demon payload deployment and persistence operation

Malware Activity
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

A fake IT support operation is deploying Havoc Demon payloads to preserve access across compromised endpoints and support likely data exfiltration or ransomware follow-on activity. The intrusion chain relies on email spam, phone-based social engineering, and remote-access tools such as Quick Assist and AnyDesk to win initial access. Operators then use legitimate binaries and DLL sideloading to launch the payload, hide activity, and maintain persistence with Level RMM and XEOX backups. The rapid spread across machines increases the risk of broader compromise and makes remediation harder.

Related Happenings

Mistic backdoor attack activity targeting enterprise sectors since April

Malware Activity
H score33 First: 24.06.2026 13:41 Last: 24.06.2026 13:41 Sources 1

About this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against **insurance, education, IT, and professional services** organizations, giving operators a stealt...

Operation Dragon Weave cyber-espionage campaign

Campaign
H score37 First: 01.06.2026 14:54 Last: 01.06.2026 14:54 Sources 1

About this happening: The **Operation Dragon Weave** campaign is actively targeting **officials and citizens in the Czech Republic and Taiwan** with **spear-phishing ZIP attachments**. The infection ch...

Microsoft Defender for Endpoint automatic endpoint isolation preview

Security Tool/Service
H score10 First: 26.05.2026 15:19 Last: 26.05.2026 15:19 Sources 1

About this happening: Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...

Godzilla (BLUEBEAM) web shell and Cobalt Strike deployment via KnowledgeDeliver exploitation

Malware Activity
H score39 First: 26.05.2026 08:19 Last: 26.05.2026 08:19 Sources 1

About this happening: The **Godzilla (BLUEBEAM)** web shell is now being used after **CVE-2026-5426** exploitation to run commands and stage **Cobalt Strike Beacon**, giving attackers a durable foothol...

ModeloRAT malicious PowerShell and Dropbox delivery activity

Malware Activity
H score16 First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...

Timeline

  1. 03.03.2026 19:15 2 articles · 4mo ago

    Fake IT support campaign deploys Havoc C2

    Initial Disclosure

    Huntress identified a fake IT support campaign in which bad actors used email spam and phone calls to trick victims into Quick Assist sessions or AnyDesk installs, then led them to a counterfeit Microsoft page hosted on Amazon Web Services (AWS) that harvested credentials and triggered DLL sideloading. The intrusion chain deployed Havoc command-and-control (C2) via custom Havoc Demon payloads, legitimate binaries such as ADNotificationManager.exe, DLPUserAgent.exe, and Werfault.exe, and at least one obfuscated DLL named vcruntime140_1.dll that used control flow obfuscation, timing-based delay loops, Hell's Gate, and Halo's Gate to evade endpoint detection and response (EDR) defenses. In one organization, the actors moved from initial access to nine additional endpoints over eleven hours and used Level RMM and XEOX on some hosts as backup persistence, suggesting preparation for data exfiltration, ransomware, or both.

    Show sources