Skip to content
Malware family LinuxmacOSWindows

Havoc

Havoc is an open-source post-exploitation command-and-control framework used by red teams and widely repurposed by threat actors in real intrusions.

Profile source: Mallory opens in a new tab

Havoc

Family profile

Havoc is an open-source post-exploitation command-and-control framework used by red teams and widely repurposed by threat actors in real intrusions. Its primary implant, commonly referred to as Demon, is used after initial compromise to provide interactive access, tasking, and follow-on operations on victim systems. Havoc has been observed in espionage, hacktivist, financially motivated, and opportunistic campaigns, including activity linked to Chinese state-directed operations, pro-Ukrainian hacktivist clusters, and low-skill criminal operators.

Observed tradecraft shows Havoc commonly deployed through multi-stage in-memory chains involving script-based stagers, PowerShell loaders, reflective PE loading, and shellcode execution, often without writing the final implant to disk. It has also been launched through DLL sideloading, malicious shortcut-based phishing chains, web-shell-assisted deployment on already compromised servers, and loader frameworks such as Donut-style reflective loaders. In some campaigns, Havoc was installed from archives or side-loaded via trusted signed binaries to reduce detection.

Once active, Havoc supports post-exploitation functions such as remote command execution, reconnaissance, credential and session follow-on activity through operator tasking, file transfer, and broader intrusion enablement. Reporting also associates Havoc deployments with screen monitoring and attempts to compromise additional systems in the network. Operators have used Havoc alongside scheduled-task persistence, process injection, and defense-evasion techniques including in-memory execution, encrypted or externalized configuration, indirect API resolution, and other anti-analysis measures inherited or reused by related tooling.

Havoc is primarily associated with Windows intrusions, where Demon implants and loaders are most frequently documented, but it is also referenced as part of macOS and Linux operator tradecraft and as HTTP-based C2 infrastructure on Linux servers. It has been used against enterprises, government entities, healthcare, aviation, public service organizations, and small businesses. Because Havoc is openly available and increasingly common in intrusion sets, its presence generally indicates an active post-compromise operation rather than a uniquely attributable actor.

Capabilities

  • Credential Theft
  • Defense Evasion
  • Dll Sideloading
  • Exfiltration
  • Keylogging
  • Lateral Movement
  • Persistence
  • Post Exploitation
  • Privilege Escalation
  • Process Injection
  • Reconnaissance

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 12, 2026
Last activity
Jul 19, 2026
Feed role
C2
Host form
19 IP / 0 hostnames

Leading locations

  • US8
  • SG2
  • AR1
  • CH1
  • DE1
  • FR1
  • GB1
  • HK1
  • IT1
  • LU1
  • RO1

Leading providers

  • DigitalOcean, LLC4
  • Microsoft Corporation3
  • Alibaba (US) Technology Co., Ltd.2
  • Dattatec.com1
  • FlokiNET ehf1
  • Ghosty Networks LLC1

Infrastructure traits

  • Hosting 17
  • Proxy 1

Samples

Recent associated samples

Reported operators

Threat actors

19 named in public reporting
GOLD ENCOUNTER

The group has also used a DLL sideloading technique to launch the Havoc C2 post-exploitation framework, and establishes an SSH backdoor via AdaptixC2 or OpenSSH.

TeamPCP

Havoc C2 for post-exploitation tasks like pivoting through compromised hosts into internal networks, privilege escalation, and maintaining stealth

Amaranth-Dragon

The TrueChaos campaign has been found to weaponize this flaw in the update mechanism to likely deploy the open-source Havoc command-and-control (C2) framework to vulnerable endpoints.

Fox Kitten

The group uses a combination of living-off-the-land tools (like ligolo, socat, proxychains) and post-exploitation frameworks (like Havoc, MeshCentral, and custom C2 binaries) across Linux and cloud systems.

FIN7

What once ended with a $300 gift card purchase now ends with a modified Havoc C2 framework burrowed into your environment... deploying a mix of custom Havoc Demon payloads...

KTA440

"...used to execute the Havoc command-and-control (C2) framework."

BRONZE BUTLER

The attack is also characterized by the deployment of the Havoc post-exploitation framework on select systems...

APT32

OceanLotus: TahirSec has published a report on a recent OceanLotus (APT32) phishing campaign that drops Havoc payloads.

Bitter

KugelBlitz, a shellcode loader that's used to deploy the Havoc C2 framework

APT41

The final payload deployed as part of the attack is the open-source command-and-control (C2 or C&C) framework known as Havoc.

Hydra Saiga

Lastly, some operators started experimenting with the Havoc C2 framework in March 2025, to supplement their tooling.

Molerats

"...downloads and executes an additional payload, most commonly Havoc."

ShadowSyndicate

ShadowSyndicate continues to be associated with toolkits including Cobalt Strike, Metasploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent, and Brute Ratel.

TGR-STA-1030

“The primary C2 frameworks observed were Cobalt Strike, VShell, Havoc, Sliver, and SparkRat.”

Transparent Tribe

"Pakistani hackers used vibeware as a 'hybrid' fallback for well-known tools such as the open-source Havoc framework for command and control..."

Black Basta

Nearly half a dozen organizations have been targeted with the Havoc command-and-control framework for subsequent data theft or ransomware compromise in a new IT support scam campaign.

SloppyLemming

This evolution includes the use of the Rust programming language, a departure from previous reliance on traditional compiled languages and frameworks like Cobalt Strike and Havoc.

Fishing Elephant

"...borrowed adversary simulation frameworks such as Cobalt Strike, Havoc..." and "...components associated with the Havoc post-exploitation C2 framework... Havoc shellcode payload..."

Outrider Tiger

"...borrowed adversary simulation frameworks such as Cobalt Strike, Havoc..." and "...components associated with the Havoc post-exploitation C2 framework... Havoc shellcode payload..."

Exploited software

Vulnerabilities linked to Havoc

3 CVEs

MITRE ATT&CK

Havoc in ATT&CK

74 distinct techniques

Techniques

74 techniques
T1071 Application Layer Protocol T1595 Active Scanning T1590 Gather Victim Network Information T1105 Ingress Tool Transfer T1190 Exploit Public-Facing Application T1055 Process Injection T1053.005 Scheduled Task T1059.001 PowerShell T1548.002 Bypass User Account Control T1598 Phishing for Information T1027 Obfuscated Files or Information T1620 Reflective Code Loading T1068 Exploitation for Privilege Escalation T1574.001 DLL T1543.001 Launch Agent T1059.005 Visual Basic T1133 External Remote Services T1018 Remote System Discovery T1505.003 Web Shell T1021.002 SMB/Windows Admin Shares T1218.011 Rundll32 T1059.003 Windows Command Shell T1036 Masquerading T1047 Windows Management Instrumentation T1518.001 Security Software Discovery T1041 Exfiltration Over C2 Channel T1090 Proxy T1027.013 Encrypted/Encoded File T1140 Deobfuscate/Decode Files or Information T1036.001 Invalid Code Signature T1071.001 Web Protocols T1037.001 Logon Script (Windows) T1566.002 Spearphishing Link T1218.007 Msiexec T1036.005 Match Legitimate Resource Name or Location T1057 Process Discovery T1219 Remote Access Tools T1082 System Information Discovery T1566.001 Spearphishing Attachment T1195.001 Compromise Software Dependencies and Development Tools T1106 Native API T1497 Virtualization/Sandbox Evasion T1112 Modify Registry T1195 Supply Chain Compromise T1204 User Execution T1059 Command and Scripting Interpreter T1203 Exploitation for Client Execution T1189 Drive-by Compromise T1113 Screen Capture T1497.003 Time Based Checks T1033 System Owner/User Discovery T1204.004 Malicious Copy and Paste T1083 File and Directory Discovery T1134.001 Token Impersonation/Theft T1570 Lateral Tool Transfer T1016 System Network Configuration Discovery T1016.001 Internet Connection Discovery T1055.001 Dynamic-link Library Injection T1559 Inter-Process Communication T1071.002 File Transfer Protocols T1573.001 Symmetric Cryptography T1055.002 Portable Executable Injection T1087 Account Discovery T1005 Data from Local System T1218 System Binary Proxy Execution T1053 Scheduled Task/Job T1027.002 Software Packing T1204.003 Malicious Image T1102 Web Service T1567.002 Exfiltration to Cloud Storage T1102.002 Bidirectional Communication T1566 Phishing T1583.001 Domains T1571 Non-Standard Port

Reporting

Research mentioning Havoc

Jul 9
Codeby

Security awareness программа: пентестер строит обучение ИБ

Playbook на скомпрометированный хост: если EDR фиксирует Cobalt Strike beacon (или Sliver, или Havoc - сейчас зоопарк C2-фреймворков растёт) на рабочей станции сотрудника - немедленная изоляция хоста, сброс учётных данных, ревью всех действий за последние 72 часа.

Jun 21
Codeby

Persistence macOS: техники закрепления для Red Team

Все техники ниже предполагают, что initial access уже получен - оператор имеет shell или C2-агент (Mythic Poseidon, Havoc) на целевом Mac.

Jun 18
Scworld

Attacker establishes persistent access to French business using OpenSSH and Tailscale | brief | SC Media

The attacker utilized a multi-stage in-memory malware chain, including a VBScript stager, a PowerShell loader, and Havoc's Demon agent, to gain initial access.

Jun 17
Censys

AdaptixC2: Fingerprinting an Open-Source C2 Framework at Scale - Censys

The project is at v1.2 and has less public analysis coverage than older frameworks like Cobalt Strike, Havoc, or Sliver.

Jun 17
The Hacker News

Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline

A VBScript stager with a sandbox-evasion delay decrypted a PowerShell loader, which pulled down a .NET loader that ran Havoc's Demon agent without dropping the implant to disk.

Jun 16
Catonetworks

Operation Poisson Under the Spotlight | Cato Networks

Poisson typed each of his 339 commands from a Havoc C2 framework server... Inside is a Donut-style reflective PE loader ... wrapping the Havoc Demon agent.

Jun 8
Securelist

Hacktivists are broadening their scope beyond political motivation | Securelist

Inside a similar SFX archive located in the user directory $user\desktop\ under the filename demon.x64.exe, we found another post-exploitation framework: Havoc.

Jun 8
Securelist Ru

Хактивисты выходят за рамки политически мотивированных атак | Securelist

В аналогичном SFX-архиве в пользовательском каталоге $user\desktop\ под именем demon.x64.exe мы нашли другой постэксплуатационный фреймворк — Havoc, настроенный на коммуникацию с С2 77.72.85[.]62.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.