Cybersecurity investigators have recently uncovered a new phishing campaign that exploits the ClickFix technique to deploy Havoc, an open-source Command-and-Control (C2) framework. This sophisticated attack conceals its payload behind a SharePoint site while leveraging the Microsoft Graph API to mask malicious communications within legitimate services. The attackers use a modified version of Havoc Demon, a powerful post-exploitation agent, to achieve stealthy persistence.
The Phishing Trap: A Deceptive Email and ClickFix Manipulation
The ClickFix technique used in this attack involves tricking users into manually executing a malicious PowerShell script. The attack starts with a phishing email that contains an HTML attachment (Documents.html). When opened, the attachment displays a fake error message, instructing the user to run a specific PowerShell command to fix an issue with OneDrive.
Once executed, the command initiates a connection to an attacker-controlled SharePoint server, enabling the deployment of the malware onto the target system.
Multi-Stage Malware Deployment: From PowerShell to Python
The malware follows a multi-stage execution process:
- PowerShell Execution: The malicious PowerShell script checks whether it is running in a sandboxed environment to evade detection.
- Python Installation: If Python (‘pythonw.exe’) is not installed, the script downloads and installs it.
- Shellcode Loader Execution: A secondary PowerShell script downloads and executes a Python-based shellcode loader.
- KaynLdr Deployment: This loader runs KaynLdr, a reflective loader written in C and Assembly.
- Havoc Deployment: The final stage injects Havoc Demon, granting attackers full control over the compromised machine.
Havoc’s Capabilities: A Stealthy Cyber Weapon
Havoc is a powerful post-exploitation framework with a wide range of functionalities:
- Information gathering (e.g., system details, user data)
- File operations (uploading, downloading, deleting files)
- Command execution (running arbitrary commands)
- Payload execution (injecting malicious payloads)
- Token manipulation (stealing authentication tokens)
- Kerberos attacks (network-based credential theft)
Google Advertisements Exploited to Target PayPal Users
Alongside ClickFix phishing, cybersecurity experts have also detected threat actors abusing Google Ads to target PayPal users.
Attackers create fraudulent advertisements impersonating PayPal support pages. When users click on these ads, they are redirected to fake customer service pages where they are asked to call a fraudulent support number. Once on the call, scammers attempt to steal victims’ PayPal credentials and financial information.
Google Advertisements Loophole: A Playground for Fraudsters
This attack exploits a loophole in Google Ads policies that allows threat actors to create misleading advertisements as long as the landing page (final URL) and display URL match the same domain.
Cybercriminals take advantage of this by bidding on popular support-related search terms like:
- “PayPal customer support number”
- “Recover PayPal account”
- “PayPal fraud support”
These fraudulent ads appear at the top of search results, increasing the chances of tricking unsuspecting users.
Conclusion: A Rising Threat Landscape
The ClickFix phishing campaign and Google Ads abuse showcase the ever-evolving tactics used by cybercriminals. Users and businesses must remain vigilant, adopt robust cybersecurity measures, and exercise caution when interacting with emails and online advertisements.
Threat Summary Table
| Attribute | Details |
|---|---|
| Threat Type | Phishing, Malware, C2 Framework |
| Malware Name | ClickFix Havoc |
| Encrypted File Extension | N/A (Data theft-focused) |
| Ransom Note File Name | N/A |
| Associated Emails | Phishing emails posing as Microsoft Support |
| Detection Names | Havoc, KaynLdr, PowerShell Trojan |
| Symptoms of Infection | Unexpected PowerShell execution, SharePoint connection requests, unauthorized system access |
| Damage | Data theft, remote control over system, persistence, security bypass |
| Distribution Methods | Phishing emails, Google Ads abuse |
| Danger Level | High |
Remove ClickFix Havoc Malware
With SpyHunter
Prevention and Removal Guide
- Avoid clicking on unknown email attachments – Do not open HTML attachments in unsolicited emails.
- Check sender legitimacy – Verify email sources before following troubleshooting instructions.
- Monitor PowerShell execution – Block suspicious PowerShell scripts using Endpoint Detection and Response (EDR) solutions.
- Restrict Python installation – If not required, prevent users from installing pythonw.exe to reduce risk.
- Deploy endpoint security tools – Use updated anti-malware solutions to detect and remove threats.
- Manually remove malware:
- Open Task Manager (Ctrl+Shift+Esc) and end suspicious processes.
- Navigate to C:\Users[Username]\AppData\Local\Temp and delete unusual files.
- Run a full system scan with a trusted anti-malware tool.
If you are still having trouble, consider contacting remote technical support options.
Remove ClickFix Havoc Malware
With SpyHunter
