- Security researchers spotted a new ClickFix campaign
- The goal is to deploy the Havoc post-exploitation framework
- The framework is hosted on a Microsoft SharePoint account
Hackers have been seen abusing Microsoft SharePoint to distribute the Havoc post-exploitation framework in a new ClickFix phishing attack.
Cybersecurity researchers at FortiGuard Labs, who have been tracking the campaign since last year, highlighted how ClickFix is a type of scam we have probably all encountered at least once. Cybercriminals hijack a website and place an overlay on it that displays a fake error message (for example: “Your browser is outdated, and to view the contents of the webpage, you need to update it”). The fake message prompts the victim into action, which usually ends with them downloading and running malware, or sharing sensitive information such as passwords or banking data.
This campaign is similar, although it requires a bit more activity on the victim’s side. The attack chain starts with a phishing email carrying a “restricted notice” as a .HTML attachment. Opening the attachment displays a fake error that says “Failed to connect to OneDrive – update the DNS cache manually”. The page also has a “How to fix” button that copies a PowerShell command to the Windows clipboard, and then displays a message telling the victim how to paste and run it.
Rising threat of ClickFix
Running that command fetches and executes a second script, hosted on the attackers’ SharePoint server, which in turn downloads a Python script that deploys the Havoc post-exploitation framework as a .DLL file.
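The first stage of the chain described above is an HTML attachment that shows a fake error and copies a PowerShell command to the clipboard. From a defender's side, that combination is a useful signature for scanning inbound HTML attachments before a user ever opens them. The following Python scanner is an added example written for this article, not code from FortiGuard Labs or from the campaign itself; the indicator lists, the weights, the `scan_html_lure` function and the two sample attachments are all constructed for illustration and are not taken from the real lure.

```python
"""Heuristic scanner for ClickFix-style HTML attachments (illustrative example)."""
import re
from dataclasses import dataclass, field
from html import unescape

# Constructed indicator lists (assumptions, not from the article). A ClickFix
# lure needs (1) a script that writes to the clipboard, (2) something that
# looks like a PowerShell command, and usually (3) an "error + how to fix" pretext.
CLIPBOARD_PATTERNS = {
    "clipboard-api": r"navigator\.clipboard\.writeText",
    "execCommand-copy": r"document\.execCommand\(\s*['\"]copy['\"]\s*\)",
}
POWERSHELL_PATTERNS = {
    "powershell-binary": r"\b(powershell|pwsh)(\.exe)?\b",
    "invoke-expression": r"\b(iex|invoke-expression)\b",
    "encoded-command": r"(?<![\w-])-(e|enc|encodedcommand)\b",
    "hidden-window": r"(?<![\w-])-(w|windowstyle)\s+hidden\b",
}
LURE_PATTERNS = {
    "onedrive-error": r"failed to connect to onedrive",
    "dns-cache": r"dns cache",
    "how-to-fix": r"how to fix",
    "outdated-browser": r"browser is outdated",
}


@dataclass
class Verdict:
    suspicious: bool          # True when the core ClickFix signature is present
    score: int                # weighted count of indicators, for triage ordering
    hits: list = field(default_factory=list)  # names of the indicators matched


def _match(patterns: dict, text: str) -> list:
    """Return the names of all patterns that occur in text (case-insensitive)."""
    return [name for name, pat in patterns.items() if re.search(pat, text, re.I)]


def scan_html_lure(content: str) -> Verdict:
    """Score an HTML attachment for the clipboard-copies-PowerShell lure."""
    text = unescape(content)  # catch commands hidden behind &quot; and friends
    clip = _match(CLIPBOARD_PATTERNS, text)
    ps = _match(POWERSHELL_PATTERNS, text)
    lure = _match(LURE_PATTERNS, text)
    # Clipboard writing alone is common on legitimate pages ("copy link"), and
    # the word PowerShell alone is common in IT documentation. The combination
    # of a clipboard write and a PowerShell command in one attachment is the
    # ClickFix signature; the pretext text only adds weight.
    suspicious = bool(clip) and bool(ps)
    score = (4 if clip else 0) + 2 * len(ps) + len(lure)
    return Verdict(suspicious, score, clip + ps + lure)


# Constructed sample: a harmless internal page with a "copy link" button.
BENIGN_SAMPLE = """<html><body>
<p>Share this report</p>
<button onclick="navigator.clipboard.writeText('https://intranet.example/report/42')">Copy link</button>
</body></html>"""

# Constructed sample shaped like the lure described in the article; the
# command is a PLACEHOLDER, not the campaign's real payload.
LURE_SAMPLE = """<html><body>
<h2>Failed to connect to OneDrive - update the DNS cache manually</h2>
<button onclick="navigator.clipboard.writeText(cmd)">How to fix</button>
<script>
var cmd = "powershell.exe -w hidden -Command \\"PLACEHOLDER\\"";
</script>
</body></html>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("lure", LURE_SAMPLE)):
        v = scan_html_lure(sample)
        print(f"{label}: suspicious={v.suspicious} score={v.score} hits={v.hits}")
```

The benign sample trips only the clipboard indicator and is not flagged, while the constructed lure is flagged because it writes the clipboard and carries a PowerShell command, with the OneDrive and "how to fix" pretext raising its triage score. Real lures often build the command from obfuscated strings (base64, `String.fromCharCode`, concatenation), so a production scanner would decode those layers before matching; this example deliberately keeps to plain-text matching to show the signature itself.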
Havoc is a post-exploitation framework designed for advanced red teaming and adversary simulation, providing modular capabilities for stealthy command and control (C2) operations. It offers features like in-memory execution, encrypted communication, and evasion techniques to bypass modern security defenses.
ClickFix has grown enormously popular in the last couple of months. In late October last year, a new malware variant was observed compromising thousands of WordPress websites, installing a malicious plugin that served the ClickFix attack.
Just a few weeks prior, researchers saw fake broken Google Meet calls, which were another variant of the ClickFix attack.
Via BleepingComputer