📃Title: The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP
📅Date: 2026-06-03
🔗References:
Description
Cybercriminals in Brazil are exploiting the country’s electronic invoice system (Nota Fiscal eletrônica) to deliver Havoc framework implants. The campaign surfaced during May 2026, coinciding with tax season when accountants routinely process invoice-related emails. Attackers distribute malicious ZIP files disguised as legitimate invoices, containing VBScript droppers that download MSI installers from Google Cloud Storage. These installers deploy a fake Microsoft Defender DLP module (endpointdlp.dll) alongside a legitimate signed executable. The stager DLL downloads Havoc demon shellcode from command-and-control infrastructure at runtime, never writing the final payload to disk. Analysis reveals nine stager variants originating from a single builder, distributed through multiple channels including Brazilian NF-e-themed lures and Malaysia-registered domains. The implant establishes persistence through the rarely-monitored UserInitMprLogonScript registry key and employs advanced anti-forensic techniques incl…
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: campaign-analysis
- target: broad-based
- MY-relevancy: relevant
🔖MISP Galaxies:
- target-information="Brazil"
- producer=da7743e9-205e-47b0-8afc-b7aa7a5ae050
- malpedia="Havoc"
- country="malaysia"
- malpedia="KongTuke"
- operating-system="Windows"
- software-vendor="googleapis"
- software-vendor="microsoft"
- mitre-attack-pattern=['T1036.005', 'T1566.002', 'T1218.007', 'T1140', 'T1036.001', 'T1071.001', 'T1059.005', 'T1574.002', 'T1105', 'T1037.001', 'T1027.013']
MISP event uuid: 636a805b-58f3-442e-9a0a-72b9d7e7f244
Indicators of Compromise (IoCs)
Full IOCs available in Rectifyq’s MISP