Novel open-source command-and-control framework Havoc has been gaining traction among threat actors, with more attackers using the post-exploitation framework in place of Cobalt Strike and Brute Ratel, according to BleepingComputer. Aside from featuring various modules that could enable code execution, process management, and additional payload downloads, Havoc also uses indirect syscalls, return address stack spoofing, and sleep obfuscation to avert Microsoft Defender on devices running on Windows 11, a report from Zscaler ThreatLabz revealed. In one attack observed by researchers, Event Tracing for Windows has been disabled through a shellcode loader while no DOS and NT headers were found in the final Havoc Demon payload. Havoc was earlier reported by ReversingLabs to be distributed through the Aabquerys typosquatting module. "Demon.bin is a malicious agent with typical RAT (remote access trojan) functionalities that was generated using an open source, post-exploitation, command and control framework named Havoc. It supports building malicious agents in several formats including Windows PE executable, PE DLL, and shellcode," said ReversingLabs researcher Lucija Valenti.