SOC Prime Bias: Medium

04 Jun 2026 15:13 UTC

The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Threat actors in Brazil are distributing spoofed electronic invoice NF-e ZIP attachments that deliver a malicious MSI installer. The MSI drops a fake Microsoft Defender Endpoint DLP DLL that actually functions as a Havoc stager. Once launched, the stager connects to a remote command-and-control server, retrieves an in-memory Havoc payload, and creates persistence through a Logon Script registry value. Similar variants have also been observed on Malaysia-registered domains using the same delivery wrapper.

Investigation

LevelBlue SpiderLabs analyzed the ZIP archive, the VBS dropper, and the MSI package, uncovering a signed Microsoft binary, mpextms.exe, paired with an unsigned endpointdlp.dll stager. The stager contained clear-text configuration values, including the command-and-control host, URL paths, and a mutex string. Network captures revealed GET and POST traffic to specific IP addresses along with distinct user-agent values. Researchers identified nine related stager variants that shared the same version metadata and import hash.

Mitigation

Defenders should detect unsigned DLLs masquerading as Microsoft Defender Endpoint DLP or Dragon Data Protection components, monitor changes to HKCU\Environment\UserInitMprLogonScript, and alert on the known mutex value. The published YARA rule should be deployed to detect the stager before it can load the Havoc payload. Security teams should also verify Authenticode signatures on all Microsoft-branded binaries delivered inside archives.
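As an added example (not code from the SOC Prime page or the LevelBlue report), the following PowerShell triage check covers the registry and signature points above: it reads the UserInitMprLogonScript value, expands every path the value references, verifies each file's Authenticode signature, and flags Defender DLP look-alike names that are not validly Microsoft-signed. It assumes Windows PowerShell 5.1 or later on the host being triaged; the function name and the "outside system directories" heuristic are assumptions of mine.

```powershell
# Added example, not from the original page: triage the Logon Script
# persistence location and the binaries it points at.
$regPath = 'HKCU:\Environment'
$regName = 'UserInitMprLogonScript'

function Get-LogonScriptFindings {
    $findings = @()
    $item = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
    if (-not $item) { return $findings }   # value absent: nothing to triage

    $raw = $item.$regName
    $findings += [pscustomobject]@{ Check = 'LogonScriptValuePresent'; Detail = $raw }

    # Split the command line into quoted or bare tokens and expand %VAR% forms.
    $paths = [regex]::Matches($raw, '"([^"]+)"|(\S+)') |
        ForEach-Object { if ($_.Groups[1].Success) { $_.Groups[1].Value } else { $_.Groups[2].Value } } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
        $sig  = Get-AuthenticodeSignature -FilePath $p
        $name = [IO.Path]::GetFileName($p).ToLowerInvariant()
        # File names the campaign borrows from Microsoft Defender Endpoint DLP.
        $masquerade = $name -in @('endpointdlp.dll', 'mpextms.exe')

        if ($sig.Status -ne 'Valid') {
            $findings += [pscustomobject]@{ Check = 'UnsignedOrInvalidSignature'; Detail = "$p ($($sig.Status))" }
        }
        # A Defender-named file that is not validly signed by Microsoft is the stager pattern.
        if ($masquerade -and ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft')) {
            $findings += [pscustomobject]@{ Check = 'DefenderDlpMasquerade'; Detail = $p }
        }
        # Heuristic (assumption): logon-script executables living outside system
        # directories, e.g. under %APPDATA%, deserve a closer look.
        if ($p -notmatch '^[A-Za-z]:\\(Windows|Program Files)') {
            $findings += [pscustomobject]@{ Check = 'ExecutableOutsideSystemDirs'; Detail = $p }
        }
    }
    return $findings
}

Get-LogonScriptFindings | Format-Table -AutoSize
```

An empty table means the value is absent; a signed Microsoft binary paired with an unsigned DLL in the same folder is the pairing the investigation describes.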

Response

If this activity is detected, block the associated IP addresses and domains, quarantine the MSI and DLL files, and remove the malicious Logon Script registry entry. Perform host forensics to confirm that no in-memory Havoc payload remains active, and rotate credentials for affected users. Relevant business teams should be notified, and email protections should be updated to block similar NF-e themed attachments.

Attack Flow

    graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef malware fill:#ff9999
    classDef process fill:#ccffcc
    classDef operator fill:#ff9900
    %% Nodes
    action_phishing["<b>Action</b> – <b>T1566.001 Phishing: Spearphishing Attachment</b><br/>Delivery of a malicious ZIP disguised as a Brazilian NF-e invoice"]
    class action_phishing action
    action_vbscript["<b>Action</b> – <b>T1059.005 Command and Scripting Interpreter: Visual Basic</b><br/>Hidden VBScript launches a concealed cmd that initiates the MSI download"]
    class action_vbscript action
    action_download_msi["<b>Action</b> – <b>T1218.007 Signed Binary Proxy Execution: Msiexec</b><br/>Curl invoked to fetch <i>update.msi</i> from Google Cloud Storage"]
    class action_download_msi action
    action_msi_execution["<b>Action</b> – <b>T1218.007 Signed Binary Proxy Execution: Msiexec</b><br/>Msiexec runs the MSI which contains signed <i>mpextms.exe</i> and malicious <i>endpointdlp.dll</i>"]
    class action_msi_execution action
    action_dll_sideload["<b>Action</b> – <b>T1218 DLL Side-Loading</b> and <b>T1036.001 Masquerading</b><br/><i>endpointdlp.dll</i> mimics a Microsoft Defender DLL but lacks a valid signature"]
    class action_dll_sideload action
    action_stager_c2["<b>Action</b> – <b>T1102.002 Application Layer Protocol: Web Protocols</b><br/>Stager sends GET /stage/<hex> with custom ‘Microsoft-Delivery-Optimization/10.1’ User-Agent"]
    class action_stager_c2 action
    action_download_havoc["<b>Action</b> – <b>T1219 Remote Access Tool</b><br/>Havoc demon is downloaded over HTTP and executed directly in memory without touching disk"]
    class action_download_havoc action
    action_persistence["<b>Action</b> – <b>T1037.001 Logon Script</b><br/>Writes HKCU\Environment\UserInitMprLogonScript to launch <i>mpextms.exe</i> at user logon"]
    class action_persistence action
    action_telemetry["<b>Action</b> – <b>T1102.003 Application Layer Protocol: Web Protocols</b><br/>POST /api/v2/telemetry/diag to the C2 server"]
    class action_telemetry action
    action_defense_evasion["<b>Action</b> – <b>T1027.013 Obfuscated Files or Information: Embedded Payload</b>, <b>T1027.010 Binary Padding</b>, <b>T1564.003 Hide Artifacts</b><br/>Payload encrypted, commands obfuscated and executed in hidden windows"]
    class action_defense_evasion action
    %% Edges showing attack flow
    action_phishing -->|leads_to| action_vbscript
    action_vbscript -->|triggers| action_download_msi
    action_download_msi -->|invokes| action_msi_execution
    action_msi_execution -->|installs| action_dll_sideload
    action_dll_sideload -->|communicates_with| action_stager_c2
    action_dll_sideload -->|creates| action_persistence
    action_stager_c2 -->|downloads| action_download_havoc
    action_stager_c2 -->|sends| action_telemetry
    action_download_havoc -->|enables| action_defense_evasion

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An attacker who has already gained an initial foothold on the victim machine wishes to maintain persistence across user logons. They choose the UserInitMprLogonScript value because it runs before the user’s shell starts, providing early code execution. The attacker places a covert binary mpextms.exe (a renamed copy of rundll32.exe) in the user’s AppData folder and crafts a malicious DLL endpointdlp.dll that performs credential dumping. By setting the registry value to "%APPDATA%\mpextms.exe" "%APPDATA%\endpointdlp.dll", the attacker ensures that at each logon the DLL is side‑loaded via the signed rundll32.exe proxy, satisfying T1218.007 and T1027.013 while evading naive binary whitelists.

  • Regression Test Script:

    # -------------------------------------------------
    # Step 1: Drop malicious binaries (simulated)
    $payloadDir = "$env:APPDATA\Malicious"
    New-Item -ItemType Directory -Path $payloadDir -Force | Out-Null
    
    # Simulated 'mpextms.exe' – a copy of the signed rundll32.exe, renamed for realism
    $src = "$env:SystemRoot\System32\rundll32.exe"
    $dstExe = Join-Path $payloadDir "mpextms.exe"
    Copy-Item -Path $src -Destination $dstExe -Force
    
    # Simulated malicious DLL (empty file for test purposes; nothing is executed)
    $dllPath = Join-Path $payloadDir "endpointdlp.dll"
    New-Item -ItemType File -Path $dllPath -Force | Out-Null
    
    # Step 2: Create the persistence registry entry (HKCU\Environment\UserInitMprLogonScript)
    $regPath = 'HKCU:\Environment'
    $regName = 'UserInitMprLogonScript'
    # Value is the quoted EXE path followed by the quoted DLL path
    $regValue = "`"$dstExe`" `"$dllPath`""
    Set-ItemProperty -Path $regPath -Name $regName -Value $regValue -Force
    
    Write-Host "Persistence entry created: $regName = $regValue"
    # -------------------------------------------------
  • Cleanup Commands:

    # Remove the registry persistence entry
    Remove-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' -ErrorAction SilentlyContinue
    
    # Delete the dropped files
    $payloadDir = "$env:APPDATA\Malicious"
    Remove-Item -Path $payloadDir -Recurse -Force -ErrorAction SilentlyContinue
    
    Write-Host "Cleanup complete."