#Havoc
Modern open-source C2 framework with strong tradecraft, increasingly observed in real-world intrusions
IOCs by window
- 0 IOCs tagged #Havoc
- 0 IOCs tagged #Havoc
- 0 IOCs tagged #Havoc
- 1,086 IOCs tagged #Havoc (year aggregate)
Counts as of 2026-04-29. Regenerated daily.
About #Havoc
- Type: modern open-source C2 framework written in Go (server) + C++ (Demon agent), maintained by C5pider. Released in 2022 with a focus on tradecraft - sleep obfuscation, indirect syscalls, return-address spoofing, AMSI bypass and ETW patching out of the box.
- Abuse pattern: increasingly observed in real-world intrusions through 2023-2026 as a Cobalt Strike alternative. Appears in both APT and ransomware-affiliate operations where the operator wants out-of-the-box evasion without writing it themselves.
- Detection signals: Demon agent strings, distinctive HTTP listener defaults, JA3 / JA4 fingerprints, sleep-obfuscation memory patterns, in-memory PE loading via Go runtime.
- References: HavocFramework/Havoc on GitHub · Malpedia.
Recent IOCs tagged #Havoc
No IOCs tagged #Havoc in the past 30 days. Year aggregate: 1,086. For longer-window data, query api.tweetfeed.live/v1/year/havoc.
Frequently asked questions
What is Havoc?
Havoc is a modern open-source C2 framework written in Go (server side) and C++ (the Demon agent), maintained by C5pider since 2022. It targets the same niche as Cobalt Strike and Sliver but ships strong evasion tradecraft out of the box - sleep obfuscation, indirect syscalls, return-address spoofing, AMSI bypass and ETW patching - without operators having to add it themselves.
Why is Havoc popular among operators?
Three reasons: it is free and open-source (lowering the barrier compared to Cobalt Strike's licensing); it is modern and actively maintained (in contrast to abandoned alternatives); and it ships with strong evasion features by default. Together these make Havoc attractive to both APT-aligned operators and ransomware affiliates.
How is this list updated?
Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Havoc-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.
What is the license? Can I use this commercially?
All TweetFeed IOC data, including this Havoc subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.
License
Havoc IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).