{"id":50636,"date":"2023-02-17T10:30:08","date_gmt":"2023-02-17T10:30:08","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/"},"modified":"2023-02-17T10:30:08","modified_gmt":"2023-02-17T10:30:08","slug":"cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/","title":{"rendered":"Cry Havoc and let slip dogs of war &#8230; there&#8217;s an upgraded malware server in town"},"content":{"rendered":"<p>There&#8217;s a fresh open-source command-and-control (C2) framework on the loose, dubbed Havoc, as an alternative to the popular Cobalt Strike, and other mostly legitimate tools, that have been abused to spread malware.<\/p>\n<p>ReversingLabs <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.reversinglabs.com\/blog\/open-source-malware-sows-havoc-on-supply-chain\">wrote<\/a> about <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/github.com\/HavocFramework\/Havoc\">Havoc<\/a> earlier this month in connection with a malicious npm package called Aabquerys, noting that it was created by a malware developer called C5pider. Now researchers with Zscaler&#8217;s ThreatLabz threat intelligence unit say Havoc is being used in a campaign targeting a government organization.<\/p>\n<p>&#8220;While C2 frameworks are prolific, the open-source Havoc framework is an advanced post-exploitation command and control framework capable of bypassing the most current and updated version of Windows 11 Defender,&#8221; the ThreatLabz researchers wrote in a <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/havoc-across-cyberspace#analysis\">report<\/a> this week.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"condor\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>It&#8217;s also difficult to detect. The post-exploitation framework uses a range of sophisticated evasion techniques, including indirect syscalls, sleep obfuscation, and return address stack spoofing, to evade detection by infosec tools.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xmd=\",fluid,mpu,leaderboard,\" data-lg=\",fluid,mpu,leaderboard,\" data-xlg=\",fluid,billboard,superleaderboard,mpu,leaderboard,\" data-xxlg=\",fluid,billboard,superleaderboard,brandwidth,brandimpact,leaderboard,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<div class=\"adun_eagle_desktop_story_wrapper\">\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"mid\" data-raptor=\"eagle\" data-xxlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<\/p><\/div>\n<p>Cybercriminals use rogue servers as C2 systems to communicate with and send orders to malware in compromised computers. In recent years, legitimate tools like Cobalt Strike, which is used by corporate red teams for testing an organization&#8217;s security defenses, have been appropriated by criminals to gain persistence, move laterally through a victim&#8217;s network, and execute malicious payloads.<\/p>\n<p>Cobalt Strike and <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2022\/07\/06\/brc4_state_sponsored_apt29\/\" rel=\"noopener\">Brute Ratel<\/a> are among the most popular C2 systems, with <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2022\/11\/25\/infosec_roundup\/\" rel=\"noopener\">Nighthawk<\/a>, Silver, and Covenant also well-used.<\/p>\n<p>Cybersecurity vendors are trying to push back against the malicious use of these tools, or at least catch them in the act. Palo Alto Networks&#8217; Unit 42 group in December 2022 wrote that security pros are getting better at <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2022\/12\/06\/cobalt_strike_memory_unit_42\/\" rel=\"noopener\">detecting Cobalt Strike<\/a> attack code.<\/p>\n<p>A month earlier, Google <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/cloud.google.com\/blog\/products\/identity-security\/making-cobalt-strike-harder-for-threat-actors-to-abuse\">released<\/a> a set of open-source Yara rules to help organizations flag and identify components of multiple versions of Cobalt Strike, adding that &#8220;since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees, and their customers around the globe.&#8221;<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>In the latest case, ThreatLabz in early January 2023 detected in the Zscaler Cloud an executable named &#8220;pix.exe&#8221; that was downloaded from a remote server and aimed at the unnamed government organization. The eventual goal of the code is to deliver the Havoc Demon payload.<\/p>\n<p>ReversingLabs&#8217;s report described Havoc Demon as malware with remote access trojan (RAT) capabilities, generated by the Havoc framework.<\/p>\n<p>According to ThreatLabz, Havoc Demon&#8217;s shellcode loader disables the Event Tracing for Windows feature used to trace and log events \u2013 a move to evade detection \u2013 and decrypts and executes the shellcode through Microsoft&#8217;s CreateThreadpoolWait function.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" id=\"story_eagle_xsm_sm_md_xmd_lg_xlg\" data-pos=\"mid\" data-raptor=\"eagle\" data-xsm=\",mpu,dmpu,\" data-sm=\",mpu,dmpu,\" data-md=\",mpu,dmpu,\" data-xmd=\",mpu,dmpu,\" data-lg=\",mpu,dmpu,\" data-xlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>In another evasive move, Havoc&#8217;s Demon DLL is loaded without the DOS and NT headers. The payload uses a modified DJB2 hashing algorithm to resolve virtual addresses of disparate NT APIs. The attackers also use the image of &#8220;Zero Two&#8221; \u2013 a character in a Japanese anime TV series \u2013 to hide the execution and activities of the Havoc Demon payload going on in the background.<\/p>\n<p>&#8220;After the demon is deployed successfully on the target&#8217;s machine, the server is able to execute various commands on the target system,&#8221; the researchers wrote.<\/p>\n<p>The laundry list of commands includes downloading, uploading, copying, or removing files, displaying a file&#8217;s contents, creating a new directory or retrieving a current one, take a screenshot, and clean up and exit the system. The C2 server manages all this through a web-based console.<\/p>\n<p>The ThreatLabz researchers were able to gather some information on the attackers by analyzing their infrastructure and taking advantage of operational security mistakes to get screenshots of their C2 machine through what they called a &#8220;self-compromise.&#8221;<\/p>\n<p>While running the infrastructure analysis, the researchers found an open directory on a server that included multiple demon and Metasploit payloads as well as internal logs and screenshots. Included in the directory was a HTML file that showed a screenshot of the attackers&#8217; machine.<\/p>\n<p>They also determined the miscreants&#8217; IP was located in New York. \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2023\/02\/17\/havoc_c2_framework_threatlabz\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ThreatLabz finds free alternative to Cobalt Strike and other tools used in the wild There&#8217;s a fresh open-source command-and-control (C2) framework on the loose, dubbed Havoc, as an alternative to the popular Cobalt Strike, and other mostly legitimate tools, that have been abused to spread malware.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-50636","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Cry Havoc and let slip dogs of war ... there&#039;s an upgraded malware server in town 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cry Havoc and let slip dogs of war ... there&#039;s an upgraded malware server in town 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-17T10:30:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Cry Havoc and let slip dogs of war &#8230; there&#8217;s an upgraded malware server in town\",\"datePublished\":\"2023-02-17T10:30:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/\"},\"wordCount\":681,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/\",\"name\":\"Cry Havoc and let slip dogs of war ... there's an upgraded malware server in town 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2023-02-17T10:30:08+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/#primaryimage\",\"url\":\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cry Havoc and let slip dogs of war &#8230; there&#8217;s an upgraded malware server in town\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Cry Havoc and let slip dogs of war ... there's an upgraded malware server in town 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/","og_locale":"en_US","og_type":"article","og_title":"Cry Havoc and let slip dogs of war ... there's an upgraded malware server in town 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-02-17T10:30:08+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Cry Havoc and let slip dogs of war &#8230; there&#8217;s an upgraded malware server in town","datePublished":"2023-02-17T10:30:08+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/"},"wordCount":681,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/","url":"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/","name":"Cry Havoc and let slip dogs of war ... there's an upgraded malware server in town 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2023-02-17T10:30:08+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y-HHQTon8j5xTsKtfXbSWgAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/cry-havoc-and-let-slip-dogs-of-war-theres-an-upgraded-malware-server-in-town\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Cry Havoc and let slip dogs of war &#8230; there&#8217;s an upgraded malware server in town"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50636","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=50636"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50636\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=50636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=50636"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=50636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}