
The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP

ID: 7f24b9c7-e3aa-5a6d-a5cf-cc25a5b3ca65

STIX ID: report--7f24b9c7-e3aa-5a6d-a5cf-cc25a5b3ca65

Feed Name: LevelBlue SpiderLabs Blog

Threat Score
75/100

Date Published: 2026-06-03

Date Updated: 2026-06-04

Author: Jose Martin


LevelBlue SpiderLabs reports a Brazil-focused malspam campaign that uses invoice-shaped ZIP attachments and a fake Microsoft Defender DLP installer to deploy an unsigned stager (endpointdlp.dll), which fetches Havoc implants over the network without writing them to disk. The analysis links nine stager variants to a single builder, enumerates persistence via UserInitMprLogonScript, describes Havoc's anti-forensic features (memory masking, indirect syscalls, AMSI/ETW patching), and publishes YARA rules and IOCs to detect the stager and related infrastructure.
