In October 2020, against the stunning backdrop of Lower Austria, a gifted teenage programmer would lay the foundations for a powerful and versatile offensive security framework called Havoc. Paul, known by his online handle 5pider, had just turned 16 years old at the time of writing the first lines of Havoc.
Where in the world are you?
I'm in Austria. My parents moved from Romania to Austria around 30 years ago and I was born here 18 years ago. I live in Lower Austria. I can speak Romanian, but not as well as I’d like to.
At what age did you start learning to program computers?
I think it was around 13 or 14 when I started programming and hacking. I started off using Metasploit and then learned Ruby so I could write new modules for it. After that, I dabbled in Python, but I learned ‘real’ programming in high school at around 15 years old.
What things are you learning at high school?
I attend a technical high school where our main focus is low-level hardware PCB (printed circuit board) design, soldering and programming using C/C++. This is where I got my passion for low-level programming using C and C++.
Havoc is a bit of a step up from Metasploit, did you work on something similar to Havoc before Havoc was released?
Not really. I used to do malware analysis and reverse engineering for fun, but I haven't developed any offensive-focused tools.
What inspired you to create Havoc?
Metasploit, boredom and too much free time. I was incredibly bored and wanted to force myself to learn something new. Something big.
What tools did you test before trying to create Havoc?
Before I wrote Havoc I played around with tools like Metasploit, Cobalt Strike and DarkComet RAT. Anything that could inspire me.
Why did you make Havoc open-source instead of making it a commercial tool?
I had no interest in making any money from it. It was, and is, a hobby project of mine where my only goal is to learn about malware development and Windows internals. The reason I open-sourced it was to give people the opportunity to learn malware development and Windows internals too. I think I’ve achieved my goal.
How does it make you feel when you see Havoc being used by threat actors in real attacks?
I have mixed feelings about it. Obviously, I knew it was a matter of time before it would be abused by threat actors. I’m not shocked by it, but I do hate to see it being abused.
Have you been approached by any big-name security companies?
Surprisingly not. I’m sure I’ll get a few DMs soon now that it’s being used in real attacks. However, the code is completely open source and readable by everyone with an Internet connection, so they might not ever need to get in touch with me.
What do you like to do when you’re offline?
When I get time outside of high school, I like to go to the gym and love taking walks outside to refresh my brain. Finding the time for anything else is tough.
What are your career aspirations?
I am still not sure. I can imagine myself doing offensive research. However, I hope to start learning more about exploit development soon, especially kernel-level exploits and learning low-level malware like bootkits. I have started to look more at APT-level implants and exploits to try and replicate them. As long as I am doing anything related to low-level operating system internals, I am going to be satisfied.
What languages can you write programs in?
Once you learn fundamental programming, it’s quite straightforward to move to other languages. So I know quite a few languages now. Not fluently, but good enough to write projects with. Python, C, C++, NASM Assembly, JavaScript, PHP, Golang and Rust.
What programming language would you recommend people learn first?
I think it really depends on what the goal is that the person is trying to achieve. But in my experience and opinion, C and C++ are good first starters because the syntax is simple, readable and understandable.
What advice would you give to someone who wants to be able to write a tool like Havoc?
You have to be willing to dedicate a lot of hours to learning and fixing problems you are going to encounter. There are no shortcuts. It took me two full years and thousands of hours to get Havoc to the state it is in today. Well, to be fair, it took me so long because I had zero cybersecurity experience, didn't know anything about how operating systems work and barely knew enough C/C++ to write a simple project.
What types of programs can we expect to see from you in the future?
I think I’ll work on more offensive security projects. I want to work on projects like LLVM/Gimple obfuscators, VMs, bootkits, and so much more. I have a lot of ideas for new projects that I’d like to implement, but very little time.
You can check out Havoc on GitHub and follow 5pider on Twitter.
