Ekko (default), Ziliean, FOLIAGE - encrypt implant memory during sleep
Stack duplication
Copy and restore the call stack during sleep to defeat stack-scanning
Heap encryption
Encrypt implant heap alongside stack duplication
Indirect syscalls
All Nt* API calls go through dynamically resolved syscall stubs
Return address spoofing
x64 - spoof return addresses for scanner detection evasion
AMSI/ETW bypass
Hardware breakpoint-based - no in-memory patching, harder to detect
Proxy library loading
Load DLLs without touching LoadLibrary
DLL export name randomization
The exported function (Start in vanilla Havoc) is replaced with a random identifier at each build, defeating static signature rules that match the export name
Example: sleep 30 20 - 30 second interval, 20% jitter.
When sleep masking is enabled and no jobs are running, Demon encrypts its memory and applies the configured obfuscation technique before sleeping. x64 Demon uses return address spoofing during sleep.