Cybersecurity researchers have uncovered a sophisticated cyberattack campaign in which threat actors impersonate IT support staff to deploy a modified Havoc command-and-control (C2) framework inside corporate networks. The attack relies heavily on social engineering, spam campaigns, and remote-access tools to gain control of victims’ systems and potentially launch ransomware or steal sensitive data.
Overview of the Attack Campaign
The campaign was detected by security researchers at Huntress across multiple organizations. Attackers first sent large volumes of spam emails to targeted victims. Shortly afterward, the victims received phone calls from individuals posing as internal IT support staff. These callers claimed they were helping resolve the spam issue and convinced victims to grant remote access to their machines.
Once remote access was granted, attackers installed malicious payloads that deployed the Havoc C2 framework, enabling them to control compromised machines remotely and execute further malicious activities within the network.
Attack Chain and Infection Process
The attack follows a multi-stage process designed to trick victims and evade security detection:
- Spam Email Flooding: Attackers begin by overwhelming the victim’s inbox with numerous spam messages. This tactic increases the chances that the victim will believe a “support call” about spam filtering issues is legitimate.
- Fake IT Support Call: The attackers then contact victims by phone, pretending to be company IT personnel offering assistance. They convince users to grant remote access using tools such as Quick Assist or AnyDesk.
- Credential Harvesting: Victims are directed to a fake webpage hosted on cloud infrastructure that mimics Microsoft services and asks them to enter their email address and password to update spam rules.
- Malware Execution: A downloaded file launches a legitimate executable that side-loads a malicious DLL, which then loads the Havoc malware into memory.
- Network Persistence and Control: Once deployed, the Havoc agent establishes communication with attacker-controlled servers and enables lateral movement across the network.
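As an added defender-side example (not code from the Huntress report), the following Python correlates two stages of the chain above: a remote-access tool start followed, on the same host, by an executable in a user-writable directory loading a DLL from its own directory, which is the sideloading shape described in the Malware Execution step. The event layout is loosely modelled on Sysmon process-create (ID 1) and image-load (ID 7) records; all hostnames, paths and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Remote-access tools named in the campaign write-up; extend per environment.
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}
# Path markers for locations an ordinary user can write to.
USER_WRITABLE = ("\\users\\", "\\temp\\")
# How long after the remote session starts a sideload is still correlated.
WINDOW = timedelta(hours=2)


def is_user_writable(path):
    p = path.lower()
    return any(m in p for m in USER_WRITABLE) and not p.startswith("c:\\windows\\")


def find_sideload_after_remote_session(events):
    """Return (host, tool, loading image, dll) for every image load where a
    binary in a user-writable directory loads a DLL from that same directory,
    within WINDOW of a remote-access tool starting on the same host."""
    alerts = []
    sessions = {}  # host -> (start time, tool) of the latest remote tool launch
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        image = ev["image"].lower()
        if ev["id"] == 1 and image.rsplit("\\", 1)[-1] in REMOTE_TOOLS:
            sessions[ev["host"]] = (when, image.rsplit("\\", 1)[-1])
        elif ev["id"] == 7 and ev["host"] in sessions:
            start, tool = sessions[ev["host"]]
            dll = ev["loaded"].lower()
            # System DLLs are noise; a DLL sitting next to a downloaded
            # executable in a writable folder is the sideloading pattern.
            if (when - start <= WINDOW and is_user_writable(dll)
                    and image.rsplit("\\", 1)[0] == dll.rsplit("\\", 1)[0]):
                alerts.append((ev["host"], tool, ev["image"], ev["loaded"]))
    return alerts


SAMPLE_EVENTS = [  # constructed sample data, not indicators from the report
    {"host": "ws01", "time": "2025-01-10T09:00:00", "id": 1,
     "image": "C:\\Windows\\System32\\QuickAssist.exe"},
    {"host": "ws01", "time": "2025-01-10T09:20:00", "id": 7,
     "image": "C:\\Users\\alice\\Downloads\\support\\updater.exe",
     "loaded": "C:\\Users\\alice\\Downloads\\support\\helper.dll"},
    {"host": "ws01", "time": "2025-01-10T09:20:01", "id": 7,
     "image": "C:\\Users\\alice\\Downloads\\support\\updater.exe",
     "loaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"host": "ws02", "time": "2025-01-10T09:30:00", "id": 7,  # no remote session
     "image": "C:\\Users\\bob\\AppData\\Local\\Tool\\app.exe",
     "loaded": "C:\\Users\\bob\\AppData\\Local\\Tool\\plugin.dll"},
]

if __name__ == "__main__":
    for alert in find_sideload_after_remote_session(SAMPLE_EVENTS):
        print("sideload after remote session:", alert)
```

Tune WINDOW and USER_WRITABLE to the environment; the directory-match rule deliberately ignores DLLs loaded from system paths so that ordinary process start-up does not trip the alert.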
Malware Techniques Used
The attackers employ several advanced techniques to evade detection and maintain control:
- DLL sideloading to execute malicious code through legitimate applications
- Control flow obfuscation to hide malicious behavior
- Timing-based delay loops to bypass security monitoring
- Advanced techniques such as Hell’s Gate and Halo’s Gate to bypass endpoint detection and response (EDR) tools.
In some compromised environments, attackers also installed legitimate Remote Monitoring and Management (RMM) tools to maintain persistent access in case the primary malware was detected or removed.
Rapid Lateral Movement
Researchers observed that attackers moved quickly once inside a network. In one case, they compromised nine additional endpoints within eleven hours, demonstrating a clear intention to escalate privileges and expand control before launching further attacks.
Such rapid lateral movement is often a precursor to major cyber incidents such as:
- Data exfiltration
- Network-wide ransomware deployment
- Credential theft across enterprise systems.
Links to Previous Ransomware Tactics
The tactics used in this campaign resemble earlier attacks linked to the Black Basta ransomware group, which used email bombing and phishing through communication platforms such as Microsoft Teams.
Although Black Basta activity decreased after internal chat logs were leaked, researchers believe that former affiliates or other cybercriminal groups may now be using the same playbook.
Security Implications
This campaign highlights how attackers increasingly combine social engineering with sophisticated malware frameworks. Even though technical defenses may be strong, human trust remains a major vulnerability.
Modern cybercriminal operations now layer multiple techniques:
- Social engineering to gain initial access
- Malware obfuscation to avoid detection
- Multiple persistence mechanisms to survive remediation efforts.
Conclusion
The fake IT support campaign demonstrates how cyber attackers are evolving their strategies by blending psychological manipulation with advanced malware deployment techniques. By impersonating trusted support personnel and exploiting remote-access tools, attackers can bypass traditional security barriers and infiltrate enterprise networks.
Organizations must strengthen security awareness training, identity verification processes, and endpoint monitoring to prevent similar attacks. Verifying IT support requests, limiting remote-access permissions, and deploying advanced threat detection systems can significantly reduce the risk of compromise.
