Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations
Source: The Hacker News
Overview

Threat hunters have called attention to a new campaign in which bad actors masquerade as fake IT support to deliver the Havoc command‑and‑control (C2) framework as a precursor to data exfiltration or ransomware attacks.
The intrusions, identified by Huntress last month across five partner organizations, involved the threat actors using email spam as lures, followed by a phone call from an “IT desk” that activates a layered malware‑delivery pipeline.
“In one organization, the adversary moved from initial access to nine additional endpoints over the course of eleven hours, deploying a mix of custom Havoc Demon payloads and legitimate RMM tools for persistence. The speed of lateral movement strongly suggests the end goal was data exfiltration, ransomware, or both,” researchers Michael Tigges, Anna Pham, and Bryan Masters said.
The modus operandi is consistent with email‑bombing and Microsoft Teams phishing attacks orchestrated by threat actors associated with the Black Basta ransomware operation in the past. While the cybercrime group appears to have gone silent after a public leak of its internal chat logs last year, the continued presence of the group’s playbook suggests two possible scenarios.
Possible Scenarios

- Former Black Basta affiliates have moved on to other ransomware operations and are using the same tactics to launch fresh attacks.
- Rival threat actors have adopted the same social‑engineering strategy to obtain initial access.
Attack Chain
- Spam Campaign – Junk emails flood the target’s inboxes.
- Phone Call – Actors pose as IT support, convincing victims to grant remote access via Quick Assist, AnyDesk, or similar tools.
- Fake Landing Page – The adversary opens a malicious page hosted on Amazon Web Services (AWS) that impersonates Microsoft and asks the victim to enter their email address to “update Outlook’s anti‑spam rules.”
- Credential Harvesting – Clicking “Update rules configuration” runs a script that overlays a password prompt, harvesting the user’s credentials.
“This mechanism serves two purposes: it allows the threat actor (TA) to harvest credentials, which, when combined with the required email address, provides access to the control panel; concurrently, it adds a layer of authenticity to the interaction, convincing the user the process is genuine,” – Huntress
- Malicious DLL Delivery – The “anti‑spam patch” download triggers execution of a legitimate binary (e.g., ADNotificationManager.exe, DLPUserAgent.exe, or Werfault.exe) that sideloads a malicious DLL.
- DLL Payload – The DLL implements defense evasion and launches the Havoc shellcode payload by spawning a thread that loads the Havoc Demon agent. At least one DLL (vcruntime140_1.dll) uses:
  - Control‑flow obfuscation
  - Timing‑based delay loops
  - Hell’s Gate and Halo’s Gate techniques to hook ntdll.dll functions, bypassing EDR solutions.
- Lateral Movement – After the Havoc Demon establishes a foothold, the actors move laterally across the environment, creating scheduled tasks to ensure persistence after reboots.
“While the initial social engineering and malware delivery demonstrated some interesting techniques, the hands‑on‑keyboard activity that followed was comparatively straightforward,” the researchers noted.
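As an added defender-side example (not code from the report or from Huntress), the following Python script scans Sysmon Event ID 7 style image-load lines for the sideloading pattern described above: one of the named legitimate binaries loading vcruntime140_1.dll from outside a system directory, unsigned, or from the same user-writable folder the binary itself runs from. The sample log lines are constructed, and the line format and trusted-directory list are assumptions to adapt to your own telemetry.

```python
import re
from pathlib import PureWindowsPath

# Legitimate binaries the report names as sideloading hosts, and the DLL it names.
SIDELOAD_HOSTS = {"adnotificationmanager.exe", "dlpuseragent.exe", "werfault.exe"}
SUSPECT_DLLS = {"vcruntime140_1.dll"}
# Directories where a VC runtime DLL is expected (assumption; extend with vendor install dirs).
TRUSTED_DIRS = ("c:/windows/system32", "c:/windows/syswow64", "c:/windows/winsxs")

# Minimal Sysmon-7-like format (assumed): Image=<exe> ImageLoaded=<dll> Signed=<true|false>
LINE_RE = re.compile(r"Image=(?P<proc>.+?)\s+ImageLoaded=(?P<dll>.+?)\s+Signed=(?P<signed>\S+)")


def _norm(path):
    """Lower-case, forward-slash form so prefix checks work regardless of log casing."""
    return PureWindowsPath(path).as_posix().lower()


def check_image_load(line):
    """Return a finding string for one image-load line, or None if it is not the sideload pattern."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proc, dll = _norm(m["proc"]), _norm(m["dll"])
    proc_dir, proc_name = proc.rsplit("/", 1)
    dll_dir, dll_name = dll.rsplit("/", 1)
    if proc_name not in SIDELOAD_HOSTS or dll_name not in SUSPECT_DLLS:
        return None
    reasons = []
    if not dll_dir.startswith(TRUSTED_DIRS):
        reasons.append(f"{dll_name} loaded from untrusted dir {dll_dir}")
    if m["signed"].lower() != "true":
        reasons.append(f"{dll_name} is unsigned")
    if dll_dir == proc_dir and not proc_dir.startswith(TRUSTED_DIRS):
        reasons.append(f"{proc_name} runs beside its DLL outside a system dir (sideload pattern)")
    return f"{proc_name}: " + "; ".join(reasons) if reasons else None


def scan(lines):
    """Run the check over many lines and keep only the findings."""
    return [f for f in map(check_image_load, lines) if f]


# Constructed sample events (not from the report): benign loads plus one matching the pattern.
SAMPLE = [
    r"Image=C:\Windows\System32\WerFault.exe ImageLoaded=C:\Windows\System32\vcruntime140_1.dll Signed=true",
    r"Image=C:\Users\jdoe\Downloads\AntiSpamPatch\ADNotificationManager.exe ImageLoaded=C:\Users\jdoe\Downloads\AntiSpamPatch\vcruntime140_1.dll Signed=false",
    r"Image=C:\Program Files\Contoso\app.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```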
Technical Highlights
| Technique | Purpose |
|---|---|
| Sideloading via legitimate binaries | Evade detection by using trusted executables |
| Control‑flow obfuscation | Hinder static analysis |
| Timing‑based delay loops | Avoid sandbox execution |
| Hell’s Gate / Halo’s Gate | Hook ntdll.dll to bypass user‑mode EDR |
| Scheduled tasks | Persistence across reboots |
That said, the threat actor has also been found to deploy legitimate remote monitoring and management (RMM) tools like Level RMM and XEOX on some compromised hosts instead of Havoc, thus diversifying their persistence mechanisms.
Some important takeaways from these attacks: threat actors are more than happy to impersonate IT staff and call personal phone numbers if it improves the success rate; defense‑evasion techniques that were once limited to attacks on large firms or state‑sponsored campaigns are becoming increasingly common; and commodity malware is being customized to bypass pattern‑based signatures.
Also notable is how swiftly and aggressively the attacks progress from initial compromise to lateral movement, and the number of methods used to maintain persistence.
“What begins as a phone call from ‘IT support’ ends with a fully instrumented network compromise – modified Havoc demons deployed across endpoints, legitimate RMM tools repurposed as backup persistence,” Huntress concluded. “This campaign is a case study in how modern adversaries layer sophistication at every stage: social engineering to get in the door, DLL sideloading to stay invisible, and diversified persistence to survive remediation.”
