Fake IT Support Calls Deliver Havoc C2 in Rapid, Multi-Stage Enterprise Attacks

Cybersecurity researchers are warning of a fast-moving threat campaign in which attackers impersonate IT support staff to deploy a customized version of the Havoc command-and-control (C2) framework across corporate networks.

The activity, uncovered by Huntress, was detected last month in at least five partner organizations. Investigators say the attacks combined spam email floods, phone-based social engineering, credential harvesting, DLL sideloading, and hands-on-keyboard lateral movement — all within hours of initial access.

From Spam Flood to Full Network Compromise

The attack chain begins with an email bombing campaign designed to overwhelm a victim’s inbox with junk messages. Shortly afterward, the target receives a phone call from someone posing as IT support, offering assistance in resolving the spam issue.

Victims are persuaded to grant remote access through Microsoft Quick Assist or to install legitimate remote access tools such as AnyDesk. Once connected, the attackers escalate their intrusion rapidly.

In one observed case, threat actors moved from initial access to nine additional endpoints within 11 hours — a pace researchers say strongly suggests preparation for data theft, ransomware deployment, or both.

Fake Microsoft Portal Hosted on AWS

After gaining remote access, attackers launch a browser session and direct victims to a counterfeit webpage hosted on Amazon Web Services (AWS). The page impersonates Microsoft and claims users must update Outlook anti-spam rules.

Victims are prompted to enter their email address and later their password under the guise of completing the update process. This dual-purpose step allows attackers to harvest credentials while reinforcing the illusion of legitimacy.

Clicking the “Update rules configuration” button triggers a scripted workflow that deepens the compromise.

DLL Sideloading Deploys Havoc Demon

The campaign ultimately delivers the Havoc C2 framework using a technique known as DLL sideloading.

Attackers leverage legitimate Windows binaries — including:

  • ADNotificationManager.exe
  • DLPUserAgent.exe
  • Werfault.exe

These trusted, signed executables resolve their imports by looking in their own directory before the Windows system directories, so a malicious DLL dropped beside them, typically named “vcruntime140_1.dll” to pass as the Visual C++ runtime, is loaded in place of the real one and executes the Havoc Demon payload in memory.
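The sideloading pattern described above leaves a recognizable trace in image-load telemetry: one of the named host binaries loading a runtime-named DLL from its own, user-writable directory, without a Microsoft signature. The following is an added example, not code from Huntress or from the report, that scores Sysmon Event ID 7 (Image loaded) records for that pattern. It assumes Sysmon's ImageLoad field names (Image, ImageLoaded, Signature, SignatureStatus); the three sample events are constructed for illustration, and the extra runtime DLL names beyond vcruntime140_1.dll are an assumption drawn from the same Visual C++ redistributable.

```python
"""Added example (not Huntress's code): flag DLL sideloading candidates in
Sysmon Event ID 7 (Image loaded) records.  Field names follow Sysmon's
ImageLoad schema; the events at the bottom are constructed for illustration."""
import ntpath

# Host binaries the report names as sideloading targets.
SIDELOAD_HOSTS = {"adnotificationmanager.exe", "dlpuseragent.exe", "werfault.exe"}
# Runtime DLL names attackers impersonate (the report names vcruntime140_1.dll;
# the other two are an assumption based on the same VC++ redistributable).
RUNTIME_DLLS = {"vcruntime140_1.dll", "vcruntime140.dll", "msvcp140.dll"}
# Directories where a Windows host binary or Microsoft-signed runtime belongs.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
MICROSOFT_SIGNERS = {"microsoft corporation", "microsoft windows"}


def parse_event(text: str) -> dict:
    """Parse the 'Key: Value' lines of a Sysmon event body into a dict."""
    event = {}
    for line in text.strip().splitlines():
        key, _, value = line.strip().partition(": ")
        event[key] = value
    return event


def in_trusted_dir(path: str) -> bool:
    """True when the file sits in (or under) a Windows system directory."""
    directory = ntpath.dirname(path).lower()
    return any(directory == t or directory.startswith(t + "\\") for t in TRUSTED_DIRS)


def sideload_findings(event: dict) -> list[str]:
    """Return the reasons an ImageLoad event looks like sideloading (empty = benign)."""
    host_path, dll_path = event["Image"], event["ImageLoaded"]
    host = ntpath.basename(host_path).lower()
    dll = ntpath.basename(dll_path).lower()
    same_dir = ntpath.dirname(host_path).lower() == ntpath.dirname(dll_path).lower()
    validly_signed = (event.get("SignatureStatus") == "Valid"
                      and event.get("Signature", "").lower() in MICROSOFT_SIGNERS)
    reasons = []
    # 1. A Windows binary known to be abused for sideloading, running outside System32.
    if host in SIDELOAD_HOSTS and not in_trusted_dir(host_path):
        reasons.append(f"{host} running from untrusted directory {ntpath.dirname(host_path)}")
    # 2. A DLL named like the VC++ runtime that does not carry Microsoft's signature.
    if dll in RUNTIME_DLLS and not validly_signed:
        reasons.append(f"{dll} loaded without a valid Microsoft signature from {ntpath.dirname(dll_path)}")
    # 3. Search-order pattern: the host resolved the DLL from its own, untrusted directory.
    if host in SIDELOAD_HOSTS and same_dir and not in_trusted_dir(dll_path):
        reasons.append(f"{host} resolved {dll} from its own directory (search-order hijack)")
    return reasons


# Constructed sample events (not taken from the report).
BENIGN_EVENT = r"""
Image: C:\Program Files\Contoso\Contoso.exe
ImageLoaded: C:\Program Files\Contoso\vcruntime140_1.dll
Signed: true
Signature: Microsoft Corporation
SignatureStatus: Valid
"""
SYSTEM_EVENT = r"""
Image: C:\Windows\System32\WerFault.exe
ImageLoaded: C:\Windows\System32\ntdll.dll
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
"""
SIDELOAD_EVENT = r"""
Image: C:\Users\jdoe\AppData\Local\Temp\Support\ADNotificationManager.exe
ImageLoaded: C:\Users\jdoe\AppData\Local\Temp\Support\vcruntime140_1.dll
Signed: false
Signature: -
SignatureStatus: Unavailable
"""

if __name__ == "__main__":
    for name, text in [("benign", BENIGN_EVENT), ("system", SYSTEM_EVENT), ("sideload", SIDELOAD_EVENT)]:
        print(name, "->", sideload_findings(parse_event(text)) or "no findings")
```

A vendor application that ships its own Microsoft-signed copy of the runtime produces no finding, a stock WerFault.exe in System32 produces none, and the constructed copy of ADNotificationManager.exe in a Temp folder trips all three signals. The signature check is what keeps rule 2 quiet for legitimate redistributable copies in Program Files, so feed it Sysmon's signature fields rather than only the path.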

Researchers found that at least one variant used advanced defense-evasion methods, including:

  • Control flow obfuscation
  • Timing-based delay loops
  • Hell’s Gate and Halo’s Gate syscall resolution, which reads system call numbers out of ntdll.dll so that Nt* functions can be invoked directly, sidestepping the user-mode hooks EDR products place on those functions
  • Endpoint detection and response (EDR) bypass tactics

Such techniques, once more common in state-sponsored attacks, are increasingly appearing in financially motivated cybercrime operations.

Lateral Movement and Persistent Access

Once the Havoc Demon agent is established, attackers pivot laterally across the network using relatively straightforward administrative techniques.

Persistence mechanisms include:

  • Scheduled tasks configured to relaunch the Havoc payload at system reboot
  • Deployment of legitimate remote monitoring and management (RMM) tools

In some cases, attackers installed Level RMM and XEOX instead of Havoc on additional endpoints, diversifying their foothold to survive remediation attempts.

Echoes of Black Basta Playbook

The campaign’s tactics resemble previous email bombing and Microsoft Teams phishing operations linked to affiliates of the Black Basta ransomware group.

Although Black Basta’s operations appeared to decline after internal chat logs were leaked last year, researchers say its techniques remain in circulation. This suggests either former affiliates have moved to other ransomware groups or rival actors are adopting its proven playbook.

Key Takeaways for Security Teams

Huntress researchers highlighted several concerning trends:

  • Attackers are increasingly willing to impersonate internal IT teams and call personal phone numbers.
  • Commodity malware frameworks like Havoc are being customized to evade modern security controls.
  • Intrusions now progress from access to lateral movement in a matter of hours.
  • Legitimate tools are routinely repurposed to maintain persistence and blend into normal operations.

“What begins as a phone call from ‘IT support’ can quickly escalate into a fully instrumented network compromise,” Huntress warned.

Defensive Recommendations

Organizations should consider the following mitigation steps:

  • Train employees to verify any “IT support” contact through official channels, and to treat an unexpected spam flood followed by a helpful phone call as a warning sign rather than a coincidence.
  • Restrict remote access tools (Quick Assist, AnyDesk, and RMM agents such as Level and XEOX) to those the organization has sanctioned, and alert on any other.
  • Audit scheduled tasks and other startup persistence for entries that launch binaries from user-writable locations.
  • Monitor for unusual DLL loading by legitimate Windows binaries, especially unsigned DLLs resolved from the binary’s own directory rather than System32.
  • Enforce multi-factor authentication so that harvested passwords alone do not grant access.

As social engineering and post-exploitation tradecraft continue to evolve, defenders face a growing challenge: attacks that combine human manipulation with technical sophistication — and move faster than ever before.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO