Cybersecurity researchers have uncovered a campaign in which attackers pose as internal IT support staff to deploy the Havoc command-and-control framework. The actors first bury a victim's inbox in spam to manufacture a technical problem, then phone the victim offering a fraudulent fix that ends in remote access, credential theft and compromise of the network.
Threat hunters recently identified a series of intrusions targeting multiple organizations that began with a deluge of email spam. Once the target's inbox was flooded, the attackers contacted the victims by phone, pretending to be from an internal IT help desk. By offering to help resolve the spam issue, they convinced users to grant remote access to their computers through tools like Quick Assist or AnyDesk.
Once the attackers gained entry, they directed the victims to a fraudulent website hosted on Amazon Web Services that impersonated a Microsoft support page. The site prompted users to enter their email addresses and click a button to update their spam filter settings. This action triggered a script that displayed a fake password prompt, allowing the attackers to harvest credentials while maintaining the illusion of a legitimate technical repair.
The ultimate goal of this access was to deploy the Havoc Demon payload and move laterally through the network. In one instance, the researchers observed the adversary spreading to nine different endpoints within just eleven hours. The speed of this movement and the deployment of persistent remote management tools strongly indicated that the attackers were preparing for a major ransomware deployment or data theft.
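The chain above (inbox flooding, then a remote-assistance tool launched under the same user shortly afterward) is detectable from telemetry most organizations already collect. The following is an added example written for this article, not code from the report or the researchers: a correlation heuristic that flags recipients who receive an abnormal burst of mail and then checks whether Quick Assist or AnyDesk was started under that user within a few hours. The log format, the dataclasses, the thresholds (50 messages in 10 minutes, a 4-hour lookahead) and the sample events are all assumptions; it presumes the mail gateway recipient and the endpoint user field have been normalized to the same identity.

```python
"""Email bombing followed by a remote-assistance tool launch.
Added example for this article; not from the original report.
Log formats, thresholds and sample events are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Remote-assistance binaries the report names (Quick Assist, AnyDesk).
# Matched on image file name only; extend for your environment.
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}


@dataclass(frozen=True)
class MailEvent:
    ts: datetime
    recipient: str


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    user: str   # assumed normalized to the mail recipient address
    host: str
    image: str


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_email_bomb(mail_events, threshold=50, window=timedelta(minutes=10)):
    """Return {recipient: window_start} for recipients who received at least
    `threshold` messages inside any sliding window of length `window`."""
    by_rcpt = defaultdict(list)
    for ev in mail_events:
        by_rcpt[ev.recipient].append(ev.ts)
    hits = {}
    for rcpt, times in by_rcpt.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                hits[rcpt] = times[start]
                break
    return hits


def correlate_remote_tools(bomb_hits, process_events, lookahead=timedelta(hours=4)):
    """For each bombed recipient, find remote-assistance tools launched under
    that user within `lookahead` of the bombing start.
    Returns a list of (user, host, image, ts) tuples."""
    findings = []
    for ev in process_events:
        start = bomb_hits.get(ev.user)
        if start is None:
            continue
        if ev.image.lower() in REMOTE_TOOLS and start <= ev.ts <= start + lookahead:
            findings.append((ev.user, ev.host, ev.image, ev.ts))
    return findings


# Constructed sample data (not real telemetry): 60 messages to one user in
# five minutes, a normal trickle to a second user, then Quick Assist under
# the bombed user 40 minutes later and AnyDesk under an unrelated user.
BASE = parse_ts("2025-06-02T09:00:00")
MAIL = [MailEvent(BASE + timedelta(seconds=5 * i), "alice@corp.example") for i in range(60)]
MAIL += [MailEvent(BASE + timedelta(minutes=7 * i), "bob@corp.example") for i in range(6)]
PROCS = [
    ProcessEvent(parse_ts("2025-06-02T09:40:12"), "alice@corp.example", "WS-0117", "QuickAssist.exe"),
    ProcessEvent(parse_ts("2025-06-02T09:41:00"), "alice@corp.example", "WS-0117", "outlook.exe"),
    ProcessEvent(parse_ts("2025-06-02T10:05:33"), "carol@corp.example", "WS-0222", "AnyDesk.exe"),
]


def run_detection():
    """Run both stages over the constructed sample; only alice is flagged."""
    return correlate_remote_tools(detect_email_bomb(MAIL), PROCS)


if __name__ == "__main__":
    for user, host, image, ts in run_detection():
        print(f"ALERT {ts.isoformat()} {user} on {host}: {image} launched after email bombing")
```

The second stage is what keeps this from drowning in noise: a mail burst alone is common (mailing-list loops, newsletter sign-up floods), and help-desk staff launch Quick Assist legitimately, but the two on the same user within a short window is the exact sequence the report describes. In a real deployment the process events would come from EDR or Sysmon event ID 1, and a third stage could add the browser visit to the impersonated support page.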
The tactics used in these attacks bear a striking resemblance to the playbook of the Black Basta ransomware group, which was known for using email bombing and social engineering. Although that group has been less visible following a significant leak of their internal communications, their methods continue to be used effectively. This suggests that former members have joined new organizations or that other cybercriminals have simply adopted their successful strategies.
By combining social engineering with technical tools like the Havoc framework, these attackers have created a highly effective pipeline for breaching corporate defenses. The transition from a simple phone call to full network control happens rapidly, leaving organizations little time to react. This campaign serves as a reminder that the human element remains one of the most vulnerable points in modern network security.
Source: Fake Tech Support Spam Deploys Customized Havoc C2 Against All Organizations LLP