Threat hunters have flagged a new campaign in which actors pose as fake IT support to deliver the Havoc command-and-control (C2) framework as a prelude to data exfiltration or ransomware. The intrusions were identified by Huntress last month across five partner organisations, with attackers using email spam lures followed by a phone call from a fake IT desk to initiate a layered malware delivery pipeline.
In one organisation, the adversary progressed from initial access to nine additional endpoints within eleven hours, deploying custom Havoc Demon payloads and legitimate Remote Monitoring and Management (RMM) tools for persistence, which suggests a rapid end goal of data exfiltration and/or ransomware. The attack chain hinges on social engineering, DLL sideloading and a fake landing page hosted on AWS that imitates Microsoft, prompting victims to enter their email address to access a purported Outlook anti-spam rules update system.
According to Huntress, the operation also involves downloading an anti-spam patch to trigger legitimate binaries and load Havoc into the environment, with techniques like defence evasion and the use of scheduled tasks to maintain persistence across reboots.
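Two of the behaviours named above, DLL sideloading by a legitimate binary and scheduled-task persistence, leave recognisable traces in endpoint telemetry. The detection sketch below is an added example written for this page; it is not code from Huntress or from the article, and it does not reproduce any indicator from the campaign. It runs over constructed image-load and task-creation records (the field names, hosts, paths and task names are all made up for illustration) and flags a trusted-looking executable loading a DLL from a user-writable directory, and a new scheduled task whose command runs from such a directory.

```python
"""
Detection sketch (added example, not from Huntress or the article): scan constructed
Windows telemetry for two behaviours: DLL sideloading (a binary loading a DLL that
sits beside it in a user-writable directory, or that is unsigned, instead of the
system copy) and scheduled-task persistence (a task whose action runs from a
user-writable path). All records, paths and names below are constructed.
"""
import re
from dataclasses import dataclass

# Directories an ordinary user can write to; code executed or loaded from here warrants review.
USER_WRITABLE = re.compile(
    r"^C:\\(Users\\[^\\]+\\AppData|ProgramData|Users\\Public|Windows\\Temp)\\", re.I
)
SYSTEM_DIRS = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def check_image_load(ev):
    # Sideloading pattern: the loaded DLL lives in a user-writable directory and either
    # sits in the same folder as the loading executable or carries no valid signature.
    image, dll = ev["Image"], ev["ImageLoaded"]
    if not dll.lower().endswith(".dll"):
        return None
    same_dir = image.rsplit("\\", 1)[0].lower() == dll.rsplit("\\", 1)[0].lower()
    if USER_WRITABLE.search(dll) and (same_dir or ev.get("Signed") == "false"):
        return Finding("dll_sideload", ev["Host"],
                       f"{image} loaded {dll} (Signed={ev.get('Signed')})")
    return None


def check_task_create(ev):
    # Persistence pattern: a newly created scheduled task whose command runs from a
    # user-writable path rather than a system directory.
    cmd = ev["Command"]
    if USER_WRITABLE.search(cmd) and not SYSTEM_DIRS.search(cmd):
        return Finding("sched_task_userwritable", ev["Host"],
                       f"task {ev['TaskName']} ({ev.get('Trigger')}) runs {cmd}")
    return None


def scan(events):
    """Return the list of findings for a sequence of telemetry records."""
    findings = []
    for ev in events:
        if ev["EventType"] == "ImageLoad":
            f = check_image_load(ev)
        elif ev["EventType"] == "TaskCreate":
            f = check_task_create(ev)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry (hypothetical hosts and paths, not real indicators).
SAMPLE_EVENTS = [
    {"EventType": "ImageLoad", "Host": "ws01",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},        # benign
    {"EventType": "ImageLoad", "Host": "ws01",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update\legit.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update\version.dll",
     "Signed": "false"},                                                        # sideload
    {"EventType": "TaskCreate", "Host": "ws01",
     "TaskName": r"\Microsoft\Windows\Updater",
     "Command": r"C:\ProgramData\update\legit.exe", "Trigger": "AtLogon"},        # persistence
    {"EventType": "TaskCreate", "Host": "ws02",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Command": r"C:\Windows\System32\defrag.exe -c", "Trigger": "Weekly"},       # benign
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run as-is it reports the sideload on ws01 and the AppData-rooted task, and stays quiet on the two benign records. The same two checks map directly onto Sysmon Event ID 7 (image load) and Security Event ID 4698 (scheduled task created) if you feed real telemetry in; the same-directory test is what separates a sideload from an ordinary plugin load, and the user-writable-path test is what separates attacker persistence from tasks shipped with Windows.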