Cyber: Fake Tech Support Spam Deploys Customized Havoc C2 Across...
Threat hunters have called attention to a new campaign in which bad actors masqueraded as IT support staff to deliver the Havoc command-and-control (C2) framework as a precursor to data exfiltration or a ransomware attack.
The intrusions, identified by Huntress last month across five partner organizations, involved the threat actors using email spam as lures, followed by a phone call from an IT desk that activates a layered malware delivery pipeline.
"In one organization, the adversary moved from initial access to nine additional endpoints over the course of eleven hours, deploying a mix of custom Havoc Demon payloads and legitimate RMM tools for persistence, with the speed of lateral movement strongly suggesting the end goal was data exfiltration, ransomware, or both," researchers Michael Tigges, Anna Pham, and Bryan Masters said.
It's worth noting that the modus operandi is consistent with email bombing and Microsoft Teams phishing attacks orchestrated by threat actors associated with the Black Basta ransomware operation in the past. While the cybercrime group appears to have gone silent following a public leak of its internal chat logs last year, the continued presence of the group's playbook suggests two possible scenarios.
One possibility is that former Black Basta affiliates have moved on to other ransomware operations and are using them to mount fresh attacks; the other is that rival threat actors have adopted the same strategy to conduct social engineering and obtain initial access.
The attack chain begins with a spam campaign aiming to overwhelm a target's inboxes with junk emails. In the next step, the threat actors, masquerading as IT support, contact the recipients and trick them into granting remote access to their machines either via a Quick Assist session or by installing tools like AnyDesk to help remediate the problem.
With the access in place, the adversary wastes no time launching the web browser and navigating to a fake landing page hosted on Amazon Web Services (AWS) that impersonates Microsoft and instructs the victim to enter their email address to access Outlook's anti-spam rules update system and update the spam rules.
Clicking a button to "Update rules configuration" on the counterfeit page triggers the execution of a script that displays an overlay asking the user to enter their password.
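For defenders, the first two stages described above (a mail flood, then a Quick Assist or AnyDesk session on the same user's machine) can be correlated in telemetry. The following is an added example, not code from Huntress or the original article; the thresholds, the event tuple layouts, and the mapping of a mailbox to an endpoint user are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values, not taken from the report.
FLOOD_COUNT = 50                       # inbound mails to one mailbox...
FLOOD_WINDOW = timedelta(minutes=30)   # ...inside this sliding window
FOLLOW_UP = timedelta(hours=4)         # remote tool launch this soon after a flood
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}  # tools named in the article

def flood_times(mail_events):
    """Map each recipient to the times its sliding-window mail count was at or over the threshold."""
    recent, floods = defaultdict(deque), defaultdict(list)
    for ts, user in sorted(mail_events):
        window = recent[user]
        window.append(ts)
        while ts - window[0] > FLOOD_WINDOW:
            window.popleft()
        if len(window) >= FLOOD_COUNT:
            floods[user].append(ts)
    return floods

def correlate(mail_events, process_events):
    """Alert on remote-assistance launches that follow a mail flood for the same user."""
    floods = flood_times(mail_events)
    alerts = []
    for ts, user, host, image in sorted(process_events):
        if image.lower() not in REMOTE_TOOLS:
            continue
        prior = [f for f in floods.get(user, []) if timedelta(0) <= ts - f <= FOLLOW_UP]
        if prior:
            alerts.append({"user": user, "host": host, "tool": image,
                           "flood_at": prior[0], "launched_at": ts})
    return alerts

def sample():
    """Constructed events: alice is mail-bombed then opens Quick Assist; bob is not flooded."""
    t0 = datetime(2025, 1, 15, 9, 0)
    mail = [(t0 + timedelta(seconds=20 * i), "alice@example.com") for i in range(60)]
    mail += [(t0 + timedelta(minutes=10 * i), "bob@example.com") for i in range(12)]
    procs = [
        (t0 + timedelta(minutes=45), "alice@example.com", "WS-ALICE", "QuickAssist.exe"),
        (t0 + timedelta(minutes=50), "bob@example.com", "WS-BOB", "AnyDesk.exe"),
        (t0 + timedelta(minutes=55), "alice@example.com", "WS-ALICE", "chrome.exe"),
    ]
    return mail, procs

if __name__ == "__main__":
    for alert in correlate(*sample()):
        print(alert)
```

Bob's AnyDesk launch is not flagged because his mailbox never crossed the flood threshold, which keeps routine remote-support use out of the alert queue.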
"This mechanism serves two purposes: it allows the threat actor (TA) to harvest credentials, which, when combined with the required email ad
Source: The Hacker News