A coordinated social‑engineering campaign breached organisations through fake tech‑support calls, using a modified Havoc framework alongside legitimate remote management tools to establish a durable presence; the speed of lateral movement pointed to data exfiltration or ransomware deployment as the end goal.
Threat researchers have detailed a coordinated social‑engineering campaign in which attackers posed as technical support staff to gain remote control of corporate machines and deploy a modified Havoc command‑and‑control framework, setting the stage for data theft or ransomware. According to Huntress, investigators observed the intrusions in February 2026 across five partner organisations, where email spam was used to bait victims and follow‑up voice calls from a supposed IT desk converted that initial contact into hands‑on‑keyboard access.
Huntress analysts said the adversaries progressed quickly once inside, with one incident moving from the first compromised host to nine further endpoints within eleven hours, installing a mixture of customised Havoc “Demon” agents and legitimate remote monitoring and management software for persistence. “In one organization, the adversary moved from initial access to nine additional endpoints over the course of eleven hours, deploying a mix of custom Havoc Demon payloads and legitimate RMM tools for persistence, with the speed of lateral movement strongly suggesting the end goal was data exfiltration, ransomware, or both,” the researchers wrote.
The delivery chain combined classic social engineering with DLL sideloading and in‑memory shellcode execution. Victims were steered to counterfeit Microsoft pages hosted on cloud infrastructure and prompted to run an “anti‑spam” update; that action launched legitimate binaries which loaded malicious DLLs placed alongside them (the sideloading pattern), and those DLLs executed the Havoc payload. Huntress noted that the Demon payloads had been modified to keep fallback C2 addresses in the registry, so that losing the primary server did not end the operator’s access, and to issue indirect system calls in order to slip past endpoint detection and response (EDR) products.
Technical analysis indicates the malware employed evasion tricks normally associated with higher‑tier intrusions. One observed DLL used control‑flow obfuscation, deliberate timing delays and the Hell’s Gate and Halo’s Gate techniques, which recover system‑call numbers directly from the stubs in ntdll.dll so that the implant can invoke kernel services without passing through the user‑mode hooks that EDR products place on those functions; other campaign variants have leveraged the Microsoft Graph API and SharePoint hosting to deliver and control implants. FortiGuard Labs and other responders have flagged similar Havoc‑based approaches, including PowerShell‑orchestrated deployments and sandbox checks embedded in scripts.
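To make the Hell’s Gate, Halo’s Gate and indirect‑syscall mechanics above concrete, the following is an added example written for this article; it is not code from Huntress, from the campaign or from the Havoc project. It models, in portable C, how a system service number (SSN) is read from a clean ntdll.dll syscall stub, how a hooked stub is worked around by walking to its neighbours, and which instruction an indirect syscall jumps to. The stub table is constructed in the program to mimic the real x64 ntdll layout (32‑byte Zw* stubs laid out in ascending SSN order, `syscall` at offset 0x12); the starting SSN of 0x10 and the dummy hook displacement are assumptions, and the export‑table lookup a real implementation would do against a loaded ntdll is omitted so the code runs on any platform.

```c
/* Added example, not code from Huntress or from the campaign: a portable
 * model of Hell's Gate / Halo's Gate SSN recovery and the indirect-syscall
 * jump target. The stub table is CONSTRUCTED to mimic x64 ntdll layout
 * (32-byte Zw* stubs in ascending SSN order); no real ntdll is touched. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STUB_SIZE 32
#define NUM_STUBS 6
#define BASE_SSN  0x10u   /* assumed starting SSN for the constructed table */

static uint8_t g_table[NUM_STUBS * STUB_SIZE];

/* Clean x64 stub: mov r10,rcx ; mov eax,SSN ; test [SharedUserData+0x308],1 ;
 * jne ; syscall ; ret ; int 2Eh ; ret. Padding is int3 (0xCC). */
static void write_clean_stub(uint8_t *stub, uint32_t ssn)
{
    static const uint8_t tail[] = {
        0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,
        0x75, 0x03, 0x0F, 0x05, 0xC3, 0xCD, 0x2E, 0xC3 };
    memset(stub, 0xCC, STUB_SIZE);
    stub[0] = 0x4C; stub[1] = 0x8B; stub[2] = 0xD1; stub[3] = 0xB8;
    stub[4] = (uint8_t)(ssn & 0xFF); stub[5] = (uint8_t)((ssn >> 8) & 0xFF);
    stub[6] = 0x00; stub[7] = 0x00;
    memcpy(stub + 8, tail, sizeof tail);
}

/* Hooked stub: an EDR has overwritten the prologue with jmp rel32 to its
 * trampoline, so the SSN bytes are gone. The displacement is a dummy value. */
static void write_hooked_stub(uint8_t *stub)
{
    memset(stub, 0xCC, STUB_SIZE);
    stub[0] = 0xE9; stub[1] = 0x78; stub[2] = 0x56; stub[3] = 0x34; stub[4] = 0x12;
}

/* Hell's Gate: accept only the untouched prologue and read the SSN from it. */
static int hells_gate(const uint8_t *stub, uint32_t *ssn)
{
    if (stub[0] == 0x4C && stub[1] == 0x8B && stub[2] == 0xD1 && stub[3] == 0xB8 &&
        stub[6] == 0x00 && stub[7] == 0x00) {
        *ssn = (uint32_t)stub[4] | ((uint32_t)stub[5] << 8);
        return 1;
    }
    return 0;
}

/* Halo's Gate: if the stub is hooked, walk to neighbouring stubs; because
 * ntdll lays Zw* stubs out in SSN order, a clean stub k slots away gives
 * this stub's SSN by subtracting (above) or adding (below) k. */
static int halos_gate(const uint8_t *table, size_t n, size_t idx, uint32_t *ssn)
{
    const uint8_t *stub = table + idx * STUB_SIZE;
    uint32_t neighbour;
    if (hells_gate(stub, ssn))
        return 1;
    if (stub[0] != 0xE9)              /* neither clean nor a jmp hook */
        return 0;
    for (size_t k = 1; k < n; k++) {
        if (idx + k < n && hells_gate(table + (idx + k) * STUB_SIZE, &neighbour)) {
            *ssn = neighbour - (uint32_t)k;
            return 1;
        }
        if (idx >= k && hells_gate(table + (idx - k) * STUB_SIZE, &neighbour)) {
            *ssn = neighbour + (uint32_t)k;
            return 1;
        }
    }
    return 0;
}

/* Indirect syscall: rather than executing `syscall` from its own memory, the
 * implant jumps to the instruction inside a clean ntdll stub. Returns the
 * byte offset of 0F 05 in the stub, or -1 if the stub does not contain it. */
int find_syscall_gadget(const uint8_t *stub)
{
    for (int i = 0; i + 1 < STUB_SIZE; i++)
        if (stub[i] == 0x0F && stub[i + 1] == 0x05)
            return i;
    return -1;
}

/* Build the constructed table: SSNs 0x10..0x15, with stubs 2 and 3 hooked. */
void build_demo_table(void)
{
    for (size_t i = 0; i < NUM_STUBS; i++)
        write_clean_stub(g_table + i * STUB_SIZE, BASE_SSN + (uint32_t)i);
    write_hooked_stub(g_table + 2 * STUB_SIZE);
    write_hooked_stub(g_table + 3 * STUB_SIZE);
}

/* Resolve stub idx's SSN through Halo's Gate; -1 if it cannot be recovered. */
long resolve_demo_ssn(size_t idx)
{
    uint32_t ssn;
    build_demo_table();
    return halos_gate(g_table, NUM_STUBS, idx, &ssn) ? (long)ssn : -1L;
}

int demo_gadget_offset(size_t idx)
{
    build_demo_table();
    return find_syscall_gadget(g_table + idx * STUB_SIZE);
}

int main(void)
{
    build_demo_table();
    for (size_t i = 0; i < NUM_STUBS; i++)
        printf("stub %zu: %s ssn=0x%lx syscall@%d\n", i,
               g_table[i * STUB_SIZE] == 0xE9 ? "hooked" : "clean ",
               resolve_demo_ssn(i), demo_gadget_offset(i));
    return 0;
}
```

The point for defenders is that hooking one Zw* stub buys little: the two hooked stubs in the table still yield their SSNs from the clean neighbours, and because the `syscall` instruction is then executed from inside ntdll itself, return‑address checks that flag syscalls issued from outside ntdll are blunted as well. Kernel‑side telemetry (ETW Threat Intelligence, object and process callbacks) is not affected by any of this, which is why detection of this tradecraft should not rest on user‑mode hooks alone.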
The attackers did not rely solely on a single persistence mechanism. After initial compromise they created scheduled tasks to relaunch implants on reboot and, in several cases, installed legitimate RMM suites such as Level RMM and XEOX as secondary persistence vectors, complicating remediation. Industry observers say that this layering of legitimate tools and bespoke malware is increasingly common as adversaries seek durable footholds.
The campaign’s social‑engineering tactics mirror earlier campaigns that combined ‘email bombing’ with vishing over collaboration platforms, and multiple security vendors have reported comparable playbooks that exploit urgent‑looking inbox noise to prompt victims into granting remote access. Cyware’s roundups and government threat summaries underline that click‑to‑execute lures and DNS‑based payload retrieval techniques are also evolving, broadening the arsenal available to financially motivated groups.
The reuse of familiar tradecraft has prompted debate about attribution: defenders note overlaps with methods used by actors tied to Black Basta and other extortion groups, but say the same tactics can be recycled across different criminal crews. “What begins as a phone call from ‘IT support’ ends with a fully instrumented network compromise – modified Havoc Demons deployed across endpoints, legitimate RMM tools repurposed as backup persistence,” Huntress concluded, urging organisations to treat unsolicited support calls and unusual inbox traffic with heightened scepticism.
Source: Fuse Wire Services