New Social Engineering Attack Installs Havoc Malware on Corporate Networks


Fake IT Support Calls Used to Deploy Havoc Malware in Targeted Cyber Attacks

Security researchers have uncovered a new cyberattack campaign in which attackers pose as IT support staff to trick victims into granting remote access to their systems. Once inside the network, the attackers deploy the Havoc command-and-control framework, which can be used to steal sensitive data or prepare systems for ransomware attacks.

Threat hunters discovered the activity across multiple organizations during investigations into suspicious security incidents. The attacks relied heavily on social engineering techniques combined with malware delivery, allowing the attackers to quickly expand their access inside victim environments.


Attack Begins With Email Flooding and Social Engineering

The campaign typically starts with an email bombing attack, where the target receives a large number of spam messages within a short period of time.

After overwhelming the victim’s inbox, the attackers contact the individual by phone while pretending to be part of the organization’s IT help desk. During the call, they claim they are helping resolve the spam problem.

Victims are then persuaded to grant remote access to their computer using tools such as:

  • Quick Assist
  • AnyDesk

Once the attacker gains control of the device, they begin the next stage of the attack.


Fake Microsoft Page Used to Steal Credentials

After accessing the victim’s system, the attackers open a web browser and direct the user to a fraudulent webpage designed to look like a Microsoft service.

The page claims that the user must update Outlook’s spam filtering rules. Victims are asked to enter their email address and follow a prompt to “update” their anti-spam settings.

When the victim clicks the update button, a script runs that displays a prompt requesting their account password.

This tactic allows attackers to collect login credentials while making the entire process appear legitimate.


Malware Delivered Through DLL Side-Loading

The attackers then download what appears to be a legitimate update file. In reality, the file launches a legitimate Windows binary such as:

  • ADNotificationManager.exe
  • DLPUserAgent.exe
  • WerFault.exe

These legitimate programs are abused to load a malicious DLL through a technique known as DLL side-loading, in which a trusted executable loads an attacker-supplied library in place of the one it expects.

The malicious library executes shellcode that installs the Havoc Demon agent, a remote control implant that allows attackers to manage infected machines.
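From the defender's side, the side-loading stage leaves a distinctive trace: one of the named host binaries loads a DLL from a path where neither it nor its libraries normally live, or loads an unsigned DLL. The following check is an added example written for this article, not code from the researchers or from the campaign; it runs over Sysmon-style image-load records (Event ID 7 carries Image, ImageLoaded and Signed fields) in a simplified key=value line format. The three host binary names come from the article; the record format, the trusted-directory list and every sample path are constructed for the example.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load records.

Added defender example (not the article's or the researchers' code).
Record format, trusted-directory list and sample paths are constructed;
the host binary names are the ones the article reports being abused.
"""
import ntpath  # Windows path handling that also works when run on Linux/macOS

# Binaries the article reports being used as side-loading hosts.
SIDELOAD_HOSTS = {"adnotificationmanager.exe", "dlpuseragent.exe", "werfault.exe"}

# Where a genuine copy of these binaries and their DLLs normally lives (assumption).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def in_trusted_dir(path: str) -> bool:
    """True if the path sits under one of the trusted directories."""
    return path.lower().startswith(TRUSTED_DIRS)


def parse_event(line: str) -> dict:
    """Parse a constructed 'Key=Value|Key=Value' image-load record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def sideload_reason(ev: dict):
    """Return why the record looks like side-loading, or None if it does not."""
    host = ev.get("Image", "")
    dll = ev.get("ImageLoaded", "")
    host_name = ntpath.basename(host).lower()
    if host_name not in SIDELOAD_HOSTS or not dll.lower().endswith(".dll"):
        return None
    # A copy of the host binary running from a user-writable location.
    if not in_trusted_dir(host):
        return f"{host_name} running from untrusted path {host}"
    # The host is genuine but the DLL came from somewhere it should not.
    if not in_trusted_dir(dll):
        return f"{host_name} loaded DLL from untrusted path {dll}"
    # Right location, but the library is not signed.
    if ev.get("Signed", "").lower() != "true":
        return f"{host_name} loaded unsigned DLL {dll}"
    return None


def scan(lines):
    """Return (record_number, reason) for every suspicious record."""
    hits = []
    for n, line in enumerate(lines, 1):
        reason = sideload_reason(parse_event(line))
        if reason:
            hits.append((n, reason))
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\WerFault.exe|ImageLoaded=C:\\Windows\\System32\\faultrep.dll|Signed=true",
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\WerFault.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\faultrep.dll|Signed=false",
    "Image=C:\\Program Files\\Vendor\\DLPUserAgent.exe|ImageLoaded=C:\\Users\\Public\\dlpsvc.dll|Signed=false",
    "Image=C:\\Program Files\\Vendor\\ADNotificationManager.exe|ImageLoaded=C:\\Program Files\\Vendor\\adnotify.dll|Signed=false",
    "Image=C:\\Windows\\System32\\notepad.exe|ImageLoaded=C:\\Users\\Public\\other.dll|Signed=false",
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_EVENTS):
        print(f"record {n}: {reason}")
```

Records 2, 3 and 4 are flagged for three different reasons (relocated host binary, DLL outside trusted directories, unsigned DLL in the right place); record 1 is a normal WerFault load and record 5 is ignored because notepad.exe is not on the watch list. In production the watch list should be driven by the vendor's published side-loading research rather than a hard-coded set, and the Signed field should be combined with the signer name, since a self-signed DLL also reports as signed.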


Advanced Techniques Used to Avoid Detection

The malware used in this campaign includes several advanced techniques designed to evade security software.

Researchers observed that the malicious DLL uses methods such as:

  • Control flow obfuscation
  • Time-based execution delays
  • Direct system call techniques such as Hell’s Gate and Halo’s Gate

These approaches allow the malware to bypass endpoint detection and response (EDR) tools and avoid triggering common security alerts.


Rapid Spread Across the Network

After gaining access to the initial machine, attackers quickly begin moving through the network.

In one documented case, attackers spread from the first compromised device to nine additional endpoints within approximately eleven hours.

To maintain access, the attackers create scheduled tasks that automatically launch the Havoc malware whenever the system restarts.


Legitimate IT Tools Used to Maintain Control

In addition to deploying malware, the attackers sometimes install legitimate remote monitoring and management (RMM) software on compromised machines.

These tools include:

  • Level RMM
  • XEOX

Using legitimate software helps attackers blend their activity into normal administrative operations while maintaining persistent access.
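Both persistence mechanisms described above, the scheduled tasks that relaunch the implant at restart and the installation of RMM agents, show up in ordinary endpoint telemetry. The script below is an added example written for this article (not the researchers' code and not any RMM vendor's tooling) that applies two checks to constructed process-creation and software-install records: a scheduled task created with schtasks that runs a program from outside trusted directories at boot or logon, and an install of an RMM product that is not on the organization's approved list. The product names come from the article; the record format, the hypothetical APPROVED_RMM allowlist and all sample values are assumptions made for the example.

```python
"""Two defender checks for the persistence tactics described in the article.

Added example, not code from the article, the researchers or any vendor.
Record format, the APPROVED_RMM allowlist and all sample values are
constructed; the RMM product names are the ones the article reports.
"""
import re

# Deliberately narrow: C:\Windows\Temp and similar are user-writable (assumption).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# RMM products the article reports being abused, matched as substrings of the
# installed product name. APPROVED_RMM is a hypothetical allowlist of what the
# organization actually sanctions.
RMM_PRODUCTS = ("level", "xeox", "anydesk")
APPROVED_RMM = {"anydesk"}

CREATE_RE = re.compile(r"(?i)schtasks(\.exe)?\b.*?/create\b")
TR_ARG = re.compile(r'(?i)/tr\s+(?:"([^"]+)"|(\S+))')  # quoted or bare target
SC_ARG = re.compile(r"(?i)/sc\s+(\w+)")
BOOT_TRIGGERS = {"onstart", "onlogon"}


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def parse_event(line: str) -> dict:
    """Parse a constructed 'Key=Value|Key=Value' record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def suspicious_task(ev: dict):
    """Flag 'schtasks /create' that runs untrusted code at boot or logon."""
    if ev.get("Type") != "ProcessCreate":
        return None
    cmd = ev.get("CommandLine", "")
    if not CREATE_RE.search(cmd):
        return None
    m = TR_ARG.search(cmd)
    target = (m.group(1) or m.group(2)) if m else ""
    s = SC_ARG.search(cmd)
    trigger = s.group(1).lower() if s else ""
    if trigger in BOOT_TRIGGERS and target and not in_trusted_dir(target):
        return f"{trigger} task runs {target}"
    return None


def unapproved_rmm(ev: dict):
    """Flag installs of RMM products that are not on the approved list."""
    if ev.get("Type") != "SoftwareInstall":
        return None
    product = ev.get("Product", "").lower()
    for name in RMM_PRODUCTS:
        if name in product and name not in APPROVED_RMM:
            return f"unapproved RMM product installed: {ev['Product']}"
    return None


def scan(lines):
    """Return (record_number, reason) for every record a check flags."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        for check in (suspicious_task, unapproved_rmm):
            reason = check(ev)
            if reason:
                hits.append((n, reason))
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    'Type=ProcessCreate|User=CORP\\alice|CommandLine=schtasks.exe /create /tn "OneDrive Update" /tr "C:\\Users\\alice\\AppData\\Roaming\\upd\\WerFault.exe" /sc onstart /ru SYSTEM',
    'Type=ProcessCreate|User=CORP\\svc_backup|CommandLine=schtasks.exe /create /tn Backup /tr "C:\\Program Files\\Backup\\backup.exe" /sc daily /st 02:00',
    "Type=ProcessCreate|User=CORP\\bob|CommandLine=schtasks.exe /query /tn Backup",
    "Type=SoftwareInstall|User=CORP\\alice|Product=Level",
    "Type=SoftwareInstall|User=CORP\\helpdesk|Product=AnyDesk",
    "Type=SoftwareInstall|User=CORP\\alice|Product=XEOX Agent",
    "Type=SoftwareInstall|User=CORP\\bob|Product=Microsoft Edge",
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_EVENTS):
        print(f"record {n}: {reason}")
```

Record 1 is flagged because the task fires at start-up and points into a user profile; record 2 is a daily task under Program Files and passes. Records 4 and 6 are RMM installs not on the allowlist, while AnyDesk in record 5 is treated as sanctioned. The substring match on product names is intentionally loose and will need tuning against a real software inventory; scheduled tasks created through the Task Scheduler API rather than schtasks.exe are not visible to this check and should be covered separately by Security event 4698.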


Possible Links to Black Basta Ransomware Techniques

Researchers say the tactics used in this campaign closely resemble previous attacks associated with the Black Basta ransomware group.

That criminal organization previously used similar methods involving:

  • email bombing
  • impersonation of IT staff
  • remote access tools

Although the group appeared to disappear after internal chat logs were leaked last year, investigators believe former members or other cybercriminals may now be using the same strategy.


Attackers Moving Faster and Using More Sophisticated Techniques

Security experts warn that modern cybercriminal operations are becoming faster and more complex.

The campaign highlights several concerning trends:

  • attackers using phone calls and social engineering to gain trust
  • advanced malware evasion techniques becoming more common
  • legitimate IT tools being abused to maintain persistence
  • rapid lateral movement across networks after initial compromise

What begins as a simple phone call from someone claiming to be technical support can quickly turn into a full network breach.


Key Lessons for Organizations

Security teams should be aware that attackers may impersonate internal support staff to gain access to employee systems.

Organizations can reduce risk by:

  • training employees to verify IT support requests
  • restricting remote access tools
  • monitoring suspicious installation of RMM software
  • implementing strong endpoint detection solutions

These measures can help prevent attackers from turning a social engineering attempt into a widespread network compromise.