
The attack demonstrates how easily trusted‑support impersonation can bypass traditional defenses, raising the risk of rapid, multi‑vector compromises for enterprises. It forces security teams to rethink verification processes and detection of DLL sideloading and rogue RMM usage.
The campaign illustrates how cybercriminals are refining social‑engineering playbooks by posing as internal IT help desks. By flooding inboxes with spam and following up with phone calls, attackers increase credibility and coax users into granting remote access through tools such as Quick Assist or AnyDesk. Once a session is opened, victims are redirected to a counterfeit Microsoft‑styled landing page hosted on AWS, where credentials are harvested and a malicious “anti‑spam” update is triggered. This multi‑stage lure blurs the line between legitimate support and intrusion, raising the bar for user awareness.
The technical core of the intrusion relies on the Havoc command‑and‑control framework, specifically the Havoc Demon agent. Attackers sideload a malicious DLL into trusted Windows binaries such as ADNotificationManager.exe, leveraging control‑flow obfuscation, timing‑based delay loops, and the Hell’s Gate/Halo’s Gate techniques to hijack ntdll.dll functions and evade endpoint detection. Once the DLL executes, it spawns a thread that loads the Havoc shellcode, establishing persistent remote access. The adversaries further diversify persistence by deploying legitimate remote‑monitoring and management solutions like Level RMM and XEOX, complicating forensic attribution.
For defenders, the campaign underscores the necessity of verifying any unsolicited IT support request through independent channels before granting remote control. Email filtering alone cannot stop the follow‑up phone call that completes the social‑engineering loop, so organizations should enforce multi‑factor authentication for privileged tools and monitor for anomalous RMM deployments. Detecting DLL sideloading requires behavioral analytics that flag unexpected child processes and unusual library loads. As threat actors continue to blend commodity malware with custom evasion, a layered defense strategy combining user education, strict access policies, and advanced endpoint telemetry becomes essential to mitigate similar attacks.
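As an added example (not code from the article or from the researchers it summarises), the following Python triage runs over constructed Sysmon-style event records and flags the two behaviours this paragraph asks defenders to watch for: a signed Windows binary loading an unsigned DLL from its own or a user-writable directory, and a process launch whose image name matches an assumed watchlist of remote-support tools. The field names, sample paths and the watchlist are assumptions for the example.

```python
"""Added toy detector for two behaviours the article calls out: a trusted Windows
binary sideloading an unsigned DLL, and unsanctioned RMM tool launches. Events mimic
Sysmon image-load / process-create records; field names and watchlist are assumed."""
from pathlib import PureWindowsPath

TRUSTED_DIRS = ("c:/windows/system32", "c:/windows/syswow64", "c:/program files")
WRITABLE_DIRS = ("/users/", "/appdata/", "/temp/", "/downloads/", "/programdata/")
UNSANCTIONED_RMM = ("anydesk", "quickassist", "level", "xeox")  # assumed watchlist

def _norm(path):  # lower-case forward-slash form for prefix matching
    return PureWindowsPath(path).as_posix().lower()

def sideload_suspect(ev):
    """Signed image loading an unsigned DLL from outside TRUSTED_DIRS, either from
    its own directory (classic sideloading) or from a user-writable location."""
    if ev["event"] != "image_load" or not ev["image_signed"] or ev["dll_signed"]:
        return False
    dll, image = _norm(ev["dll"]), _norm(ev["image"])
    if dll.startswith(TRUSTED_DIRS):
        return False
    same_dir = dll.rsplit("/", 1)[0] == image.rsplit("/", 1)[0]
    return same_dir or any(marker in dll for marker in WRITABLE_DIRS)

def rmm_suspect(ev):
    """Process creation whose image name matches the RMM watchlist (name matching
    is a first cut; a signer/hash allowlist belongs in production)."""
    if ev["event"] != "process_create":
        return False
    return any(tag in PureWindowsPath(ev["image"]).name.lower() for tag in UNSANCTIONED_RMM)

def triage(events):
    """Return (event index, rule name) for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        if sideload_suspect(ev):
            hits.append((i, "dll_sideload"))
        if rmm_suspect(ev):
            hits.append((i, "unsanctioned_rmm"))
    return hits

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"event": "image_load", "image": r"C:\Windows\System32\svchost.exe",
     "image_signed": True, "dll": r"C:\Windows\System32\ntdll.dll", "dll_signed": True},
    {"event": "image_load", "image": r"C:\Users\victim\AppData\Local\Temp\ADNotificationManager.exe",
     "image_signed": True, "dll": r"C:\Users\victim\AppData\Local\Temp\example_sideloaded.dll",
     "dll_signed": False},
    {"event": "process_create", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # [(1, 'dll_sideload'), (2, 'unsanctioned_rmm')]
```

The sideload rule deliberately stays quiet for signed DLLs and for anything under the trusted directories, so the svchost/ntdll record passes while the signed binary loading an unsigned DLL from Temp does not.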