Fake IT support Havoc campaign
Campaign
Summary
Hide ▲
Show ▼
A fake IT support campaign is using email spam, phone-based social engineering, and Havoc C2 to gain initial access, putting targeted organizations at risk of data exfiltration or ransomware. The operation has been identified across five partner organizations and can move from initial compromise to lateral movement in 11 hours. Attackers are combining remote-access abuse, DLL sideloading, and legitimate RMM tools to maintain persistence. The layered tradecraft increases the chance of successful intrusion and makes remediation harder.
Related Happenings
Scattered Spider reclassified as a decentralized collective of independent clusters
Threat Actor Meta
H score26
First: 07.07.2026 17:00
Last: 07.07.2026 17:00
Sources 1
About this happening:
**Scattered Spider** has been reclassified as a **decentralized cybercrime collective**, changing how its persistence and resilience are understood. The shift suggests **independe...
Scattered Spider reclassified as a decentralized collective of independent clusters
Threat Actor MetaAbout this happening: **Scattered Spider** has been reclassified as a **decentralized cybercrime collective**, changing how its persistence and resilience are understood. The shift suggests **independe...
DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure
Threat Actor Meta
H score26
First: 18.06.2026 16:30
Last: 18.06.2026 16:30
Sources 1
About this happening:
**Hackledorb** has **pivoted DragonForce** from a conventional **ransomware-as-a-service (RaaS)** model into a **formalized cartel structure**, signaling a more organized and dura...
DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure
Threat Actor MetaAbout this happening: **Hackledorb** has **pivoted DragonForce** from a conventional **ransomware-as-a-service (RaaS)** model into a **formalized cartel structure**, signaling a more organized and dura...
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor Meta
H score24
First: 11.06.2026 19:50
Last: 11.06.2026 19:50
Sources 1
About this happening:
**Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor MetaAbout this happening: **Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity
Malware Activity
H score16
First: 05.06.2026 21:09
Last: 05.06.2026 21:09
Sources 1
About this happening:
The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...
UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity
Malware ActivityAbout this happening: The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...
ModeloRAT malicious PowerShell and Dropbox delivery activity
Malware Activity
H score16
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...
ModeloRAT malicious PowerShell and Dropbox delivery activity
Malware ActivityAbout this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...
Timeline
-
03.03.2026 19:15 2 articles · 4mo ago
Fake IT support campaign delivers Havoc C2 to partner organizations
Initial DisclosureHuntress identified a fake IT support campaign across five partner organizations in which email spam lures were followed by phone calls from an IT desk, remote-access abuse through Quick Assist or AnyDesk, a counterfeit Microsoft page hosted on AWS, credential harvesting, DLL sideloading, and Havoc C2 deployment; researchers also noted Black Basta-like tradecraft, lateral movement to nine additional endpoints in one organization over eleven hours, and fallback persistence with Level RMM or XEOX to support possible data exfiltration or ransomware activity.
Show sources
- Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations — thehackernews.com — 03.03.2026 19:15
- Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations — thehackernews.com — 03.03.2026 19:15