Find notable cyber news and cases, enriched with sources, timelines, and signals.

Fake IT support Havoc campaign

Campaign
First reported
Last updated
Happening score
H score 32
1 unique sources, 1 articles

Summary

Hide ▲

A fake IT support campaign is using email spam, phone-based social engineering, and Havoc C2 to gain initial access, putting targeted organizations at risk of data exfiltration or ransomware. The operation has been identified across five partner organizations and can move from initial compromise to lateral movement in 11 hours. Attackers are combining remote-access abuse, DLL sideloading, and legitimate RMM tools to maintain persistence. The layered tradecraft increases the chance of successful intrusion and makes remediation harder.

Related Happenings

Scattered Spider reclassified as a decentralized collective of independent clusters

Threat Actor Meta
H score26 First: 07.07.2026 17:00 Last: 07.07.2026 17:00 Sources 1

About this happening: **Scattered Spider** has been reclassified as a **decentralized cybercrime collective**, changing how its persistence and resilience are understood. The shift suggests **independe...

DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure

Threat Actor Meta
H score26 First: 18.06.2026 16:30 Last: 18.06.2026 16:30 Sources 1

About this happening: **Hackledorb** has **pivoted DragonForce** from a conventional **ransomware-as-a-service (RaaS)** model into a **formalized cartel structure**, signaling a more organized and dura...

Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program

Threat Actor Meta
H score24 First: 11.06.2026 19:50 Last: 11.06.2026 19:50 Sources 1

About this happening: **Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...

UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity

Malware Activity
H score16 First: 05.06.2026 21:09 Last: 05.06.2026 21:09 Sources 1

About this happening: The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...

ModeloRAT malicious PowerShell and Dropbox delivery activity

Malware Activity
H score16 First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...

Timeline

  1. 03.03.2026 19:15 2 articles · 4mo ago

    Fake IT support campaign delivers Havoc C2 to partner organizations

    Initial Disclosure

    Huntress identified a fake IT support campaign across five partner organizations in which email spam lures were followed by phone calls from an IT desk, remote-access abuse through Quick Assist or AnyDesk, a counterfeit Microsoft page hosted on AWS, credential harvesting, DLL sideloading, and Havoc C2 deployment; researchers also noted Black Basta-like tradecraft, lateral movement to nine additional endpoints in one organization over eleven hours, and fallback persistence with Level RMM or XEOX to support possible data exfiltration or ransomware activity.

    Show sources