Fake IT support Havoc campaign
Campaign
Summary
A fake IT support campaign is using email spam, phone-based social engineering, and Havoc C2 to gain initial access, putting targeted organizations at risk of data exfiltration or ransomware. The operation has been identified across five partner organizations and can move from initial compromise to lateral movement in 11 hours. Attackers are combining remote-access abuse, DLL sideloading, and legitimate RMM tools to maintain persistence. The layered tradecraft increases the chance of successful intrusion and makes remediation harder.
Related Happenings
ModeloRAT malicious PowerShell and Dropbox delivery activity
Malware Activity
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...
Deed RAT and TernDoor multi-wave deployment
Malware Activity
First: 13.05.2026 16:00
Last: 13.05.2026 16:00
Sources 1
About this happening:
A **multi-wave malware deployment** delivered **Deed RAT (Snappybee)** and **TernDoor** into an **Azerbaijani oil and gas company** across **three waves**, creating repeated footh...
FamousSparrow multi-wave intrusion campaign against Azerbaijani oil and gas company
Campaign
First: 13.05.2026 16:00
Last: 13.05.2026 16:00
Sources 1
About this happening:
A **China-affiliated** actor tracked as **FamousSparrow (UAT-9244)** ran a **multi-wave intrusion** against an **unnamed Azerbaijani oil and gas company** from **late December 202...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
UNC6692 email bombing and Microsoft Teams impersonation campaign
Campaign
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 is running a **social-engineering campaign** that uses **email bombing** and **Microsoft Teams impersonation** to push targets toward remote access and initial compromise....
Timeline
03.03.2026 19:15 · 2 articles
Fake IT support campaign delivers Havoc C2 to partner organizations
Initial Disclosure: Huntress identified a fake IT support campaign across five partner organizations. Email spam lures were followed by phone calls from a purported IT help desk, remote-access abuse through Quick Assist or AnyDesk, a counterfeit Microsoft page hosted on AWS, credential harvesting, DLL sideloading, and Havoc C2 deployment. Researchers also noted Black Basta-like tradecraft, lateral movement to nine additional endpoints in one organization over eleven hours, and fallback persistence with Level RMM or XEOX to support possible data exfiltration or ransomware activity.
- Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations — thehackernews.com — 03.03.2026 19:15
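The disclosure above describes an ordered chain on a single host: a remote-access tool (Quick Assist or AnyDesk) is launched, a DLL is sideloaded, and an RMM agent (Level or XEOX) appears as fallback persistence, all within roughly eleven hours. The following is an added example, not code from Huntress or The Hacker News, showing how a detection engineer might correlate that sequence over endpoint telemetry. The process names (`anydesk.exe`, `quickassist.exe`, `level.exe`, `xeox-agent.exe`), the sideloading heuristic (a DLL loaded from the same untrusted directory as its host executable), the eleven-hour window and the sample events are all constructed assumptions for illustration.

```python
"""Correlate remote-access -> DLL sideload -> RMM install on one host (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMPTIONS: binary names for the tools named in the disclosure (not taken from it).
REMOTE_ACCESS_TOOLS = {"quickassist.exe", "anydesk.exe"}
RMM_TOOLS = {"level.exe", "xeox-agent.exe"}
# Directories where properly installed, signed code normally lives on Windows.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Disclosure: compromise to lateral movement within eleven hours; used as the window.
WINDOW = timedelta(hours=11)
STAGES = ["remote_access", "dll_sideload", "rmm_persistence"]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower() + "\\"


def _trusted(path):
    return path.lower().startswith(TRUSTED_DIRS)


def classify(ev):
    """Map one telemetry event to a campaign stage, or None if it is not interesting."""
    if ev["type"] == "process_create":
        name = _basename(ev["image"])
        if name in REMOTE_ACCESS_TOOLS:
            return "remote_access"
        if name in RMM_TOOLS:
            return "rmm_persistence"
    elif ev["type"] == "image_load":
        # Sideload heuristic (assumption): an EXE outside trusted dirs loads a DLL
        # sitting in its own directory, the classic drop-EXE-plus-DLL layout.
        if (not _trusted(ev["image"]) and not _trusted(ev["module"])
                and _dirname(ev["image"]) == _dirname(ev["module"])):
            return "dll_sideload"
    return None


def correlate(events, window=WINDOW):
    """Return {host: [(ts, stage), ...]} for hosts where all STAGES occur in order
    within `window` of the remote-access launch. Later-stage events that fall
    outside the window reset the chain, so a stale AnyDesk session alone is not a hit."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage))
    hits = {}
    for host, staged in by_host.items():
        idx, start, chain = 0, None, []
        for ts, stage in staged:
            if stage != STAGES[idx]:
                continue
            if idx == 0:
                start = ts
            elif ts - start > window:
                idx, start, chain = 0, None, []   # chain expired; wait for a fresh start
                continue
            chain.append((ts, stage))
            idx += 1
            if idx == len(STAGES):
                hits[host] = chain
                break
    return hits


def t(day, hh, mm):
    return datetime(2026, 3, day, hh, mm)


# Constructed sample telemetry (not real data): WS-A shows the full chain, WS-B is a
# legitimate AnyDesk user, WS-C lacks the remote-access stage, WS-D's RMM install
# lands 21 hours after the remote-access launch, outside the window.
U = "C:\\Users\\alice\\AppData\\Local\\Temp\\pkg\\"
SAMPLE_EVENTS = [
    {"host": "WS-A", "ts": t(1, 9, 0), "type": "process_create", "image": "C:\\Users\\alice\\Downloads\\AnyDesk.exe"},
    {"host": "WS-A", "ts": t(1, 10, 30), "type": "image_load", "image": U + "app.exe", "module": U + "version.dll"},
    {"host": "WS-A", "ts": t(1, 15, 0), "type": "process_create", "image": "C:\\ProgramData\\Level\\level.exe"},
    {"host": "WS-B", "ts": t(1, 9, 5), "type": "process_create", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"},
    {"host": "WS-B", "ts": t(1, 9, 6), "type": "image_load", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "module": "C:\\Windows\\System32\\version.dll"},
    {"host": "WS-C", "ts": t(1, 11, 0), "type": "image_load", "image": U + "app.exe", "module": U + "version.dll"},
    {"host": "WS-C", "ts": t(1, 12, 0), "type": "process_create", "image": "C:\\ProgramData\\xeox\\xeox-agent.exe"},
    {"host": "WS-D", "ts": t(1, 9, 0), "type": "process_create", "image": "C:\\Users\\bob\\Downloads\\QuickAssist.exe"},
    {"host": "WS-D", "ts": t(1, 10, 0), "type": "image_load", "image": U + "app.exe", "module": U + "version.dll"},
    {"host": "WS-D", "ts": t(2, 6, 0), "type": "process_create", "image": "C:\\ProgramData\\Level\\level.exe"},
]


def run_demo():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, chain in run_demo().items():
        print(host, " -> ".join(f"{stage}@{ts:%H:%M}" for ts, stage in chain))
```

In production the event source would be Sysmon or EDR process-creation and image-load telemetry; the heuristic for sideloading deliberately errs toward noise, so treat a hit as a triage lead to be confirmed against the tool-launch context (was the AnyDesk session user-initiated, does the sideloaded DLL match a known-good hash) rather than as a verdict.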