Havoc C2 Framework Deployed via Fake Tech Support Campaign
Summary
Threat actors impersonating IT support have deployed the Havoc C2 framework across multiple organizations using email spam and phone calls. The campaign, identified by Huntress, involved initial access followed by rapid lateral movement, suggesting data exfiltration or ransomware as the end goal. The attackers used a mix of custom Havoc Demon payloads and legitimate RMM tools for persistence. The tactics resemble those used by the Black Basta ransomware group, indicating possible affiliation or adoption of their methods. The attack chain begins with email spam, followed by a phone call from fake IT support. Victims are tricked into granting remote access, leading to the deployment of Havoc shellcode via DLL sideloading. The attackers also use legitimate RMM tools for persistence and employ defense evasion techniques to bypass security software.
Timeline
- 03.03.2026 19:15 · 1 article
Havoc C2 Framework Deployed via Fake Tech Support Campaign
Threat actors impersonating IT support deployed the Havoc C2 framework across multiple organizations using email spam and phone calls. The campaign involved initial access followed by rapid lateral movement, suggesting data exfiltration or ransomware as the end goal. The attackers used a mix of custom Havoc Demon payloads and legitimate RMM tools for persistence. The tactics resemble those used by the Black Basta ransomware group, indicating possible affiliation or adoption of their methods.
- Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations — thehackernews.com — 03.03.2026 19:15
Information Snippets
- Threat actors used email spam and phone calls to impersonate IT support and gain initial access.
  First reported: 03.03.2026 19:15 (1 source, 1 article)
  - Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations — thehackernews.com — 03.03.2026 19:15
- The Havoc C2 framework was deployed using custom Demon payloads and legitimate RMM tools for persistence.
  First reported: 03.03.2026 19:15 (1 source, 1 article)
  - Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations — thehackernews.com — 03.03.2026 19:15
- The attack chain involved tricking victims into granting remote access via Quick Assist or AnyDesk.
  First reported: 03.03.2026 19:15 (1 source, 1 article)
  - Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations — thehackernews.com — 03.03.2026 19:15
- A fake landing page hosted on AWS was used to harvest credentials and execute a malicious DLL.
  First reported: 03.03.2026 19:15 (1 source, 1 article)
  - Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations — thehackernews.com — 03.03.2026 19:15
- The malicious DLL used defense evasion techniques such as control flow obfuscation and timing-based delay loops.
  First reported: 03.03.2026 19:15 (1 source, 1 article)
  - Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations — thehackernews.com — 03.03.2026 19:15
- The attackers rapidly moved laterally across the victim environment, deploying Havoc Demon on multiple endpoints.
  First reported: 03.03.2026 19:15 (1 source, 1 article)
  - Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations — thehackernews.com — 03.03.2026 19:15
- The tactics resemble those used by the Black Basta ransomware group, suggesting possible affiliation or adoption of their methods.
  First reported: 03.03.2026 19:15 (1 source, 1 article)
  - Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations — thehackernews.com — 03.03.2026 19:15