A new intrusion cluster uncovered by Huntress shows how fake tech support scams are evolving from nuisance fraud into full-scale network compromises.
In a new advisory published on Monday, Huntress investigators said they identified coordinated attacks across five partner organizations in February 2026 that began with email-based spam and follow-up phone calls from individuals posing as IT staff.
Victims were directed to fraudulent Microsoft-style landing pages (spoofed “Outlook Anti-spam Control Panels” hosted on Amazon AWS) and instructed to download a supposed patch.
Instead of resolving spam, the download reconstructed a staged malware payload that ultimately deployed a heavily modified version of the open-source Havoc command-and-control (C2) framework.
In one case, the attacker moved from the initial host to nine additional endpoints in 11 hours, suggesting objectives like ransomware and/or data exfiltration.
Modified Havoc Demon with EDR Evasion
According to Huntress, the attackers used legitimate remote access tools, including Quick Assist and third-party Remote Monitoring and Management (RMM) tools, to gain hands-on keyboard access before sideloading malicious Dynamic Link Libraries (DLLs).
The loaders used indirect system calls, via the Hell’s Gate and Halo’s Gate techniques, to bypass Endpoint Detection and Response (EDR) hooks in ntdll.dll: by extracting system service numbers at runtime and invoking syscalls directly, the malware sidestepped the userland monitoring controls that rely on those hooks.
Huntress also observed registry-stored fallback C2 infrastructure, a feature missing in stock Havoc and seemingly added to the software for malicious purposes. Encrypted host and port details were recoverable from specific Windows registry paths, allowing operators to restore connectivity if primary servers were disrupted.
The findings echo research published by Sophos in January this year linking similar social engineering and C2 techniques to activity associated with Black Basta and FIN7.
While Black Basta reportedly went dormant in late 2025 following law enforcement pressure, Huntress noted overlapping tactics, techniques, and procedures.