Huntress researchers uncovered a coordinated campaign in which attackers impersonated IT support staff to deploy customized Havoc C2 payloads across five organizations — achieving lateral movement to nine additional endpoints within eleven hours. The Hacker News has the full report.

How It Works

The attack begins with a flood of spam email designed to overwhelm the target’s inbox. Attackers then phone victims directly, posing as IT support and convincing them to grant remote access through Quick Assist or AnyDesk. Once connected, the adversaries:

  1. Open a web browser to a fake AWS-hosted landing page mimicking Microsoft, tricking the user into entering credentials for a supposed “Outlook anti-spam rules update.”
  2. Use DLL sideloading through legitimate Windows binaries — including ADNotificationManager.exe, DLPUserAgent.exe, and Werfault.exe — to execute malicious DLLs with control flow obfuscation and Hell’s Gate techniques that evade EDR.
  3. Deploy customized Havoc Demon payloads and legitimate RMM tools (Level RMM, XEOX) for persistent access.
  4. Move laterally across the network rapidly, consistent with playbooks seen in past Black Basta ransomware operations.

Why It Matters

This campaign combines social engineering with advanced post-exploitation tooling to bypass both human judgment and endpoint defenses. The speed of lateral movement — nine hosts in under twelve hours — suggests the end goal is data exfiltration or ransomware deployment. The use of legitimate signed binaries for DLL sideloading makes detection significantly harder for traditional antivirus solutions.

What to Do

  • Restrict remote access tools. Block or monitor Quick Assist, AnyDesk, and similar RMM software that isn’t part of your approved toolset.
  • Train staff on callback phishing. Ensure employees know that IT support will never cold-call and ask for remote access after a spam flood.
  • Monitor for DLL sideloading. Alert on known-abused binaries like ADNotificationManager.exe or Werfault.exe loading unsigned DLLs.
  • Audit RMM tool installations. Flag any unexpected remote management agents (Level RMM, XEOX) appearing on endpoints.
  • Limit lateral movement. Enforce network segmentation, least-privilege access, and monitor for anomalous authentication patterns.
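One way to turn the "Monitor for DLL sideloading" item into detection logic, as an added example (not Huntress, Hacker News or vendor code): it walks Sysmon Event ID 7 (Image loaded) records, using Sysmon's own field names (Image, ImageLoaded, Signed, SignatureStatus), and flags any of the binaries named in the report loading a DLL that is unsigned or whose signature does not validate. It goes slightly beyond the page by treating an invalid signature the same as no signature; the sample events are constructed.

```python
"""Flag suspected DLL sideloading in Sysmon Event ID 7 (Image loaded) records.

Added example, not code from the report. Events are assumed to be exported as
dicts keyed by Sysmon's Event ID 7 field names; the sample events are constructed.
"""
from pathlib import PureWindowsPath

# Signed Windows binaries the report names as abused for sideloading.
WATCHED_BINARIES = {"adnotificationmanager.exe", "dlpuseragent.exe", "werfault.exe"}


def is_suspicious_load(event: dict) -> bool:
    """True when a watched binary loads a DLL that is unsigned or fails validation."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in WATCHED_BINARIES:
        return False  # not one of the abused hosts; out of scope for this rule
    signed = event.get("Signed", "").strip().lower() == "true"
    status = event.get("SignatureStatus", "").strip().lower()
    # Sysmon reports "Valid" for a good signature; anything else is worth an alert.
    return not signed or status != "valid"


def find_sideloads(events):
    """Return (process, dll) pairs for every suspicious load in an event stream."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_suspicious_load(e)]


# Constructed samples: a benign WerFault load, a copy of WerFault.exe loading an
# unsigned DLL from its own directory, a watched binary loading a DLL with a broken
# signature, and an unrelated process loading an unsigned DLL (ignored by this rule).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\example_signed.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\Libraries\WerFault.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\ADNotificationManager.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\notify.dll",
     "Signed": "true", "SignatureStatus": "Invalid"},
    {"Image": r"C:\Tools\other.exe",
     "ImageLoaded": r"C:\Tools\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for proc, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"ALERT: {proc} loaded {dll}")
```

The rule deliberately ignores unwatched processes so it stays quiet on ordinary unsigned-plugin noise; extend WATCHED_BINARIES as new abused hosts are reported.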