Fake Tech Support Deploys Havoc C2 in Targeted Intrusions
Fake tech support scams have evolved from simple extortion schemes into sophisticated vectors for deploying advanced command-and-control (C2) frameworks, such as a modified Havoc Demon.
In February 2026, the security firm Huntress reported a cluster of intrusions across five of its partner organizations in which attackers combined spam floods, vishing calls, and layered malware to compromise networks within hours.
Attack Chain Overview
The intrusions began with spam campaigns that flooded victim inboxes, followed by phone calls from impostor “IT support” staff. Posing as Microsoft technicians offering to fix “Outlook antispam” issues, the callers talked users into granting remote access through tools such as Quick Assist or AnyDesk.
Once connected, the adversaries directed victims to a fraudulent AWS-hosted “Outlook Antispam Control Panel” and had them download an “Antispam Patch”: a split ZIP archive reassembled on disk under %PROGRAMDATA%\Adobe\ARM\, containing legitimate signed binaries such as ADNotificationManager.exe alongside malicious DLLs such as vcruntime140_1.dll.
The malicious DLLs were sideloaded by signed executables (e.g., DLPUserAgent.exe, WerFault.exe): their export forwarding tables proxied the real DLL's exports so the host program kept working while the malicious entry point ran. Obfuscation through trampolines, Hell's Gate syscall-number resolution, and a Halo's Gate fallback for hooked stubs let the code avoid EDR user-mode hooks on functions such as NtAllocateVirtualMemory.
Loader Dissection
Two loader variants appeared: a heavily obfuscated vcruntime140_1.dll and the simpler, UPX-packed mpclient.dll/faultrep.dll.
Both decrypted the Havoc shellcode from the license.key file with the same ChaCha20 key (06 83 33 23 c5 e3 1a 82 73 be 47 b0 df 70 b9 4c c8 f3 8d 44 35 93 3b 91 81 1d 8b dd 95 26 8f 86), falling back to a copy stored in the registry under HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\UXMP.
The advanced loader additionally borrowed code paths from ESET software to masquerade as a legitimate product and inserted roughly four-million-iteration busy loops to exhaust emulators. Both variants installed Detours hooks on ntdll!RtlExitUserProcess, which traps the call in an endless loop of 5-second sleeps so the host process never exits, and on ntdll!LdrUnloadDll, which returns success without unloading the module.
A reflective PE loader (loader_vcruntime140_1.dll) then spawned threads to run the Demon shellcode in target processes such as notepad.exe.
| Loader | Packing | Obfuscation | Syscall Evasion | Anti-Analysis |
|---|---|---|---|---|
| vcruntime140_1.dll | None | 29-stage trampolines, Hell’s/Halo’s Gate | Direct syscalls via NtAddBootEntry gadget | ESET masquerading, tight loops |
| mpclient.dll | UPX | Minimal | Standard imports | Detours hooks only |
Havoc Demon Modifications
The core payload was a customized Havoc C2 agent (forked from @C5pider's archived repository) delivered as position-independent shellcode through KaynLdr. Initialization resolved NTAPI functions by seeded DJB2 hash (seeds 0x2673 and 0x16AA) rather than by name, then manually mapped the embedded demon.x64.dll.
Indirect syscalls evaded EDR hooks by reading the system service number (SSN) out of each ntdll stub (the mov r10, rcx; mov eax, <SSN>; syscall pattern) and then jumping to a single shared syscall gadget inside NtAddBootEntry for all roughly 36 APIs, so the syscall instruction itself always executes from ntdll's address range. Where a stub had been overwritten by a hook, a Halo's Gate walk derived the SSN from the distance to the nearest clean neighbour.
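The hash-then-resolve path the last two paragraphs describe, as an added Python example (not code from the Huntress report or from Havoc): a seeded DJB2 lookup over a constructed mini export table, Hell's Gate extraction of the SSN from a clean stub, a Halo's Gate walk to the nearest clean neighbour when a stub's first bytes have been replaced by a hook, and the offset of the shared syscall instruction inside NtAddBootEntry. The export order, SSNs, 32-byte stub layout and the set of hooked stubs are all constructed here; real SSNs differ per Windows build, and whether Havoc's DJB2 variant upper-cases names before hashing is not stated on the page, so this version hashes the name as-is.

```python
import struct

STUB_SIZE = 32   # x64 ntdll lays Nt* stubs out 32 bytes apart in SSN order (what Halo's Gate relies on)

def djb2(name: bytes, seed: int) -> int:
    """Seeded DJB2: h = h*33 + c per byte. The seed replaces the classic 5381 (assumed to be the only change)."""
    h = seed & 0xFFFFFFFF
    for c in name:
        h = ((h << 5) + h + c) & 0xFFFFFFFF
    return h

def make_stub(ssn: int, hooked: bool = False) -> bytes:
    """Constructed stub: mov r10,rcx ; mov eax,<SSN> ; syscall ; ret, padded to STUB_SIZE.
    A hooked stub has its first five bytes replaced by a jmp rel32, which also clobbers the low SSN byte."""
    body = b"\x4c\x8b\xd1\xb8" + struct.pack("<I", ssn) + b"\x0f\x05\xc3"
    if hooked:
        body = b"\xe9\x00\x00\x00\x00" + body[5:]
    return body.ljust(STUB_SIZE, b"\xcc")

def build_fake_ntdll(names, hooked=frozenset()):
    """Returns (text bytes, {export name: stub index}); index == SSN by construction."""
    text = b"".join(make_stub(i, n in hooked) for i, n in enumerate(names))
    return text, {n: i for i, n in enumerate(names)}

def stub_at(text: bytes, idx: int) -> bytes:
    return text[idx * STUB_SIZE:(idx + 1) * STUB_SIZE]

def hells_gate(stub: bytes):
    """Hell's Gate: read the SSN from an intact stub; None if the prologue has been tampered with."""
    if stub[:4] == b"\x4c\x8b\xd1\xb8" and stub[8:10] == b"\x0f\x05":
        return struct.unpack("<I", stub[4:8])[0]
    return None

def halos_gate(text: bytes, idx: int):
    """Halo's Gate: walk up and down to the nearest clean stub and correct its SSN by the distance."""
    count = len(text) // STUB_SIZE
    for k in range(1, count):
        for sign in (1, -1):
            j = idx + sign * k
            if 0 <= j < count:
                ssn = hells_gate(stub_at(text, j))
                if ssn is not None:
                    return ssn - sign * k
    return None

def resolve_export(exports, api_hash: int, seed: int):
    """What the loader does instead of GetProcAddress: hash every export name and compare."""
    for name, idx in exports.items():
        if djb2(name.encode(), seed) == api_hash:
            return name, idx
    raise KeyError(f"no export hashes to {api_hash:#x}")

def ssn_for_hash(text, exports, api_hash, seed):
    name, idx = resolve_export(exports, api_hash, seed)
    ssn = hells_gate(stub_at(text, idx))
    if ssn is not None:
        return name, ssn, "hells_gate"
    return name, halos_gate(text, idx), "halos_gate"

def syscall_gadget_offset(text, exports, gadget="NtAddBootEntry"):
    """Offset of the 'syscall' instruction in the gadget stub; the agent jumps here for every API."""
    idx = exports[gadget]
    return idx * STUB_SIZE + stub_at(text, idx).index(b"\x0f\x05")

# Constructed export list and hook set; real ntdll has hundreds of stubs and build-specific SSNs.
FAKE_EXPORTS = ["NtAddBootEntry", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
                "NtProtectVirtualMemory", "NtCreateThreadEx", "NtOpenProcess"]
HOOKED = frozenset({"NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory"})
SEED = 0x2673   # one of the two seeds quoted on the page

def demo(seed=SEED):
    text, exports = build_fake_ntdll(FAKE_EXPORTS, HOOKED)
    results = {}
    for name in FAKE_EXPORTS:
        api_hash = djb2(name.encode(), seed)        # the value that would be baked into the shellcode
        resolved, ssn, via = ssn_for_hash(text, exports, api_hash, seed)
        results[resolved] = (ssn, via)
    results["_syscall_gadget_offset"] = syscall_gadget_offset(text, exports)
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The three consecutive hooks force NtWriteVirtualMemory to walk two stubs before it finds a clean neighbour; an EDR that hooks a long contiguous run of Nt* exports makes the walk longer but does not defeat it, which is why detection of this technique has to look at where the syscall instruction executes from rather than at the hooks themselves.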
Customizations absent from stock Havoc included fallback C2 servers stored in the registry (HKCU/HKLM\SOFTWARE\Microsoft\SQMClient\UFID and \UCID) and decrypted with ChaCha20 (nonce: 41 98 B6 39 77 EA 2B F0 A4 2D 42 22) to yield domains such as arcupondepago[.]com. The agent configuration used an 8-second sleep with 50% jitter and beaconed over HTTP POST to fake API paths.
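Because both the loader's license.key payload and the Demon's registry-stored fallback C2 are ChaCha20-protected, a stand-alone decryptor is the first tool an analyst writes. The following is an added Python example, not the loader's code: an RFC 8439 ChaCha20 (32-byte key, 12-byte nonce, 32-bit block counter) with the key quoted in the loader section and the nonce quoted above. The page does not say which nonce or initial counter the loader pairs with that key, or how the stored blobs are laid out, so the sample blobs are constructed here by encrypting placeholder plaintexts and the counter starts at 0 by assumption; a non-RFC variant (for example the original 8-byte-nonce construction) would need the state layout changed.

```python
import struct

MASK = 0xFFFFFFFF

def _rotl(v: int, n: int) -> int:
    return ((v << n) & MASK) | (v >> (32 - n))

def _qr(s, a, b, c, d):
    """RFC 8439 quarter round, in place on the 16-word state."""
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block: constants, 8 key words, 1 counter word, 3 nonce words."""
    state = list(struct.unpack("<4I", b"expand 32-byte k") + struct.unpack("<8I", key)
                 + (counter & MASK,) + struct.unpack("<3I", nonce))
    w = state[:]
    for _ in range(10):                       # 20 rounds = 10 column/diagonal double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + state[i]) & MASK for i in range(16)))

def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 0) -> bytes:
    """Encrypt and decrypt are the same operation: XOR with the keystream from block `counter`."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)

# Values quoted on the page (key from the loader section, nonce from the registry-fallback C2).
LOADER_KEY = bytes.fromhex("06833323c5e31a8273be47b0df70b94cc8f38d4435933b91811d8bdd95268f86")
DEMON_NONCE = bytes.fromhex("4198b63977ea2bf0a42d4222")

# Constructed stand-ins for the real artefacts; the page gives the key and nonce, not the blobs.
SAMPLE_SHELLCODE = b"\x48\x83\xec\x28" + b"\x90" * 12 + b"\xc3"   # placeholder bytes, not Demon shellcode
SAMPLE_C2 = b"arcupondepago[.]com"

def make_sample_blob(plaintext: bytes, key=LOADER_KEY, nonce=DEMON_NONCE, counter=0) -> bytes:
    """Produce a blob in the (assumed) on-disk/in-registry form so the decryptor has something to chew on."""
    return chacha20_xor(key, nonce, plaintext, counter)

def decrypt_blob(blob: bytes, key=LOADER_KEY, nonce=DEMON_NONCE, counter=0) -> bytes:
    return chacha20_xor(key, nonce, blob, counter)

def recover_payload(license_key_blob, registry_blob) -> bytes:
    """Mirror the loader's order: license.key on disk first, the UXMP registry value only as a fallback."""
    blob = license_key_blob if license_key_blob is not None else registry_blob
    if blob is None:
        raise FileNotFoundError("neither license.key nor the registry fallback is present")
    return decrypt_blob(blob)

if __name__ == "__main__":
    print(recover_payload(None, make_sample_blob(SAMPLE_C2)).decode())
```

When pointing this at a real license.key or a dumped UFID/UCID value, try counter 0 and 1 and check that the output starts with a plausible shellcode prologue or an ASCII domain; a wrong nonce or counter produces uniformly random bytes, which is the quickest sanity check that the primitive variant is right.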
Lateral Movement and Persistence
In one intrusion the beachhead host was compromised on Feb 20 at 20:18 UTC, and the attackers had reached nine endpoints within 11 hours. Scheduled tasks with purely numeric names such as 1771621617 ran go.bat from SoftwareDistribution\Download, which reassembled CAB payloads into the sideloading binaries and their license.key.
Persistence was diversified: Havoc on four hosts, the Level RMM agent (installed with --key uGTYwD7VzX3bnwX9PVGdXtiD) on two, and XEOX on three. The speed of deployment (scheduled tasks created within nine minutes) points to hands-on-keyboard operators preparing for exfiltration or ransomware, and the tradecraft echoes Black Basta and FIN7 TTPs even though Black Basta has been dormant since 2025.
Threat Implications
This campaign fuses low-tech social engineering with red-team-grade evasion against mid-sized firms. Whether they are former Black Basta affiliates or copycats working from its playbook, the operators have outlasted that group's disruption and customize commodity tooling to erode signature-based detection.
Defenses: enforce out-of-band verification of any unsolicited IT-support contact, allowlist approved RMM tools and block the rest, block RDP and SMB to workstations, and hunt for DLL sideloading by ADNotificationManager.exe and DLPUserAgent.exe running outside their expected install paths (e.g., from %PROGRAMDATA%\Adobe\ARM\). Published IOCs include the SHA256 b1ccee3d0dc7a85c117580cc08b8edcb8118b5612669300d4b006f50663b387e for vcruntime140_1.dll.
Site: cybersecuritypath.com