Phone-based social engineering and Havoc redefine rapid intrusions into corporate networks


A new intrusion case documented by threat hunters once again centers on a combination of social engineering and advanced evasion techniques that, together, enable quick and quiet attacks inside corporate networks. Researchers at Huntress documented how the attackers posed as technical support to convince employees to open remote-access sessions, and from there deployed the command-and-control framework known as Havoc, apparently in order to exfiltrate data or stage a ransomware attack.

The attack chain described by the analysts begins with a mass email campaign designed not only to phish credentials but to flood inboxes and set the stage for a convincing phone call. The phone is not a minor detail: the attackers call the victim posing as the help desk and persuade them to allow remote access to their machine through legitimate tools such as Quick Assist or remote-desktop applications such as AnyDesk. Once inside, the intruder wastes no time: they open the browser and steer the user to a fake cloud-hosted page that imitates a Microsoft service in order to "update" spam rules in Outlook.

Image generated with AI.

That bogus site asks for the user's email address and, when the "update settings" button is pressed, runs a script that displays an overlay asking for the password. With this double move the attackers achieve two goals at once: they obtain credentials and they reinforce the apparent legitimacy of the operation, which makes the victim more cooperative. The supposed spam patch that is then downloaded is anything but benign: what looks like a legitimate installer runs a trusted, signed binary, for example ADNotificationManager.exe or a system binary, which in turn sideloads a malicious DLL. That DLL acts as the gateway that loads the Havoc shellcode and deploys the agent known as Demon.

The technical details of the payload show a clear focus on defeating defenses: some of the DLLs identified contained control-flow obfuscation, time-delay loops and techniques such as Halo's Gate and other variants of "Hell's Gate", which resolve system call numbers directly from the stubs in ntdll.dll so that the agent can issue syscalls itself rather than through the ntdll functions that EDR products hook in user space. For context on these tactics, there are technical write-ups on how EDR hooks are bypassed and what that implies for detection in corporate environments, such as MalwareTech's analyses and research on ntdll hooking chains.
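To make the Hell's Gate and Halo's Gate idea concrete, the following is an added example written for this article; it is not code from Huntress, from the Havoc project or from the malware described. It builds a constructed in-memory copy of a 64-bit ntdll text region (32-byte syscall stubs laid out in system-service-number order, the layout used by Windows 10 and later), overwrites the first five bytes of some stubs with a `jmp rel32` the way an inline hook would, and then shows how Hell's Gate reads the SSN from an untouched stub while Halo's Gate recovers the SSN of a hooked stub from its nearest clean neighbour. The SSN values (0x18 to 0x1F) and the choice of which stubs are hooked are made up for the demonstration. A `hooked_indices` helper shows the same byte check from the defender's side.

```python
"""Added example: SSN recovery over a constructed ntdll-like text region.

Hell's Gate reads `mov eax, SSN` from a clean stub; Halo's Gate walks to a
clean neighbour when the stub has been hooked. All data here is constructed.
"""

STUB_SIZE = 0x20  # consecutive Zw* stubs in 64-bit ntdll are 32 bytes apart
CLEAN_PREFIX = bytes.fromhex("4c8bd1b8")  # mov r10, rcx ; mov eax, imm32
JMP_REL32 = 0xE9  # what an inline hook typically writes at the stub's start


def build_clean_stub(ssn: int) -> bytes:
    """Unhooked 64-bit ntdll syscall stub (Windows 10+ layout)."""
    stub = bytearray(CLEAN_PREFIX)
    stub += ssn.to_bytes(4, "little")               # mov eax, <SSN>
    stub += bytes.fromhex("f604250803fe7f01")       # test byte ptr [7FFE0308h], 1
    stub += bytes.fromhex("7503")                   # jne +3
    stub += bytes.fromhex("0f05")                   # syscall
    stub += b"\xc3"                                 # ret
    stub += bytes.fromhex("cd2e")                   # int 2Eh
    stub += b"\xc3"                                 # ret
    stub += b"\xcc" * (STUB_SIZE - len(stub))       # int3 padding
    return bytes(stub)


def build_hooked_stub(ssn: int, rel32: int = 0x1000) -> bytes:
    """Same stub after an inline hook replaced its first five bytes with jmp rel32."""
    clean = build_clean_stub(ssn)
    return b"\xe9" + rel32.to_bytes(4, "little", signed=True) + clean[5:]


def build_text(ssns, hooked=frozenset()) -> bytes:
    """Constructed ntdll text: one stub per SSN, in SSN order, some hooked."""
    return b"".join(
        build_hooked_stub(ssn) if i in hooked else build_clean_stub(ssn)
        for i, ssn in enumerate(ssns)
    )


def stub_at(text: bytes, index: int) -> bytes:
    return text[index * STUB_SIZE:(index + 1) * STUB_SIZE]


def hells_gate(stub: bytes):
    """Hell's Gate: read the SSN straight out of an unhooked stub, else None."""
    if stub[:4] == CLEAN_PREFIX:
        return int.from_bytes(stub[4:8], "little")
    return None  # hooked, or not a syscall stub


def halos_gate(text: bytes, index: int, max_distance: int = 32):
    """Halo's Gate: if the stub is hooked, derive its SSN from a clean neighbour.

    Stubs sit in SSN order, so the clean stub d slots above has SSN - d and the
    clean stub d slots below has SSN + d.
    """
    ssn = hells_gate(stub_at(text, index))
    if ssn is not None:
        return ssn
    if stub_at(text, index)[0] != JMP_REL32:
        return None  # not a hook shape this routine understands
    count = len(text) // STUB_SIZE
    for d in range(1, max_distance + 1):
        for direction in (-1, 1):
            n = index + direction * d
            if 0 <= n < count:
                neighbour = hells_gate(stub_at(text, n))
                if neighbour is not None:
                    return neighbour - direction * d
    return None


def hooked_indices(text: bytes):
    """Defender view: stubs whose prologue no longer matches the clean pattern."""
    return [i for i in range(len(text) // STUB_SIZE)
            if stub_at(text, i)[:4] != CLEAN_PREFIX]


if __name__ == "__main__":
    text = build_text(list(range(0x18, 0x20)), hooked={2, 3})  # constructed SSNs
    print("hooked stubs:", hooked_indices(text))
    print("Hell's Gate on hooked stub 2:", hells_gate(stub_at(text, 2)))
    print("Halo's Gate on stub 2:", hex(halos_gate(text, 2)))
```

The defensive takeaway is the same byte check in reverse: `hooked_indices` is what an integrity scan does when it compares the in-memory prologues against the on-disk ntdll, and a process that executes `syscall` instructions from outside ntdll's text is the behavioural signal that direct-syscall loaders leave behind.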

Once the "beachhead" is established, the attackers move fast. Huntress documented cases in which the initial intrusion expanded to multiple endpoints within hours, combining hands-on command execution by the attacker with automated deployment for persistence. Techniques for staying in the network included scheduled tasks that relaunch the agent after every reboot and, at times, installation of legitimate remote-management tools such as Level RMM or XEOX to diversify persistence points and complicate remediation.

The attack pattern recalls earlier operations attributed to ransomware groups that abused "email bombing" and Microsoft Teams phishing campaigns to force the victim's hand, and it suggests two hypotheses about its origin: either former affiliates of groups such as Black Basta are applying the same script in new criminal ventures, or other crews have adopted the playbook because it worked. Either way, the lesson is clear: tactics once considered the domain of highly sophisticated actors are becoming more accessible and more common among organized crime groups seeking initial access and rapid persistence.

Image generated with AI.

Beyond the technical component, the most worrying point is the normalization of phone-based social engineering and the attackers' willingness to call personal numbers to improve their odds of success. Once a seemingly credible call opens the door, sophisticated loader and evasion techniques turn that entry point into a compromise with lateral reach and the risk of mass data exfiltration or encryption.

Defending against this scenario requires combining human and technical measures: employees must be trained to verify a caller's identity through an independent channel before allowing access to their machine, and to distrust urgent requests that involve granting remote control or entering credentials on unfamiliar pages. On the technology side, multifactor authentication, monitoring of scheduled-task creation, strict control over software installation, and security tooling that detects anomalous behavior rather than relying solely on static signatures are barriers that reduce the success of these attacks. One caveat: MFA limits what a stolen password is worth elsewhere, but it does not interrupt a remote-control session the victim has already granted on an authenticated workstation, which is why the remote-access and persistence telemetry matters as much as the credential controls. Cybersecurity agencies such as CISA publish useful guidance and alerts on mitigating the risks of ransomware and social-engineering-based initial compromise.
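The persistence behaviour described earlier (scheduled tasks relaunching the agent, RMM tools dropped for redundancy, a signed binary sideloading a DLL from the same folder) and the monitoring advice above both reduce to a handful of triage rules. The following is an added example written for this article, not code from Huntress or from any product the article mentions. It runs three such rules over constructed Sysmon-style events: the host name, user, task names, file paths and the `helper.dll` name are all made up, and the list of unsanctioned remote-access tools is an assumption that a real team would replace with its own allow/deny list.

```python
"""Added example: triage rules for the persistence and sideloading behaviour the
article describes, run over constructed Sysmon-style events (all data made up)."""
import re
from dataclasses import dataclass

# Directories a standard user can write to: a task action or DLL load that points
# here deserves a look, since legitimate services rarely live there.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.IGNORECASE
)

# Assumed tuning list for this hypothetical environment: remote-access and RMM
# executables that are not sanctioned. The article names Quick Assist, AnyDesk,
# Level RMM and XEOX; substring matching is deliberately loose and needs tuning.
UNSANCTIONED_REMOTE_TOOLS = ("quickassist", "anydesk", "level", "xeox")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def check_scheduled_task(ev):
    """Rule 1: a scheduled task whose action runs from a user-writable path."""
    if USER_WRITABLE.match(ev["command"]):
        return Finding("scheduled_task_from_user_writable_path", ev["host"],
                       f'{ev["task"]} -> {ev["command"]} ({ev["trigger"]})')
    return None


def check_image_load(ev):
    """Rule 2: a signed process loads an unsigned DLL that sits beside it in a
    user-writable directory, the shape of a DLL sideload."""
    if (ev["image_signed"] and not ev["loaded_signed"]
            and USER_WRITABLE.match(ev["loaded"])
            and _dirname(ev["image"]) == _dirname(ev["loaded"])):
        return Finding("possible_dll_sideload", ev["host"],
                       f'{_basename(ev["image"])} loaded {ev["loaded"]}')
    return None


def check_process_create(ev):
    """Rule 3: an unsanctioned remote-access or RMM tool starts."""
    name = _basename(ev["image"])
    if any(tool in name for tool in UNSANCTIONED_REMOTE_TOOLS):
        return Finding("unsanctioned_remote_access_tool", ev["host"],
                       f'{ev["image"]} started by {ev["user"]}')
    return None


RULES = {"TaskCreated": check_scheduled_task,
         "ImageLoad": check_image_load,
         "ProcessCreate": check_process_create}


def triage(events):
    """Apply the rule matching each event type; return the findings in order."""
    findings = []
    for ev in events:
        rule = RULES.get(ev["event"])
        hit = rule(ev) if rule else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry modelled on the chain in the article.
SAMPLE_EVENTS = [
    {"event": "TaskCreated", "host": "WS-0142", "task": r"\OutlookSpamFilterUpdate",
     "command": r"C:\Users\jdoe\AppData\Roaming\SpamPatch\ADNotificationManager.exe",
     "trigger": "AtStartup"},
    {"event": "TaskCreated", "host": "WS-0142",
     "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"C:\Windows\System32\defrag.exe", "trigger": "Weekly"},
    {"event": "ImageLoad", "host": "WS-0142",
     "image": r"C:\Users\jdoe\AppData\Roaming\SpamPatch\ADNotificationManager.exe",
     "image_signed": True,
     "loaded": r"C:\Users\jdoe\AppData\Roaming\SpamPatch\helper.dll",
     "loaded_signed": False},
    {"event": "ImageLoad", "host": "WS-0142", "image": r"C:\Windows\System32\notepad.exe",
     "image_signed": True, "loaded": r"C:\Windows\System32\ntdll.dll", "loaded_signed": True},
    {"event": "ProcessCreate", "host": "WS-0142", "user": r"CORP\jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"event": "ProcessCreate", "host": "WS-0142", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run stand-alone, the script flags the startup task pointing into `AppData`, the unsigned `helper.dll` loaded by the signed executable next to it, and the AnyDesk launch from `Downloads`, while the defrag task, notepad's ntdll load and cmd.exe pass silently. In production the same three rules map onto Windows Security event 4698 (task created), Sysmon event 7 (image loaded) and Sysmon event 1 (process created); the signed/unsigned fields assume the collector records signature status, and the remote-tool list should be an explicit allowlist of the RMM products the organisation actually deploys.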

This incident is a reminder that security is not just a matter of tools: it is a discipline that requires processes, human verification and a defense-in-depth mindset. The combination of a convincing phone pretext, the abuse of legitimate utilities and advanced evasion techniques produces an adversary able to enter with great subtlety and move quickly through a network. Staying alert, reviewing remote-access procedures and preparing response plans that allow for rapid remediation are essential steps to minimize damage when these schemes reappear.
