Real-World Havoc C2: The 'Fake IT Support' Callback Vector
Has anyone else dug into the Huntress report from last month regarding the five organizations hit by this new campaign? The approach is notably aggressive: combining initial email spam with immediate follow-up vishing calls to deploy customized Havoc C2.
It’s a textbook example of multi-factor social engineering. The email creates the context (the "lure"), and the phone call establishes the authority, often panicking the user into running a "repair" script. What stands out to me is the use of Havoc. Since it's open-source and easily modifiable, threat actors are stripping out standard signatures to evade EDRs. This isn't just a script kiddie tool anymore; it's a mature RAT rivaling Sliver or Cobalt Strike in the hands of capable actors.
Given that the entry point relies on user interaction following a phone call, purely automated detection is tough. I've been focusing my hunts on the post-exploitation behaviors, specifically looking for the hollowing techniques Havoc often employs.
Here is a Sigma rule I've drafted to catch the process injection patterns often associated with Havoc's initial beacon:
title: Havoc C2 Process Injection Pattern
status: experimental
description: Detects potential Havoc C2 process hollowing/injection techniques
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: '.dll,ZwCreateThread'
    condition: selection
falsepositives:
    - Legitimate software installers
level: high
With the end goal being ransomware or data exfiltration, the dwell time is likely short. How are your teams handling the "vishing" component? Standard phishing awareness doesn't seem to cover the urgency of a live caller.
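Added example, not code from the original post: the posted selection evaluated in Python against constructed Sysmon-style process_creation events, to make explicit what the rule does and does not fire on. The events, RecordIDs and paths are constructed; the matcher implements the Sigma `endswith` and `contains` modifiers the way Sigma defines them (case-insensitive substring/suffix tests, implicit AND across the selection's fields).

```python
"""Evaluate the posted Sigma selection against constructed
Sysmon-style process_creation events.

Added example, not from the original post. The events below are
constructed for illustration; field names follow Sysmon Event ID 1 as
Sigma's windows/process_creation logsource maps them.
"""
from typing import Any

# Selection from the posted rule, with Sigma modifiers kept explicit.
# Sigma string matching is case-insensitive; backslashes are literal
# path separators.
HAVOC_SELECTION = {
    "ParentImage|endswith": r"\explorer.exe",
    "Image|endswith": r"\rundll32.exe",
    "CommandLine|contains": ".dll,ZwCreateThread",
}


def field_matches(value: Any, modifier: str, pattern: str) -> bool:
    """Apply one Sigma string modifier (case-insensitive, like Sigma)."""
    if value is None:
        return False
    v, p = str(value).lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "":
        return v == p
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: dict, selection: dict) -> bool:
    """All fields of a Sigma selection map must match (implicit AND)."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(event.get(field), modifier, pattern):
            return False
    return True


def hunt(events: list[dict], selection: dict = HAVOC_SELECTION) -> list[str]:
    """Return the RecordIDs of events that trip the rule."""
    return [e["RecordID"] for e in events if selection_matches(e, selection)]


# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    {   # user double-clicks a "repair" script that stages rundll32
        "RecordID": "1001",
        "ParentImage": r"C:\Windows\Explorer.EXE",   # mixed case on purpose
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Users\Public\update.dll,ZwCreateThread",
    },
    {   # legacy installer driving rundll32 with an ordinary export name
        "RecordID": "1002",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 132 C:\Temp\driver.inf",
    },
    {   # same suspicious command line, but the parent is not explorer.exe
        "RecordID": "1003",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Users\Public\update.dll,ZwCreateThread",
    },
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))  # ['1001']
```

Event 1003 is the instructive miss: a launch from cmd.exe or a scripting host carries the identical command line but is invisible to this selection because of the ParentImage constraint, so a hunt built on the rule alone should be paired with a broader query on the command-line string.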
The vishing aspect is the real killer here. We ran a tabletop exercise last quarter simulating a similar vector, and we found that even our "security-aware" staff complied 80% of the time when the caller displayed technical urgency. We’ve since implemented a strict policy: IT support never calls users unscheduled to request software installation. Users are instructed to hang up and call the official support line. It's a low-tech control, but it breaks the attack chain effectively.
We've been tracking Havoc's evolution for a while. The customization capabilities allow attackers to change the mutex names and user-agents easily, which defeats static IOC matching. You really need to rely on network telemetry. Havoc's sleep obfuscation is distinct. I'd recommend checking for TCP heartbeats that don't match standard jitter patterns of known malware families. If you have Zeek or similar, look for long-duration connections with small, regular packet sizes that don't align with standard HTTP/S traffic.
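Added example, not code from the original thread: a Python pass over Zeek conn.log output that groups TCP connections by (source, destination, port) and flags flows whose inter-arrival gaps are tight and whose client payloads stay small, which is the "small, regular" heartbeat shape described above. The conn.log lines are constructed (documentation IP ranges, made-up uids) and trimmed to the columns the check needs; the thresholds (5 connections minimum, coefficient of variation of the gaps at most 0.15, median orig_bytes at most 2 KiB) are assumptions to tune per environment.

```python
"""Hunt periodic, low-volume TCP flows in Zeek conn.log output.

Added example, not code from the original thread. The conn.log below is
constructed (documentation IP ranges, made-up uids) and trimmed to the
columns this check needs; a real conn.log carries more. The thresholds
are assumptions to tune per environment.
"""
import statistics
from collections import defaultdict

MIN_CONNS = 5            # need enough samples to judge regularity
MAX_CV = 0.15            # stdev/mean of inter-arrival gaps; lower = more regular
MAX_MEDIAN_BYTES = 2048  # "small" client payloads for a heartbeat


def parse_conn_log(text: str) -> list[dict]:
    """Parse Zeek's TSV conn.log, taking column names from the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("conn.log has no #fields header")
        rec = dict(zip(fields, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        # Zeek writes '-' for unset counts
        rec["orig_bytes"] = 0 if rec["orig_bytes"] == "-" else int(rec["orig_bytes"])
        records.append(rec)
    return records


def find_beacons(records: list[dict]) -> list[dict]:
    """Group TCP connections by (orig_h, resp_h, resp_p) and flag flows whose
    inter-arrival gaps are tight and whose client payloads stay small."""
    flows = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp":
            flows[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r)

    hits = []
    for key, conns in flows.items():
        if len(conns) < MIN_CONNS:
            continue
        ts = sorted(c["ts"] for c in conns)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        med_bytes = statistics.median(c["orig_bytes"] for c in conns)
        if cv <= MAX_CV and med_bytes <= MAX_MEDIAN_BYTES:
            hits.append({"flow": key, "count": len(conns),
                         "mean_gap_s": round(mean, 1), "cv": round(cv, 3),
                         "median_orig_bytes": med_bytes})
    return hits


# Constructed conn.log: one ~60 s heartbeat to 203.0.113.7:443 with a few
# percent of jitter and small payloads, ordinary bursty browsing to
# 198.51.100.20:443, and a flow with too few connections to judge.
_COLUMNS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
            "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]
_ROWS = [
    ("1700000000.000000", "CHb01", "10.0.0.12", "49712", "203.0.113.7", "443", "tcp", "ssl", "0.41", "612", "1488", "SF"),
    ("1700000061.200000", "CHb02", "10.0.0.12", "49731", "203.0.113.7", "443", "tcp", "ssl", "0.39", "598", "1490", "SF"),
    ("1700000119.800000", "CHb03", "10.0.0.12", "49755", "203.0.113.7", "443", "tcp", "ssl", "0.44", "640", "1485", "SF"),
    ("1700000181.000000", "CHb04", "10.0.0.12", "49790", "203.0.113.7", "443", "tcp", "ssl", "0.40", "605", "1491", "SF"),
    ("1700000240.500000", "CHb05", "10.0.0.12", "49812", "203.0.113.7", "443", "tcp", "ssl", "0.42", "611", "1487", "SF"),
    ("1700000300.900000", "CHb06", "10.0.0.12", "49840", "203.0.113.7", "443", "tcp", "ssl", "0.38", "620", "1489", "SF"),
    ("1700000005.000000", "CWb01", "10.0.0.12", "49713", "198.51.100.20", "443", "tcp", "ssl", "12.7", "5400", "482113", "SF"),
    ("1700000007.300000", "CWb02", "10.0.0.12", "49716", "198.51.100.20", "443", "tcp", "ssl", "3.1", "18230", "90211", "SF"),
    ("1700000090.100000", "CWb03", "10.0.0.12", "49760", "198.51.100.20", "443", "tcp", "ssl", "0.9", "2211", "30188", "SF"),
    ("1700000092.000000", "CWb04", "10.0.0.12", "49763", "198.51.100.20", "443", "tcp", "ssl", "45.2", "9600", "1200433", "SF"),
    ("1700000400.700000", "CWb05", "10.0.0.12", "49901", "198.51.100.20", "443", "tcp", "ssl", "7.8", "40021", "210900", "SF"),
    ("1700000150.000000", "CSh01", "10.0.0.12", "49777", "192.0.2.5", "80", "tcp", "http", "0.20", "301", "5120", "SF"),
    ("1700000151.000000", "CSh02", "10.0.0.12", "49778", "192.0.2.5", "80", "tcp", "http", "0.21", "298", "-", "SF"),
]
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09", "#fields\t" + "\t".join(_COLUMNS)]
    + ["\t".join(row) for row in _ROWS])

if __name__ == "__main__":
    for hit in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(hit)
```

On this input only the 203.0.113.7:443 flow is reported (six connections, gaps around 60 s, coefficient of variation well under 0.05). The same grouping works on a real conn.log because the parser reads column positions from the `#fields` header rather than assuming them; the one tuning point to expect is that an implant with a wide jitter setting pushes the coefficient of variation up, so MAX_CV is a sensitivity knob, not a fixed signature.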
Great query, but watch out for rundll32.exe false positives from legacy installers. We've seen similar campaigns targeting MSPs specifically. If you manage client endpoints, ensure your RMM tools require MFA before any remote control session is initiated. In one case we analyzed, the attackers used the fake support call to trick the user into enabling a remote session, bypassing the need for an exploit entirely.