“…l), msvcp.dll, and the now-familiar license.key containing the encrypted Havoc Demon shellcode. Analysis of faultrep.dll confirmed it shares the same functionality as mpclient.dll from the initial infection - both are UPX-packed and use the identical ChaCha20 key to de…”
T1055.001 Dynamic-link Library Injection (99%)
“then calculates the correct SSN by offset. Shellcode loader. The Demon agent is delivered as a position-independent shellcode. Before the Demon can run, a shellcode loader must bootstrap it: find where it's loaded in memory, locate ntdll, resolve a few important APIs, and manu…”
T1055.001 Dynamic-link Library Injection (99%)
“addition to the tradecraft discussed thus far. As the shellcode loader is relatively uninteresting, we’ll dissect, instead, the PE DLL, as ultimately the loader works to simply pass off control from vcruntime_1.dll to the reflectively loaded PE DLL, internally titled loader…”
T1055.001 Dynamic-link Library Injection (99%)
“in this process cannot be unloaded - this will always return 0, signaling to the calling process that the DLL unload was successful even if it was not. These are measures to help aid the execution and potentially quell any attempts to terminate processes. Ultimately, mpclient.dl…”
T1055.001 Dynamic-link Library Injection (98%)
“. Next, it walks the PEB's InMemoryOrderModuleList to locate ntdll.dll by hashing each module name with djb2. Finally, it parses ntdll's export table to resolve three NtAPI functions, hashing each export name and matching against target hashes: LdrLoadDll (0x14249d31), Nt…”
T1055.001 Dynamic-link Library Injection (98%)
“the Demon needs to call any Nt* API, it puts the extracted SSN in EAX and jumps to that syscall address inside ntdll, so the instruction pointer (RIP) points into ntdll's legitimate memory when the syscall executes, making it look normal to EDR. All ~36 APIs share this sing…”
T1574.001 DLL (97%)
“was never set by the malware nor the adversary, so this deletion is likely superfluous. - The adnotificationmanager.exe (or additional binaries, discussed later) is then executed by the adversary, ultimately kicking off the malware. Figure 3: adversary-created fake Outlook…”
T1055.001 Dynamic-link Library Injection (96%)
“…ines, including setting up flags for memory allocation syscall (Hell’s Gate). Ultimately, an XOR key (28 79 3f 78 41 79 38 3c 39 64 55 72 68 54 21 32 40 66 3e 42 44 54 37 78 70 00) is read beyond the VirtualSize’s address pool in the .text section, further making it dif…”
T1055.001 Dynamic-link Library Injection (96%)
“sideloaded DLLs are UPX-packed and trivially unpacked / reverse engineered, but implement EDR evasion techniques that will be recognizable later in the article. The DLL entrypoint loads and decrypts the license.key file in memory with a fallback to read from value uxmp from re…”
T1055.001 Dynamic-link Library Injection (95%)
“prior to the process being terminated. In this case, a 5000 ms sleep loop is called. This prevents this function from ever resolving, meaning that malware execution is preserved even when process termination is attempted (specifically through this ntdll high-level function). …”
T1574.001 DLL (94%)
“and the application will then load that .dll. This is not an uncommon tactic for modern malware; however, several of the techniques employed by the adversary suggest this to be a sophisticated and relatively advanced threat actor. Upon analysis of the affected systems, we noted…”
T1055.001 Dynamic-link Library Injection (91%)
“as the ChaCha20 key found in mpclient.dll. It further employed a nonce of all null bytes. Of note, license.key is assumed to be located in the same working directory. An attempt to read HKCU\Software\Classes\Local Settings\Software\Microsoft, specifically the uxmp val…”
T1053.005 Scheduled Task (88%)
“host. All four scheduled tasks were created within a nine-minute window, starting at +50 minutes after the initial compromise and completing by +59 minutes, indicating rapid, sequential deployment. BYORMM: Bring Your Own Remote Monitoring and Management tool. It's worth not…”
T1219 Remote Access Tools (82%)
“after the initial compromise, beginning at 07:14 UTC on February 21. Figure 16: Huntress detections for XEOX RMM agent persistence via scheduled tasks. In total, the adversary moved from the beachhead to nine additional endpoints, deploying three distinct persistence mechanisms…”
T1055.001 Dynamic-link Library Injection (77%)
“…t-based operator interface where operators connect to the teamserver, interact with agents, task commands, and receive output. This is the UI component, not to be confused with the Demon agent itself. The Havoc repository was archived on February 20, 2026, meaning the project…”
T1055.001 Dynamic-link Library Injection (75%)
“placed by EDR solutions. Figure 7: Hell’s Gate & VirtualAlloc EDR hooking. This is particularly potent for several reasons; when malicious applications allocate virtual memory, they’re often using these memory regions to store deobfuscated payloads such as shellcode that wil…”
T1219 Remote Access Tools (74%)
“and users should always practice a level of healthy skepticism when conducting themselves on computers. Educated users present the largest barrier to adversary initial access. - Enforce out-of-band authentication - require verification of IT administrator requests through a s…”
T1566.004 Spearphishing Voice (74%)
“Fake Tech Support Delivers Havoc Command & Control. Acknowledgments: special thanks to Matt Anderson and Craig Sweeney for their efforts in detecting and surfacing this behavior. Background: fake tech support scams are nothing new, but the payloads they deliver are getting a serio…”
T1219 Remote Access Tools (73%)
“host. All four scheduled tasks were created within a nine-minute window, starting at +50 minutes after the initial compromise and completing by +59 minutes, indicating rapid, sequential deployment. BYORMM: Bring Your Own Remote Monitoring and Management tool. It's worth not…”
T1053.005 Scheduled Task (71%)
“after the initial compromise, beginning at 07:14 UTC on February 21. Figure 16: Huntress detections for XEOX RMM agent persistence via scheduled tasks. In total, the adversary moved from the beachhead to nine additional endpoints, deploying three distinct persistence mechanisms…”
T1566.004 Spearphishing Voice (71%)
“received notification of an anomalous process execution chain from our Detection Engineering & Threat Hunting (DE&TH) team in a partner environment. Examination of data led to a multi-day and multi-intrusion threat hunt across five Huntress partner organizations, revealin…”
T1566.002 Spearphishing Link (57%)
“received notification of an anomalous process execution chain from our Detection Engineering & Threat Hunting (DE&TH) team in a partner environment. Examination of data led to a multi-day and multi-intrusion threat hunt across five Huntress partner organizations, revealin…”
T1219 Remote Access Tools (54%)
“which organizations and audit this on a regular cadence. It is not uncommon for Huntress to report years-old anomalous RMMs on newly onboarded hosts. 3. Prevent lateral movement: once local access has been obtained, adversaries will move rapidly through networks, as demonstrated…”
T1667 Email Bombing (49%)
“Fake Tech Support Delivers Havoc Command & Control. Acknowledgments: special thanks to Matt Anderson and Craig Sweeney for their efforts in detecting and surfacing this behavior. Background: fake tech support scams are nothing new, but the payloads they deliver are getting a serio…”
T1566.004 Spearphishing Voice (49%)
“Outlook antispam panel that kicked things off, through the DLL sideloading to the modified Havoc Demon agent at the core of it all. Along the way, we'll compare two very different loader implementations from the same operator, tear apart the Demon's indirect syscall mechanism…”
T1027.002 Software Packing (48%)
“advanced and highly obfuscated loader. Figure 5: DLL forwarding in malicious mpclient.dll, pointing to mpclient2.dll, totaling 158 forwarded exports. Analysing these binaries was heavily impeded by the adversary’s obfuscation tactics. Their primary method to make reverse engi…”
T1486 Data Encrypted for Impact (45%)
“. The use of the coordinated spam attack and fake tech support outreach is nothing new in the security sphere. Researchers at Sophos previously documented similar campaigns with links to Black Basta and FIN7 in January of 2025. However, the overlap between that previous research…”
T1219 Remote Access Tools (41%)
“more sophisticated, adversaries have had to rapidly evolve their tradecraft to evade detection. - Framework customization for resilience: commodity malware variants and command & control frameworks are heavily signatured. Adversaries have identified security vendors’ acute abil…”
T1055.001 Dynamic-link Library Injection (40%)
“at C:\Windows\SoftwareDistribution\Download\go.bat, a directory that temporarily stores Windows Update files, chosen to blend in with legitimate system activity. The scheduled tasks ensured that on every system boot, the batch script would execute, reconstructing and la…”
T1053.005 Scheduled Task (40%)
“at C:\Windows\SoftwareDistribution\Download\go.bat, a directory that temporarily stores Windows Update files, chosen to blend in with legitimate system activity. The scheduled tasks ensured that on every system boot, the batch script would execute, reconstructing and la…”
T1055.001 Dynamic-link Library Injection (39%)
“APIs at runtime using djb2 hashing with a different seed than the original source code: interestingly, the binary contains two separate djb2 implementations with different seeds. The shellcode loader uses seed 0x2673 and is only used during the initial PE mapping stage, resolvin…”
Summary
Adversaries leverage fake tech support to deploy a modified Havoc C2 agent, employing DLL sideloading, syscall evasion (HellsGate), and RMM tools for persistent access.