Fake Tech Support Delivers Havoc Command & Control
ID: d9682842-b247-5529-b5e2-03505ff8dcb2
STIX ID: report--d9682842-b247-5529-b5e2-03505ff8dcb2
Feed Name: Huntress Blog
This Huntress technical analysis documents a multi-organization intrusion campaign in February 2026 in which attackers used spam and phone calls impersonating IT support to obtain remote access, then delivered a modified Havoc Demon C2 implant via DLL sideloading and fragmented payloads. The adversary employed EDR evasion (Hell's Gate/Halo's Gate indirect syscalls, Detours hooks, anti-emulation), multiple persistence mechanisms (scheduled tasks, Level RMM, XEOX RMM), rapid lateral movement across nine endpoints, and fallback C2 addresses stored in the registry. The report includes file and URL IOCs, timelines, and remediation recommendations.
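The persistence mechanisms the summary lists (scheduled tasks, Level and XEOX RMM agents, autorun entries that can carry a sideloaded loader) are the ones a responder would sweep for first. The following PowerShell triage script is an added example, not code from Huntress or from the report; it takes no IOCs from the page. The RMM name patterns, the autorun keys checked, and the "non-Microsoft task path" heuristic are assumptions chosen for illustration and should be tuned to the environment.

```powershell
# Added triage example (not from the Huntress report). Run as an administrator
# on a Windows host; emits one object per finding so results can be piped to
# Export-Csv or compared across endpoints.

# Assumption: substrings identifying the RMM agents named in the summary.
$RmmPatterns = @('Level', 'XEOX')

function Get-PersistenceTriage {
    $rmmRegex = ($RmmPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # 1. Scheduled tasks outside the \Microsoft\ tree (assumption: attacker tasks
    #    usually land at the root or in a custom folder). LOLBins such as
    #    rundll32/regsvr32 in the action are flagged because DLL sideloading
    #    and loader chains commonly use them.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            $exe = [string]$action.Execute
            [pscustomobject]@{
                Type      = 'ScheduledTask'
                Name      = $task.TaskName
                Location  = $task.TaskPath
                Command   = $exe
                Arguments = [string]$action.Arguments
                Author    = $task.Author
                LastRun   = $info.LastRunTime
                Suspicious = ($exe -match '(?i)rundll32|regsvr32|mshta|wscript|cscript|powershell') -or
                             ($exe -match '(?i)\\(Users|ProgramData|Temp)\\')
            }
        }
    }

    # 2. Services whose name, display name, or binary path match the RMM patterns.
    Get-CimInstance Win32_Service | Where-Object {
        $_.Name -match $rmmRegex -or $_.DisplayName -match $rmmRegex -or $_.PathName -match $rmmRegex
    } | ForEach-Object {
        [pscustomobject]@{
            Type      = 'Service'
            Name      = $_.Name
            Location  = $_.DisplayName
            Command   = $_.PathName
            Arguments = ''
            Author    = $_.StartName
            LastRun   = $_.State
            Suspicious = $true   # presence of an unexpected RMM agent is the finding
        }
    }

    # 3. Classic Run/RunOnce autoruns (assumption: a sideloaded loader is often
    #    launched from here when a task is not used).
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
            $value = [string]$p.Value
            [pscustomobject]@{
                Type      = 'Autorun'
                Name      = $p.Name
                Location  = $key
                Command   = $value
                Arguments = ''
                Author    = ''
                LastRun   = ''
                Suspicious = ($value -match '(?i)rundll32|regsvr32|\\(Users|ProgramData|Temp)\\')
            }
        }
    }
}

# Usage: show flagged items first, then everything else for manual review.
Get-PersistenceTriage | Sort-Object -Property Suspicious -Descending |
    Format-Table Type, Name, Command, Suspicious -AutoSize
```

The `Suspicious` flag is only a prioritisation aid: a legitimately deployed RMM agent will match the name patterns, so the output has to be reconciled against the organisation's approved tooling, and the registry sweep here covers only the standard autorun keys, not the arbitrary registry values the report describes as fallback C2 storage.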
