'What begins as a phone call from 'IT support' ends with a fully instrumented network compromise': This fake tech support scam tricks employees into infecting their own company devices
Date:
Sat, 07 Mar 2026 19:35:00 +0000
Description:
Attackers deliberately crash browsers, impersonate IT staff, and convince employees to install malicious tools that deploy Havoc malware across corporate systems.
FULL STORY ======================================================================
Attackers now rely on employees to unknowingly launch the malware themselves.
Fake IT support calls transform routine troubleshooting into a full network compromise.
Browser crashes become the opening move in carefully staged social engineering attacks.
Cybercriminal activity continues to move away from direct software exploitation toward manipulating everyday user behavior within corporate environments, experts have warned.
New research by Huntress describes a campaign in which attackers intentionally crash a user's browser and display alarming security messages that encourage a repair. The tactic creates a false sense of urgency while allowing the attacker to initiate direct communication with the employee.
Attackers take advantage of employee confusion
In many observed cases, victims received phone calls from individuals claiming to be internal technical staff responsible for resolving the issue. This gives the attacker credibility and creates pressure for the employee to cooperate with instructions that appear routine.
The entire chain begins with spam messages flooding a user's mailbox. Soon after, a phone call arrives from someone claiming to represent IT support, who says the spam or browser malfunction requires immediate maintenance on the affected computer.
The deception works because victims are persuaded to perform the actions that trigger the compromise themselves.
Researchers explained that the attackers rely on manual user interaction rather than automated malware delivery, as victims are guided through steps such as approving remote access sessions or installing remote administration tools like AnyDesk.
In other cases, users are instructed to copy and paste commands into system prompts or execute scripts disguised as diagnostic fixes.
The attackers open a browser during remote sessions and direct victims to a fraudulent Microsoft-themed interface hosted on cloud infrastructure.
Victims were instructed to log into a fake Outlook Antispam Control Panel and download what was described as an Antispam Patch, but is actually a disguised archive file containing several components designed to initiate the next stage of the attack.
Once the so-called repair files were executed, the malicious chain reconstructed itself locally using a staged payload, unpacking files that resembled legitimate software components, including runtime libraries and executable utilities.
One binary named ADNotificationManager.exe triggers the next phase of the compromise after installation.
At this stage, attackers rely heavily on a technique known as DLL sideloading to run malicious code while legitimate applications continue operating normally.
Malicious dynamic libraries were placed beside legitimate files, allowing the malware to run without immediately triggering obvious alarms within the system.
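The side-by-side placement described above is the observable a defender can hunt for: a legitimate, typically signed binary mapping a DLL that sits in its own directory, in a user-writable location, and that carries no valid signature. The following is an added example, not code from the Huntress research or the TechRadar article. It applies that heuristic to Sysmon ImageLoad (Event ID 7) style records; the field names follow Sysmon's event, the records are constructed, and the DLL name mfc140u.dll beside ADNotificationManager.exe is a hypothetical placeholder, since the article does not name the sideloaded library.

```python
"""
Heuristic triage for DLL sideloading in Sysmon ImageLoad (Event ID 7) records.

Added example, not code from the Huntress research or the TechRadar article.
Field names (Image, ImageLoaded, Signed, SignatureStatus, Company) follow
Sysmon's ImageLoad event. All records below are constructed; "mfc140u.dll"
beside ADNotificationManager.exe is a hypothetical placeholder, not the
library reported in the campaign.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
import ntpath

# Trees where a vendor binary and its genuine dependencies normally live. The
# campaign's payload ran from a user-writable drop directory, not from here.
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Library names that applications commonly resolve from their own directory
# before the system directory (illustrative list, not exhaustive).
COMMONLY_SIDELOADED = {
    "version.dll", "dbghelp.dll", "cryptsp.dll", "wtsapi32.dll",
    "mfc140u.dll", "vcruntime140.dll", "msvcp140.dll", "ucrtbase.dll",
}


@dataclass
class Finding:
    image: str          # process that performed the load
    image_loaded: str   # DLL that was mapped into it
    reasons: List[str]


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def check_image_load(evt: dict) -> Optional[Finding]:
    """Return a Finding when the record has the side-by-side sideloading shape."""
    image = _norm(evt["Image"])
    loaded = _norm(evt["ImageLoaded"])
    if not loaded.endswith(".dll"):
        return None

    # A validly signed module is outside this heuristic's scope.
    validly_signed = (evt.get("Signed", "false").lower() == "true"
                      and evt.get("SignatureStatus", "") == "Valid")
    if validly_signed:
        return None
    # Unsigned files inside the OS or Program Files trees are a different
    # integrity question; skip them here.
    if any(loaded.startswith(root) for root in TRUSTED_ROOTS):
        return None
    # The shape the article describes: the DLL sits beside the loading binary.
    if ntpath.dirname(loaded) != ntpath.dirname(image):
        return None

    reasons = ["unsigned DLL loaded from the loading process's own directory"]
    name = ntpath.basename(loaded)
    if name in COMMONLY_SIDELOADED:
        reasons.append(f"{name} is a library name frequently abused for sideloading")
    company = evt.get("Company", "")
    if company:
        reasons.append(f"version info claims '{company}' but the module is unsigned")
    return Finding(evt["Image"], evt["ImageLoaded"], reasons)


def scan(events: Iterable[dict]) -> List[Finding]:
    return [f for f in (check_image_load(e) for e in events) if f is not None]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # The article's ADNotificationManager.exe loading an unsigned library
        # dropped beside it in the extracted "Antispam Patch" directory.
        "Image": r"C:\Users\jdoe\AppData\Local\Temp\AntispamPatch\ADNotificationManager.exe",
        "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\AntispamPatch\mfc140u.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
        "Company": "Microsoft Corporation",
    },
    {   # Same library name resolved from System32 with a valid signature.
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Windows\System32\mfc140u.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Company": "Microsoft Corporation",
    },
    {   # Signed per-user install loading its own signed dependency: a
        # user-writable path on its own is not a finding.
        "Image": r"C:\Users\jdoe\AppData\Local\Programs\ExampleApp\ExampleApp.exe",
        "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Programs\ExampleApp\helper.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Company": "Example Corp",
    },
    {   # Unsigned DLL from a different directory than the loader: worth a
        # separate rule, but not the side-by-side shape targeted here.
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ImageLoaded": r"C:\Users\jdoe\Downloads\plugin.dll",
        "Signed": "false", "SignatureStatus": "Unavailable", "Company": "",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.image}\n  loaded {f.image_loaded}")
        for r in f.reasons:
            print(f"  - {r}")
```

Run it over exported Event ID 7 records, one dict per event. Per-user installs that ship genuinely unsigned dependencies will also match, so treat this as a triage filter that needs an allow-list rather than a blocking rule; correlating a hit with a preceding remote-access tool installation on the same host is the pairing the chain in this article suggests.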
The payload ultimately deployed a modified agent derived from the open-source command-and-control framework Havoc C2.
And what once ended with a $300 gift card purchase now ends with a modified Havoc C2 framework burrowed into your environment.
The activity is swift: in one case, the intruder expanded from the initially compromised computer to nine additional endpoints within roughly eleven hours.
Such rapid activity indicates direct operator control rather than automated malware spreading through vulnerabilities.
The attacker used remote management tools and scripted payloads to maintain persistence while moving through connected systems.
The researchers warn that the campaign reiterates how attackers increasingly depend on social interaction rather than technical flaws to bypass firewall defenses.
======================================================================
Link to news story:
https://www.techradar.com/pro/security/what-begins-as-a-phone-call-from-it-support-ends-with-a-fully-instrumented-network-compromise-this-fake-tech-support-scam-tricks-employees-into-infecting-their-own-company-devices
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)