- Attackers now rely on employees to unknowingly launch the malware themselves.
- Fake IT Support Calls Turn Routine Troubleshooting Into Total Network Compromise
- Browser crashes become the first step in carefully staged social engineering attacks.
Cybercriminal activities continue to move away from directly exploiting software and toward manipulating everyday user behavior in enterprise environments, experts warn.
A new study from Huntress describes a campaign in which attackers intentionally crash a user’s browser and display alarming security messages that encourage a “fix.”
This tactic creates a false sense of urgency while allowing the attacker to establish direct communication with the employee.
Attackers take advantage of employee confusion
In many observed cases, victims have received phone calls from individuals claiming to be internal technical staff tasked with resolving the issue, which lends credibility to the attacker and creates pressure for the employee to cooperate with seemingly routine instructions.
The whole chain begins with spam messages flooding a user’s mailbox. Shortly after, a phone call arrives from someone claiming to represent “IT Support”, who claims that the spam or browser malfunction requires immediate maintenance on the affected computer.
Deception works because victims are convinced to carry out the actions themselves that trigger the compromise.
Researchers explained that attackers rely on manual user interaction rather than automated malware delivery, as victims are guided through steps such as approving remote access sessions or installing remote administration tools like AnyDesk.
In other cases, users are asked to copy and paste commands into system prompts or run scripts disguised as diagnostic fixes.
Attackers open a browser during remote sessions and direct victims to a fraudulent Microsoft-themed interface hosted on cloud infrastructure.
Victims were asked to log into a fake “Outlook Anti-Spam Control Panel” and download what was described as an “Anti-Spam Patch” but was actually a disguised archive file containing several components designed to launch the next stage of the attack.
Once the so-called repair files were executed, the malicious chain reconstructed itself locally using an intermediate payload, unpacking files that appeared to resemble legitimate software components, including runtime libraries and executable utilities.
A binary named ADNotificationManager.exe triggers the next phase of the compromise after installation.
At this point, attackers rely heavily on a technique known as DLL sideloading to execute malicious code while legitimate applications continue to function normally.
Malicious dynamic libraries were placed alongside legitimate files, allowing the malware to execute without immediately triggering obvious alarms within the system.
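The sideloading pattern described above (a system-named DLL dropped beside an executable in a user-writable folder) and the remote-tool installs mentioned earlier can both be spotted in endpoint telemetry. The following is an added example, not Huntress's or TechRadar's code; it runs simple detection logic over constructed Sysmon-style records (Event ID 7 image loads, Event ID 1 process creations), and the directory list, DLL names and sample paths are assumptions to tune per environment.

```python
"""Flag DLL sideloading and remote-admin-tool activity in Sysmon-style event records."""
from pathlib import PureWindowsPath

# Path fragments a standard user can write to (hypothetical list; extend per environment)
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# DLL names that a legitimate binary should resolve from the Windows system directory
SYSTEM_DLLS = {"version.dll", "cryptbase.dll", "dbghelp.dll", "wtsapi32.dll"}
# Remote administration tools victims were talked into installing (AnyDesk is named in the report)
REMOTE_TOOLS = {"anydesk.exe"}

def _dir_and_name(path):
    """Split a Windows path into (lower-cased parent dir with trailing slash, lower-cased file name)."""
    p = PureWindowsPath(path)
    return str(p.parent).lower() + "\\", p.name.lower()

def classify(event):
    """Return a finding for one event dict, or None if the event looks benign."""
    kind = event.get("event")
    if kind == "image_load":
        img_dir, _ = _dir_and_name(event["image"])
        dll_dir, dll_name = _dir_and_name(event["loaded"])
        side_by_side = dll_dir == img_dir                       # DLL sits next to the EXE
        writable = any(w in dll_dir for w in USER_WRITABLE)     # ...in a user-writable location
        if side_by_side and writable and dll_name in SYSTEM_DLLS:
            return f"possible DLL sideload: {event['image']} loaded {event['loaded']}"
        if dll_name in SYSTEM_DLLS and "\\windows\\system32\\" not in dll_dir:
            return f"system DLL loaded from non-system path: {event['loaded']}"
    elif kind == "process_create":
        _, name = _dir_and_name(event["image"])
        if name in REMOTE_TOOLS:
            return f"remote admin tool started: {event['image']} (parent {event['parent']})"
    return None

def scan(events):
    """Run classify() over a list of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]

# Constructed sample events mirroring the chain in the report (not real telemetry)
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Users\alice\Downloads\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"event": "image_load", "image": r"C:\Users\alice\AppData\Local\Temp\patch\ADNotificationManager.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\patch\version.dll"},
    {"event": "image_load", "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\version.dll"},   # legitimate load, should not be flagged
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```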
The payload ultimately deployed a modified agent derived from the open source Havoc C2 command and control framework.
As Huntress puts it, “what once ended with the purchase of a $300 gift card now ends with a modified Havoc C2 framework buried in your environment.”
The activity is rapid: in one case, the intruder expanded from the initially compromised computer to nine additional endpoints in about eleven hours.
Such rapid activity indicates direct operator control rather than automated malware spread via vulnerabilities.
The attacker used remote management tools and scripted payloads to maintain persistence while moving through connected systems.
Researchers warn that the campaign is a reminder of how attackers increasingly rely on social interactions rather than technical flaws to bypass firewall defenses.