- Attackers now rely on employees to unknowingly launch malware themselves.
- Fake IT Support Calls Turn Routine Troubleshooting Into Full Network Compromise
- Browser crashes become the first step in carefully organized social engineering attacks
Experts have warned that cybercriminal activity continues to move away from the direct exploitation of software towards the manipulation of users’ everyday behavior within corporate environments.
New research from Huntress describes a campaign in which attackers intentionally crash a user’s browser and display alarming security messages that encourage a “repair.”
The tactic creates a false sense of urgency while allowing the attacker to initiate direct communication with the employee.
Attackers take advantage of employee confusion
In many observed cases, victims received phone calls from people claiming to be internal technical staff responsible for resolving the issue, lending credibility to the attacker and creating pressure for the employee to cooperate with seemingly routine instructions.
The entire chain begins with spam messages flooding a user’s mailbox. Shortly after, a phone call comes in from someone claiming to represent “IT support,” saying that spam or a malfunctioning browser requires immediate maintenance on the affected computer.
The deception works because victims are persuaded to carry out, with their own hands, the actions that trigger the compromise.
The researchers explained that attackers rely on manual user interaction rather than automatic malware delivery, as victims are guided through steps such as approving remote access sessions or installing remote administration tools like AnyDesk.
In other cases, users are instructed to copy and paste commands into a system prompt or run scripts disguised as diagnostic fixes.
During the remote session the attacker opens a browser and directs the victim to a fraudulent Microsoft-themed interface hosted on cloud infrastructure.
Victims were instructed to log into a fake “Outlook Anti-Spam Control Panel” and download what was described as an “anti-spam patch,” but which is actually a disguised file containing various components designed to initiate the next stage of the attack.
Once the so-called repair files were executed, the malicious chain was reconstructed locally from a staged payload, unpacking files that resembled legitimate software components, including runtime libraries and executable utilities.
A binary called ADNotificationManager.exe triggers the next phase of the compromise after installation.
At this stage, attackers rely heavily on a technique known as DLL sideloading to execute malicious code while legitimate applications continue to function normally.
Malicious dynamic libraries were placed next to legitimate executables, which load a library of the expected name from their own directory before the system directory, so the malware runs under a trusted process without immediately triggering obvious alarms.
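The sideloading pattern described above leaves a recognisable trace in image-load telemetry: a DLL whose file name belongs to a Windows system library is loaded from the application's own directory rather than from the system directory. The following Python script is an added example written for this page, not code from Huntress or from the campaign; it runs that check over constructed Sysmon Event ID 7 style records (the host binary "vendortool.exe", the paths and the short system-DLL name list are assumptions for the example, not artifacts from the report).

```python
"""Flag candidate DLL sideloading from Sysmon Event ID 7 (Image loaded) records.

A legitimate executable resolves most DLL names from its own directory before
the Windows system directory, so a malicious library with a system DLL's name
placed beside the executable wins the search and runs inside a trusted process.
"""
from pathlib import PureWindowsPath

# Names that normally resolve from C:\Windows\System32. In a real deployment
# build this set from an inventory of a clean reference host; this short set
# is an assumption for the example.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                    "cryptsp.dll", "userenv.dll"}

# Constructed sample events (hypothetical binary, paths and signers).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\patch\vendortool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\patch\vendortool.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\patch\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\patch\vendortool.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\patch\vendortool.core.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Vendor Inc."},
    {"Image": r"C:\Program Files\Example\tool.exe",
     "ImageLoaded": r"C:\Program Files\Example\userenv.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
]


def sideload_candidates(events):
    """Return (process_path, dll_path, severity) for each DLL loaded from the
    host process's own directory whose name collides with a system DLL name.

    severity is "high" when the DLL is unsigned or its signature is not valid,
    and "medium" when it carries a valid signature (a vendor may legitimately
    ship a genuine copy of a system library beside its application, so such
    hits are review items rather than alerts).
    """
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["Image"])
        loaded = PureWindowsPath(ev["ImageLoaded"])
        same_dir = str(image.parent).lower() == str(loaded.parent).lower()
        if not same_dir or loaded.name.lower() not in SYSTEM_DLL_NAMES:
            continue  # loaded from elsewhere, or not a system DLL name
        signed_ok = (ev.get("Signed", "").lower() == "true"
                     and ev.get("SignatureStatus") == "Valid")
        severity = "medium" if signed_ok else "high"
        findings.append((str(image), str(loaded), severity))
    return findings


if __name__ == "__main__":
    for proc, dll, sev in sideload_candidates(SAMPLE_EVENTS):
        print(f"[{sev}] {proc} loaded {dll} from its own directory")
```

On the sample data the unsigned version.dll beside vendortool.exe is flagged high and the validly signed userenv.dll under Program Files is flagged medium; the kernel32.dll load from System32 and the vendor's own core DLL are ignored. Signature checks alone are not enough, since a sideloaded DLL can itself be signed with a stolen or throwaway certificate, which is why the directory collision is the primary condition.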
The payload eventually deployed a modified agent derived from the open-source Havoc command-and-control (C2) framework.
As the researchers put it, "what once ended with the purchase of a $300 gift card now ends with a modified Havoc C2 framework buried in the environment."
The activity is rapid: in one case, the intruder expanded from the initial compromised computer to nine additional endpoints in approximately eleven hours.
Such rapid activity indicates direct operator control rather than automated malware spreading via vulnerabilities.
The attacker used remote administration tools and scheduled payloads to maintain persistence while moving through connected systems.
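The spread rate reported above (one endpoint to nine more in roughly eleven hours) is itself a detection signal: a hands-on operator leaves the same artifact, such as a remote-admin tool install or a scheduled task, on each host they touch, and the same artifact appearing on several distinct hosts inside a short window stands out from normal helpdesk activity. The following Python script is an added example for this page, not Huntress's tooling; it computes that per-indicator host spread over constructed log records (the host names, task name and timestamps are hypothetical).

```python
"""Alert when one persistence or tooling indicator appears on many distinct
hosts inside a short window, the footprint of operator-driven lateral movement.
"""
from datetime import datetime, timedelta

# Constructed sample records (hypothetical hosts, times and task name), each
# (UTC timestamp, host, indicator). Indicators here are a scheduled-task name
# (Security event 4698 style) and a remote-admin tool installation.
SAMPLE_EVENTS = [
    ("2025-03-10T08:05:00Z", "WS-017", "schtask:SystemRepairTask"),
    ("2025-03-10T08:06:00Z", "WS-017", "install:AnyDesk"),
    ("2025-03-10T09:40:00Z", "WS-022", "schtask:SystemRepairTask"),
    ("2025-03-10T11:15:00Z", "FS-01",  "schtask:SystemRepairTask"),
    ("2025-03-10T12:02:00Z", "WS-031", "schtask:SystemRepairTask"),
    ("2025-03-10T12:02:30Z", "WS-031", "schtask:SystemRepairTask"),  # repeat on same host
    ("2025-03-10T14:30:00Z", "WS-044", "schtask:SystemRepairTask"),
    ("2025-03-01T10:00:00Z", "WS-003", "install:AnyDesk"),  # helpdesk use, days earlier
    ("2025-03-12T16:00:00Z", "WS-044", "install:AnyDesk"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def first_seen_per_host(events):
    """Map indicator -> sorted list of (first_time, host), one entry per host,
    so repeated hits on an already-counted host do not inflate the spread."""
    first = {}
    for ts, host, indicator in events:
        t = parse_ts(ts)
        key = (indicator, host)
        if key not in first or t < first[key]:
            first[key] = t
    by_indicator = {}
    for (indicator, host), t in first.items():
        by_indicator.setdefault(indicator, []).append((t, host))
    for seen in by_indicator.values():
        seen.sort()
    return by_indicator


def spread_alerts(events, window=timedelta(hours=12), min_hosts=3):
    """Return {indicator: (peak_hosts, window_start, window_end)} for every
    indicator that reached at least min_hosts distinct hosts within `window`.
    Uses a sliding window over the per-host first-seen times."""
    alerts = {}
    for indicator, seen in first_seen_per_host(events).items():
        best = (0, None, None)
        j = 0  # left edge of the window
        for i, (t_i, _host) in enumerate(seen):
            while t_i - seen[j][0] > window:
                j += 1  # drop hosts that fell outside the window
            count = i - j + 1
            if count > best[0]:
                best = (count, seen[j][0], t_i)
        if best[0] >= min_hosts:
            alerts[indicator] = best
    return alerts


if __name__ == "__main__":
    for indicator, (n, start, end) in spread_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {indicator}: {n} hosts between {start} and {end}")
```

On the sample data the scheduled task reaches five hosts in under seven hours and is reported, while the AnyDesk installs are spread over days and stay below the threshold. The window and host-count thresholds are tuning knobs: a patch or software-deployment run will also touch many hosts quickly, so in practice the indicator list is restricted to artifacts that deployment tooling never creates, such as user-initiated remote-access installs and scheduled tasks registered outside change windows.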
Researchers warn that the campaign reinforces how attackers increasingly rely on social interaction rather than technical flaws to bypass technical defenses such as firewalls.