- Attackers now rely on employees unknowingly launching the malware themselves
- Fake IT support calls turn routine troubleshooting into a complete network compromise
- Browser crashes become the first step in carefully staged social engineering attacks
Cybercriminal activity continues to move away from direct software exploitation toward manipulating everyday user behavior in enterprise environments, experts have warned.
New research from Huntress describes a campaign where attackers deliberately crash a user’s browser and display alarming security messages prompting a “fix”.
The tactic creates a false sense of urgency while allowing the attacker to initiate direct communication with the employee.
Attackers take advantage of employee confusion
In many observed cases, victims received phone calls from individuals claiming to be internal technical staff responsible for resolving the issue, lending credibility to the attacker and creating pressure for the employee to cooperate with instructions that appear routine.
The entire chain begins with spam messages flooding a user’s inbox. Soon after, a phone call comes from someone claiming to represent “IT Support” who says that the spam or browser error requires immediate maintenance on the affected computer.
The deception works because victims are persuaded to perform the actions themselves that trigger the compromise.
Researchers explained that the attackers rely on manual user interaction rather than automatic delivery of malware, as victims are guided through steps such as authenticating remote access sessions or installing remote management tools such as AnyDesk.
In other cases, users are instructed to copy and paste commands into system prompts or execute scripts disguised as diagnostic fixes.
The attackers open a browser during remote sessions and direct victims to a fraudulent Microsoft-themed interface hosted on cloud infrastructure.
Victims were asked to log into a fake “Outlook Antispam Control Panel” and download what was described as an “Antispam Patch” but is actually a disguised archive file containing several components designed to initiate the next phase of the attack.
Once the so-called repair files were executed, the malicious chain reconstructed itself locally using a staged payload, extracting files that appeared to resemble legitimate software components, including runtime libraries and executable utilities.
A binary named ADNotificationManager.exe triggers the next stage of the compromise after installation.
At this stage, attackers rely heavily on a technique known as DLL sideloading to run malicious code while legitimate programs continue to function normally.
Malicious dynamic libraries were placed next to legitimate files, allowing the malware to run without immediately triggering obvious system alarms.
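A detection heuristic for the sideloading pattern described above, added here as an example and not taken from the Huntress research or this article: it flags a DLL that a process loads from its own directory when the DLL carries a well-known Windows DLL name or is unsigned. The sample events (field names modelled on Sysmon's ImageLoaded event, ID 7), the DLL file names in them and the short system-DLL list are constructed assumptions for illustration.

```python
"""Heuristic detector for DLL sideloading over Sysmon-style image-load events."""
from pathlib import PureWindowsPath

# Constructed sample events; field names follow Sysmon Event ID 7 (ImageLoaded).
# The DLL names are illustrative, not indicators from the reported campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\AntispamPatch\ADNotificationManager.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\AntispamPatch\VERSION.dll",
     "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\VERSION.dll",
     "Signed": "true"},
    {"Image": r"C:\Users\alice\Downloads\AntispamPatch\ADNotificationManager.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\AntispamPatch\app.dll",
     "Signed": "true"},
]

# Assumed short list of Windows DLL names commonly abused for sideloading;
# a production detector would use a full inventory of system DLL names.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}
SYSTEM_DIRS = (PureWindowsPath(r"C:\Windows\System32"),
               PureWindowsPath(r"C:\Windows\SysWOW64"))


def in_system_dir(path: PureWindowsPath) -> bool:
    """True when the path lies under one of the trusted system directories."""
    return any(path.is_relative_to(d) for d in SYSTEM_DIRS)


def score_event(event: dict) -> list:
    """Return the reasons an image-load event looks like sideloading (empty if none)."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    reasons = []
    if dll.suffix.lower() != ".dll":
        return reasons
    # The sideloading signature: a DLL resolved from the executable's own folder
    # rather than from a system directory.
    if dll.parent == exe.parent and not in_system_dir(dll):
        if dll.name.lower() in SYSTEM_DLL_NAMES:
            reasons.append("system DLL name loaded from application directory")
        if event.get("Signed", "").lower() != "true":
            reasons.append("unsigned DLL loaded from application directory")
    return reasons


def find_sideloading(events: list) -> list:
    """Yield (process, dll, reasons) for every event that scores at least one reason."""
    return [(e["Image"], e["ImageLoaded"], r) for e in events if (r := score_event(e))]
```

Running `find_sideloading(SAMPLE_EVENTS)` reports only the first event, on both counts; the same DLL name loaded from System32 and a signed, non-system-named DLL beside the executable pass without a hit.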
The payload ultimately implemented a modified agent derived from the Havoc C2 open source command-and-control framework.
And “what once ended with a $300 gift card purchase now ends with a modified Havoc C2 frame dug into your environment.”
Activity is rapid: in one case the intruder spread from the original compromised computer to nine additional endpoints within approximately eleven hours.
Such rapid activity indicates direct operator control rather than automated malware spreading through vulnerabilities.
The attacker used remote management tools and scripted payloads to maintain persistence while moving through connected systems.
The researchers warn that the campaign reiterates how attackers increasingly rely on social interaction rather than technical errors to bypass firewall defenses.