Fake tech support scams are not new. Historically, the goal was simple: convince someone to hand over a few hundred dollars in gift cards or give attackers remote access to a computer.
However, new research from Huntress highlights how familiar social-engineering tricks are evolving into something far more insidious. Instead of small-scale fraud, malefactors are using fake support calls to deploy sophisticated command-and-control malware inside business networks.
In a campaign observed in February 2026, bad actors first flooded organizations with spam emails. Then they followed up with phone calls posing as IT support staff, offering to “fix” the problem.
Victims were persuaded to approve remote-access sessions using tools like QuickAssist or install remote management software such as AnyDesk. Once inside the system, the attackers guided users through a fake “Outlook Antispam Control Panel,” which downloaded what looked like a legitimate patch.
That patch was far from innocuous. It installed a customized version of the Havoc command-and-control framework, a post-exploitation toolkit aimed at managing compromised machines.
The actors didn’t rely on stock malware either. The Havoc payload had been heavily modified with techniques specifically tailored to slip past modern endpoint detection and response (EDR) tools.
These included DLL sideloading, indirect system calls to bypass security hooks, and registry-based fallback command-and-control channels for resilience in the event that primary servers were disrupted.
Once inside, the operators moved quickly. In one environment, they spread from the initial compromised machine to nine additional endpoints in roughly eleven hours. Persistence mechanisms included scheduled tasks, malicious DLLs, and even legitimate remote monitoring tools deployed by the attackers themselves.
The broader message is that while the technical sophistication of these campaigns is growing, the entry point is still stubbornly human.
Attackers are still exploiting trust. They simply combine old-fashioned phone scams with modern offensive security frameworks.
For defenders, that’s a reminder that even the most advanced technical controls can be bypassed if an attacker convinces someone to open the door.
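One way to watch for the sequence described above (an email flood aimed at one user, followed shortly by a QuickAssist or AnyDesk launch by that user) is to correlate mail-gateway and process-start telemetry. This is an added example, not code from Huntress or the original article. The thresholds, event shapes, and sample data are constructed assumptions, and it assumes both log sources have already been normalized to the same user identifier.

```python
from datetime import datetime, timedelta

# Assumed tuning values, not taken from the Huntress report.
BURST_COUNT = 50                      # inbound mails to one user ...
BURST_WINDOW = timedelta(minutes=30)  # ... inside this window count as a flood
FOLLOWUP = timedelta(hours=4)         # how long after a flood a launch is suspicious
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}  # tools named in the article

def flood_times(mail_times):
    """Return every timestamp at which the sliding window holds a flood."""
    times, hits, start = sorted(mail_times), [], 0
    for end, t in enumerate(times):
        while t - times[start] > BURST_WINDOW:
            start += 1                # drop mails older than the window
        if end - start + 1 >= BURST_COUNT:
            hits.append(t)
    return hits

def correlate(mail_events, proc_events):
    """mail_events: (time, user); proc_events: (time, user, host, image)."""
    by_user = {}
    for t, user in mail_events:
        by_user.setdefault(user.lower(), []).append(t)
    floods = {u: flood_times(v) for u, v in by_user.items()}
    alerts = []
    for t, user, host, image in sorted(proc_events):
        if image.lower() not in REMOTE_TOOLS:
            continue
        # Alert only when the launch falls inside the follow-up window of a flood.
        if any(f <= t <= f + FOLLOWUP for f in floods.get(user.lower(), [])):
            alerts.append((host, user, image, t))
    return alerts

# Constructed sample telemetry (hypothetical users and hosts).
BASE = datetime(2026, 2, 10, 9, 0)
SAMPLE_MAIL = [(BASE + timedelta(seconds=20 * i), "alice") for i in range(60)]
SAMPLE_MAIL += [(BASE + timedelta(minutes=10 * i), "bob") for i in range(5)]
SAMPLE_PROC = [
    (BASE + timedelta(minutes=65), "alice", "WS-014", "QuickAssist.exe"),
    (BASE + timedelta(minutes=70), "alice", "WS-014", "OUTLOOK.EXE"),
    (BASE + timedelta(hours=2), "bob", "WS-022", "AnyDesk.exe"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_MAIL, SAMPLE_PROC):
        print("ALERT mail flood followed by remote-access tool:", alert)
```

Bob's AnyDesk launch is not flagged because no flood preceded it, which keeps routine remote-support use from drowning the signal.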
You can read the full report here.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.