Attackers now rely on employees to unknowingly launch the malware themselves

Fake IT support calls transform routine troubleshooting into a full network compromise

Browser crashes become the opening move in carefully staged social engineering attacks

Cybercriminal activity continues to move away from direct software exploitation toward manipulating everyday user behavior within corporate environments, experts have warned.

New research by Huntress describes a campaign in which attackers intentionally crash a user’s browser and display alarming security messages that encourage a “repair.”

The tactic creates a false sense of urgency while allowing the attacker to initiate direct communication with the employee.

Attackers take advantage of employee confusion

In many observed cases, victims received phone calls from individuals claiming to be internal technical staff responsible for resolving the issue, which gives the attacker credibility and creates pressure for the employee to cooperate with instructions that appear routine.

The entire chain begins with spam messages flooding a user’s mailbox. Soon after, a phone call arrives from someone claiming to represent “IT support”, who says the spam or browser malfunction requires immediate maintenance on the affected computer.

The deception works because victims are persuaded to perform the actions that trigger the compromise themselves.

Researchers explained that the attackers rely on manual user interaction rather than automated malware delivery, as victims are guided through steps such as approving remote access sessions or installing remote administration tools like AnyDesk.

In other cases, users are instructed to copy and paste commands into system prompts or execute scripts disguised as diagnostic fixes.

The attackers open a browser during remote sessions and direct victims to a fraudulent Microsoft-themed interface hosted on cloud infrastructure.

Victims were instructed to log into a fake “Outlook Antispam Control Panel” and download what was described as an “Antispam Patch”, but which is actually a disguised archive file containing several components designed to initiate the next stage of the attack.

Once the so-called repair files were executed, the malicious chain reconstructed itself locally using a staged payload, unpacking files that appeared to resemble legitimate software components, including runtime libraries and executable utilities.

One binary named ADNotificationManager.exe triggers the next phase of the compromise after installation.

At this stage, attackers rely heavily on a technique known as DLL sideloading to run malicious code while legitimate applications continue operating normally.

Malicious dynamic libraries were placed beside legitimate files, allowing the malware to run without immediately triggering obvious alarms within the system.

The payload ultimately deployed a modified agent derived from the open-source command-and-control framework Havoc C2.

And “what once ended with a $300 gift card purchase now ends with a modified Havoc C2 framework burrowed into your environment.”

The activity is swift: in one case, the intruder expanded from the initial compromised computer to nine additional endpoints within roughly eleven hours.

Such rapid activity indicates direct operator control rather than automated malware spreading through vulnerabilities.

The attacker used remote management tools and scripted payloads to maintain persistence while moving through connected systems.

The researchers warn that the campaign reiterates how attackers increasingly depend on social interaction rather than technical flaws to bypass firewall defenses.

