A malicious DLL named vcruntime140_1.dll is doing work most security teams won’t immediately recognize. It uses control flow obfuscation, timing-based delay loops, and a pair of techniques called Hell’s Gate and Halo’s Gate to hook ntdll.dll functions and neutralize endpoint detection and response tools entirely. That single component sits near the middle of an attack chain that, in at least one case, spread across nine additional endpoints in eleven hours.
The campaign was identified by Huntress last month across five partner organizations. Researchers Michael Tigges, Anna Pham, and Bryan Masters documented it in detail. According to the report, threat actors impersonating IT support staff used email spam as the opening move, flooding targets’ inboxes with junk mail before placing a phone call offering to fix the problem.
The Delivery Chain
Once a target granted remote access — through Quick Assist or tools like AnyDesk — the attacker opened a web browser and navigated to a fake landing page hosted on Amazon Web Services. The page impersonated Microsoft and prompted the victim to enter their email address to access an “anti-spam rules update system.” Clicking the update button triggered a script that overlaid a password prompt, harvesting credentials while reinforcing the illusion that the process was legitimate.
The supposed anti-spam patch then executed a legitimate binary — ADNotificationManager.exe, or in some cases DLPUserAgent.exe or Werfault.exe — to sideload a malicious DLL. That DLL spawned a thread containing the Havoc Demon agent, a customized version of the open-source command-and-control framework. From there, the attackers created scheduled tasks to relaunch the payload on every reboot, locking in persistent access. On some hosts, they also deployed legitimate remote monitoring and management tools — Level RMM and XEOX — rather than Havoc, diversifying their foothold across the environment.
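Detection logic for the sideloading step described above, written as an added example and not taken from the Huntress report: it scans Sysmon-style image-load events for one of the named host binaries loading vcruntime140_1.dll from outside the Windows system directories. The event line format and every sample event are constructed for illustration.

```python
"""Flag possible vcruntime140_1.dll sideloading in image-load events.

Heuristic: a host binary named in the report loads vcruntime140_1.dll from a
directory that is not a trusted Windows system path. The event shape and the
sample lines below are constructed, not real telemetry.
"""
import re
from pathlib import PureWindowsPath

# Host executables the report names as sideloading carriers.
HOST_BINARIES = {"adnotificationmanager.exe", "dlpuseragent.exe", "werfault.exe"}
TARGET_DLL = "vcruntime140_1.dll"
# Locations where a Windows-installed copy of the runtime legitimately lives.
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")

# Minimal Sysmon Event ID 7 (ImageLoad) shape: "Image: <exe> ImageLoaded: <dll>"
_EVENT_RE = re.compile(r"Image:\s*(?P<image>.+?)\s+ImageLoaded:\s*(?P<dll>.+?)\s*$", re.I)


def is_trusted_path(dll_path: str) -> bool:
    """True if the DLL sits under one of the trusted system directories."""
    low = dll_path.lower()
    return any(low.startswith(d.lower() + "\\") for d in TRUSTED_DIRS)


def flag_sideload(line: str):
    """Return {'host', 'dll'} for a suspicious load, otherwise None."""
    m = _EVENT_RE.search(line)
    if not m:
        return None
    image, dll = m["image"], m["dll"]
    if PureWindowsPath(image).name.lower() not in HOST_BINARIES:
        return None
    if PureWindowsPath(dll).name.lower() != TARGET_DLL or is_trusted_path(dll):
        return None
    return {"host": image, "dll": dll}


def scan(lines):
    """Apply flag_sideload to every line and keep the hits."""
    return [hit for hit in map(flag_sideload, lines) if hit]


# Constructed sample events (not from the report).
SAMPLE_EVENTS = [
    r"Image: C:\Windows\System32\Werfault.exe ImageLoaded: C:\Windows\System32\vcruntime140_1.dll",
    r"Image: C:\Users\alice\AppData\Local\Temp\patch\ADNotificationManager.exe ImageLoaded: C:\Users\alice\AppData\Local\Temp\patch\vcruntime140_1.dll",
    r"Image: C:\Users\alice\Downloads\DLPUserAgent.exe ImageLoaded: C:\Users\alice\Downloads\vcruntime140_1.dll",
    r"Image: C:\Windows\System32\notepad.exe ImageLoaded: C:\Users\alice\Downloads\vcruntime140_1.dll",
    r"Image: C:\Windows\System32\Werfault.exe ImageLoaded: C:\Users\alice\AppData\Local\Temp\vcruntime140_1.dll",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"suspicious sideload: {hit['host']} -> {hit['dll']}")
```

A copy of the runtime shipped alongside a legitimately installed application would also match, so in production the path allowlist would be extended or the rule combined with a signature check on the loaded DLL.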
“The hands-on-keyboard activity that followed was comparatively straightforward,” the researchers said, noting that the sophistication was concentrated in the initial delivery, not the lateral movement itself.
A Familiar Playbook
The method closely mirrors tactics previously attributed to the Black Basta ransomware operation, which combined email bombing with Microsoft Teams phishing to gain initial access. That group has been largely quiet since its internal chat logs were publicly leaked last year. The researchers suggest two explanations: former affiliates may have migrated to other ransomware operations, or competing actors have simply adopted the same social engineering strategy independently.
The speed of the confirmed intrusion — initial access to nine endpoints in under twelve hours — points toward data exfiltration, ransomware deployment, or both as the intended outcome, the researchers said.
Three observations anchor the report’s findings. Threat actors are now willing to call personal phone numbers directly if it raises their success rate. Defense evasion techniques once reserved for nation-state campaigns are becoming standard in commodity attacks. And off-the-shelf malware frameworks are being customized specifically to defeat pattern-based detection — making the familiar unrecognizable by the time it lands.
This article is a curated summary based on third-party sources.