
Tech Support Scams Now Deploy Havoc Malware via Compromised cPanel & OAuth Phishing
Microsoft.com • Monday, March 2, 2026 • Redmond, WA, USA

Cybercriminals are actively exploiting compromised cPanel credentials and OAuth redirection to conduct sophisticated phishing attacks and distribute malware. The underground market for compromised cPanel accounts is thriving, providing attackers with ready-made infrastructure for hosting phishing sites and bypassing security filters. Simultaneously, OAuth redirection is being weaponized to redirect users from legitimate sign-in pages to attacker-controlled infrastructure, enabling credential harvesting and malware delivery.

## Latest Update

The latest development involves tech support scams that trick employees into infecting their own company devices with the Havoc malware. Attackers use browser-based technical disruptions and high-pressure social engineering to convince victims to download and execute remote access tools, ultimately leading to network compromise and data exfiltration.

## Timeline

* **2026-03-02:** OAuth redirection is being abused for phishing and malware delivery by weaponizing trusted authentication flows.
* **2026-03-03:** Compromised cPanel credentials are being sold in bulk on underground markets, enabling plug-and-play phishing and scam infrastructure.
* **2026-03-07:** Tech support scams now trick employees into installing the Havoc malware framework, leading to network compromise.

## What to Watch

* **Escalation of Social Engineering Tactics:** Attackers may refine their social engineering techniques to further exploit user trust and bypass security awareness training.
* **Increased Targeting of Corporate Networks:** The focus on infecting corporate devices suggests a growing interest in gaining access to sensitive data and intellectual property.
* **Proliferation of Havoc Malware:** Monitor for increased use of the Havoc framework in other types of attacks, as its capabilities for lateral movement and data exfiltration make it a valuable tool for attackers.