Head Mare
Head Mare is a pro-Ukrainian hacktivist threat group active since at least 2023 that targets Russian and Belarusian organizations, with repeated reporting focused on Russian government, industrial, logistics, financial, construction, manufacturing, energy, education, and science sectors. The group has been linked to phishing-led intrusions, exploitation of newly disclosed vulnerabilities, credential theft, lateral movement, selective data exfiltration, SSH tunneling, and ransomware deployment. Reported initial access methods include phishing campaigns using password-protected archives, malicious LNK files, and malicious .url files; exploitation of CVE-2023-38831 in WinRAR, CVE-2021-26855 (ProxyLogon) on Microsoft Exchange, CVE-2024-43451 for NTLM hash leakage, and the TrueConf Server vulnerability BDU:2025-10114; and abuse of compromised contractors, trusted relationships, and valid accounts. Head Mare is known for custom malware including PhantomCore (also referred to as PhantomDL), PhantomJitter, PhantomHeart, and PhantomProxyLite. PhantomCore has been used in large phishing campaigns against Russian organizations and provides remote command execution, with persistence via PSFactoryBuffer COM hijacking observed in one campaign. PhantomHeart is a newer backdoor used to create SSH tunnels and communicate with C2 over HTTP, including host registration and heartbeat traffic. PhantomProxyLite was later reimplemented in PowerShell as part of a stronger Living-off-the-Land approach. Head Mare has also used CobInt, which researchers noted had previously been associated with Twelve. Observed tooling includes public and leaked utilities such as Mimikatz, secretsdump, ProcDump, ADRecon, fscan, SoftPerfect Network Scanner, mRemoteNG, PsExec, PAExec, smbexec, wmiexec, cloudflared, Gost, Localtonet, ngrok, revsocks, MicroSocks, OpenSSH/ssh.exe, Sliver, and rclone.
The group has used masquerading and persistence mechanisms including scheduled tasks, Windows services, COM hijacking, and creation of privileged local users. Reported defense evasion includes renaming tools to resemble legitimate Windows files, removing created services and files, and clearing Windows event logs. Post-compromise activity has included reconnaissance, dumping ntds.dit and registry hives, lateral movement via RDP and SSH, and selective exfiltration of victim files. For impact, researchers observed deployment of LockBit 3.0 on Windows systems and Babuk on NAS devices. Multiple reports describe operational overlap or collaboration between Head Mare and other pro-Ukrainian groups. Researchers assessed likely cooperation with Twelve based on shared malware, scripts, infrastructure, file paths, service names, and victim sectors in attacks on Russian entities. Kaspersky also reported overlap and apparent coordination with BO Team, and F6 reported collaboration between Bearlyfy and Head Mare. Separate reporting noted some overlaps with Cloud Atlas infrastructure or file paths, especially around PhantomHeart-related SSH tunneling artifacts, but stated that the TTPs remain distinct. Known aliases and related naming in the reporting include Head Mare and the malware names PhantomCore/PhantomDL associated with the group.
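As an added example (not code from the reporting or from Mallory), the following Python pass applies simple detection rules for the persistence, defense-evasion and credential-access behaviours described above (event log clearing, privileged local user creation, tools renamed to look like Windows binaries, per-user COM hijacking via InprocServer32, and ntds.dit/registry hive dumping) to constructed Windows and Sysmon events. The event IDs are standard Windows/Sysmon ones; the file names, account name, CLSID and paths are constructed placeholders, and the Windows-binary name list is illustrative rather than taken from the reporting.

```python
"""Toy detection pass over constructed Windows/Sysmon events for the
Head Mare behaviours described above. Sample events are constructed,
not indicators from the reporting."""
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names an attacker may reuse to blend in; illustrative set, not from the page.
WINDOWS_NAMES = {"svchost.exe", "conhost.exe", "rundll32.exe", "dllhost.exe"}

def log_cleared(e: Event) -> bool:          # Security 1102: audit log cleared
    return e.get("channel") == "Security" and e.get("event_id") == 1102

def admin_user_added(e: Event) -> bool:     # 4732: member added to local Administrators
    return e.get("event_id") == 4732 and str(e.get("group", "")).lower() == "administrators"

def masquerading_binary(e: Event) -> bool:  # Sysmon 1: Windows-like name outside system dirs
    image = str(e.get("image", "")).lower()
    return (e.get("event_id") == 1 and image.rsplit("\\", 1)[-1] in WINDOWS_NAMES
            and not image.startswith(SYSTEM_DIRS))

def com_hijack_inproc(e: Event) -> bool:    # Sysmon 13: per-user CLSID InprocServer32 written
    path = str(e.get("target_object", "")).lower()
    return (e.get("event_id") == 13 and path.startswith(("hku\\", "hkcu\\"))
            and "\\software\\classes\\clsid\\" in path and "\\inprocserver32" in path)

def hive_or_ntds_dump(e: Event) -> bool:    # Sysmon 1: ntds.dit or SAM/SYSTEM hive access
    cmd = str(e.get("command_line", "")).lower()
    return e.get("event_id") == 1 and ("ntds.dit" in cmd or "reg save hklm\\sam" in cmd
                                       or "reg save hklm\\system" in cmd)

RULES: Dict[str, Callable[[Event], bool]] = {
    "log_cleared": log_cleared, "admin_user_added": admin_user_added,
    "masquerading_binary": masquerading_binary, "com_hijack_inproc": com_hijack_inproc,
    "hive_or_ntds_dump": hive_or_ntds_dump,
}

def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on an event."""
    return [(i, n) for i, e in enumerate(events) for n, r in RULES.items() if r(e)]

SAMPLE_EVENTS: List[Event] = [  # constructed; index 0 is benign, 1..5 each trip one rule
    {"event_id": 1, "image": "c:\\windows\\system32\\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
    {"event_id": 1, "image": "c:\\users\\public\\svchost.exe", "command_line": "svchost.exe"},
    {"event_id": 13, "target_object": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\CLSID\\"
                                      "{00000000-0000-0000-0000-000000000000}\\InprocServer32\\(Default)"},
    {"event_id": 4732, "channel": "Security", "group": "Administrators", "member": "svc_placeholder"},
    {"event_id": 1102, "channel": "Security"},
    {"event_id": 1, "image": "c:\\windows\\system32\\reg.exe", "command_line": "reg save hklm\\sam c:\\temp\\sam"},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The rules are deliberately narrow substring checks so a practitioner can see which reported behaviour each one maps to; in production they would be expressed as Sigma rules and tuned against the environment's baseline of legitimate service, registry and reg.exe activity.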
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Energy
- Capital Goods
- Government & Administration
Where they target
Geographies tied to known operations.
- 🇷🇺 Russia
Tradecraft
41 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
11 malware families attributed to this actor across reporting.
6 additional families tracked in Mallory.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
In one incident, they exploited the Microsoft Exchange server vulnerability CVE-2021-26855 (ProxyLogon). Although patched in 2021, this vulnerability is still exploitable due to organizations using outdated operating systems and software. The attackers used ProxyLogon to execute a command to download and launch CobInt on the server.
The attackers also exploited software vulnerabilities, most commonly CVE-2023-38831 in WinRAR through phishing emails.
Observables
119 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
Referenced as a separate threat actor whose recent activity overlaps with Cloud Atlas infrastructure patterns; associated here with the PhantomHeart backdoor used to create SSH tunnels.
Threat group targeting Russian and Belarusian organizations, likely coordinating with BO Team, using phishing for initial access, custom malware, and exploitation of newly disclosed vulnerabilities.
Named threat actor that reportedly collaborated with Bearlyfy.
A more experienced pro-Ukrainian group observed collaborating with Bearlyfy.