Headlace

HeadLace is a multi-component backdoor malware family associated with the Russian GRU-linked threat actor APT28 (also tracked as Fancy Bear, Forest Blizzard, BlueDelta, and Unit 26165). Public reporting describes it as a CMD/VBS/BAT-based backdoor used in espionage campaigns from at least 2023 onward. It has been delivered primarily through spearphishing and phishing campaigns, including malicious ZIP archives, lure documents, and phishing emails crafted in victims’ native languages. Reported delivery chains have abused free and legitimate web services such as Mocky.IO/run.mocky.io, webhook.site, InfinityFree, and other cloud or web platforms to redirect victims, host payloads, and distribute commands.

HeadLace has been used for persistence, reconnaissance, credential collection, and data exfiltration. Reported commanding mechanisms include web endpoints on Mocky.IO. ANSSI reported that commands delivered through Mocky.IO were used to gather login credentials, collect information about the victim information system, and deploy offensive tools; persistence could include creation of a scheduled task. CERT Polska described an infection chain matching previously documented HeadLace behavior in which a ZIP archive contained a decoy executable, a BAT script, and a malicious WindowsCodecs.dll used for DLL side-loading. Subsequent stages abused Microsoft Edge, including headless mode, to fetch and execute additional scripts from webhook.site in a recurring loop, while displaying decoy images to reduce suspicion. The final observed stage collected the public IP address via ipinfo.io and directory listings from user and program folders, then sent the data to a command-and-control endpoint.

Victimology in the provided reporting includes critical energy infrastructure in Ukraine, Polish government institutions, French entities, European governmental and diplomatic targets, research and policy-focused organizations, logistics entities, technology companies, and organizations involved in humanitarian aid allocation or aid delivery to Ukraine. IBM X-Force reported a December 2023 campaign using Israel-Hamas-war-themed lure documents derived from authentic academic, finance, diplomatic, government, educational, and NGO materials to deliver the HeadLace backdoor, with country-based filtering restricting malware delivery to intended victims. Joint government advisories also state that HEADLACE was used in the ongoing GRU campaign against Western logistics entities and technology companies supporting Ukraine, where it was used alongside MASEPIE for persistence and data exfiltration.

High-confidence infrastructure and behavioral indicators mentioned in the content include use of Mocky.IO/run.mocky.io and webhook.site in delivery and command distribution, malicious ZIP archives, DLL side-loading via a fake WindowsCodecs.dll, BAT/VBS/CMD script chains, scheduled-task persistence, Microsoft Edge headless execution, and host reconnaissance including public IP discovery through ipinfo.io.