{
	"id": "a79a7b01-0e12-4ba3-ad6d-9c08b98e05a6",
	"created_at": "2026-04-06T00:11:21.737012Z",
	"updated_at": "2026-04-10T03:33:24.097059Z",
	"deleted_at": null,
	"sha1_hash": "7895a7017121f0f8f8e45f90fd2d17ae387e9709",
	"title": "Head Mare Intensifies Attacks On Russia With PhantomCore",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 910408,
	"plain_text": "Head Mare Intensifies Attacks On Russia With PhantomCore\r\nPublished: 2024-12-10 · Archived: 2026-04-05 17:13:19 UTC\r\nCyble analyzes the intensification of the ongoing Head Mare campaign against Russia, with deceptive ZIP archives\r\nbeing used to deploy the PhantomCore Backdoor.\r\nKey takeaways\r\nCyble Research and Intelligence Labs (CRIL) has identified a campaign associated with the infamous group\r\nHead Mare aimed at targeting Russians.\r\nThis campaign involves a ZIP archive containing both a malicious LNK file and an executable. The executable is\r\ncleverly disguised as an archive file to deceive users and facilitate its malicious operations.\r\nThe LNK file contains commands designed to extract and execute the disguised, which has been identified as\r\nPhantomCore.\r\nPhantomCore is a backdoor utilized by the hacktivist group Head Mare. It has been active since 2023 and is\r\nknown for consistently targeting Russia.  \r\nIn previous attacks, GoLang-compiled PhantomCore binaries were used. However, in this campaign, the threat\r\nactor (TA) is using C++-compiled PhantomCore binaries instead.\r\nTA also integrated the Boost.Beast library into PhantomCore to enable communication with the command-and-control (C\u0026C) server.\r\nPhantomCore collects the victim’s information, including the public IP address, to gain detailed insights into the\r\ntarget before deploying the final-stage payload or executing additional commands on the compromised system.\r\nPhantomCore is known to deploy ransomware payloads such as LockBit and Babuk, inflicting significant\r\ndamage on the victim’s systems.\r\nOverview\r\nOn 2nd September 2024, Kaspersky released a blog about the Head Mare group, which first emerged in 2023. Head\r\nMare is a hacktivist group targeting organizations in Russia and Belarus with the goal of causing maximum damage\r\nrather than financial gain. 
They use up-to-date tactics, such as exploiting the CVE-2023-38831 vulnerability in WinRAR, to gain initial access and deliver malicious payloads. The group maintains a public presence on X, where they disclose information about their victims.\r\nTheir targets span various industries, including government, transportation, energy, manufacturing, and entertainment. Unlike other hacktivist groups, Head Mare also demands ransom for data decryption.\r\nhttps://cyble.com/blog/head-mare-deploys-phantomcore-against-russia/\r\nPage 1 of 9\n\nFigure 1 – Threat Actor profile\r\nCRIL recently identified a campaign targeting Russians linked to the notorious Head Mare group. While the initial infection vector remains unknown, the group typically reaches users via spam emails. In this campaign, a ZIP archive named “Doc.Zip” was discovered, containing malicious LNK files, an executable disguised as “Doc.zip” identified as PhantomCore, and a corrupted PDF.\r\nUpon execution, the LNK file extracts the “Doc.Zip” archive into the “C:\\ProgramData” directory and launches the file “Doc.zip” using cmd.exe. Once running, the malware gathers the victim’s information, such as the public IP address, Windows version, username, etc., and sends it to a command-and-control (C\u0026C) server controlled by the TA. It then awaits further commands from the C\u0026C server to execute additional malicious activities. The figure below shows the infection chain.\r\nFigure 2 – Infection chain\r\nEarlier PhantomCore samples were developed in GoLang. However, in the latest campaign, the threat actor is using C++-compiled PhantomCore binaries. 
Additionally, the C++ version of PhantomCore incorporates the Boost.Beast library, which handles communication between the infected system and the command-and-control (C\u0026C) server over HTTP (Boost.Beast is an HTTP and WebSocket library built on Boost.Asio).\r\nTechnical Analysis\r\nThe ZIP archive “Doc.zip,” downloaded from the file-sharing website hxxps://filetransfer[.]io/data-package/AiveGg6u/download, is suspected to have been delivered to the victim via a spam email. The email likely carried a social engineering theme designed to appear legitimate, such as an invoice for goods or similar financial documents, intended to deceive the recipient into interacting with the malicious attachment and ultimately leading to the delivery of the malicious payload.\r\nThe ZIP archive contains multiple files: two LNK files, a corrupted lure PDF file, and an executable camouflaged with a “.zip” file extension. All file names within the archive are in Russian, as detailed in the table below.\r\nActual file name | Translated name\r\nСписок товаров и услуг.pdf.lnk | List of goods and services.pdf.lnk\r\nСчет-фактура.pdf.lnk | Invoice.pdf.lnk\r\nКонтактные данные для оплаты.pdf | Contact details for payment.pdf\r\nThe LNK file is configured to execute a PowerShell command that locates and extracts the “Doc.zip” archive into the “C:\\ProgramData” directory. Once extracted, the “Doc.zip” file, which is actually an executable, is launched using the cmd.exe start command. The figure below illustrates the contents of the LNK file.\r\nFigure 3 – Contents of Список товаров и услуг.pdf.lnk\r\nUpon execution, the Doc.zip file sets both the input and output code pages to OEM Russian (Cyrillic, code page 866) using the SetConsoleCP and SetConsoleOutputCP Win32 APIs. 
Additionally, it sets the locale of the running process to “ru_RU.UTF-8” (a C-runtime locale setting, so it affects the malware process rather than the whole system), selecting the Russian locale with UTF-8 encoding.\r\nFigure 4 – Sets locale to Russian\r\nAfter configuring the locale settings, the malware attempts to connect to the C\u0026C server at 45.10.247[.]152 using the User-Agent string “Boost.Beast/353”. It retries the connection until successful, sleeping for 10 seconds between attempts.\r\nFigure 5 – Connect request\r\nAfter a successful connection is established, the malware gathers the victim’s information, including the Buildname, Windows version, public IP address, computer name, username, and domain details. The Buildname, which can vary (e.g., ZIP, URL), may indicate the infection vector. This collected data is then sent to the C\u0026C server via the “init” endpoint, as illustrated in the figure below.\r\nFigure 6 – Gathering victim’s information\r\nFigure 7 – Sending victim’s details\r\nAfter sending the initial request containing the victim details and a UUID, the malware waits for a response from the TA. During our analysis, we were unable to capture the response; however, code analysis indicates that the typical response from the TA follows a format similar to the one shown below.\r\nFigure 8 – TA’s response\r\nMoreover, the TA can execute commands on the victim’s machine and download additional payloads from the C\u0026C server. This enables them to escalate the compromise, conduct further malicious activities, or expand the attack by deploying specific commands and payloads. 
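The detection angle on the chain just described, as an added example that is not part of the Cyble write-up and contains no PhantomCore code: a small Python detector run over constructed Sysmon-style process-creation events and constructed proxy log lines. On the host side it looks for a process whose image is a .zip under ProgramData, launched through cmd.exe start with a PowerShell ancestor (the exact PowerShell cmdlet in the LNK is not shown on the page, so the Expand-Archive command in the sample event is an assumption, as are the event field names). On the network side it keys on the Boost.Beast/353 User-Agent, the four C2 endpoints (connect, init, check, command) and the 10-second retry cadence; the timestamps, client addresses and the GET/POST split per endpoint are constructed for the example.

```python
# Added example: detection logic for the PhantomCore delivery chain and C2 pattern.
# Not Cyble's code and not derived from the sample; all input data below is constructed.
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

BACKSLASH = chr(92)  # spelled out so the block carries no literal backslashes

# Stage 1: LNK -> PowerShell extracts Doc.zip -> cmd.exe start runs the disguised PE.
# Constructed Sysmon-style process-creation events (field names are an assumption;
# the Expand-Archive cmdlet is an assumption, the page only says PowerShell extracts it).
HOST_EVENTS = [
    {'pid': 100, 'ppid': 1, 'image': 'C:/Windows/explorer.exe', 'cmd': 'explorer.exe'},
    {'pid': 200, 'ppid': 100,
     'image': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
     'cmd': 'powershell.exe -w hidden Expand-Archive Doc.zip -DestinationPath C:' + BACKSLASH + 'ProgramData'},
    {'pid': 300, 'ppid': 200, 'image': 'C:/Windows/System32/cmd.exe',
     'cmd': 'cmd.exe /c start C:' + BACKSLASH + 'ProgramData' + BACKSLASH + 'Doc.zip'},
    {'pid': 400, 'ppid': 300, 'image': 'C:' + BACKSLASH + 'ProgramData' + BACKSLASH + 'Doc.zip',
     'cmd': 'Doc.zip'},
    {'pid': 500, 'ppid': 100, 'image': 'C:/Windows/System32/notepad.exe', 'cmd': 'notepad.exe'},
]

def norm(path):
    # Normalise separators and case so one rule matches both spellings of a path.
    return path.replace(BACKSLASH, '/').lower()

def find_disguised_zip_chain(events):
    # Flags any process whose image is a .zip under ProgramData (a PE with a fake
    # extension) and records whether cmd.exe start and PowerShell sit above it.
    by_pid = {e['pid']: e for e in events}
    hits = []
    for e in events:
        img = norm(e['image'])
        if not (img.endswith('.zip') and '/programdata/' in img):
            continue
        parent = by_pid.get(e['ppid'])
        grand = by_pid.get(parent['ppid']) if parent else None
        via_cmd_start = bool(parent) and norm(parent['image']).endswith('/cmd.exe') and ' start ' in parent['cmd'].lower()
        via_powershell = bool(grand) and norm(grand['image']).endswith('/powershell.exe') and 'programdata' in norm(grand['cmd'])
        hits.append({'pid': e['pid'], 'image': e['image'],
                     'via_cmd_start': via_cmd_start, 'via_powershell': via_powershell})
    return hits

# Stage 2: C2 over HTTP with User-Agent Boost.Beast/353, retried every 10 seconds.
# Constructed proxy log lines: timestamp client method url user-agent (not real traffic;
# the GET/POST split per endpoint is an assumption).
PROXY_LOG = [
    '2024-12-10T09:00:00Z 10.0.0.5 GET http://45.10.247.152/connect Boost.Beast/353',
    '2024-12-10T09:00:10Z 10.0.0.5 GET http://45.10.247.152/connect Boost.Beast/353',
    '2024-12-10T09:00:20Z 10.0.0.5 GET http://45.10.247.152/connect Boost.Beast/353',
    '2024-12-10T09:00:30Z 10.0.0.5 POST http://45.10.247.152/init Boost.Beast/353',
    '2024-12-10T09:00:40Z 10.0.0.5 GET http://45.10.247.152/check Boost.Beast/353',
    '2024-12-10T09:00:50Z 10.0.0.5 GET http://45.10.247.152/command Boost.Beast/353',
    '2024-12-10T09:00:05Z 10.0.0.7 GET http://example.org/index.html Mozilla/5.0',
    '2024-12-10T09:01:05Z 10.0.0.7 GET http://example.org/app.js Mozilla/5.0',
]
C2_PATHS = {'/connect', '/init', '/check', '/command'}  # endpoint set from the report

def parse_proxy_line(line):
    ts, client, method, url, ua = line.split(' ', 4)
    parts = urlsplit(url)
    return {'ts': datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ'), 'client': client,
            'method': method, 'host': parts.hostname, 'path': parts.path, 'ua': ua}

def find_phantomcore_beacons(lines, retry_seconds=10, slack=2):
    # Groups requests per (client, host) and flags a group when at least two of three
    # signals hold: Boost.Beast User-Agent, C2 endpoint paths, ~retry_seconds cadence.
    groups = {}
    for rec in map(parse_proxy_line, lines):
        groups.setdefault((rec['client'], rec['host']), []).append(rec)
    findings = []
    for (client, host), recs in groups.items():
        recs.sort(key=lambda r: r['ts'])
        beast = any(r['ua'].startswith('Boost.Beast/') for r in recs)
        paths = {r['path'] for r in recs}.intersection(C2_PATHS)
        gaps = [(b['ts'] - a['ts']).total_seconds() for a, b in zip(recs, recs[1:])]
        periodic = len(gaps) >= 2 and abs(median(gaps) - retry_seconds) <= slack
        if int(beast) + int(bool(paths)) + int(periodic) >= 2:
            findings.append({'client': client, 'host': host, 'beast_ua': beast,
                             'c2_paths': sorted(paths), 'periodic': periodic})
    return findings

if __name__ == '__main__':
    for h in find_disguised_zip_chain(HOST_EVENTS):
        print('host:', h)
    for f in find_phantomcore_beacons(PROXY_LOG):
        print('network:', f)
```

Run as a script, the block reports one host finding (pid 400, with both ancestry flags set) and one network finding for 10.0.0.5 against 45.10.247.152; the benign example.org traffic is not flagged. The two-of-three scoring is deliberate: the User-Agent string and the endpoint names are trivial for the operator to change between builds, whereas the retry cadence is a behavioural signal that does not depend on either string, so the rule keeps firing when only one of the static indicators is rotated.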
The malware uses the following endpoints for its C\u0026C communication and to receive commands:\r\nhxxp://[C\u0026C IP Address]/connect\r\nhxxp://[C\u0026C IP Address]/init\r\nhxxp://[C\u0026C IP Address]/check\r\nhxxp://[C\u0026C IP Address]/command\r\nThe TA uses the following methods to execute commands and deploy additional payloads.\r\nCommand Execution through Pipes\r\nThe execution process involves creating an anonymous pipe and assigning its write handle as the standard output (stdout) and standard error (stderr) of a child process. The child is then launched with “cmd.exe /c” to run the specified command. After the command completes, its output is retrieved by reading from the pipe’s read handle with the “ReadFile” API. Additionally, a log entry is written recording the success or failure of the pipe creation and command execution.\r\nThe figure below shows the code that executes commands through the pipe, reads the command output, and parses the commands for execution.\r\nFigure 9 – PIPE creation\r\nCreating new process\r\nThe malware can also create a new process based on the input from the calling function. If successful, it closes the process and thread handles, updates the log with a success message, and sets a flag to notify the calling function. In case of failure, it logs an error message and sets a different flag to indicate the failure.\r\nFigure 10 – New Process Creation\r\nThe Head Mare group has been known to deploy ransomware in previous attacks, targeting a variety of systems and environments. This includes the use of widely recognized ransomware strains such as LockBit for Windows machines and Babuk for ESXi (VMware) environments. 
These ransomware strains are notorious for their ability to encrypt valuable data and demand ransom payments from victims in exchange for decryption keys.\r\nYara and Sigma rules to detect this campaign are available for download from the linked GitHub repository.\r\nConclusion\r\nThe Head Mare group’s campaign continues to target Russian organizations using the PhantomCore backdoor and evolving tactics, including C++-compiled binaries and social engineering techniques. The group’s ability to collect victim data and deploy additional payloads, including ransomware, highlights the ongoing threat it poses. Organizations must stay vigilant and strengthen their security measures to defend against such attacks.\r\nRecommendations\r\nAvoid opening unexpected or suspicious email attachments, particularly ZIP or LNK files. Train employees to identify phishing attempts and verify file origins before interacting with downloads. Implement email security solutions that detect and block malicious attachments.\r\nEnsure all software, including WinRAR and operating systems, is updated with the latest security patches. Vulnerabilities like CVE-2023-38831 can be exploited in outdated software, making patch management critical for prevention.\r\nDeploy endpoint detection and response (EDR) tools to monitor suspicious activities such as unauthorized PowerShell execution. Use intrusion detection/prevention systems (IDS/IPS) to block connections to known malicious C\u0026C servers like the ones observed in this attack.\r\nLimit user permissions to execute potentially dangerous commands or files. 
Use application whitelisting to allow only trusted programs to run and disable unnecessary scripting tools like PowerShell on non-administrative systems.\r\nContinuously monitor network traffic for anomalies, such as repeated connection attempts to unknown IP addresses, and host telemetry for unusual locale or console code-page changes. Create an incident response plan to quickly isolate and remediate affected systems in case of compromise.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique | Procedure\r\nInitial Access (TA0001) | Phishing (T1566) | ZIP archives might be sent through phishing email to the target users\r\nExecution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | PowerShell is used to extract the archive file\r\nExecution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | cmd.exe is used to execute commands through the pipe and via the start command\r\nExecution (TA0002) | Native API (T1106) | SetConsoleCP, SetConsoleOutputCP, and other Win32 APIs to configure the locale\r\nDiscovery (TA0007) | System Information Discovery (T1082) | Collects victim details, including OS version, computer name, username, and domain details\r\nCommand and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | Communicates with the C\u0026C server over HTTP using the “Boost.Beast” library\r\nIndicators of Compromise\r\nIndicator | Indicator type | Comments\r\n6ac2d57d066ef791b906c3b4c6b5e5c54081d6657af459115eb6abb1a9d1085d | SHA-256 | coYLaSU4TQum\r\n0f578e437f5c09fb81059f4b5e6ee0b93cfc0cdf8b31a29abc8396b6137d10c3 | SHA-256 | Список товаров и услуг.pdf.lnk\r\ndd49fd0e614ac3f6f89bae7b7a6aa9cdab3b338d2a8d11a11a774ecc9d287d6f | SHA-256 | Счет-фактура.pdf.lnk\r\n57848d222cfbf05309d7684123128f9a2bffd173f48aa3217590f79612f4c773 | SHA-256 | Doc.zip\r\n4b62da75898d1f685b675e7cbaec24472eb7162474d2fd66f3678fb86322ef0a | 
SHA-256 | PhantomCore backdoor\r\n44b1f97e1bbdd56afeb1efd477aa4e0ecaa79645032e44c7783f997f377d749f | SHA-256 | PhantomCore backdoor\r\n2dccb526de9a17a07e39bdedc54fbd66288277f05fb45c7cba56f88df00e86a7 | SHA-256 | PhantomCore backdoor\r\n1a2d1654d8ff10f200c47015d96d2fcb1d4d40ee027beb55bb46199c11b810cc | SHA-256 | PhantomCore backdoor\r\n8aad7f80f0120d1455320489ff1f807222c02c8703bd46250dd7c3868164ab70 | SHA-256 | PhantomCore backdoor\r\n9df6afb2afbd903289f3b4794be4768214c223a3024a90f954ae6d2bb093bea3 | SHA-256 | PhantomCore backdoor\r\nhxxps://city-tuning[.]ru/collection/srvhost.exe | URL | PhantomCore backdoor download URL\r\nhxxps://filetransfer[.]io/data-package/AiveGg6u/download | URL | ZIP file download URL\r\nhxxp://45.10.247[.]152/init | URL | C\u0026C\r\nhxxp://45.10.247[.]152/check | URL | C\u0026C\r\nhxxp://45.10.247[.]152/connect | URL | C\u0026C\r\nhxxp://45.10.247[.]152/command | URL | C\u0026C\r\nhxxp://185.80.91[.]84/command | URL | C\u0026C\r\nhxxp://185.80.91[.]84/connect | URL | C\u0026C\r\nhxxp://185.80.91[.]84/check | URL | C\u0026C\r\nhxxp://185.80.91[.]84/init | URL | C\u0026C\r\nhxxp://45.87.245[.]53/init | URL | C\u0026C\r\nhxxp://45.87.245[.]53/check | URL | C\u0026C\r\nhxxp://45.87.245[.]53/connect | URL | C\u0026C\r\nhxxp://45.87.245[.]53/command | URL | C\u0026C\r\nSource: https://cyble.com/blog/head-mare-deploys-phantomcore-against-russia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cyble.com/blog/head-mare-deploys-phantomcore-against-russia/"
	],
	"report_names": [
		"head-mare-deploys-phantomcore-against-russia"
	],
	"threat_actors": [
		{
			"id": "401a4c49-1b76-49ea-8b31-9a8c3c0bd9b9",
			"created_at": "2025-03-18T11:50:08.877355Z",
			"updated_at": "2026-04-10T02:00:03.639241Z",
			"deleted_at": null,
			"main_name": "Head Mare",
			"aliases": [],
			"source_name": "MISPGALAXY:Head Mare",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434281,
	"ts_updated_at": 1775792004,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7895a7017121f0f8f8e45f90fd2d17ae387e9709.pdf",
		"text": "https://archive.orkl.eu/7895a7017121f0f8f8e45f90fd2d17ae387e9709.txt",
		"img": "https://archive.orkl.eu/7895a7017121f0f8f8e45f90fd2d17ae387e9709.jpg"
	}
}