{
	"id": "82fb56d2-0f50-4b88-8356-3c2981ee1589",
	"created_at": "2026-04-06T00:10:47.818111Z",
	"updated_at": "2026-04-10T03:33:24.102778Z",
	"deleted_at": null,
	"sha1_hash": "d04a6871cbb2255d875dcfb975ce3157efa93278",
	"title": "Head Mare: adventures of a unicorn in Russia and Belarus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1302730,
	"plain_text": "Head Mare: adventures of a unicorn in Russia and Belarus\r\nBy Kaspersky\r\nPublished: 2024-09-02 · Archived: 2026-04-02 11:16:36 UTC\r\nHead Mare is a hacktivist group that first made itself known in 2023 on the social network X (formerly Twitter)[1]. In their public posts, the attackers reveal information about some of their victims, including organization names, internal documents stolen during attacks, and screenshots of desktops and administrative consoles. By analyzing incidents in Russian companies, we identified how Head Mare conducts its attacks and the tools it uses, and established the group’s connection with the PhantomDL malware (article in Russian).\r\nKey findings\r\nHead Mare exclusively targets companies in Russia and Belarus.\r\nFor initial access, the group conducts various phishing campaigns distributing RAR archives that exploit the CVE-2023-38831 vulnerability in WinRAR.\r\nSome of the discovered tools overlap with previously investigated groups attacking Russian organizations.\r\nThe group encrypts victims’ devices using two ransomware families: LockBit for Windows and Babuk for Linux (ESXi).\r\nTechnical details\r\nHistorical context\r\nSince the beginning of the Russo-Ukrainian conflict, we’ve seen the emergence of numerous hacktivist groups whose main goal is often not financial gain but causing as much damage as possible to companies on the opposing side of the conflict. Head Mare is one such group, exclusively targeting organizations located in Russia and Belarus.
This is confirmed by open-source information and telemetry from the Kaspersky Security Network – a system for collecting anonymized threat data voluntarily provided by users of our solutions.\r\nHacktivist groups attacking Russian organizations in the context of the Russo-Ukrainian conflict use similar techniques and tools and, when analyzed using the Unified Kill Chain method, generally resemble one another. However, unlike other similar groups, Head Mare uses more up-to-date methods for obtaining initial access. For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which allows the attacker to execute arbitrary code on the system via a specially prepared archive. This approach allows the group to deliver and disguise the malicious payload more effectively.\r\nLike most hacktivist groups, Head Mare maintains a public account on the social network X, where they post information about some of their victims. Below is an example of one of their posts:\r\nhttps://securelist.com/head-mare-hacktivists/113555/\r\nPage 1 of 18\n\nHead Mare post on X\r\nAt the time of carrying out the study, the group had claimed nine victims from various industries:\r\nGovernment institutions;\r\nTransportation;\r\nEnergy;\r\nManufacturing;\r\nEntertainment.\r\nThe ultimate goal of the attackers is likely to cause maximum damage to companies in Russia and Belarus. However, unlike some other hacktivist groups, Head Mare also demands a ransom for data decryption.\r\nHead Mare’s toolkit\r\nIn their attacks, Head Mare mainly uses publicly available software, which is typical of most hacktivist groups targeting Russian companies in the context of the Russo-Ukrainian conflict.
However, while some hacktivists have no proprietary developments in their toolkit at all, Head Mare uses its custom malware PhantomDL and PhantomCore in phishing emails for initial access and exploitation.\r\nBelow is a list of software discovered in Head Mare attacks:\r\nLockBit ransomware;\r\nBabuk ransomware;\r\nPhantomDL;\r\nPhantomCore;\r\nSliver;\r\nngrok;\r\nrsockstun;\r\nXenAllPasswordPro;\r\nMimikatz.\r\nMost of these tools are available on the internet, be it LockBit samples generated using the publicly available builder leaked in 2022, or the Mimikatz utility, whose code is available on GitHub.\r\nInitial access\r\nDuring our investigation of Head Mare’s activities, we discovered that this group is associated with targeted attacks on Russian organizations using malicious PhantomDL and PhantomCore samples. The detected samples were distributed in various phishing campaigns in archives with decoy documents of the same name. The malicious archives exploit the CVE-2023-38831 vulnerability in WinRAR. If the user attempts to open the legitimate-seeming document, they trigger the execution of the malicious file. The same sample could be distributed in different archives with decoy documents on various topics.\r\nVerdicts with which our products detect PhantomDL samples: the malware is recognized, among other things, as an exploit for CVE-2023-38831\r\nAfter execution, PhantomDL and PhantomCore establish communication with one of the attackers’ command servers and attempt to identify the domain to which the infected host belongs.
Below are the results of dynamic analysis of several samples in Kaspersky Sandbox (detonation graphs), reflecting the malware’s behavior immediately after launch.\r\nDetonation graph of a PhantomDL sample reflecting its behavior in Kaspersky Sandbox\r\nIn the image above, the PhantomDL sample connects to the C2 server 91.219.151[.]47 through port 80 and performs domain identification using the command cmd.exe /c \"echo %USERDOMAIN%\".\r\nPhantomDL communication with C2\r\nThe PhantomCore sample establishes a connection with another C2 (45.11.27[.]232) and checks the host’s domain using the WinAPI function NetGetJoinInformation.\r\nPhantomCore sample detonation in Kaspersky Sandbox\r\nSuspicious activity of the PhantomCore sample\r\nAnother PhantomCore sample, after execution, establishes a connection with C2 5.252.178[.]92:\r\nPhantomCore C2 connection\r\nDuring our research, we also found several PhantomDL and PhantomCore samples, which we cannot attribute with complete certainty to the same cluster of activity as the samples found in Head Mare’s attacks. Information about these samples can be found in the section “Samples similar to Head Mare’s toolkit”.\r\nPersistence in the system\r\nThe attackers used several methods to persist in the system. For example, in one incident, they added a PhantomCore sample to the Run registry key.
After execution, the sample automatically established a connection with the attackers’ C2 5.252.176[.]47:\r\nPhantomCore C2 connection\r\nWe observed the following commands adding a value to the Run registry key:\r\nCommand: cmd /c “cd /d $selfpath\\ \u0026\u0026 reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v \\”MicrosoftUpdateCoree\\” /t REG_SZ /d \\”$selfpath\\$selfname.exe\\ /f”\r\nCommand: reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v \\”MicrosoftUpdateCoree\\” /t REG_SZ /d \\”$appdata\\Microsoft\\Windows\\srvhostt.exe\\” /f\r\nDescription (both commands above): Adding a value to the Run registry key named MicrosoftUpdateCoree with content $appdata\\Microsoft\\Windows\\srvhostt.exe (PhantomCore) with the /f parameter (no confirmation prompt).\r\nCommand: reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v \\”MicrosoftUpdateCore\\” /t REG_SZ /d \\”$appdata\\Microsoft\\Windows\\srvhost.exe\\” /f\r\nDescription: A similar method of adding to the registry key, but the value is named MicrosoftUpdateCore.\r\nIn some other cases, the attackers created scheduled tasks to persist in the victim’s system.
The following tasks were used to launch a PhantomCore sample:\r\nCommand: schtasks /create /tn \\”MicrosoftUpdateCore\\” /tr \\”$appdata\\Microsoft\\Windows\\srvhost.exe\\” /sc ONLOGON\r\nDescription: Creates a scheduled task named MicrosoftUpdateCore that launches $appdata\\Microsoft\\Windows\\srvhost.exe (PhantomCore) each time the user logs in.\r\nCommand: schtasks /create /tn “MicrosoftUpdateCore” /tr “$appdata\\Microsoft\\Windows\\srvhost.exe” /sc ONLOGON /ru “SYSTEM”\r\nDescription: A similar method of creating a scheduled task, but in this case, the task runs with SYSTEM privileges.\r\nDetection evasion\r\nAs mentioned in the previous section, the attackers create scheduled tasks and registry values named MicrosoftUpdateCore and MicrosoftUpdateCoree to disguise their activity as tasks related to Microsoft software.\r\nWe also found that some LockBit samples used by the group had the following names:\r\nOneDrive.exe;\r\nVLC.exe.\r\nThese samples were located in the C:\\ProgramData directory, disguising themselves as legitimate OneDrive and VLC applications.\r\nIn general, many of the tools used by Head Mare had names typical of legitimate programs and were located in standard paths or lookalikes (software: path):\r\nSliver: C:\\Windows\\system32\\SrvLog.exe\r\nrsockstun: c:\\Users\\\u003cuser\u003e\\AppData\\Local\\microsoft\\windows\\srvhosts.exe; c:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\microsoft\\windows\\srvhostt.exe\r\nPhantom: c:\\windows\\srvhost.exe; c:\\Users\\\u003cuser\u003e\\appdata\\roaming\\microsoft\\windows\\srvhost.exe\r\nLockBit: c:\\ProgramData\\OneDrive.exe\r\nAs can be seen in the table, the attackers primarily attempted to disguise their samples as legitimate svchost.exe files in the C:\\Windows\\System32 directory.\r\nThe attackers also used disguise tactics in their phishing campaigns – samples of PhantomDL and PhantomCore were
named to resemble business documents and had double extensions. Here are some examples we encountered:\r\nСчет-Фактура.pdf .exe\r\nдоговор_ №367кх_от_29.04.2024_и_доп_соглашение_ртсс 022_контракт.pdf .exe\r\nрешение №201-5_10вэ_001-24 к пив экран-сои-2.pdf .exe\r\nтз на разработку.pdf .exe\r\nисходящее письмо от 29.04.2024 n 10677-020-2024.pdf .exe\r\nвозврат средств реквизиты.pdf .exe\r\nAdditionally, all the samples of PhantomDL and PhantomCore we found were obfuscated, possibly using a popular obfuscator for Go called Garble.\r\nManagement and infrastructure\r\nDuring our research, we discovered that the main C2 framework used by the attackers is Sliver, an open-source C2 framework designed for simulating cyberattacks and pentesting. Such frameworks are used to manage compromised systems after initial access, allowing attackers (or pentesters) to execute commands, gather data, and manage connections.\r\nSliver’s architecture includes an agent (implant) installed on compromised devices to execute commands from the server, a server for managing agents and coordinating their actions, and a client in the form of a command-line interface (CLI) for operator-server interaction. Sliver’s core functionality includes managing agents, executing commands via a command shell, creating tunnels to bypass network restrictions, and automating routine tasks with built-in scripts.\r\nThe Sliver implant samples we found had default configurations and were created using the following command:\r\ngenerate --http [IP] --os windows --arch amd64 --format exe\r\nTo disguise the implants, the attackers used the popular Garble tool, which is available on GitHub.\r\nThe attackers also frequently used VPS/VDS servers as C2 servers.
Below is a list of servers we observed in attacks:\r\nIP | First detection | ASN\r\n188.127.237[.]46 | March 31, 2022 | 56694\r\n45.87.246[.]169 | June 26, 2024 | 212165\r\n45.87.245[.]30 | – | 57494\r\n185.80.91[.]107 | July 10, 2024 | 212165\r\n91.219.151[.]47 | May 02, 2024 | 56694\r\n5.252.176[.]47 | – | 39798\r\n5.252.176[.]77 | October 29, 2023 | 39798\r\nVarious utilities used at different stages of the attacks were found on the attackers’ C2 servers. The same utilities often appeared on different servers with identical file names.\r\nAnalysis of Head Mare’s C2 infrastructure\r\nBelow is a list of tools found on one of the attackers’ command servers (utility name: description):\r\nContents of one of the C2 server directories\r\n2000×2000.php: PHP shell for executing commands on the server. This shell is called p0wny@shell:~# and is available on GitHub at hxxps://github[.]com/flozz/p0wny-shell.\r\nLEGISLATIVE_COUSIN.exe, SOFT_KNITTING.exe: Sliver implants. Connect to 5.252.176[.]77:8888.\r\nsherlock.ps1: PowerShell script for quickly finding vulnerabilities for local privilege escalation, available on GitHub at hxxps://github[.]com/rasta-mouse/Sherlock/tree/master.\r\nngrok.exe: ngrok utility.\r\nreverse.exe: Meterpreter. Connects to 5.252.176[.]77:45098.\r\nservicedll.exe: nssm utility for managing services.\r\nsysm.elf: Unix reverse shell using the sys_connect function to connect to the attacker’s C2. If the connection attempt fails, the program enters sleep mode for 5 seconds using the sys_nanosleep function before trying again. Connects to 5.252.176[.]77:45098.\r\nXmrig*: XMRig miner. Not used in any attacks known to us.\r\nPivoting\r\nPivoting is a set of methods that allow an attacker to gain access to private network segments using compromised machines as intermediate nodes.
For this purpose, the attackers use the ngrok and rsockstun utilities.\r\nThe rsockstun utility creates a reverse SOCKS5 tunnel with SSL and proxy server support. It allows a client behind a NAT or firewall to connect to a server via a secure connection and use SOCKS5 to forward traffic. We analyzed the utility’s code and identified its key functions:\r\nClient:\r\nConnectViaProxy function: establishes a connection with the server through a proxy; supports NTLM authentication for proxy servers; creates and sends requests to the proxy server and processes responses.\r\nConnectForSocks function: establishes a connection with the server via SOCKS5; establishes an SSL connection to the server; authenticates using a password; creates a Yamux session for multiplexing connections.\r\nServer:\r\nlistenForSocks function: waits for client connections via SSL; verifies the existence and correctness of the connection password; creates a Yamux client session.\r\nlistenForClients function: waits for local client connections; opens a Yamux stream and forwards traffic between the local client and the remote server.\r\nFragment of rsockstun code containing one of the Head Mare C2 addresses\r\nNgrok is a cross-platform utility designed to create secure tunnels to local web servers over the internet.
It allows quick and easy access to local services and applications by providing public URLs that can be used to access the server externally.\r\nNetwork exploration\r\nAfter successfully gaining a foothold on the initial node, attackers execute a series of commands to further explore the node, domain, and network environment:\r\nCommand: cmd /c “echo %USERDOMAIN%”\r\nDescription: Retrieve the victim’s domain name.\r\nCommand: arp -a\r\nDescription: Retrieve the ARP cache for all network interfaces on the compromised system.\r\nCommand: “cmd /c “cd /d $selfpath \u0026\u0026 whoami\r\nDescription: Gather information about the current user’s name and domain.\r\nCommand: cmd /c “cd /d $appdata \u0026\u0026 powershell Get-ScheduledTask -TaskName “WindowsCore”\r\nDescription: Search for a scheduled task named WindowsCore.\r\nCredential harvesting\r\nTo collect credentials, attackers use the mimikatz utility.\r\nTo obtain additional credentials from the system, the attackers also use the console version of the XenArmor All-In-One Password Recovery Pro3 utility (XenAllPasswordPro), which can extract user credentials from registry hives:\r\n\"c:\\ProgramData\\update\\XenAllPasswordPro.exe\" -a \"c:\\ProgramData\\update\\report.html\"\r\nEnd goal: file encryption\r\nWhile studying Head Mare attacks, we discovered the use of two ransomware families:\r\nLockBit for Windows;\r\nBabuk for ESXi.\r\nBabuk\r\nThe Babuk variant we discovered is a 64-bit build for ESXi, created using a publicly available configurator.
The Trojan uses standard encryption algorithms for Babuk builds for ESXi – X25519 + SHA256 + Sosemanuk, as well as the standard extension for encrypted files, *.babyk.\r\nKaspersky Threat Attribution Engine results for the found Babuk samples\r\nThe distinctive features of the discovered Trojan are:\r\nAbility to log its activities in /tmp/locker.log.\r\nAbility to destroy running virtual machines, the list of which is taken from the vm-list.txt file. This file is populated when the esxcli vm process listd command is called.\r\nThe Babuk sample we found encrypts files with the following extensions:\r\n.vmdk, .vmem, .vswp, .vmsn, .bak, .vhdx\r\nAfter encryption is complete, it leaves a ransom note. Below is an example of the note, which contains a unique identifier for the Session messenger and the message “Message us for decryption ^_^.”\r\nBabuk sample ransom note\r\nLockBit\r\nThe LockBit builds we found in Head Mare attacks are identical to samples generated by the publicly available LockBit builder, which was leaked online in 2022. The attackers distributed LockBit under the following names:\r\nlb3.exe\r\nlock.exe\r\nOneDrive.exe\r\nlockbithard.exe\r\nlockbitlite.exe\r\nphdays.exe\r\nl.exe\r\nVLC.exe\r\nThe ransomware was located in the following paths:\r\nc:\\Users\\User\\Desktop;\r\nc:\\ProgramData\\.\r\nThe attackers used two of these ransomware versions sequentially – lockbitlite.exe and then lockbithard.exe.
First, they encrypted files using LockbitLite, and then additionally encrypted the output with the LockbitHard variant. The configuration of these variants differed slightly.\r\nLockbitLite:\r\n“encrypt_filename”: false,\r\n“wipe_freespace”: false,\r\n“white_folders”: “$recycle.bin;config.msi;$windows.~bt;$windows.~ws;windows;boot”,\r\nLockbitHard:\r\n“encrypt_filename”: true,\r\n“wipe_freespace”: true,\r\n“white_folders”: “”,\r\nExamples of the notes from both samples, which are generated when the Trojan is created in the configurator, are presented below.\r\nRansom note from LockBit sample\r\nRansom note from another LockBit sample\r\nVictimology\r\nAccording to Kaspersky Threat Intelligence, all samples related to Head Mare were detected only in Russia and Belarus. The screenshot below shows the analysis of the PhantomDL sample on the Threat Intelligence Portal.\r\nInformation about the PhantomDL sample from TIP\r\nTo get a more complete picture, we analyzed samples seen in Head Mare attacks using the Similarity technology, which helps us find similar malware samples. While we can’t say for certain that the discovered files were also used by Head Mare, their similarity may help in attributing cyberattacks and further analyzing the group’s activities.\r\nPhantomDL\r\nPhantomCore\r\nLockBit\r\nConclusions\r\nThe tactics, methods, procedures, and tools used by the Head Mare group are generally similar to those of other groups associated with clusters targeting organizations in Russia and Belarus within the context of the Russo-Ukrainian conflict.
However, the group distinguishes itself by using custom-made malware such as PhantomDL and PhantomCore, as well as exploiting a relatively new vulnerability, CVE-2023-38831, to infiltrate the infrastructure of their victims in phishing campaigns. This is an important aspect that Russian and Belarusian organizations should pay attention to: attackers are evolving and improving their TTPs.\r\nIndicators of compromise\r\nPlease note: The network addresses provided in this section are valid at the time of publication but may become outdated in the future.\r\n[1] https://x.com/head_mare is the account supposedly associated with the hacktivist group. Use this source with caution.\r\nSource: https://securelist.com/head-mare-hacktivists/113555/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/head-mare-hacktivists/113555/"
	],
	"report_names": [
		"113555"
	],
	"threat_actors": [
		{
			"id": "401a4c49-1b76-49ea-8b31-9a8c3c0bd9b9",
			"created_at": "2025-03-18T11:50:08.877355Z",
			"updated_at": "2026-04-10T02:00:03.639241Z",
			"deleted_at": null,
			"main_name": "Head Mare",
			"aliases": [],
			"source_name": "MISPGALAXY:Head Mare",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434247,
	"ts_updated_at": 1775792004,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d04a6871cbb2255d875dcfb975ce3157efa93278.pdf",
		"text": "https://archive.orkl.eu/d04a6871cbb2255d875dcfb975ce3157efa93278.txt",
		"img": "https://archive.orkl.eu/d04a6871cbb2255d875dcfb975ce3157efa93278.jpg"
	}
}