Headlace
HeadLace is a backdoor malware family associated with the Russian GRU’s Unit 26165, widely tracked as APT28/Fancy Bear/Forest Blizzard/BlueDelta and also linked in IBM X-Force reporting to ITG05. Public reporting describes it as used in espionage campaigns for persistence, command execution, reconnaissance, credential collection, offensive tool deployment, and data exfiltration. It has been used against Western logistics entities and technology companies involved in supporting aid delivery to Ukraine, as well as government, diplomatic, research, policy, and humanitarian-aid-related targets in Europe and other countries. Reported victim geographies include the United States, Germany, Poland, France, Ukraine, Hungary, Türkiye, Australia, Belgium, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia, and Romania.
Observed delivery methods are primarily spearphishing. Reported infection chains include phishing emails delivering malicious ZIP archives containing the HeadLace backdoor, including campaigns abusing free web services such as run.mocky.io, webhook.site, InfinityFree-hosted domains, and Mocky.IO. One documented chain used ZIP archives masquerading as photos and relied on DLL side-loading via a fake WindowsCodecs.dll and batch/VBS scripts to launch Microsoft Edge, retrieve staged content from webhook.site, and repeatedly fetch additional scripts. CERT Polska stated this flow was identical to previously described HeadLace behavior. ANSSI reported that in 2023 APT28 used InfinityFree-hosted domains to deliver HeadLace and that the backdoor relied on commands distributed from Mocky.IO endpoints. IBM X-Force reported a separate December 2023 campaign using authentic lure documents themed around the Israel–Hamas war to deliver the ITG05-exclusive HeadLace backdoor, with infrastructure restricting delivery by target country.
High-confidence behaviors directly described in the source material include persistence and data exfiltration; gathering login credentials; collecting information about the victim information system; deploying additional offensive tools; and basic host reconnaissance such as obtaining the public IP address via ipinfo.io and listing user and program directories. In the broader GRU logistics-targeting campaign, HeadLace was one of the malware families used alongside MASEPIE. Reported indicators and infrastructure themes include use of run.mocky.io, Mocky.IO, webhook.site, InfinityFree-hosted domains, malicious ZIP archives, attacker-supplied WindowsCodecs.dll files, and associated SHA-256 hashes and URLs published by CERT Polska.
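The behaviors above (a fake WindowsCodecs.dll side-loaded from a user-writable folder, a batch/VBS script launching Microsoft Edge toward webhook.site or Mocky.IO, and a script host querying ipinfo.io) map cleanly onto Sysmon-style telemetry. The following is an added example written for this page, not code from Mallory or from any of the cited reports: a small screening function over constructed Sysmon-like events. Field names follow Sysmon (Image, ParentImage, CommandLine, ImageLoaded, DestinationHostname); the sample events, paths and the webhook path "EXAMPLE-ID" are invented, and the rule names are assumptions.

```python
"""
Added example (not from the Mallory page or any cited report): screen
Sysmon-style events for the HeadLace infection-chain traits described
in public reporting. Sample events below are constructed, not real
telemetry; rule names and paths are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Iterable

# Staging / reconnaissance services named in public HeadLace reporting.
STAGING_HOSTS = ("webhook.site", "run.mocky.io", "mocky.io")
RECON_HOSTS = ("ipinfo.io",)
# Script hosts the reported chain uses to launch Edge and fetch scripts.
SCRIPT_HOSTS = ("cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe")
# Legitimate homes for WindowsCodecs.dll; a load from anywhere else is suspect.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _host_in(text: str, hosts: Iterable[str]) -> Optional[str]:
    """Return the first listed host that appears in text (case-insensitive)."""
    t = text.lower()
    for h in hosts:
        if h in t:
            return h
    return None


def check_event(ev: dict) -> Optional[Finding]:
    """Evaluate one Sysmon-style event dict; return a Finding or None."""
    eid = ev.get("EventID")
    if eid == 7:  # Sysmon Image Load: WindowsCodecs.dll outside trusted dirs
        loaded = ev.get("ImageLoaded", "").lower()
        if _basename(loaded) == "windowscodecs.dll" and not loaded.startswith(TRUSTED_DLL_DIRS):
            return Finding("headlace_codecs_sideload", 7, loaded)
    elif eid == 1:  # Sysmon Process Create: script host launching Edge at a staging service
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        host = _host_in(ev.get("CommandLine", ""), STAGING_HOSTS)
        if image == "msedge.exe" and parent in SCRIPT_HOSTS and host:
            return Finding("headlace_edge_staging_fetch", 1, f"{parent} -> {image} {host}")
    elif eid == 3:  # Sysmon Network Connection: script host doing public-IP recon
        image = _basename(ev.get("Image", ""))
        host = _host_in(ev.get("DestinationHostname", ""), RECON_HOSTS)
        if image in SCRIPT_HOSTS and host:
            return Finding("headlace_script_recon", 3, f"{image} -> {host}")
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run check_event over a stream of events and keep the hits."""
    return [f for f in (check_event(e) for e in events) if f]


# Constructed sample telemetry: two benign events and three matching the chain.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\Windows\\System32\\WindowsCodecs.dll"},
    {"EventID": 7, "Image": "C:\\Users\\u\\Downloads\\photos\\viewer.exe",
     "ImageLoaded": "C:\\Users\\u\\Downloads\\photos\\WindowsCodecs.dll"},
    {"EventID": 1, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": '"msedge.exe" --headless https://webhook.site/EXAMPLE-ID'},
    {"EventID": 1, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": '"msedge.exe" https://example.org'},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\wscript.exe",
     "DestinationHostname": "ipinfo.io"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

Each rule is deliberately narrow (a specific DLL name outside its trusted directories, a specific parent/child pair plus a named service, a specific process reaching a named host) so that it can be tuned rather than tripping on every Edge launch; in production the host lists would come from the published IOC sets rather than being hard-coded.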
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories.
The Russian GRU cyber campaign also involves malware such as HEADLACE and MASEPIE, which are used for persistence and data exfiltration.
Groups observed using it
2 distinct threat actors attributed by public researchers.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
A significant aspect of the campaign involves the exploitation of known vulnerabilities. The actors have weaponized multiple CVEs, including:
- CVE-2023-23397 in Microsoft Outlook to harvest credentials
- Roundcube vulnerabilities for email server access
- CVE-2023-38831 in WinRAR for remote code execution
“At the beginning of the infection chain, operators of the APT28 intrusion set are conducting phishing campaigns…”
Execution
2 techniques
“In some cases, operators of the intrusion set attempted to establish a means of persistence by creating a scheduled task.”
The actors have weaponized multiple CVEs, including:
- CVE-2023-23397 in Microsoft Outlook to harvest credentials
- ...
- CVE-2023-38831 in WinRAR for remote code execution
Persistence
1 technique
Privilege Escalation
1 technique
Command and Control
2 techniques
“This backdoor relied on the distribution of commands from web endpoints of the Mocky.IO service.”
“…links redirecting users… to deliver malicious ZIP archives containing the HeadLace backdoor.”
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Malware used in the campaign for persistence and data exfiltration.
HeadLace is a malware used by APT28 for credential harvesting, particularly targeting users of webmail services like UKR[.]net. It is deployed as part of phishing campaigns to steal login credentials and two-factor authentication codes.
A targeted backdoor delivered via lure documents themed around the Israel–Hamas war; infrastructure appears to geofence delivery so only intended victims in a specific country can download/receive the payload, enabling multiple malicious actions on objectives.
Malware family distributed via phishing in APT28-linked activity (details not provided in the content).