Head Mare Aims at Russian Organizations Using Concealed LNK Files and Ransomware

New Threat from Hacktivist Group Head Mare Targets Russia

Hacktivist Group Head Mare Launches Sophisticated Attack Campaign Against Russia

In a strikingly sophisticated move, the hacktivist group Head Mare has initiated a new campaign targeting Russia, as reported by Cyble Research and Intelligence Labs (CRIL). This latest operation uses a seemingly innocuous ZIP archive that conceals a malicious LNK file and a disguised executable, which together give the group a foothold for its operations.

Emerging in the wake of Russia’s invasion of Ukraine, Head Mare has drawn attention as part of a wave of hacktivist groups committed to causing disruption rather than seeking financial gain. Its attacks are motivated by the geopolitical conflict, with a clear focus on inflicting damage on adversaries.

The recently uncovered campaign revolves around a ZIP file named “Doc.Zip” that contains an LNK file and a corrupted PDF. When the LNK file is opened, it runs a PowerShell command that unpacks the archive contents into the “C:/ProgramData” directory. The executable, known as PhantomCore, has been rewritten from Golang to C++ and now uses the Boost.Beast library to communicate with its command-and-control (C&C) servers.
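The delivery pattern described above (an archive carrying a Windows shortcut next to a file whose extension does not match its content) is something a mail gateway or sandbox can check for before a user ever opens the archive. The following Python script is an added example written for this article; it is not Cyble’s code, nor anything from the campaign, and the archives it inspects are constructed in memory with harmless placeholder bytes. The signature table, the extension lists and the `Finding` type are this example’s own assumptions.

```python
"""Triage a ZIP archive for the LNK-plus-disguised-executable delivery pattern.

Added example; not code from the article or from Cyble. All samples below are
constructed in memory and contain only file headers, never real payloads.
"""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# File-type signatures keyed by leading bytes (constructed, deliberately short table).
# The LNK signature is the Shell Link HeaderSize (0x4C) followed by the start of LinkCLSID.
MAGICS: dict[bytes, str] = {
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"\x4c\x00\x00\x00\x01\x14\x02\x00": "lnk",
}

# What each extension claims to be; unlisted extensions are not checked.
EXT_KIND: dict[str, str] = {"pdf": "pdf", "exe": "pe", "dll": "pe", "scr": "pe", "lnk": "lnk"}

# Extension pairs a decoy name often uses, e.g. "report.pdf.exe".
DECOY_INNER = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}
DECOY_OUTER = {"exe", "scr", "lnk", "bat", "cmd"}


@dataclass(frozen=True)
class Finding:
    member: str
    reason: str


def sniff(head: bytes) -> str:
    """Classify a file by its first bytes; 'unknown' when no signature matches."""
    for magic, kind in MAGICS.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def triage_zip(blob: bytes) -> list[Finding]:
    """Return one Finding per archive member and rule that matches the delivery pattern."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            with zf.open(info) as fh:
                head = fh.read(16)  # the signatures above need at most 8 bytes
            kind = sniff(head)

            # Rule 1: a shortcut inside the archive, recognised by extension or by content.
            if ext == "lnk" or kind == "lnk":
                findings.append(Finding(name, "Windows shortcut (.lnk) inside archive"))

            # Rule 2: the extension claims one type but the content is another
            # (for example a PE executable named as a .pdf).
            claimed = EXT_KIND.get(ext)
            if claimed and kind != "unknown" and kind != claimed:
                findings.append(Finding(name, f"extension claims {claimed} but content is {kind}"))

            # Rule 3: a double extension such as invoice.pdf.exe.
            if len(parts) > 2 and ext in DECOY_OUTER and parts[-2] in DECOY_INNER:
                findings.append(Finding(name, f"double extension .{parts[-2]}.{ext}"))
    return findings


def build_archive(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples. The "PE" is just an MZ header and the "LNK" is just the
# Shell Link header prefix; neither does anything if extracted.
SAMPLE_SUSPICIOUS = {
    "Doc.lnk": b"\x4c\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 8,
    "Doc.pdf": b"MZ" + b"\x00" * 14,
    "readme.txt": b"nothing to see here",
}
SAMPLE_CLEAN = {
    "Doc.pdf": b"%PDF-1.7\n%minimal placeholder body\n",
    "readme.txt": b"plain text",
}


if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("clean", SAMPLE_CLEAN)):
        print(f"[{label}]")
        for f in triage_zip(build_archive(sample)) or [Finding("-", "no findings")]:
            print(f"  {f.member}: {f.reason}")
```

Run as a script it prints two findings for the suspicious sample (the shortcut, and the “PDF” that is really a PE header) and none for the clean one. The content check is the important one: a file renamed from `.exe` to `.pdf` passes any extension-only filter, but its first two bytes still read `MZ`.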

What sets Head Mare apart from other hacktivist factions is its use of ransomware, including LockBit and Babuk, and its exploitation of vulnerabilities such as CVE-2023-38831 in WinRAR for initial access. The campaign not only steals sensitive victim data but can also download further malicious payloads, turning the intrusion into a more extensive breach.

CRIL’s analysts emphasize that the ongoing threat posed by Head Mare highlights the dynamic and perilous landscape of digital warfare, urging vigilance from potential targets. For those wishing to understand the full spectrum of this evolving threat, Cyble’s blog post details MITRE ATT&CK techniques and provides detection rules on GitHub.
