Russia Targeted as Head Mare, Twelve Launch Joint Attacks


Two advanced threat groups known as Head Mare and Twelve appear to have formed an alliance, launching coordinated attacks against Russian organizations, according to new research from Kaspersky.

Evidence of this collaboration emerged as Head Mare was seen using command-and-control (C2) servers and tools historically linked to Twelve. “This level of overlap suggests the groups are either collaborating or launching joint campaigns,” Kaspersky noted.

Both groups were initially documented in September 2024, with Head Mare exploiting the WinRAR vulnerability (CVE-2023-38831) to gain initial access and deliver malware. In several cases, this access escalated to ransomware deployments, including LockBit on Windows systems and Babuk on Linux servers, particularly targeting ESXi environments.

Meanwhile, Twelve has focused on destructive attacks—leveraging publicly available tools to encrypt data and deploy wipers designed to irreversibly destroy infrastructure.

Kaspersky’s latest analysis reveals that Head Mare is expanding its toolkit. The group now uses:

  • CobInt — a backdoor previously associated with Russian-targeted groups like ExCobalt and Crypt Ghouls.
  • PhantomJitter — a new bespoke implant designed for remote command execution on compromised servers.

The presence of CobInt in Twelve’s operations as well further strengthens the theory of tactical ties between Head Mare, Twelve, and Crypt Ghouls, signaling a growing web of collaboration among groups targeting Russian entities.

Head Mare’s attacks show a clear evolution in strategy:

  • Exploiting the notorious ProxyLogon flaw (CVE-2021-26855) in Microsoft Exchange Servers to download and execute CobInt.
  • Leveraging phishing emails with malicious attachments.
  • Compromising contractors to pivot into victim networks—a technique known as a trusted relationship attack.

Once inside, Head Mare has shifted away from scheduled tasks as its persistence mechanism. Instead, the attackers create privileged local user accounts on business automation servers and use them for interactive RDP sessions, through which additional tools are downloaded and executed. Because such sessions look like routine administration, they attract less scrutiny than a newly created scheduled task.

To evade detection, the attackers:

  • Disguise payloads as legitimate OS files (e.g., calc.exe, winuac.exe); a file name alone proves nothing, so defenders should compare the path and hash against the genuine binary.
  • Routinely clear event logs to cover their tracks (on Windows, clearing the Security log itself produces event 1102, which is a signal in its own right).
  • Use proxy and tunneling tools such as Gost and Cloudflared to hide C2 traffic inside ordinary-looking outbound connections.
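The persistence pattern (a new local account promoted to Administrators and then used over RDP) and the evasion signals listed above (log clearing, OS-binary masquerading) can each be caught from standard Windows telemetry. The following is an added example, not detection content from Kaspersky or from the article: it correlates Security events 4720, 4732 and 4624 (logon type 10), flags Security event 1102, and checks Sysmon process-creation events for well-known binary names running outside the system directories. The event records are constructed sample data, and the flat field names (`target_user`, `member_name`, `group_sid`, `image`, …) assume a hypothetical log pipeline that has already normalised the XML EventData; the 48-hour window and the binary-name list are illustrative choices.

```python
"""Correlate the Head Mare persistence and evasion signals over Windows events.

Added example, not vendor detection content.  Assumes events are dicts whose
field names were normalised from Security/Sysmon EventData by a log pipeline
(hypothetical).  The sample events at the bottom are constructed, not real.
"""
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group
RDP_LOGON_TYPE = "10"                 # 4624 LogonType 10 = RemoteInteractive (RDP)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names the article says were used as disguises, plus common ones (assumed list).
OS_BINARY_NAMES = {"calc.exe", "winuac.exe", "svchost.exe", "lsass.exe", "explorer.exe"}


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def find_new_admin_rdp(events, window=timedelta(hours=48)):
    """Flag an account that is created (4720), added to Administrators (4732)
    and then used for an RDP logon (4624, type 10), all within `window`."""
    created, promoted, hits = {}, {}, []
    for ev in sorted(events, key=_ts):
        eid, t = ev["event_id"], _ts(ev)
        if eid == 4720:
            created[ev["target_user"].lower()] = t
        elif eid == 4732 and ev.get("group_sid") == ADMINISTRATORS_SID:
            # Real 4732 events carry MemberSid; assume the pipeline resolved the name.
            user = ev["member_name"].lower()
            if user in created and t - created[user] <= window:
                promoted[user] = t
        elif eid == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            user = ev["target_user"].lower()
            if user in promoted and t - promoted[user] <= window:
                hits.append({"rule": "new_local_admin_rdp", "user": user,
                             "host": ev["host"], "source_ip": ev.get("source_ip")})
    return hits


def find_log_clearing(events):
    """Security log cleared (1102): rarely legitimate outside a change window."""
    return [{"rule": "security_log_cleared", "host": ev["host"],
             "user": ev.get("subject_user")}
            for ev in events if ev["event_id"] == 1102]


def find_masquerading(events):
    """Sysmon process creation (EID 1) whose image name matches an OS binary
    but whose directory is not a Windows system directory."""
    hits = []
    for ev in events:
        if ev["event_id"] != 1 or ev.get("provider") != "sysmon":
            continue
        image = ev["image"].lower()
        name = image.rsplit("\\", 1)[-1]
        if name in OS_BINARY_NAMES and not image.startswith(SYSTEM_DIRS):
            hits.append({"rule": "os_binary_masquerade", "host": ev["host"],
                         "image": ev["image"]})
    return hits


def run_all(events):
    return find_new_admin_rdp(events) + find_log_clearing(events) + find_masquerading(events)


# Constructed sample: one host, one attacker-created account, one morning.
SAMPLE_EVENTS = [
    {"time": "2025-02-01T09:00:00", "host": "BIZ-SRV01", "event_id": 4720,
     "target_user": "svc_backup2"},
    {"time": "2025-02-01T09:01:10", "host": "BIZ-SRV01", "event_id": 4732,
     "member_name": "svc_backup2", "group_sid": ADMINISTRATORS_SID},
    {"time": "2025-02-01T09:05:30", "host": "BIZ-SRV01", "event_id": 4624,
     "target_user": "SVC_BACKUP2", "logon_type": "10", "source_ip": "10.20.0.77"},
    {"time": "2025-02-01T09:06:00", "host": "BIZ-SRV01", "event_id": 1, "provider": "sysmon",
     "image": "C:\\Users\\svc_backup2\\Downloads\\calc.exe"},      # disguised payload
    {"time": "2025-02-01T09:06:05", "host": "BIZ-SRV01", "event_id": 1, "provider": "sysmon",
     "image": "C:\\Windows\\System32\\calc.exe"},                   # the real calc.exe
    {"time": "2025-02-01T09:30:00", "host": "BIZ-SRV01", "event_id": 1102,
     "subject_user": "svc_backup2"},
    {"time": "2025-02-01T10:00:00", "host": "BIZ-SRV01", "event_id": 4624,
     "target_user": "alice", "logon_type": "10"},                    # long-standing admin
]

if __name__ == "__main__":
    for finding in run_all(SAMPLE_EVENTS):
        print(finding)
```

Against the sample, the three rules fire once each: the RDP logon by the freshly promoted `svc_backup2` account, the log clearing, and the `calc.exe` launched from a Downloads folder; the legitimate `calc.exe` in System32 and the RDP logon by the pre-existing `alice` account are not flagged. The masquerade check is deliberately path-based only; in production you would also compare the file hash or signature against the genuine binary, since an attacker can drop a renamed payload into a writable system location.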

The attackers rely on a wide range of tools for reconnaissance, credential harvesting, lateral movement, and data exfiltration:

  • System reconnaissance: quser.exe, tasklist.exe, netstat.exe
  • Network mapping: fscan, SoftPerfect Network Scanner
  • Active Directory data extraction: ADRecon
  • Credential theft: Mimikatz, secretsdump, ProcDump
  • Remote communications: mRemoteNG, smbexec, wmiexec, PAExec, PsExec
  • Data transfer: Rclone
  • Lateral movement, including RDP session hijacking

The final stage often involves deploying LockBit 3.0 and Babuk ransomware, followed by leaving ransom notes urging victims to contact the attackers via Telegram for file decryption.

“Head Mare is expanding rapidly, not just in tools but also tactics,” Kaspersky warns. “Their use of contractor compromise for initial access marks a concerning shift. Together with Twelve, they’re now actively hitting state and private organizations in Russia.”

This surge in cyberattacks against Russia coincides with other regional campaigns:

  • ScarCruft (APT37), linked to North Korea, was caught in a December 2024 phishing campaign dropping malware loaders designed to fetch unknown payloads from remote servers.
  • Russian cybersecurity firm BI.ZONE compared this activity to the SHROUDED#SLEEP campaign documented by Securonix, which deployed the VeilShell backdoor in Southeast Asia, targeting Cambodia and other nations.
  • Meanwhile, Bloody Wolf continues its attacks in Kazakhstan and Russia, shifting from STRRAT to delivering the NetSupport RAT. The campaign has reportedly compromised over 400 systems.