Kaspersky Connects Head Mare to Twelve, Targeting Russian Entities through Shared C2 Servers

Emerging Cyber Threat: Collaboration Between Head Mare and Twelve Targets Russian Entities

Recent intelligence from Kaspersky indicates that two threat groups, Head Mare and Twelve, appear to have aligned their efforts in attacks on Russian organizations. Kaspersky's analysis found Head Mare using tools linked to Twelve, including command-and-control (C2) servers seen in earlier Twelve operations. Shared infrastructure of this kind points to possible coordination between the two groups and, for Russian organizations, to a more capable combined adversary.

Both groups were first documented by Kaspersky in September 2024. Head Mare was notable for exploiting CVE-2023-38831, a WinRAR vulnerability that had already been patched at the time, to gain initial access through malicious archives; once inside, it deployed several malware families, including LockBit ransomware on Windows and Babuk on Linux systems. Twelve, by contrast, has run destructive operations intended to wipe data and leave systems inoperable, which raises the stakes for its victims well beyond a ransom payment.

Kaspersky also observed Head Mare using two tools not previously seen in its operations. The first is CobInt, a backdoor earlier associated with the groups ExCobalt and Crypt Ghouls; the second, PhantomJitter, is a custom implant used for remote command execution on compromised servers. CobInt has also appeared in Twelve's attacks, an overlap in tooling that suggests the two groups may draw on shared resources and tradecraft.

Beyond deploying CobInt, Head Mare has gained initial access by exploiting vulnerabilities such as ProxyLogon in Microsoft Exchange, by phishing, and by compromising contractors that already hold access to the target. The last approach, a trusted relationship attack, abuses an existing business connection so that the intruder's activity blends in with expected contractor traffic. Together these techniques map to the Initial Access and Persistence tactics of the MITRE ATT&CK framework and reflect a deliberate effort both to get into the victim's infrastructure and to stay there.

In the ProxyLogon intrusions, Kaspersky reports, the attackers ran commands on the compromised Exchange servers to download CobInt. For persistence they created privileged local user accounts on automation servers and then connected to those hosts over the Remote Desktop Protocol (RDP). The technique is not novel, but it is effective: a legitimate-looking local account and a standard remote-access protocol produce little that signature-based tooling flags, so the activity is easy to miss unless account creation, privileged group changes and RDP logons are actively monitored.

To stay undetected, the actors renamed malicious payloads to resemble legitimate system files and cleared Windows event logs after their activity. Mimikatz was used to harvest credentials, and reconnaissance utilities were used to map the environment in preparation for lateral movement. Both evasion steps leave traces of their own: a binary carrying a system component's name but running from a non-system path, and an audit event recording that the log was cleared.
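The persistence and evasion behaviours described in the two preceding paragraphs (new privileged local account, RDP logon with it, payload masquerading as a system binary, event log cleared) can be correlated from standard Windows Security Auditing events. The script below is an added example written for this page; it is not code from Kaspersky's report. The event IDs (4720 account created, 4732/4728 member added to group, 4624 logon with type 10 for RDP, 4688 process creation, 1102 Security log cleared) are the real Windows IDs, but the log records, the simplified `key=value` line format, the 24-hour correlation window and the list of system binary names are constructed assumptions for the demonstration.

```python
"""Correlate constructed Windows Security events into the persistence and
anti-forensics chain described above.

Event IDs are the standard Windows Security Auditing IDs. The log lines,
their simplified "key=value" format, the correlation window and the binary
name list are constructed for this example and are not from the report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative (assumed) set of names a payload may be renamed to.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
# Where those names legitimately live.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Local groups whose membership grants privileged or RDP access.
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}
WINDOW = timedelta(hours=24)  # assumed correlation window after account creation


@dataclass
class Event:
    ts: datetime
    event_id: int
    host: str
    fields: dict


def parse_line(line):
    """Parse a constructed record: '<iso-timestamp> host=<h> id=<n> key=value ...'."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:])
    return Event(datetime.fromisoformat(parts[0]), int(fields.pop("id")),
                 fields.pop("host"), fields)


def masquerading(ev):
    """4688 whose image has a system binary's name but runs outside system dirs."""
    if ev.event_id != 4688:
        return False
    path = ev.fields.get("image", "").lower()
    return path.rsplit("\\", 1)[-1] in SYSTEM_BINARIES and not path.startswith(TRUSTED_DIRS)


def detect(lines):
    """Return one finding per new account that was made privileged and then used over RDP.

    Log clearing (1102) and masquerading process launches on the same host within
    the window are attached to the finding as supporting evidence.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    findings = []
    for created in (e for e in events if e.event_id == 4720):
        acct = created.fields["target"].lower()
        steps = {"created": created.ts}
        for e in events:
            if e.host != created.host or not created.ts <= e.ts <= created.ts + WINDOW:
                continue
            if (e.event_id in (4732, 4728)
                    and e.fields.get("member", "").lower() == acct
                    and e.fields.get("group", "").lower() in PRIVILEGED_GROUPS):
                steps["privileged"] = e.ts
            elif (e.event_id == 4624 and e.fields.get("logon_type") == "10"
                    and e.fields.get("target", "").lower() == acct):
                steps["rdp_logon"] = e.ts          # type 10 = RemoteInteractive (RDP)
            elif e.event_id == 1102:
                steps["log_cleared"] = e.ts        # Security audit log was cleared
            elif masquerading(e):
                steps["masquerade"] = e.fields["image"]
        if "privileged" in steps and "rdp_logon" in steps:
            findings.append({"host": created.host, "account": acct, **steps})
    return findings


# Constructed sample log: one benign account creation, one suspicious chain.
SAMPLE_LOG = [
    "2025-03-10T08:30:00 host=WS12 id=4720 target=jdoe subject=helpdesk",
    "2025-03-10T09:01:00 host=AUTO-SRV1 id=4720 target=svc_backup subject=Administrator",
    "2025-03-10T09:01:30 host=AUTO-SRV1 id=4732 member=svc_backup group=Administrators subject=Administrator",
    "2025-03-10T09:15:10 host=AUTO-SRV1 id=4624 target=svc_backup logon_type=10 src_ip=10.20.30.40",
    "2025-03-10T09:20:45 host=AUTO-SRV1 id=4688 image=C:\\Users\\Public\\svchost.exe subject=svc_backup",
    "2025-03-10T11:02:00 host=AUTO-SRV1 id=1102 subject=svc_backup",
]


def sample_findings():
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for f in sample_findings():
        print(f)
```

The benign `jdoe` creation on WS12 produces no finding because no privileged group change or RDP logon follows it; the `svc_backup` chain on AUTO-SRV1 does, with the log clearing and the `svchost.exe` launched from `C:\Users\Public` attached as supporting evidence. In a real deployment the same logic would read EVTX or SIEM records instead of the constructed lines, and `MemberName` in 4732 is often a SID that must be resolved before comparison.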

These operations culminate in the deployment of LockBit 3.0 and Babuk ransomware, with ransom notes instructing victims to contact the attackers through messaging platforms to obtain decryption. Kaspersky's analysis indicates that both Head Mare and Twelve are evolving: they have diversified initial access to include phishing emails alongside contractor compromise, and they now target both state-controlled and private enterprises in Russia.

Separately, BI.ZONE has linked ScarCruft, a North Korea-linked actor, to phishing campaigns against unspecified Russian industries, part of a broader pattern of threats to Russian organizations. Another report noted a resurgence of Head Mare activity in March 2025, underscoring that these actors remain active.

The practical takeaway is that these groups rely less on exotic exploits than on well-understood techniques: vulnerabilities that were patched but not remediated, phishing, compromised contractors, newly created privileged accounts and RDP. Keeping patch levels current, restricting and auditing contractor access, and alerting on account creation, privileged group changes, RDP logons and log clearing address most of the chain described here, and the apparent cooperation between the two groups makes that baseline more important, not less.
