Head Mare Intensifies Attacks On Russia With PhantomCore

> - Cyble Research and Intelligence Labs (CRIL) has identified a campaign associated with the infamous group Head Mare aimed at targeting Russians. > - This campaign involves a ZIP archive containing both a malicious LNK file and an executable. The executable is cleverly disguised as an archive file to deceive users and facilitate its malicious operations. > - The LNK file contains commands designed to extract and execute the disguised, which has been identified as PhantomCore. > - PhantomCore is a backdoor utilized by the hacktivist group Head Mare. It has been active since 2023 and is known for consistently targeting Russia. > - In previous attacks, GoLang-compiled PhantomCore binaries were used. However, in this campaign, the threat actor (TA) is using C+±compiled PhantomCore binaries instead. > - TA also integrated the Boost.Beast library into PhantomCore to enable communication with the command-and-control (C&C) server. > - PhantomCore collects the victim’s information, including the public IP address, to gain detailed insights into the target before deploying the final-stage payload or executing additional commands on the compromised system. > - PhantomCore is known to deploy ransomware payloads such as LockBit and Babuk, inflicting significant damage on the victim’s systems.