Are Russian Entities Facing Joint Cyber Attacks from Head Mare and Twelve?

Article Highlights
Off On

In a startling revelation, cybersecurity firm Kaspersky has reported a significant collaboration between two notorious threat clusters, Head Mare and Twelve, targeting Russian entities. The collaboration signals a new phase of cyber warfare, leveraging sophisticated tools and techniques to breach and compromise both state and private infrastructures. This article delves into the various methods employed by these clusters, their targets, and the potential implications for cybersecurity in Russia.

Head Mare’s Collaborative Offensive

Head Mare has been in the spotlight since September last year for exploiting a now-patched WinRAR vulnerability (CVE-2023-38831) to deliver malware and ransomware, including LockBit for Windows and Babuk for Linux. Recently, Kaspersky’s analysis unearthed that Head Mare has adopted tools and command-and-control (C2) servers previously associated with Twelve. This strategic move suggests a coordinated campaign aimed at Russian targets, employing both malware distribution and infrastructure destruction.

Head Mare’s recent offensive operations have included deploying new tools such as CobInt, a backdoor that has been used in past attacks on Russian firms, and a customized implant named PhantomJitter for remote command execution. This development aligns with Twelve’s historic use of destructive tactics, including data encryption and the deployment of wipers to obliterate victims’ infrastructure. The tactical overlap between Head Mare, Twelve, and another group, Crypt Ghouls, indicates that these threat actors are sharing resources and strategies to maximize their impact.

Both clusters have exploited vulnerabilities in Microsoft Exchange Server, like ProxyLogon (CVE-2021-26855), to gain initial access. Additionally, Head Mare has used phishing emails with rogue attachments to infiltrate networks. Once inside, they have targeted contractors’ networks to compromise critical infrastructures, employing a technique known as a trusted relationship attack. By leveraging ProxyLogon, they executed commands to download and run CobInt on servers, establishing long-term persistence via privileged local user accounts on automation platform servers. These accounts facilitated remote desktop protocol (RDP) connections to transfer and execute malicious tools covertly.

Techniques and Evasion Strategies

The attackers have demonstrated remarkable ingenuity in evading detection. They disguised malicious payloads to resemble legitimate operating system files and meticulously cleared event logs to cover their tracks. Network traffic was concealed using proxy and tunneling tools like Gost and Cloudflared, ensuring that their activities remained under the radar. Their reconnaissance arsenal included quser.exe, tasklist.exe, and netstat.exe, while credential harvesting was accomplished with tools such as Mimikatz, secretsdump, and ProcDump.

For lateral movement within compromised networks, the attackers relied on RDP. They communicated with remote hosts using various tools like mRemoteNG, smbexec, wmiexec, PAExec, and PsExec. Data exfiltration was facilitated via Rclone, a robust tool designed for cloud storage management. The attacks often culminated in the deployment of ransomware like LockBit 3.0 and Babuk, with victims receiving notes instructing them to contact the attackers on Telegram for decryption keys.

Kaspersky noted that Head Mare’s toolkit is expanding, and its collaboration with Twelve underscores a significant elevation in the cyber threat landscape. This joint effort has successfully targeted both state-run and privately-owned enterprises in Russia, indicating a broad and indiscriminate approach to their cyber warfare tactics.

Additional Threat Actors and Campaigns

Adding another layer of complexity to the cyber threat landscape, BI.ZONE has linked the North Korean-associated threat actor ScarCruft to a phishing campaign last December targeting an unnamed Russian industrial entity. This campaign delivered a malware loader from a remote server, closely resembling another campaign dubbed SHROUDED#SLEEP, documented by cybersecurity firm Securonix. These findings suggest that multiple threat actors with diverse motivations and backgrounds are converging on Russian targets, significantly complicating defense efforts.

Moreover, BI.ZONE also highlighted ongoing cyber attacks by another group known as Bloody Wolf, which has compromised over 400 systems in Kazakhstan and Russia using the NetSupport RAT. This series of attacks further emphasizes the increasing aggressiveness and sophistication of threat actors targeting the region, as well as the dire need for heightened cybersecurity measures.

Evolving Cyber Threat Landscape

In a surprising development, cybersecurity firm Kaspersky has unveiled a significant collaboration between two well-known threat clusters, Head Mare and Twelve, aimed at Russian targets. This alliance marks a new chapter in cyber warfare, utilizing advanced tools and techniques to infiltrate and compromise both government and private sector infrastructures. The article explores the various tactics employed by these criminal groups, their chosen targets, and the potential ramifications for cybersecurity in Russia. The discovery of this cooperation between Head Mare and Twelve suggests a heightened level of sophistication and coordination in cyber attacks, raising concerns about the ability of Russian cybersecurity defenses to withstand such threats. This development could lead to an escalation in both the frequency and severity of cyber attacks on Russian entities, requiring enhanced vigilance and improved defense measures. The cooperation between these clusters may also indicate a trend toward more collaborative efforts among cybercriminals globally, posing a broader challenge for international cybersecurity efforts.

Explore more

Compliance Drives Regulated B2B Influencer Marketing in 2026

The shifting landscape of digital authority has fundamentally transformed how enterprise-level organizations engage with industry experts and thought leaders across global markets. As the professional world moves deeper into this period of technological saturation, the superficial tactics of the past have been replaced by a rigorous commitment to transparency and legal precision. In earlier years, the simple inclusion of a

Transforming Voice of the Customer Into Predictive Action

Corporate boardrooms often overflow with real-time dashboards and complex analytics, yet many organizations still find themselves blindsided by sudden shifts in customer loyalty and market demand. While the technology to capture feedback has become ubiquitous, the structural ability to interpret and act upon that data in a meaningful timeframe remains remarkably rare for the average enterprise. Most traditional systems are

How Will Databricks CustomerLake Redefine Agentic Marketing?

The ongoing evolution of the digital landscape has forced a radical reconsideration of how enterprises capture, process, and ultimately utilize the vast oceans of consumer data generated every second of the day. Modern marketing departments have long struggled with the paradox of having too much information but not enough actionable insight to drive meaningful consumer interactions in real time. The

How Can Small Banks Compete With Global Financial Giants?

Nikolai Braiden has seen the evolution of financial architecture from its early blockchain roots to the current wave of institutional modernization, and today he joins us to dissect a pivotal shift in venture capital. With BankTech Ventures recently deploying $15 million into AI and stablecoin solutions, the landscape for regional banking is undergoing a profound transformation. Braiden’s perspective as an

Bullski Presale Tops the List of Best Meme Coins for 2026

The current cryptocurrency market in 2026 has transitioned into a highly sophisticated arena where institutional standards and community-driven viral momentum converge to create unique financial opportunities. Investors are no longer satisfied with speculative assets lacking fundamental safeguards, leading to a significant shift toward projects that prioritize technical transparency and structured growth. In this evolving landscape, the Bullski presale has emerged