Head Mare: adventures of a unicorn in Russia and Belarus
Essential information
- Published
- 02/09/2024 20:52
- Modified
- 02/09/2024 21:54
- Tags
- 2024-09-02 CVE-2023-38831 babuk babyk belarus hacktivists lockbit phantomcore phantomdl phishing ransomware russia vasa locker
- Related entities
- 1 vulnerabilities (cve), 52 observables, 1 intrusion sets (apt), 17 techniques (mitre), 6 malware, 6 others
Description
Head Mare is a hacktivist group targeting companies in Russia and Belarus since 2023. They use phishing campaigns exploiting the CVE-2023-38831 vulnerability in WinRAR for initial access. Their toolkit includes custom malware like PhantomDL and PhantomCore, as well as publicly available tools like Sliver, Mimikatz, and ransomware variants LockBit and Babuk. The group's goal appears to be causing maximum damage to Russian and Belarusian organizations, though they also demand ransoms. Head Mare uses various techniques for persistence, detection evasion, credential harvesting, and network exploration. Their attacks have impacted government, transportation, energy, manufacturing, and entertainment sectors.