Head Mare and Twelve: Emerging Cyber Threats Targeting Russia


In recent cybersecurity reports, Kaspersky has uncovered a significant new development in cyberattack activity, where two well-known hacking groups, codenamed Head Mare and Twelve, appear to have joined forces to target Russian entities. This collaboration marks a new phase in their cyber operations, blending previously used tools and tactics. Kaspersky’s analysis reveals how these groups, which have been active in the cybercriminal world for years, are ramping up their campaigns and employing new techniques to infiltrate and damage their targets.

Key Findings

Kaspersky’s new findings shed light on the evolving tactics of the Head Mare and Twelve threat groups. The report indicates that the two hacker clusters have likely formed an alliance, pooling their resources and tools to launch joint attacks against Russian organizations. Both groups were previously identified by Kaspersky in September 2024, and their collaboration appears to be expanding.

– Head

  • Twelve’s Role: Twelve is known for its destructive campaigns, including data encryption and wiping attacks. They utilize publicly available tools for these purposes, but the recent analysis indicates that they are now working closely with Head Mare to enhance their operations. Twelve’s involvement includes the use of backdoors like CobInt, which has previously been used by ExCobalt and Crypt Ghouls.

  • Shared Tools: The two groups are found to be using several overlapping tools, indicating a tactical connection. For example, both groups deploy CobInt, a backdoor that has been linked to prior attacks targeting Russian firms. Furthermore, Head Mare has started using PhantomJitter, a bespoke implant designed for remote command execution.

  • Malicious Payloads: In recent campaigns, Head Mare has been observed installing various malicious payloads, such as LockBit 3.0 and Babuk ransomware, on compromised systems. These attacks are followed by ransom notes urging victims to contact the attackers via Telegram to decrypt their files.

  • Techniques and Tools: Both groups are increasingly using sophisticated tools for reconnaissance and exploitation, including system tools like quser.exe and netstat.exe, local network scanners like fscan, and credential-harvesting tools such as Mimikatz. Additionally, they employ RDP for lateral movement and tools like mRemoteNG and PsExec for remote communications.
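The tool list above is mostly built-in or freely available software, so the practical detection signal is the combination of several of them on one host within a short window rather than any single binary. The script below is an added illustration written for this summary, not code from Kaspersky or from the report; it groups the named tools into tactic categories (my own grouping), adds a command-line check for Mimikatz modules such as sekurlsa:: because the binary is routinely renamed (an assumption about attacker habit, not something the report states), treats mstsc.exe as the RDP client indicator, and runs over a constructed pipe-delimited process-creation log rather than any real telemetry format.

```python
"""Flag hosts whose process-creation records show the discovery,
credential-access and lateral-movement tooling named in the report summary.
Added example; log format, category grouping and sample records are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Process names from the report summary, grouped by tactic (assumption: grouping is mine).
INDICATORS = {
    "discovery": {"quser.exe", "netstat.exe", "fscan.exe"},
    "credential_access": {"mimikatz.exe"},
    # PsExec (and the service it drops), mRemoteNG, and the RDP client mstsc.exe
    "lateral_movement": {"psexec.exe", "psexesvc.exe", "mremoteng.exe", "mstsc.exe"},
}

# Mimikatz is usually renamed, so also match its characteristic module syntax
# on the command line (assumption: well-known mimikatz command names).
MIMIKATZ_CMD_RE = re.compile(r"(sekurlsa|lsadump)::|privilege::debug", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str      # full path of the created process
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'host|user|image|cmdline' record."""
    host, user, image, cmdline = line.rstrip("\n").split("|", 3)
    return ProcEvent(host, user, image, cmdline)


def basename(image: str) -> str:
    """Lower-cased file name, tolerant of both path separators."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> set[str]:
    """Tactic categories this single event matches (empty set if none)."""
    name = basename(ev.image)
    hits = {cat for cat, names in INDICATORS.items() if name in names}
    if MIMIKATZ_CMD_RE.search(ev.cmdline):
        hits.add("credential_access")
    return hits


def scan(lines) -> dict[str, dict[str, list[str]]]:
    """Per host: {category: [matching command lines]}; comments and blanks skipped."""
    findings = defaultdict(lambda: defaultdict(list))
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_event(line)
        for cat in classify(ev):
            findings[ev.host][cat].append(ev.cmdline)
    return {host: dict(cats) for host, cats in findings.items()}


def escalate(findings, min_categories: int = 2) -> list[str]:
    """Hosts showing two or more tactic categories: the hands-on-keyboard pattern
    (recon followed by credential theft or lateral movement) rather than a lone admin command."""
    return sorted(h for h, cats in findings.items() if len(cats) >= min_categories)


# Constructed sample records: host|user|image|cmdline
SAMPLE_LOG = """\
# constructed sample process-creation records
WS-17|CORP\\jdoe|C:\\Windows\\System32\\quser.exe|quser.exe
WS-17|CORP\\jdoe|C:\\Windows\\System32\\netstat.exe|netstat.exe -ano
WS-17|CORP\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\fscan.exe|fscan.exe -h 10.10.0.0/24
WS-17|CORP\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe|svc.exe "privilege::debug" "sekurlsa::logonpasswords" exit
SRV-DB01|CORP\\svc_backup|C:\\Tools\\PsExec.exe|PsExec.exe \\\\SRV-FS02 -s cmd.exe
SRV-DB01|CORP\\svc_backup|C:\\Windows\\System32\\netstat.exe|netstat.exe -an
WS-03|CORP\\asmith|C:\\Windows\\System32\\netstat.exe|netstat.exe -r
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for host in escalate(results):
        print(f"{host}: {sorted(results[host])}")
```

On the sample data WS-03 runs netstat alone and is not escalated, while WS-17 (discovery plus a renamed Mimikatz) and SRV-DB01 (netstat plus PsExec) are; in production the same logic would sit over Sysmon event 1 or Windows 4688 records and be joined with RDP logon events (type 10) to cover the lateral-movement leg the report describes.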

This partnership between Head Mare and Twelve demonstrates an evolution in cyberattack tactics, as the two groups combine their capabilities for more efficient and damaging campaigns. Kaspersky’s analysis suggests that these attacks are not just random incidents but part of a broader effort to target both state-controlled and privately-held organizations in Russia.

What Undercode Say:

The partnership between the Head Mare and Twelve groups signifies a growing trend where cybercriminal organizations collaborate to maximize the impact of their operations. This marks a shift in how cybercriminals approach their targets—focusing not just on individual vulnerabilities but coordinating efforts to exploit multiple attack vectors at once.

From a strategic perspective, the collaboration between Head Mare and Twelve reflects an increasingly professionalized cyber threat landscape. These groups are not operating in isolation; they are leveraging each other’s strengths to execute more sophisticated and far-reaching attacks. The overlap in tools like CobInt and PhantomJitter suggests that both groups are well-coordinated in their efforts, sharing both knowledge and resources to adapt to evolving defense mechanisms.

One of the most concerning aspects of these attacks is their persistence. By exploiting vulnerabilities such as ProxyLogon and by targeting contractors’ networks, these groups are able to bypass traditional security measures and gain long-term access to victim networks. Moreover, their abuse of trusted relationships further underscores how advanced their tactics are: they use legitimate, trusted access paths into the target to deliver their payloads.

The deployment of ransomware such as LockBit and Babuk is also an indication that these cybercriminals are not only looking to cause chaos but are actively seeking financial gain. This adds another layer of complexity, as ransomware campaigns often make it harder for organizations to recover without paying the ransom.

As the attack patterns evolve, it’s clear that Head Mare and Twelve are no longer operating in isolation but as part of a larger, increasingly organized cybercriminal ecosystem. The fact that these groups are targeting Russian entities highlights how geopolitical tensions are being reflected in the cyber domain, with attackers taking advantage of both political and technological vulnerabilities.

Fact Checker Results

  • Tool Overlap: The tools used by Head Mare and Twelve, particularly CobInt and PhantomJitter, suggest a level of coordination between the two groups.
  • Targeting Russia: The focus on Russian entities aligns with geopolitical tensions, where cyberattacks are often a tool for political or economic leverage.
  • Evolving Techniques: The growing sophistication in attack methods, such as using trusted relationships and exploiting zero-day vulnerabilities, points to a highly skilled group of cybercriminals with evolving tactics.

References:

Reported By: https://thehackernews.com/2025/03/kaspersky-links-head-mare-to-twelve.html