Ethical Hacking News

Kaspersky Uncovers Sinister Alliance Between Head Mare and Twelve Malware Groups



Kaspersky researchers have uncovered evidence of an operational overlap between Head Mare and Twelve, two threat groups that attack Russian entities. The findings indicate that the two groups now share tools and techniques, with Head Mare adopting implants previously associated with Twelve's destructive intrusions.

  • Kaspersky has linked Head Mare and Twelve, two threat groups targeting Russian entities, through shared tools and techniques.
  • Head Mare has incorporated tools previously associated with Twelve into its own toolkit.
  • The overlap is most visible in the shared use of the CobInt backdoor and the PhantomJitter remote-command implant.
  • Initial access relies on phishing emails with malicious attachments, Microsoft Exchange Server flaws such as ProxyLogon (CVE-2021-26855), and compromised contractors.
  • Intrusions end in LockBit 3.0 and Babuk ransomware, with Gost and Cloudflared tunnels used to hide the attackers' network traffic.
  • Organizations should patch the Exchange flaws the groups exploit, scrutinise contractor access, and watch for the reconnaissance and tunnelling tools described below.



Kaspersky researchers have identified a link between Head Mare and Twelve, two threat groups that attack Russian entities. Their analysis indicates that the two groups are cooperating, with Head Mare drawing on tools and techniques previously associated with Twelve.

Kaspersky's researchers found that Head Mare, previously known for exploiting vulnerabilities such as the now-patched WinRAR flaw CVE-2023-38831, has adopted techniques seen in Twelve's destructive attacks. The findings suggest a degree of cooperation between the two groups, with Head Mare incorporating tools previously associated with Twelve into its own toolkit.

The overlap is most pronounced in the deployment of CobInt, a backdoor previously used by ExCobalt and Crypt Ghouls in attacks on Russian firms. Kaspersky's analysis also uncovered PhantomJitter, a bespoke implant designed for remote command execution, in Head Mare's attacks as well as in intrusions attributed to Twelve.

Separately, BI.ZONE has linked the North Korean threat actor ScarCruft (APT37) to a December 2024 phishing campaign that delivered a malware loader responsible for deploying an unknown payload from a remote server. That activity closely resembles a campaign dubbed SHROUDED#SLEEP, documented by Securonix in October 2024, which deployed the VeilShell backdoor in intrusions targeting Cambodia and likely other Southeast Asian countries.

The partnership between Head Mare and Twelve is further underscored by both groups' exploitation of Microsoft Exchange Server flaws such as ProxyLogon (CVE-2021-26855), as well as phishing emails carrying malicious attachments. The groups have also been observed infiltrating victim infrastructure through compromised contractors, demonstrating an ability to operate within trusted relationships.

"The attackers used ProxyLogon to execute a command to download and launch CobInt on the server," Kaspersky explained. Describing the updated persistence mechanism employed by Head Mare, the company added: "These accounts are then used to connect to the server via RDP to transfer and execute tools interactively."

Intrusions culminate in the deployment of LockBit 3.0 and Babuk ransomware on compromised hosts. The attackers also use proxy and tunnelling tools such as Gost and Cloudflared to conceal their network traffic, and built-in Windows utilities such as quser.exe, tasklist.exe and netstat.exe for host reconnaissance.
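The reconnaissance and tunnelling behaviour described above, together with the ProxyLogon-to-CobInt step quoted from Kaspersky, leaves a recognisable footprint in Windows process-creation telemetry. The script below is an added example written for this page, not code from Kaspersky or from the report: the event layout (a Sysmon Event ID 1-style record flattened to one line), the binary names gost.exe and cloudflared.exe, the five-minute correlation window and every sample event are assumptions or constructed data. The rule that flags a command interpreter spawned by w3wp.exe is a general web-shell indicator for IIS/Exchange, not something the report states.

```python
"""Hunt over Windows process-creation events for the post-exploitation pattern
the article attributes to Head Mare and Twelve: a burst of built-in
reconnaissance utilities, proxy/tunnelling binaries (Gost, Cloudflared), and a
command interpreter spawned by the IIS worker process, which is what a web
shell dropped through an Exchange flaw such as ProxyLogon looks like in
telemetry. Schema, binary names, window and sample events are assumptions
made for this example, not Kaspersky's data."""
from collections import defaultdict
from datetime import datetime, timedelta

RECON_TOOLS = {"quser.exe", "tasklist.exe", "netstat.exe"}   # named in the article
TUNNEL_TOOLS = {"gost.exe", "cloudflared.exe"}               # binary names assumed
INTERPRETERS = {"cmd.exe", "powershell.exe"}
RECON_WINDOW = timedelta(minutes=5)                           # tuning assumption

# Constructed records, one per line: ts|host|user|parent image|image|command line.
SAMPLE_EVENTS = [
    r"2025-03-10T08:00:10|ws-hr02|CORP\jsmith|C:\Windows\explorer.exe|C:\Windows\System32\tasklist.exe|tasklist.exe",
    r"2025-03-10T08:30:40|ws-hr02|CORP\jsmith|C:\Windows\explorer.exe|C:\Windows\System32\netstat.exe|netstat.exe -ano",
    r"2025-03-10T09:00:01|exch01|NT AUTHORITY\SYSTEM|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
    r"2025-03-10T09:10:05|ws-hr02|CORP\jsmith|C:\Windows\explorer.exe|C:\Windows\System32\quser.exe|quser.exe",
    r"2025-03-10T09:12:00|srv-fin01|CORP\contractor1|C:\Windows\System32\cmd.exe|C:\Windows\System32\quser.exe|quser.exe",
    r"2025-03-10T09:12:07|srv-fin01|CORP\contractor1|C:\Windows\System32\cmd.exe|C:\Windows\System32\tasklist.exe|tasklist.exe /v",
    r"2025-03-10T09:13:30|srv-fin01|CORP\contractor1|C:\Windows\System32\cmd.exe|C:\Windows\System32\netstat.exe|netstat.exe -ano",
    r"2025-03-10T09:15:02|srv-fin01|CORP\contractor1|C:\Windows\System32\cmd.exe|C:\Users\contractor1\AppData\Local\Temp\cloudflared.exe|cloudflared.exe tunnel --url tcp://127.0.0.1:3389",
]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Split one pipe-delimited record into a dict; the command line may itself contain '|'."""
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": basename(parent), "image": basename(image), "cmdline": cmdline}


def hunt(lines, window=RECON_WINDOW):
    """Return (host, rule, detail) findings in chronological order."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    findings = []
    recent = defaultdict(list)   # (host, user) -> [(ts, tool)] seen inside the window
    for e in events:
        if e["image"] in TUNNEL_TOOLS:
            findings.append((e["host"], "tunnel_tool", f"{e['user']}: {e['cmdline']}"))
        if e["parent"] == "w3wp.exe" and e["image"] in INTERPRETERS:
            findings.append((e["host"], "iis_spawned_shell", f"w3wp.exe -> {e['cmdline']}"))
        if e["image"] in RECON_TOOLS:
            key = (e["host"], e["user"])
            # keep only the recon executions still inside the sliding window
            hist = [(t, i) for t, i in recent[key] if e["ts"] - t <= window]
            hist.append((e["ts"], e["image"]))
            if {i for _, i in hist} == RECON_TOOLS:
                findings.append((e["host"], "recon_burst",
                                 f"{e['user']} ran {', '.join(sorted(RECON_TOOLS))} within {window}"))
                hist = []   # reset so a continuing session does not re-alert on every event
            recent[key] = hist
    return findings


if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{host:10} {rule:18} {detail}")
```

On the constructed sample the script raises three findings: the shell spawned by w3wp.exe on exch01, the quser/tasklist/netstat burst by the contractor account on srv-fin01, and the cloudflared tunnel that follows it. The help-desk user on ws-hr02, who runs the same three utilities over seventy minutes, is not flagged; widen the window and that changes, which is the tuning trade-off a detection engineer has to make against their own baseline.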

As the threat landscape continues to evolve, organizations should prioritise defences against the tactics described here. The cooperation between Head Mare and Twelve shows that tooling attributed to one group can quickly surface in another's intrusions.

Kaspersky has urged organizations to remain vigilant, stay informed about emerging threats and keep security controls up to date so that the impact of these groups can be contained.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Kaspersky-Uncovers-Sinister-Alliance-Between-Head-Mare-and-Twelve-Malware-Groups-ehn.shtml
  • https://thehackernews.com/2025/03/kaspersky-links-head-mare-to-twelve.html
  • https://nvd.nist.gov/vuln/detail/CVE-2021-26855
  • https://www.cvedetails.com/cve/CVE-2021-26855/
  • https://nvd.nist.gov/vuln/detail/CVE-2023-38831
  • https://www.cvedetails.com/cve/CVE-2023-38831/
  • https://securelist.com/head-mare-twelve-collaboration/115887/
  • https://securelist.com/twelve-group-unified-kill-chain/113877/
  • https://www.crowdstrike.com/en-us/cybersecurity-101/malware/types-of-malware/
  • https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint
  • https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint
  • https://thesecmaster.com/blog/scarcruft-apt37
  • https://attack.mitre.org/groups/G0067/
  • https://cybermaterial.com/north-korean-hackers-use-veilshell-backdoor/
  • https://thehackernews.com/2024/10/north-korean-hackers-using-new.html
  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a
  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
  • https://www.infosecinstitute.com/resources/malware-analysis/gh0st-rat-complete-malware-analysis-part-1/
  • https://www.sentinelone.com/blog/the-curious-case-of-gh0st-malware/
  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a
  • https://cyberpress.org/head-mar-hacker-group/
  • https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-february-2025/
  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/


  • Published: Fri Mar 21 08:40:18 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.