Key takeaways
  • Cyble Research and Intelligence Labs (CRIL) has identified a campaign attributed to the infamous group Head Mare that targets Russian users.
  • This campaign involves a ZIP archive containing both a malicious LNK file and an executable. The executable is cleverly disguised as an archive file to deceive users and facilitate its malicious operations.
  • The LNK file contains commands that extract and execute the disguised executable, which has been identified as PhantomCore.
  • PhantomCore is a backdoor utilized by the hacktivist group Head Mare. The group has been active since 2023 and is known for consistently targeting Russia.
  • In previous attacks, GoLang-compiled PhantomCore binaries were used. In this campaign, however, the threat actor (TA) is using C++-compiled PhantomCore binaries instead.
  • The TA also integrated the Boost.Beast library into PhantomCore to handle communication with the command-and-control (C&C) server.
  • PhantomCore collects the victim’s information, including the public IP address, to gain detailed insights into the target before deploying the final-stage payload or executing additional commands on the compromised system.
  • PhantomCore is known to deploy ransomware payloads such as LockBit and Babuk, inflicting significant damage on the victim’s systems.
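The delivery chain summarized above (a ZIP holding a malicious LNK plus a PE renamed to look like an archive) lends itself to a simple triage check. The following is an added example written for this page, not code from Cyble or from the Head Mare toolset: it walks a ZIP, parses each .lnk according to the MS-SHLLINK layout to pull out the relative path and command-line arguments, and flags any entry whose extension says "archive" but whose bytes carry an MZ/PE header. The sample archive, the file names inside it and the LNK command line are constructed here for illustration and are not the indicators from the campaign.

```python
import io
import struct
import zipfile

# MS-SHLLINK: fixed 0x4C-byte ShellLinkHeader, LinkCLSID, LinkFlags at offset 20.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".tar", ".gz")


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (name, relative path, arguments, ...) of a shell link."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 20)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip LinkTargetIDList (2-byte size prefix)
        id_list_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (4-byte size is the first field)
        link_info_size, = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:             # StringData: CountCharacters + chars, in this fixed order
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        width = 2 if unicode else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")
    return fields


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_zip(zip_bytes: bytes) -> list:
    """Return (entry name, finding, detail) tuples for LNKs and PEs hiding behind archive extensions."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            lower = info.filename.lower()
            if lower.endswith(".lnk"):
                try:
                    fields = parse_lnk_strings(data)
                except (ValueError, struct.error):
                    findings.append((info.filename, "lnk-unparseable", ""))
                    continue
                cmd = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).strip()
                findings.append((info.filename, "lnk", cmd))
            elif lower.endswith(ARCHIVE_EXTENSIONS) and is_pe(data):
                findings.append((info.filename, "pe-disguised-as-archive", ""))
    return findings


# --- constructed sample input (hypothetical names and command line, not campaign indicators) ---
def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode shell link carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


_dos = bytearray(0x40)
_dos[:2] = b"MZ"
struct.pack_into("<I", _dos, 0x3C, 0x40)         # e_lfanew -> PE signature right after the DOS header
FAKE_PE = bytes(_dos) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Document.lnk", build_lnk(
            "..\\..\\..\\Windows\\System32\\cmd.exe",
            "/c copy Document.rar %TEMP%\\svc.exe && %TEMP%\\svc.exe"))
        zf.writestr("Document.rar", FAKE_PE)      # PE bytes under an archive extension
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind, detail in triage_zip(build_sample_zip()):
        print(f"{kind:26} {name:14} {detail}")
```

The LNK parser only walks the structures needed to reach StringData; it does not interpret the ID list or LinkInfo, which is enough to surface the command line for a quick look. The PE check deliberately ignores the extension and trusts only the bytes, which is the point when the lure relies on a renamed executable.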