Analysts from Kaspersky have identified a new targeted campaign by the pro-Ukrainian group Head Mare, aimed at Russian government entities as well as construction and industrial companies. The operation showcases an updated toolset centered around a new PowerShell backdoor dubbed PhantomHeart, which replaces the group’s earlier DLL-based malware and significantly strengthens its stealth and flexibility.
Head Mare targets Russian government, construction, and industrial sectors
Head Mare has been tracked as a politically motivated threat actor conducting cyber-espionage and long-term access operations. The latest activity continues this pattern, focusing on organizations whose data and infrastructure are strategically valuable. Instead of immediate sabotage, the tools and techniques observed are consistent with persistent access, internal reconnaissance, and controlled data exfiltration, which align with typical advanced persistent threat (APT) tradecraft.
From binaries to PowerShell: Living-off-the-Land as a core tactic
The most notable shift in this campaign is the move from compiled binaries to PowerShell scripts and built-in Windows components. This indicates a deliberate adoption of a Living-off-the-Land (LOTL) strategy, where attackers rely on legitimate system tools rather than custom executables to carry out malicious actions.
In practice, LOTL means abusing standard utilities such as PowerShell, Windows Task Scheduler, registry tools, and the OpenSSH client (ssh.exe) that ships with current Windows releases. Because these components are signed by Microsoft and used daily by administrators, their misuse is far harder to detect with signature-based antivirus or basic perimeter controls; detection has to rest on command lines, parent-child process relationships, script content, and the context of who ran what and from where. Incident response reports from Microsoft, Mandiant, and CrowdStrike consistently highlight LOTL techniques as a key factor in modern intrusions, mapped in MITRE ATT&CK mostly to the Execution and Defense Evasion tactics.
Initial access: TrueConf Server vulnerability BDU:2025-10114 and phishing
Head Mare’s initial access vectors have changed little compared to previous campaigns. The group continues to exploit a known vulnerability in TrueConf Server, a popular video conferencing platform, tracked as BDU:2025-10114 (an identifier from the FSTEC vulnerability database; no CVE number is given here). Unpatched TrueConf servers exposed to the internet can be remotely compromised, giving the attackers a direct foothold in the target network.
Alongside exploitation of this vulnerability, researchers still observe phishing emails containing malicious attachments or links as an alternative entry point. By combining technical exploitation with social engineering, the attackers can flexibly choose the most convenient path into each environment, increasing the likelihood of at least one vector succeeding where patch management or staff awareness are weak.
PhantomHeart PowerShell backdoor: SSH tunneling and system reconnaissance
The centerpiece of the post-exploitation toolkit is the PhantomHeart PowerShell backdoor. Its primary function is to establish an SSH tunnel on demand, giving the operators reliable remote access from their command-and-control (C2) servers even in restrictive network environments. The tunnel is reverse: the compromised host initiates an outbound SSH session to attacker-controlled infrastructure, and the attackers then forward ports back through it, so firewall rules that only restrict inbound connections never see a violation. The matching control is therefore on the egress side: a server that has no business reason to open SSH sessions to the internet should not be allowed to, and any that does should raise an alert.
PhantomHeart also performs lightweight reconnaissance, collecting technical information such as the computer name, domain context, external IP address, and a unique victim identifier. This allows the operators to prioritize targets, map compromised infrastructure, and coordinate follow-on actions with other tools in their arsenal.
Persistence via Task Scheduler and impersonation of LiteManager updates
Persistence is achieved through Windows Task Scheduler, where PhantomHeart is configured to run under the guise of a legitimate LiteManager remote administration tool update script. The malicious PowerShell file is dropped into the LiteManager installation directory and mimics normal maintenance activity. Because remote administration software is commonly used in corporate environments, this kind of impersonation can easily evade superficial audits and casual script reviews.
Masquerading as trusted IT tools is a widely used defense-evasion technique. Without detailed logging of Task Scheduler changes, application directories, and script executions, even experienced administrators may overlook such activity during routine checks.
PhantomProxyLite: PowerShell-based SSH proxy and tunneling service
Another key component, PhantomProxyLite, has also been reimplemented as a PowerShell script. Previously deployed as a binary service named SSHService, the same logic is now delivered via script, making it easier for the attackers to modify, obfuscate, and redeploy the code without recompilation. This tool primarily handles SSH tunneling and traffic proxying for persistent remote control.
Automated deployment with Create-SSHServiceTask.ps1 and ssh.exe
PhantomProxyLite is registered in Task Scheduler as SSHService and executed with SYSTEM privileges at system startup. It uses a dedicated registry key to store port configuration, writes a temporary SSH configuration file in C:\Windows\Temp, and launches the native ssh.exe client to create a reverse SSH tunnel back to Head Mare’s infrastructure.
To standardize and scale deployment, the group leverages an auxiliary script named Create-SSHServiceTask.ps1. This script programmatically creates or reinitializes the scheduled task with predefined parameters, first removing any existing task of the same name. Such automation is typical of mature operations: it reduces operator workload, minimizes configuration errors, and enables rapid roll-out of the tunneling service across many compromised hosts.
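The two persistence mechanisms described above (the PowerShell script masquerading as a LiteManager update, and the SSHService task that runs ssh.exe as SYSTEM at startup with a temporary config under C:\Windows\Temp) share one hunting surface: the Task Scheduler store and that temp directory. The following PowerShell script is an added example written for this article, not Head Mare’s code and not Kaspersky’s detection logic. It takes only the facts the article gives (task name SSHService, SYSTEM at boot, the LiteManager directory, C:\Windows\Temp, ssh.exe reverse tunnelling) and adds its own assumptions, all marked in comments: the extra RMM folder names, the scoring weights, the regexes, and the guess that the temp config uses ordinary ssh_config keywords.

```powershell
# Added hunting example for the Task Scheduler persistence in this article.
# Not Head Mare's code nor Kaspersky's detection logic. Facts from the article:
# task name SSHService, SYSTEM at boot, a script in the LiteManager directory,
# a temporary SSH config under C:\Windows\Temp, ssh.exe for a reverse tunnel.
# Everything else (other RMM names, weights, regexes) is this example's own
# heuristic. Run elevated so every task and C:\Windows\Temp are readable.

$Interpreters = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe')
$RmmDirs      = @('LiteManager', 'AnyDesk', 'TeamViewer', 'RustDesk')   # assumption: directories worth flagging
$Threshold    = 3                                                         # assumption: score needed to report a task

$taskHits = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }          # only MSFT_TaskExecAction carries an executable
        $exe      = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLower()
        $argText  = [string]$action.Arguments
        $cmdLine  = "$($action.Execute) $argText".Trim()
        $isSystem = $task.Principal.UserId -match 'SYSTEM|S-1-5-18'
        $atBoot   = [bool]($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger' })

        $score = 0
        $why   = New-Object System.Collections.Generic.List[string]
        if ($Interpreters -contains $exe)      { $score += 1; $why.Add("runs $exe") }
        if ($isSystem -and $atBoot)            { $score += 1; $why.Add('SYSTEM at boot') }
        if ($task.TaskName -eq 'SSHService')   { $score += 3; $why.Add('task name SSHService (named in the article)') }
        if ($exe -eq 'ssh.exe' -or $argText -match '(^|\s|[\\"])ssh(\.exe)?(\s|$)') { $score += 2; $why.Add('invokes OpenSSH client') }
        if ($argText -match '(^|\s)-R\s+\S+:\S+')                                   { $score += 3; $why.Add('remote port forward (-R)') }
        if ($argText -match '-(enc|encodedcommand|ec|w(indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b') {
            $score += 2; $why.Add('evasive PowerShell switches')
        }
        foreach ($d in $RmmDirs) {
            if ($cmdLine -match [regex]::Escape($d)) { $score += 2; $why.Add("references $d directory") }
        }

        if ($score -ge $Threshold) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                RunAs   = $task.Principal.UserId
                Score   = $score
                Command = $cmdLine
                Why     = $why -join '; '
            }
        }
    }
}

# The article names the directory of the temporary SSH config but not the file,
# so look for any small file there that uses ssh_config keywords (assumption).
$cfgPattern = '^\s*(Host|HostName|Port|User|RemoteForward|IdentityFile|ProxyCommand|StrictHostKeyChecking)\b'
$cfgHits = Get-ChildItem "$env:SystemRoot\Temp" -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -lt 64KB } |
    Where-Object { Select-String -Path $_.FullName -Pattern $cfgPattern -Quiet -ErrorAction SilentlyContinue }

$taskHits | Sort-Object Score -Descending | Format-Table -AutoSize -Wrap
$cfgHits  | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
```

The weights are deliberately chosen so that Microsoft’s own SYSTEM-at-boot PowerShell tasks score 2 and stay below the threshold, while a task named SSHService, an ssh.exe invocation with -R, or a script living in an RMM directory crosses it on its own or with one more signal. Anything this reports should be confirmed against the task’s XML (Export-ScheduledTask) and the file it launches before it is removed, since the article notes that a removed task is simply re-created by Create-SSHServiceTask.ps1 if the operators still have access.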
Additional tools: post-exploitation automation and SOCKS5 proxying
Beyond PhantomHeart and PhantomProxyLite, Kaspersky’s research shows that Head Mare maintains a modular toolkit for post-exploitation automation, including scripts and utilities for persistence, privilege management, and network access orchestration. This “building block” approach allows the attackers to tailor each intrusion chain to the target’s architecture and security posture.
The toolset also includes MicroSocks, an open-source SOCKS5 proxy available on GitHub. Leveraging publicly available code lowers development costs and complicates attribution, since the same tools are used by legitimate administrators, penetration testers, and unrelated threat actors. This blurs the line between benign and malicious activity and reinforces the need for context-aware detection rather than simple tool-based blocking.
Given the clear shift toward PowerShell-centric LOTL operations, organizations in the Russian government, construction, and industrial sectors should prioritize strict PowerShell governance: Constrained Language Mode enforced through AppLocker or WDAC (an execution policy on its own is not a security boundary), script block and module logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), and an AllSigned execution policy backed by code signing of approved scripts. Equally important are regular patching of exposed services such as TrueConf Server (BDU:2025-10114), egress filtering and alerting on outbound SSH from servers that have no business reason to initiate it, and continuous monitoring of Task Scheduler entries and remote administration software directories. Deploying modern EDR solutions, centralizing log collection, and training IT staff to recognize LOTL patterns significantly improve the chances of detecting campaigns like Head Mare’s at an early stage and limiting their impact.
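As an added example of the governance and monitoring recommended above (written for this article, not code from Kaspersky or from the campaign), the following PowerShell turns on script block and module logging through the policy registry keys, reports the session’s language mode, and then hunts the last week of Event ID 4104 records for the primitives the article describes: ssh.exe reverse forwarding, files under C:\Windows\Temp, the SSHService task name, scheduled-task creation and deletion, and references to the LiteManager directory. The regexes are this example’s own assumptions about what such scripts contain, not published signatures, and the script must run elevated.

```powershell
# Added example, not the article's or Kaspersky's code: a minimal PowerShell
# governance baseline plus a hunt over script block logs for the primitives the
# campaign relies on. Run elevated. The regexes are this example's assumptions
# about what such scripts contain, not published signatures.

# 1. Script block logging (Event ID 4104) and module logging via the policy
#    registry keys. In a domain, push the same settings with Group Policy.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

$ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*'

# 2. Report the language mode of this session. Constrained Language Mode is
#    only enforced for every user when an AppLocker or WDAC policy is in place;
#    a script cannot switch it on for the machine, and ExecutionPolicy is a
#    safety feature rather than a security boundary.
"LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"

# 3. Hunt the last 7 days of 4104 events. Properties[2] is the script text,
#    [3] the ScriptBlockId, [4] the script path (empty for in-memory blocks).
$patterns = @(
    'ssh(\.exe)?\s[^\r\n]*\s-R\s+\S+:\S+'        # reverse port forward with the OpenSSH client (assumed form)
    'C:\\Windows\\Temp\\\S+'                     # a config or script dropped where the article says
    'SSHService'                                 # task name named in the article
    '(Unregister|Register)-ScheduledTask|schtasks(\.exe)?\s+/(create|delete)'   # task persistence / "remove first" pattern
    'LiteManager'                                # RMM directory used for masquerading
)
$regex = $patterns -join '|'

$hits = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-PowerShell/Operational'
            Id        = 4104
            StartTime = (Get-Date).AddDays(-7)
        } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match $regex } |
    Select-Object TimeCreated,
        @{ n = 'ScriptBlockId'; e = { $_.Properties[3].Value } },
        @{ n = 'Path';          e = { $_.Properties[4].Value } },
        @{ n = 'Match';         e = { [regex]::Match($_.Properties[2].Value, $regex, 'IgnoreCase').Value } }

$hits | Format-Table -AutoSize -Wrap
```

Script block logging records the de-obfuscated text of every block PowerShell compiles, so an encoded or string-assembled launcher for ssh.exe still shows up in plain form in 4104; that is why the hunt matches on the script text rather than on the process command line. Forward these events to a central collector before relying on them, since an operator with SYSTEM on the host can clear the local log.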