Researchers at Kaspersky have observed a fresh wave of targeted intrusion activity by the Head Mare threat group against organizations in Russia and Belarus. The actors have shifted from single backdoors to a resilient, multi‑stage toolchain that blends diverse technologies and execution paths, improving evasion and persistence across victim environments.
Initial access: spearphishing with polyglot attachments
The campaign still begins with spearphishing emails carrying a malicious attachment. This time, the payload drops the PhantomRemote backdoor, enabling remote command execution on the compromised host. To bypass static content filters, the operators use a polyglot file—a single file crafted to be valid under multiple formats so different applications parse it successfully, weakening checks by secure email gateways and DLP tools.
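To show why a polyglot slips past format-based filters, here is an added triage check (not Kaspersky's code or anything from the campaign) that identifies a file by where real parsers actually look rather than by a single magic number: Acrobat accepts a `%PDF-` header anywhere in the first 1024 bytes, while ZIP readers locate the archive from the End Of Central Directory record at the file's tail. The sample PDF/ZIP blob is constructed inline for illustration.

```python
import io
import zipfile

# Signature checks are anchored where the corresponding parser looks.
# Searching the whole file would flag every PDF that embeds a JPEG, so
# each head signature is only accepted within that parser's known
# tolerance window (offset 0 for strict formats, 1024 bytes for PDF).
HEAD_SIGNATURES = {
    "pdf": (b"%PDF-", 1024),
    "pe": (b"MZ", 0),
    "ole2": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0),
    "zip": (b"PK\x03\x04", 0),
}
# ZIP readers walk backwards from the end to find the EOCD record, so
# trailing ZIP structures count no matter what the leading bytes say.
EOCD_SIGNATURE = b"PK\x05\x06"
EOCD_MAX_TAIL = 22 + 65535  # fixed EOCD size plus maximum comment length


def identify_formats(data: bytes) -> list[str]:
    """Return every container format a common parser would accept this blob as."""
    found = set()
    for name, (sig, tolerance) in HEAD_SIGNATURES.items():
        if data.find(sig, 0, tolerance + len(sig)) != -1:
            found.add(name)
    # Browsers sniff HTML loosely; check a lowercased head window.
    head = data[:1024].lower()
    if b"<html" in head or b"<!doctype html" in head or b"<script" in head:
        found.add("html")
    if data.rfind(EOCD_SIGNATURE, max(0, len(data) - EOCD_MAX_TAIL)) != -1:
        found.add("zip")
    return sorted(found)


def is_polyglot(data: bytes) -> bool:
    """A file that more than one parser accepts deserves sandboxing or CDR."""
    return len(identify_formats(data)) > 1


def build_sample_pdf_zip() -> bytes:
    """Constructed sample: a PDF-looking header followed by a real ZIP archive.
    ZIP readers that anchor on the EOCD (Python's zipfile included) still open
    the archive despite the prefix, so two parsers accept the same bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.txt", "constructed sample content")
    return b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n" + buf.getvalue()
```

A gateway that dispatches on the first magic number alone would route the sample to the PDF scanner only, while an archive extractor downstream still opens it as a ZIP.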
Resilient backdoor chain and technology diversification
Unlike earlier activity observed in March, the 2025 wave introduces a chained toolkit: PhantomRemote (initial foothold), PhantomCSLoader (loader), and PhantomSAgent (secondary agent). The components span PowerShell, C++, and C#, use different launch mechanisms and internal logic, yet implement a similar command‑and‑control (C2) model. This diversification reduces the chance that a single signature or behavior rule disables the entire operation—if one stage is blocked, others can continue functioning.
SSH tunneling for covert remote access
In multiple cases, the operators configured SSH tunneling to route C2 traffic and administrative tools through an allowed, legitimate protocol. By proxying communications over SSH, the group blends with normal network patterns, complicating detection at perimeter devices and within network monitoring systems.
MITRE ATT&CK mapping and why it evades point IoC blocking
The observed techniques map to MITRE ATT&CK techniques including T1566.001 (Phishing: Spearphishing Attachment), T1059 (Command and Scripting Interpreter, including PowerShell), T1572 (Protocol Tunneling), and T1021.004 (Remote Services: SSH). Because the architecture is multi‑stage and the C2 channel is tunneled, detection has to rest on behavior rather than static indicators; blocking a hash or an IP address rarely stops more than one stage. Industry reporting, such as the Verizon Data Breach Investigations Report, consistently identifies phishing and the misuse of legitimate tools as the dominant initial‑access and post‑compromise patterns, underscoring the need for TTP‑centric detection rather than reliance on indicators alone.
Strategic context: layered, modular campaigns as the new normal
The parallel use of several malware “branches” suggests coordination by one or more sub‑teams operating under the Head Mare umbrella. Mature actors increasingly build redundancy, accelerate tooling updates, and rotate infrastructure to outpace detection. More broadly, social engineering remains a dependable initial access vector across sectors, while “living off the land” with interpreters like PowerShell is routinely seen in post‑exploitation phases. Public guidance from CISA and Microsoft consistently warns defenders to monitor and constrain PowerShell, scripting engines, and remote administration tools to reduce attacker dwell time.
Defensive recommendations: from email hardening to threat hunting
Harden email security: deploy sandboxing that can detonate and reconstruct containerized and polyglot files; enforce SPF, DKIM, and DMARC; apply strict policies on risky attachment types and macros. Modern content disarm and reconstruction (CDR) can further reduce risk from embedded payloads.
EDR/XDR and behavior analytics: prioritize detection of suspicious PowerShell and other interpreters (e.g., encoded commands, AMSI bypass attempts), lateral movement precursors, and anomalous outbound C2 patterns. Shift emphasis from IoCs to TTP signatures and behavioral baselines.
Network controls: monitor and restrict SSH tunneling (egress controls on TCP/22, unusual long‑lived interactive sessions, TLS‑wrapped SSH, nonstandard ports), enforce segmentation, and apply least privilege for remote services and management interfaces.
Execution policy and application control: enforce script controls (e.g., Constrained Language Mode), AppLocker/WDAC policies, and signed binaries, and maintain a software inventory so that unauthorized loaders and droppers can be blocked.
Security operations: conduct proactive threat hunting for loader artifacts, persistence mechanisms, and tunneling indicators; maintain current YARA and Sigma rules; run regular phishing simulations and targeted awareness training to reduce click‑through rates.
Head Mare’s evolving arsenal is a timely reminder to move from point filtering of attachments to multi‑layered, behavior‑driven defense. Investments in EDR/XDR telemetry, deep content inspection, protocol tunneling controls, and continuous user education materially lower the probability of compromise and accelerate incident response.