Head Mare and Twelve join forces to attack Russian entities
Introduction

In September 2024, a series of attacks targeted Russian companies, revealing indicators of compromise and tactics associated with two hacktivist groups: Head Mare and Twelve. Our investigation showed that Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks used command-and-control (C2) servers that, prior to these incidents, had been linked exclusively to Twelve. This suggests potential collaboration and joint campaigns between the two groups.

The attackers continue to refine their methods, employing both familiar tools from past Head Mare incidents and new PowerShell-based tools. This report analyzes the software and techniques observed in recent Head Mare attacks and how these overlap with Twelve's activities. The focus is on Head Mare's TTPs and their evolution, with notes on commonalities with Twelve's TTPs.

Technical details

Head Mare's toolkit

The attackers used various publicly available tools, including open-source software and leaked proprietary tools, to achieve their goals:

mimikatz
ADRecon
secretsdump
ProcDump
Localtonet
revsocks
ngrok
cloudflared
Gost
fscan
SoftPerfect Network Scanner
mRemoteNG
PSExec
smbexec
wmiexec
LockBit 3.0
Babuk

Some of these tools were mentioned in our previous report on Head Mare, while others were new to their arsenal.

Notable new tools

Among the tools used by Head Mare were some not previously employed by the hacktivists but seen in attacks by other groups. For instance, they used the CobInt backdoor for remote access to domain controllers; before this, CobInt had been observed only in Twelve's attacks on Russian companies. This is a notable fact, suggesting that Twelve and Head Mare may be sharing tools.

In addition to CobInt, the attackers used their own PhantomJitter backdoor, installed on servers for remote command execution. This tool appeared in the group's arsenal in August 2024. We described its modus operandi in a story accessible to the subscribers of our Threat I
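Most of the tools listed above (ProcDump, PsExec, ngrok, mRemoteNG, network scanners) are also used legitimately, so a single process-creation event naming one of them is a weak signal on its own. A more useful defender-side check is to correlate by host: flag a machine on which several distinct tool categories (credential access, discovery, tunneling, lateral movement) appear within a short window, which matches the intrusion flow the report describes. The following Python is an added example, not code from the report or from Kaspersky; the process names, the category assignments and the log lines are constructed assumptions (attackers routinely rename binaries, and SoftPerfect Network Scanner is mapped here by its usual netscan.exe file name), and a real deployment would key on hashes or behaviour rather than file names alone.

```python
"""Correlate process-creation events to spot hosts where several tool
categories from the Head Mare toolkit co-occur within a time window.
Added example; names, categories and sample events are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed file-name stems for the tools named in the report, grouped by
# the role each plays in an intrusion. Substring matching is deliberate
# but crude (catches "psexec64", "mimikatz-x64"); tune for your estate.
TOOL_CATEGORIES = {
    "mimikatz": "credential_access",
    "secretsdump": "credential_access",
    "procdump": "credential_access",
    "adrecon": "discovery",
    "fscan": "discovery",
    "netscan": "discovery",        # SoftPerfect Network Scanner (assumed name)
    "localtonet": "tunneling",
    "revsocks": "tunneling",
    "ngrok": "tunneling",
    "cloudflared": "tunneling",
    "gost": "tunneling",
    "psexec": "lateral_movement",
    "smbexec": "lateral_movement",
    "wmiexec": "lateral_movement",
    "mremoteng": "lateral_movement",
}

# Minimal constructed event format: ISO timestamp, host, image path.
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+image=(?P<image>.+)$")


def classify(image_path):
    """Return the tool category for an image path, or None if unknown."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem = name.rsplit(".", 1)[0] if "." in name else name
    for tool, category in TOOL_CATEGORIES.items():
        if tool in stem:
            return category
    return None


def parse_event(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"], "image": m["image"]}


def correlate(lines, window=timedelta(hours=24), min_categories=3):
    """Return {host: set_of_categories} for hosts where at least
    `min_categories` distinct tool categories appear within `window`."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        category = classify(ev["image"])
        if category:
            per_host[ev["host"]].append((ev["ts"], category, ev["image"]))

    alerts = {}
    for host, events in per_host.items():
        events.sort()  # chronological; tuples sort by timestamp first
        # Slide a window starting at each event and count distinct categories.
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            categories = {e[1] for e in in_window}
            if len(categories) >= min_categories:
                alerts[host] = categories
                break
    return alerts


# Constructed sample: DC01 shows four categories within two hours, WS07
# shows two categories days apart, WS03 shows only benign activity.
SAMPLE_EVENTS = [
    "2024-09-10T08:12:03 host=DC01 image=C:\\Windows\\Temp\\mimikatz.exe",
    "2024-09-10T08:40:11 host=DC01 image=C:\\Windows\\Temp\\ngrok.exe",
    "2024-09-10T09:05:27 host=DC01 image=C:\\Users\\Public\\fscan.exe",
    "2024-09-10T09:30:00 host=DC01 image=C:\\Windows\\PsExec64.exe",
    "2024-09-10T10:00:00 host=WS07 image=C:\\Program Files\\mRemoteNG\\mRemoteNG.exe",
    "2024-09-12T11:00:00 host=WS07 image=C:\\Tools\\ngrok.exe",
    "2024-09-11T12:00:00 host=WS03 image=C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    for host, cats in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {sorted(cats)}")
```

The threshold and window are the tuning knobs: lowering `min_categories` to 2 trades precision for recall, and widening `window` catches slower operators at the cost of more false positives from administrators who legitimately run PsExec and a network scanner in the same week.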