Last updated: May 13, 2026 at 5:42 AM UTC
Tag: head-mare (2 articles)

Two pro-Ukraine hacker groups appear to be teaming up to attack Russian companies - sharing servers and tools across phishing and espionage operations

Update on the Head Mare campaign we covered April 28: Kaspersky now reports that BO Team (also known as Black Owl) and Head Mare appear to be coordinating cyber operations against Russian organizations, sharing command-and-control infrastructure on the same compromised hosts. The likely division of labor: Head Mare phishes for initial access, then BO Team takes over for malware deployment. BO Team has shifted from destructive attacks to covert espionage, and in Q1 2026 hit 20 Russian organizations across manufacturing, telecoms, and oil and gas. The group uses BrockenDoor and Remcos backdoors. Earlier BO Team campaigns hit a Russian drone supplier and the federal digital signature authority.

Check
If your organization operates in Russia or has Russian subsidiaries, search proxy logs for BrockenDoor or Remcos C2 infrastructure since January. Hunt phishing emails referencing manufacturing, telecom, or oil and gas subjects with malicious documents.
Affected
Russian organizations across manufacturing, telecoms, and oil and gas - BO Team's Q1 2026 target list. By extension, Russian subsidiaries of Western multinationals operating in these sectors. The pattern of pro-Ukraine hacktivists coordinating with state-aligned operations means defenders cannot treat hacktivist incidents as opportunistic - they may be one stage of a longer espionage operation.
Fix
Block known BrockenDoor and Remcos C2 indicators per Kaspersky's published IoCs. Monitor for the phishing→malware deployment handoff pattern: phishing email landing followed within days by C2 traffic from a different actor. For organizations not in Russia: this is a template for how hacktivist groups in other regional conflicts may coordinate; expect the same pattern in Middle East and APAC tensions.
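The phishing-then-C2 handoff pattern above can be hunted with a simple per-host correlation. This is an added example, not code from the original page or from Kaspersky; the event format, host names and indicator labels are constructed placeholders, and the seven-day window is an assumed default.

```python
"""Correlate phishing-landing events with later C2 traffic on the same host.

Added example for the phishing -> malware deployment handoff described above;
not code from the original page or from Kaspersky. The event format and the
sample records are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, event_type, detail).
# event_type is "phish_landing" (a user opened a malicious document) or
# "c2_beacon" (a proxy log line matched a known C2 indicator).
SAMPLE_EVENTS = [
    ("2026-02-03T09:12:00", "WS-0142", "phish_landing", "invoice_telecom.docx"),
    ("2026-02-06T14:30:00", "WS-0142", "c2_beacon", "remcos-indicator (placeholder)"),
    ("2026-02-10T08:00:00", "WS-0077", "phish_landing", "oilgas_tender.xlsm"),
    ("2026-03-01T11:45:00", "WS-0077", "c2_beacon", "brockendoor-indicator (placeholder)"),
    ("2026-02-12T10:00:00", "WS-0210", "c2_beacon", "remcos-indicator (placeholder)"),
]


def parse(events):
    """Convert ISO timestamps to datetime so events sort chronologically."""
    return [(datetime.fromisoformat(ts), host, kind, detail)
            for ts, host, kind, detail in events]


def find_handoffs(events, window_days=7):
    """Return (host, landing_time, beacon_time, lag_days, beacon_detail) for each
    host where a C2 beacon follows a phishing landing within window_days.

    Beacons with no preceding landing on that host, and landings whose beacon
    arrives after the window, are deliberately not reported here; they need a
    separate, wider hunt rather than being folded into this pattern."""
    landings = {}  # host -> most recent phishing landing time
    hits = []
    for ts, host, kind, detail in sorted(parse(events)):
        if kind == "phish_landing":
            landings[host] = ts
        elif kind == "c2_beacon" and host in landings:
            lag = ts - landings[host]
            if timedelta(0) <= lag <= timedelta(days=window_days):
                hits.append((host, landings[host], ts, lag.days, detail))
    return hits


if __name__ == "__main__":
    for host, landed, beaconed, lag, detail in find_handoffs(SAMPLE_EVENTS):
        print(f"{host}: landing {landed:%Y-%m-%d} -> C2 {beaconed:%Y-%m-%d} "
              f"({lag} days, {detail})")
```

Widening the window (for example to 30 days) surfaces slower handoffs at the cost of more noise; tune it to the dwell times seen in your own incidents.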

Pro-Ukrainian hackers chain three TrueConf bugs to deploy web shells and create rogue admin accounts in Russian networks (CVE chain patched August 2025)

Russian security firm Positive Technologies attributed an ongoing intrusion campaign to PhantomCore, a pro-Ukrainian group also tracked as Head Mare, Rainbow Hyena, and UNG0901. The group is chaining three TrueConf video-conferencing vulnerabilities (patched by the vendor August 27, 2025) to bypass authentication and run commands on TrueConf servers in Russian organizations. After breaking in, they drop a PHP web shell, create a rogue user named 'TrueConf2' with admin rights on the conferencing server, and pivot into the wider network using tools including Velociraptor, Memprocfs, DumpIt, and the custom backdoors MacTunnelRAT and PhantomSscp. The first attacks were observed in mid-September 2025.

Check
Check that every TrueConf Server install in your environment is patched to the August 27, 2025 release or later, and audit user accounts for any named 'TrueConf2' or similar.
Affected
TrueConf Server installations unpatched since August 27, 2025 - any organization that delayed the August update is exposed. Critical infrastructure, defense, and government organizations using TrueConf for offline-capable conferencing are particularly exposed because TrueConf is heavily used in those sectors.
Fix
Update TrueConf Server to the August 27, 2025 release or later. Audit local TrueConf admin accounts for unfamiliar usernames - the rogue 'TrueConf2' account is a defining indicator. Hunt server logs for PHP web shell activity and TrueConf-server outbound connections to unfamiliar domains. PhantomCore typically pivots into the broader network within days.