Head Mare Group Deploys New Tools in Attacks on Enterprises in Russia and Belarus

Kaspersky Lab researchers have uncovered a fresh wave of attacks by the Head Mare group targeting companies in Russia and Belarus. The hackers continue to refine their methods for gaining initial access and maintaining persistence in compromised systems.

Expanded Arsenal

Unlike earlier campaigns in March 2025, which relied on a single backdoor, the latest attacks in the summer of 2025 involved a chain of multiple backdoors. The group deployed PhantomRemote, PhantomCSLoader, and PhantomSAgent malware, and in some cases also established SSH tunnels to secure remote access to victim infrastructure.

This layered approach suggests the attackers hoped that even if one backdoor was detected and removed, others would remain active and maintain access.

Initial Access

Head Mare operations continue to begin with phishing campaigns. The most recent emails carried attachments embedded with the PhantomRemote backdoor, which enables remote command execution on infected devices. To avoid detection, the attackers used a polyglot technique—combining multiple file formats into a single attachment without breaking functionality.
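A polyglot attachment is one byte stream that parses as two formats at once, typically a benign-looking header followed by a second format the mail filter never looks at. The triage helper below is an added example (not code from the article or from Kaspersky) that flags an attachment as a polyglot candidate when a second file signature appears after the header; the signature table, the allowlist of normal nesting, and the sample byte strings are all constructed for illustration, and a hit is a reason to sandbox the file, not a verdict on its own.

```python
"""Triage helper: flag attachments whose bytes carry more than one
file-format signature, the shape a polyglot attachment takes.

Added example, not part of the original article or of any vendor tooling.
The signature list, the nesting allowlist and the sample bytes are
constructed for illustration.
"""
from __future__ import annotations

# Magic bytes checked at offset 0 to decide what the file claims to be.
HEADER_MAGIC: dict[str, bytes] = {
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",          # also OOXML (.docx/.xlsx) and JAR
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "ole2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # legacy .doc/.xls
    "rar": b"Rar!\x1a\x07",
    "7z": b"7z\xbc\xaf\x27\x1c",
    "pe": b"MZ",
    "elf": b"\x7fELF",
}

# Signatures searched for anywhere after the header. "MZ" is deliberately
# left out: a two-byte pattern turns up by chance in any large file, so a
# PE body hidden inside another format is left to a dedicated parser.
EMBEDDED_MAGIC: dict[str, bytes] = {
    name: magic for name, magic in HEADER_MAGIC.items() if name != "pe"
}
# ZIP end-of-central-directory record. Archive tools open a ZIP appended to
# the tail of another file, so the trailer deserves its own check.
EMBEDDED_MAGIC["zip-eocd"] = b"PK\x05\x06"

# Nesting that is normal for well-formed files and should not raise a flag.
EXPECTED_NESTING: set[tuple[str, str]] = {
    ("pdf", "jpeg"),      # images embedded in a PDF
    ("pdf", "png"),
    ("zip", "zip"),       # every archive entry starts with a local header
    ("zip", "zip-eocd"),  # every ZIP ends with an EOCD record
    ("zip", "png"),       # OOXML documents are ZIPs carrying media
    ("zip", "jpeg"),
    ("jpeg", "jpeg"),     # EXIF thumbnails are nested JPEGs
}


def identify_header(data: bytes) -> str | None:
    """Return the format name whose magic sits at offset 0, if any."""
    for name, magic in HEADER_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def find_embedded(data: bytes, start: int = 1) -> list[tuple[str, int]]:
    """Every occurrence of a known signature at or after `start`, by offset."""
    hits: list[tuple[str, int]] = []
    for name, magic in EMBEDDED_MAGIC.items():
        pos = data.find(magic, start)
        while pos != -1:
            hits.append((name, pos))
            pos = data.find(magic, pos + 1)
    return sorted(hits, key=lambda hit: hit[1])


def polyglot_findings(data: bytes) -> dict:
    """Summarise what the file claims to be and which extra signatures
    are not explained by normal nesting for that header type."""
    header = identify_header(data)
    embedded = find_embedded(data)
    unexpected = [
        (name, off) for name, off in embedded
        if (header, name) not in EXPECTED_NESTING
    ]
    return {
        "header": header,
        "embedded": embedded,
        "unexpected": unexpected,
        "suspicious": bool(unexpected),
    }


# Constructed samples (not real files or malware): a minimal PDF-looking blob,
# and the same blob with a ZIP local-file header and EOCD record appended,
# which is the structural shape a PDF/ZIP polyglot has.
CLEAN_PDF = b"%PDF-1.7\n1 0 obj<<>>endobj\n%%EOF\n"
PDF_WITH_TRAILING_ZIP = (
    CLEAN_PDF + b"PK\x03\x04" + b"\x00" * 26 + b"PK\x05\x06" + b"\x00" * 18
)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PDF), ("trailing-zip", PDF_WITH_TRAILING_ZIP)):
        print(label, polyglot_findings(blob))
```

Run it over real attachments by reading the file bytes and passing them to `polyglot_findings`; extend `EXPECTED_NESTING` as your own corpus shows what legitimate containers in your environment normally embed, since the allowlist decides how noisy the flag is.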

Persistence Techniques

Beyond the initial infection, the group relied on additional malware to ensure long-term control. PhantomCSLoader and PhantomSAgent were deployed as part of a chained persistence model. These backdoors, written in PowerShell, C++, and C#, differ in technical implementation but share a similar communication model with their command-and-control (C2) servers. This redundancy ensures that if one component is detected, others can continue operating undisturbed.

Organizational Structure

Kaspersky researchers suggest that the group’s evolving toolkit may point to activity by one or more subgroups. These subgroups appear to pursue the same overarching objectives and rely on overlapping toolsets, but show slight differences in their operational styles.