The cyberthreat landscape continues to evolve at a relentless pace, with hacktivist groups exhibiting ever-greater skills in stealth, lateral movement, and persistence. In September 2024, a series of coordinated attacks targeted Russian companies, exposing not just technical overlap between two known threat collectives—Head Mare and Twelve—but also a new level of sophistication in the arsenal and techniques employed. Analysis of these attacks reveals crucial lessons for defenders, notably in the spheres of trusted relationships, supply chain vulnerabilities, and the expansion of compromise vectors beyond traditional phishing exploits.
The Evolving Modus Operandi: Tying Head Mare and Twelve Together
The investigation into the September attacks demonstrated a marked convergence between Head Mare and Twelve, both in toolsets and infrastructure. Historically, Head Mare operated with distinct methods and malware choices. However, the September intrusion waves showed Head Mare heavily relying on utilities, backdoors, and command-and-control (C2) channels previously exclusive to Twelve.

This convergence signals more than mere tool sharing; it suggests at minimum a strategic partnership, if not operational joint ventures. From a defensive standpoint, this is critical: attackers who blend and adapt toolchains can do so to confuse, delay, or evade incident responders who rely on past indicators and group attributions.
The Arsenal: Expanding Reach With New and Old Tools
Both groups deployed a range of publicly available, open-source, and even leaked proprietary security and penetration testing tools. Among the tools identified were:
- Credential Dumpers: mimikatz, secretsdump, ProcDump
- Reconnaissance: ADRecon, fscan, SoftPerfect Network Scanner
- Remote Admin: mRemoteNG, PSExec, smbexec, wmiexec
- Traffic Tunneling and Proxies: Localtonet, revsocks, ngrok, cloudflared, Gost
- Ransomware: LockBit 3.0, Babuk
- Backdoors and Implants: CobInt, PhantomJitter
From a cybersecurity posture point of view, the continual mixing and augmentation of toolsets by adversaries make static, signature-based detection far less reliable. Living-off-the-land binaries (LOLBins) and dual-use IT utilities complicate efforts to distinguish legitimate admin activity from malicious access.
Shifting Initial Access: Beyond Phishing to Supply Chain Weaknesses
Previously, Head Mare’s attack pattern was straightforward: phishing emails with booby-trapped documents or executables. The 2024 campaigns, however, revealed a shift: attackers now actively exploit relationships and trusted access between companies and their contractors. With privileged access to business automation platforms and Remote Desktop Protocol (RDP) systems, compromised contractors became a stealthy entry point.

Additionally, exploitation of unpatched vulnerabilities (notably CVE-2023-38831 in WinRAR and the notorious ProxyLogon exploit for Microsoft Exchange, CVE-2021-26855) remains a staple of their campaign. The ProxyLogon vulnerability is especially worrisome: despite being patched for years, it remains highly effective against organizations running legacy systems like Windows Server 2012 R2 or Exchange Server 2016.
This highlights a persistent, industry-wide Achilles heel: slow or incomplete patching of business-critical platforms that cannot be easily updated due to dependencies, operational inertia, or lack of resources. For attackers, these systems present a perennial soft target.
Persistence Redefined: Moving Beyond Scheduled Tasks
Establishing beachheads remains a core tactic for sustained attacks. Where Head Mare previously relied on scheduled tasks, the group now creates privileged local accounts on compromised servers, particularly business automation platforms. These accounts are used to transfer and run malicious tools interactively via RDP.

Persistence is further reinforced by deploying tunneling tools like Localtonet, which are installed to run continuously as services through tools such as Non-Sucking Service Manager (NSSM). By doing so, Head Mare ensures that remote access is persistent, resilient, and trivial to restart—a model mirroring legitimate service management best practices.
Again, a notable defense challenge emerges: attackers’ use of mainstream admin tools and service managers blurs the line between routine operations and compromise, impacting the efficacy of automated anomaly detection and alerting systems.
Anti-Detection: Masquerading, Cleansing, and Operating Under the Radar
In their attempts to remain invisible, Head Mare has evolved anti-detection methodologies. Their masquerading techniques involve renaming utility executables to mimic legitimate system files. For example, files like rclone (commonly associated with data exfiltration) are dropped as wusa.exe in C:\ProgramData, and tunnelers like cloudflared become winuac.exe in C:\Windows\System32. In one observed case, the ubiquitous Windows command prompt (cmd.exe) was renamed and relocated. Additionally, attackers proactively remove evidence of their presence—uninstalling services, wiping system and event logs and PowerShell command history, and deleting artifacts upon completion of attacks.

Such operational security on the part of threat actors increases the likelihood of “silent infections”—compromises that are either undetected for extended periods or leave incident responders with few forensic breadcrumbs for post-attack investigations.
Command-and-Control: Adaptive, Distributed, and Hard to Block
Head Mare’s evolving C2 approach involves both custom backdoors (PhantomJitter) and shared tools (CobInt), alongside a distributed and redundant web of IP addresses and domains. Download locations for payloads, such as PhantomJitter and cloudflared, rotate regularly and use both direct IP access and compromised or attacker-owned domains.

C2 architectures are further strengthened via tunneling utilities like cloudflared and Gost, which can circumvent NAT firewalls and provide secure channels by leveraging infrastructure under attackers’ control, including Cloudflare’s global network. These tunnels obscure malicious traffic, presenting as legitimate outbound connections, and facilitate flexible, on-demand command delivery.
Automation at Scale: PowerShell Script Sophistication
A standout aspect of recent attacks is the deployment of highly automated, multipurpose PowerShell scripts. One such script—proxy.ps1—handles end-to-end setup for network pivoting:
- Downloads and installs tunneling tools (cloudflared, Gost)
- Installs these tools as Windows services using familiar service names to masquerade as legitimate
- Facilitates remote or local extraction of downloaded archives
- Provides complete uninstall capabilities to cover tracks
- Configures and launches services with specific parameters, storing all executables and configuration files in high-trust directories like System32
Living-off-the-Land: Blending In With Legitimate Network Traffic
To maximize stealth, the attackers launched familiar reconnaissance utilities and post-exploitation tools. For host and network mapping, tools like fscan and SoftPerfect Network Scanner were joined by ADRecon, which the group had not previously employed. ADRecon harvested Active Directory configuration data across multiple domains—giving attackers detailed blueprints of privileged accounts, domain trusts, and nested group memberships.

The adversaries’ focus on credential access included classic dumping utilities (mimikatz, secretsdump) as well as custom Go-based tools that extract highly sensitive NTDS and SYSTEM/SECURITY registry hives. The latter can grant near-total control of a compromised domain, underlining the catastrophic implications of attackers gaining even brief domain admin-level access.
Privilege Escalation: Leveraging Inherent System Trust
The pivot from traditional privilege escalation exploits to abuse of legitimate business automation software demonstrates a shrewd understanding of enterprise IT environments. By leveraging the inherent administrative rights of such platforms—often granted broad permissions for functional reasons—attackers executed commands and created privileged accounts without tripping red flags commonly associated with privilege escalation exploits.

Moreover, attackers used this foothold to automate the spread of malicious command interpreters and launch PowerShell one-liners that pulled additional payloads from attacker-controlled infrastructure. These routines are executed under local or domain administrator context, further entrenching the attackers’ hold.
A Double-Edged Sword: Dual-Use Tools and Service Installation
A double risk comes from the use of widely available dual-use software. Tools like Localtonet, Gost, and ngrok are all legitimate remote connectivity and traffic tunneling solutions frequently used in IT troubleshooting and network development. This duality means that whitelisting by hash or even by process name often fails, and blocking these applications outright may cripple business processes reliant on remote operations—especially in a hybridized, post-pandemic office environment.

Furthermore, the attackers’ routine use of service managers to run their tools as persistent background services—masquerading as system or update processes—illustrates the necessity for defenders to baseline “normal” service installation and be relentlessly vigilant for new, unexplained services or executables in sensitive directories.
Exfiltration and Ransomware: The Final Stage
Amidst network reconnaissance and credential harvesting, exfiltration of sensitive data remains a core objective. Attackers routed stolen data through proxies and tunnels, making attribution and containment complex. Ransomware variants like LockBit 3.0 and Babuk were deployed, often as the final blow—encrypting files after stealthy exfiltration.

Of note: these ransomware payloads come equipped with built-in scripts for log wiping and system cleansing. This ensures that by the time system administrators realize an incident has occurred, opportunities for meaningful forensic analysis have all but vanished.
Defensive Learnings: Raising the Bar for Resilience
These campaigns underscore several action points for defenders seeking to harden Windows environments against such advanced threats:
- Patch Management: Organizations must prioritize not merely critical, but all published security updates, especially for externally facing servers. Legacy platform risk needs direct executive assessment—if you’re running out-of-support systems, you’re courting disaster.
- Least Privilege: Business automation and IT management software should be sandboxed to the greatest degree possible, with separate, tightly controlled admin accounts.
- Tool Egress Monitoring: All anomalous service creations, particularly those matching known dual-use tunneling tools, should trigger security reviews. Service names and executable locations deserve special scrutiny.
- Zero Trust: Audit access granted via contractors or partners, deploy monitoring for unusual remote connections, and test your detection and response to “living-off-the-land” scenarios where standard admin tools are used maliciously.
- Enhanced Logging: Mandate immutable or remote log storage, since attackers actively wipe event and system logs on compromised machines. Consider endpoint detection solutions with memory and behavioral analytics, not just file- or signature-based detection.
- Supply Chain Assessment: Don’t neglect vendor and contractor risk—attackers are increasingly using supply chain relationships as their entry point.
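The persistence, masquerading and dual-use-tool sections above, together with the Tool Egress Monitoring item, all point at the same detection opportunity: reviewing every new service installation (Windows System log Event ID 7045) for binaries in staging directories, NSSM-wrapped tunnelers, and system-binary names such as wusa.exe living outside System32. The following triage routine is an added example written for this summary, not code from the Securelist report; the System32 baseline, the sample events and the service names in them are constructed.

```python
"""Triage constructed Windows System log Event ID 7045 (service installed)
records for the patterns this article describes: dual-use tunnelers wrapped
by NSSM, binaries dropped in ProgramData, and system-binary name collisions."""
import re
from pathlib import PureWindowsPath

# Dual-use tunnelers and the service wrapper named in the article.
DUAL_USE = {"cloudflared", "gost", "localtonet", "ngrok", "revsocks", "nssm"}
# Real Windows binaries whose names get borrowed; all of them live in System32.
SYSTEM_NAMES = {"wusa.exe", "cmd.exe", "svchost.exe", "lsass.exe", "wuauclt.exe"}
# Constructed baseline of service binaries expected in System32. A real
# deployment derives this from a golden image or software inventory.
SYSTEM32_BASELINE = {"svchost.exe", "spoolsv.exe", "msiexec.exe"}
# Directories a service binary should never be installed from.
STAGING_DIRS = ("c:\\programdata", "c:\\users", "c:\\windows\\temp", "c:\\temp")
SYSTEM32 = "c:\\windows\\system32"

def image_executable(image_path: str) -> PureWindowsPath:
    """Strip quotes and arguments from a 7045 ImagePath, keeping the executable."""
    m = re.match(r'^"?([^"]+?\.exe)', image_path, re.IGNORECASE)
    return PureWindowsPath(m.group(1) if m else image_path.split()[0])

def triage_service_install(event: dict) -> list[str]:
    """Return the reasons a service-installed event deserves review (empty = none)."""
    exe = image_executable(event["ImagePath"])
    name, parent = exe.name.lower(), str(exe.parent).lower()
    reasons = []
    if parent.startswith(STAGING_DIRS):
        reasons.append(f"binary in staging directory {exe.parent}")
    if exe.stem.lower() in DUAL_USE:
        reasons.append(f"dual-use tunneler or wrapper {exe.name}")
    if name in SYSTEM_NAMES and parent != SYSTEM32:
        reasons.append(f"{exe.name} masquerades as a system binary outside System32")
    if parent == SYSTEM32 and name not in SYSTEM32_BASELINE:
        reasons.append(f"unknown binary {exe.name} installed from System32")
    return reasons

def triage_all(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged ServiceName to its review reasons."""
    return {e["ServiceName"]: r for e in events if (r := triage_service_install(e))}

# Constructed 7045 records modelled on the behaviour the article describes.
SAMPLE_EVENTS = [
    {"ServiceName": "WindowsUpdateSvc",
     "ImagePath": '"C:\\ProgramData\\wusa.exe" --config C:\\ProgramData\\r.conf'},
    {"ServiceName": "WinUAC", "ImagePath": "C:\\Windows\\System32\\nssm.exe"},
    {"ServiceName": "WinUACHelper", "ImagePath": "C:\\Windows\\System32\\winuac.exe tunnel run"},
    {"ServiceName": "VendorAgent", "ImagePath": "C:\\Program Files\\Vendor Agent\\agent.exe /svc"},
]

if __name__ == "__main__":
    for svc, why in triage_all(SAMPLE_EVENTS).items():
        print(svc, "->", "; ".join(why))
```

Only the vendor agent installed from Program Files passes clean; the other three records are flagged for review, each with the specific rule that fired, so an analyst can see at a glance whether a new service is a staging-directory drop, a wrapped tunneler, or an unknown binary in a trusted path.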
The Road Ahead: Weaponized Collaboration Among Threat Groups
The September attacks against Russian enterprises are a stark warning. Hacktivist groups, emboldened by alliances and armed with automation, now operate at a technical level comparable to sophisticated criminal or advanced persistent threat actors. Their ability to blend established and new tools, co-opt legitimate IT utilities, and automate persistence and lateral movement makes them more dangerous—and harder to evict—than ever.

Organizations should take heed: robust cyber resilience demands more than just “best practices.” It requires readiness for adversaries who collaborate, experiment, and iterate their TTPs (tactics, techniques, and procedures) with a ruthlessness once reserved for state-sponsored campaigns.
As the barriers between hacktivist agendas and financially or politically motivated cybercrime fade, the days of thinking in terms of isolated threat groups are over. Defensive strategies must evolve to face a more interconnected, adaptive, and resourceful adversary ecosystem—one that leverages the Windows platform not merely as a target, but as a toolkit for persistent, invisible, and devastating compromise.
Source: securelist.com, “Head Mare and Twelve: Joint attacks on Russian entities”