Head Mare is a hacktivist group that first made itself known in 2023 on the social network X (formerly Twitter). In their public posts, the attackers reveal information about some of their victims, including organization names, internal documents stolen during attacks, and screenshots of desktops and administrative consoles.
By analyzing incidents in Russian companies, Kaspersky researchers identified how Head Mare conducts its attacks, the tools it uses, and established the group’s connection with the PhantomDL malware.
Read more…
Source: Kaspersky
Related:
- UK manufacturers under cyber fire with 80% reporting attacks
April 1, 2026
Nearly 80 percent of British manufacturers say they’ve been hit by a cyber incident in the past year, as new research suggests disruption on the factory floor is no longer an exception but business as usual. According to security outfit ESET, 78 percent of UK manufacturers admit to suffering at least one cyber incident in the ...
- A laughing RAT: CrystalX combines spyware, stealer, and prankware features
April 1, 2026
In March 2026, Kaspersky researchers discovered an active campaign promoting previously unknown malware in private Telegram chats. The Trojan was offered as a MaaS (malware‑as‑a‑service) with three subscription tiers. It caught the researchers attention because of its extensive arsenal of capabilities. On the panel provided to third‑party actors, in addition to the standard features of RAT‑like malware, ...
- Anthropic confirms it leaked 512,000 lines of Claude Code source code — spilling some of its biggest secrets
April 1, 2026
An Anthropic employee accidentally leaked the source code for one of the most popular Artificial Intelligence (AI) assistants out there – Claude Code. Security researcher Chaofan Shou posted on X, saying “Claude Code source code has been leaked via a map file in their npm registry!” The tweet itself was viewed more than 30 million times ...
- Iran targets M365 accounts with password-spraying attacks
March 31, 2026
Suspected Iran-linked threat actors are conducting password-spraying attacks against hundreds of organizations, primarily Middle Eastern municipalities, in campaigns that security researchers believe may have been aimed at supporting bomb-damage assessment following missile strikes. Tel Aviv-based Check Point Research on Tuesday said that the attackers used multiple source IP addresses to target numerous Microsoft 365 accounts, affecting ...
- North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack
March 31, 2026
Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package “axios.” Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named “plain-crypto-js” into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify ...
- Weaponizing the Protectors: TeamPCP’s Multi-Stage Supply Chain Attack on Security Infrastructure
March 31, 2026
Between late February and March 2026, threat group TeamPCP conducted a highly calculated, escalating sequence of supply chain threats. It systematically compromised widely trusted open-source security tools, including the vulnerability scanners Trivy and KICS and the popular AI gateway LiteLLM. The affected software also includes the official Python SDK of Telnyx. These ongoing supply chain attacks ...