In February 2026, a campaign attributed to the Head Mare group began targeting educational and scientific institutions, alongside organizations in the energy sector across Russia. This malicious activity was active since at least December 2025, utilizing an attack vector that involved deceptive video conference invitations. Victims who clicked on the invitation links were instructed to install a service to join the video call, which inadvertently led to the installation of a new backdoor identified as PhantomPxPigeon on their systems.