{ "type": "Domain", "indicator": "analytisec.space", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/analytisec.space", "alexa": "http://www.alexa.com/siteinfo/analytisec.space", "indicator": "analytisec.space", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4212129467, "indicator": "analytisec.space", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69f340364397310a3917b55d", "name": "Hiding in plain sight: How PhantomCore disguises its activity with legitimate tools", "description": "PhantomCore, a prolific cyber threat actor group active in the Russian cyber landscape, has increasingly targeted TrueConf video conferencing servers since September 2025. They exploit a series of vulnerabilities in TrueConf to gain initial access, specifically vulnerabilities associated with remote command execution. To cover their tracks and maintain persistence within compromised networks, they employ a toolkit of modified open-source utilities, including their proprietary tools such as MacTunnelRAT and PhantomSscp, which facilitate the creation of reverse SSH tunnels and tunneling traffic.", "modified": "2026-05-30T11:33:05.564000", "created": "2026-04-30T11:42:46.807000", "tags": [ "phantomcore", "pt esc", "lockbit", "positive", "trueconf", "rsocx", "phantomsscp", "mactunnelrat", "ps.phatnomlatch", "win64.phantomsscp", "win32.lolbin.a", "generic.b", "generic.a" ], "references": [ "https://ptsecurity.com/research/pt-esc-threat-intelligence/hiding-in-plain-sight-how-phantomcore-masks-its-activity-with-legitimate-tools/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PS.PhatnomLatch", "display_name": "PS.PhatnomLatch", "target": null }, { "id": "Win64.PhantomSscp", "display_name": "Win64.PhantomSscp", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "URL": 8, "domain": 28 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "20 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f296e6f8d22e6594cd87c2", "name": "dfhbdfhbfth", "description": "", "modified": "2026-05-29T23:35:16.304000", "created": "2026-04-29T23:40:22.053000", "tags": [ "eio4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 95, "FileHash-MD5": 47, "FileHash-SHA1": 42, "FileHash-SHA256": 149, "URL": 1251, "hostname": 783 }, "indicator_count": 2367, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f29701e8ef05a0558464d1", "name": "dfhbdfhbfth", "description": "", "modified": "2026-05-29T23:35:16.304000", "created": "2026-04-29T23:40:49.785000", "tags": [ "eio4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 95, "FileHash-MD5": 47, "FileHash-SHA1": 42, "FileHash-SHA256": 149, "URL": 1251, "hostname": 783 }, "indicator_count": 2367, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69979ddcdbba1952fb51a3de", "name": "EbeeFeb2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-21T23:07:14.518000", "created": "2026-02-19T23:33:48.858000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20261281 cve", "uxxxxxx" ], "references": [ "IOCs2.csv" ], "public": 1, "adversary": "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "CVE": 7, "FileHash-MD5": 193, "FileHash-SHA1": 148, "FileHash-SHA256": 205, "domain": 203, "hostname": 63 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "70 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699333741cad45bac3386ab6", "name": "Into the heart of it: taking apart the new Head Mare toolkit", "description": "The Head Mare group has significantly ramped up malicious activities targeting Russian organizations, particularly noticeable in late 2025 and early 2026. This surge in cyber threats is characterized by specific infrastructure use, attack tactics, and distinctive code features that connect these activities to the pro-Ukrainian stance of the group.\n\nA key element of the toolkit utilized by Head Mare is the PhantomHeart PowerShell backdoor, which establishes a remote access channel through HTTP communication with a Command and Control (C2) server. This backdoor can also deploy an SSH tunnel upon the operator's request. During its initialization, PhantomHeart creates a victim identifier (clientId) based on the MAC address of the compromised system's wired network adapter. This identifier facilitates ongoing communication with the C2 server and ensures that the backdoor configuration remains specific to the targeted host, enhancing the stealth and persistence of the malware.", "modified": "2026-03-18T15:24:09.499000", "created": "2026-02-16T15:10:44.480000", "tags": [ "head mare", "powershell", "head", "mare", "phantomheart", "windows", "bdu202510114", "http", "post", "system", "litemanager", "mimikatz" ], "references": [ "https://securelist.ru/head-mare-phantomheart-and-phantomproxylite/114753/" ], "public": 1, "adversary": "Head Mare", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 26, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 19 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://securelist.ru/head-mare-phantomheart-and-phantomproxylite/114753/", "https://ptsecurity.com/research/pt-esc-threat-intelligence/hiding-in-plain-sight-how-phantomcore-masks-its-activity-with-legitimate-tools/", "IOCs2.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R", "Head Mare" ], "malware_families": [ "Ps.phatnomlatch", "Win64.phantomsscp" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69f340364397310a3917b55d", "name": "Hiding in plain sight: How PhantomCore disguises its activity with legitimate tools", "description": "PhantomCore, a prolific cyber threat actor group active in the Russian cyber landscape, has increasingly targeted TrueConf video conferencing servers since September 2025. They exploit a series of vulnerabilities in TrueConf to gain initial access, specifically vulnerabilities associated with remote command execution. To cover their tracks and maintain persistence within compromised networks, they employ a toolkit of modified open-source utilities, including their proprietary tools such as MacTunnelRAT and PhantomSscp, which facilitate the creation of reverse SSH tunnels and tunneling traffic.", "modified": "2026-05-30T11:33:05.564000", "created": "2026-04-30T11:42:46.807000", "tags": [ "phantomcore", "pt esc", "lockbit", "positive", "trueconf", "rsocx", "phantomsscp", "mactunnelrat", "ps.phatnomlatch", "win64.phantomsscp", "win32.lolbin.a", "generic.b", "generic.a" ], "references": [ "https://ptsecurity.com/research/pt-esc-threat-intelligence/hiding-in-plain-sight-how-phantomcore-masks-its-activity-with-legitimate-tools/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PS.PhatnomLatch", "display_name": "PS.PhatnomLatch", "target": null }, { "id": "Win64.PhantomSscp", "display_name": "Win64.PhantomSscp", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "URL": 8, "domain": 28 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "20 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f296e6f8d22e6594cd87c2", "name": "dfhbdfhbfth", "description": "", "modified": "2026-05-29T23:35:16.304000", "created": "2026-04-29T23:40:22.053000", "tags": [ "eio4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 95, "FileHash-MD5": 47, "FileHash-SHA1": 42, "FileHash-SHA256": 149, "URL": 1251, "hostname": 783 }, "indicator_count": 2367, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f29701e8ef05a0558464d1", "name": "dfhbdfhbfth", "description": "", "modified": "2026-05-29T23:35:16.304000", "created": "2026-04-29T23:40:49.785000", "tags": [ "eio4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 95, "FileHash-MD5": 47, "FileHash-SHA1": 42, "FileHash-SHA256": 149, "URL": 1251, "hostname": 783 }, "indicator_count": 2367, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69979ddcdbba1952fb51a3de", "name": "EbeeFeb2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-21T23:07:14.518000", "created": "2026-02-19T23:33:48.858000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20261281 cve", "uxxxxxx" ], "references": [ "IOCs2.csv" ], "public": 1, "adversary": "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "CVE": 7, "FileHash-MD5": 193, "FileHash-SHA1": 148, "FileHash-SHA256": 205, "domain": 203, "hostname": 63 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "70 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699333741cad45bac3386ab6", "name": "Into the heart of it: taking apart the new Head Mare toolkit", "description": "The Head Mare group has significantly ramped up malicious activities targeting Russian organizations, particularly noticeable in late 2025 and early 2026. This surge in cyber threats is characterized by specific infrastructure use, attack tactics, and distinctive code features that connect these activities to the pro-Ukrainian stance of the group.\n\nA key element of the toolkit utilized by Head Mare is the PhantomHeart PowerShell backdoor, which establishes a remote access channel through HTTP communication with a Command and Control (C2) server. This backdoor can also deploy an SSH tunnel upon the operator's request. During its initialization, PhantomHeart creates a victim identifier (clientId) based on the MAC address of the compromised system's wired network adapter. This identifier facilitates ongoing communication with the C2 server and ensures that the backdoor configuration remains specific to the targeted host, enhancing the stealth and persistence of the malware.", "modified": "2026-03-18T15:24:09.499000", "created": "2026-02-16T15:10:44.480000", "tags": [ "head mare", "powershell", "head", "mare", "phantomheart", "windows", "bdu202510114", "http", "post", "system", "litemanager", "mimikatz" ], "references": [ "https://securelist.ru/head-mare-phantomheart-and-phantomproxylite/114753/" ], "public": 1, "adversary": "Head Mare", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 26, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 19 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "analytisec.space", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "analytisec.space", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780215872.057701 }