PhantomCore

PhantomCore is a custom backdoor used by the threat actor Head Mare and also referenced in reporting on a suspected Ukrainian APT activity cluster. It is also referred to in the provided content as PhantomDL in some reporting. The malware’s primary purpose is to provide attackers with a remote command shell on an infected Windows system. In the February 2026 campaign described in the content, a new PhantomCore variant was delivered to Russian organizations through phishing emails impersonating a scientific research organization and offering a contract. The emails carried password-protected archives containing deceptive .pdf.lnk shortcut files; execution of a shortcut downloaded a PowerShell loader, opened a decoy document, and retrieved a malicious DLL named USOCachedData.txt (MD5: 6EA2912050632ACD186CE790634B6D44), which was in fact a new PhantomCore variant. Persistence was established via PSFactoryBuffer COM hijacking by setting HKCR\CLSID{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32(Default) to $APPDATA\USOShared\USOCachedData.txt. The sample in that campaign was written in C++, used per-string byte-wise XOR obfuscation, and communicated with command-and-control servers using JSON-formatted HTTP POST requests: one request registered the bot with base64-encoded host data including bot ID, hostname, local IP address, and DNS server, and a second request polled for commands using the bot identifier. Observed PhantomCore-related infrastructure in the content includes the download URL hxxps://1cbit-dev[.]com/devices/firmware/beta/update.html, a follow-on payload URL hxxps://defendcore[.]online/download/1.zip, and command-and-control domains cosmetic-shop[.]online, moscow-media[.]online, cheap-market[.]online, and cheap-zone[.]online. In the same intrusion chain, attackers deployed a Golang utility, TemplateMaintenanceHost.exe, via a scheduled task named "Windows Templates Maintenance Task" to launch the built-in Windows ssh.exe client and create reverse tunnels, allowing SOCKS5 proxying and access into the victim’s local network. The campaign reportedly affected several hundred users in Russian government, logistics, financial, and industrial organizations. Separate reporting in the content also links PhantomCore to attacks exploiting NTLM-related phishing techniques against Russian organizations and to an Exchange espionage campaign in which 65 servers across 26 countries were compromised, with about one-third of victims appearing to be government systems; that activity also involved collection of NTLM hashes and deployment of PhantomCore.