BO Team
BO Team is a pro-Ukrainian hacktivist group, also known as Black Owl, Hoody Hyena, and Lifting Zmiy, that has been active since at least early 2024 (January 2024 in some reporting). The group targets Russian organizations and companies, including state-owned entities and sectors such as healthcare, manufacturing, telecommunications, oil and gas, logistics, internet service providers, scientific research, digital-signature services, and industrial environments. Reporting also describes attacks against Russian drone-related organizations and online services associated with Russia’s ruling party.

BO Team has been publicly linked to cooperation with Ukraine’s military intelligence agency HUR/GUR in multiple operations, including attacks against a Russian scientific research center, online services of Russia’s ruling party, the federal digital-signature authority Osnovanie, the logistics company Eltrans+, the ISP Orion Telecom, and the drone supplier Gaskar Group. BO Team has also been reported alongside the Ukrainian Cyber Alliance in destructive operations against Gaskar Group and other industrial environments.

The group commonly gains initial access through targeted phishing emails with malicious attachments, including password-protected RAR archives and files disguised as legitimate documents. Kaspersky reported BO Team phishing campaigns tailored to Russian targets, including insurer- and bank-themed lures and decoy documents themed as internal investigations. BO Team has used living-off-the-land techniques and legitimate remote access tools, and has used RDP and SSH for lateral movement. Malware and tooling associated with BO Team in reporting include BrockenDoor, ZeronetKit, Remcos, DarkGate, Babuk ransomware, Mythic, Cobalt Strike, HandleKatz, NanoDump, AnyDesk, and SDelete. BrockenDoor has been observed as a backdoor delivered via phishing, including a C#-rewritten version that checks for a Russian keyboard layout before execution. In at least one case, BrockenDoor downloaded and installed the Go-based ZeronetKit backdoor, which supports remote shell access, file transfer, and TCP tunneling. Reporting also describes BO Team post-exploitation activity covering sabotage, data theft, persistence, endpoint discovery, LSASS dumping, Active Directory database extraction, backup destruction, file deletion, and extortion.

Reporting indicates BO Team initially emphasized destructive activity but later expanded toward more covert operations, including cyber espionage. Kaspersky reported that BO Team targeted 20 organizations in Q1 2026 and described it as a serious and continuously evolving threat in the Russian cyber threat landscape. Separate reporting described BO Team as a major threat to Russian state institutions and critical infrastructure. BO Team also appears to be coordinating some operations with the group Head Mare against Russian organizations, based on overlapping infrastructure and tools and on both groups’ command-and-control systems being observed on the same compromised host. Kaspersky said the exact nature of the BO Team–Head Mare relationship remains unclear, but suggested a possible division of labor in which Head Mare obtains initial access through phishing and BO Team conducts malware deployment and follow-on operations.
Targeting
Who, where, and (when attributed) which flag flies behind the operation, drawn from open-source reporting and Mallory's analyst review.
Where they target (geographies tied to known operations):
- 🇷🇺 Russia
Tradecraft
18 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Observables
42 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
14 sources tracked across advisories, community write-ups, and news, including:
- Pro-Ukraine hacktivist group conducting attacks against Russian organizations, increasingly shifting from destructive activity to covert cyber espionage and coordinating at least partially with Head Mare.
- Group reported as conducting operations against industrial environments.
- Hacktivist operations, including wiping the networks of Russian ISPs SimStar and Kraft-S.
- Pro-Ukraine hacktivist group claimed participation (with Ukraine GUR) in destructive attacks against Russian logistics infrastructure, including server wiping/data destruction.