BrockenDoor
BrockenDoor is a backdoor malware family used in phishing-led intrusions targeting Russian organizations. It has been linked in the provided reporting to BO Team (also known as Black Owl, Hoody Hyena, and Lifting Zmiy), a pro-Ukraine hacktivist group active since at least early 2024, and has been observed alongside other malware including Remcos and DarkGate. Initial access is typically achieved through targeted phishing emails with malicious attachments, including password-protected RAR archives and executables disguised as legitimate documents, sometimes using Unicode right-to-left override filename masquerading or PDF icons and spacing to conceal the .exe extension.
Researchers described BrockenDoor as a previously unknown backdoor and later observed an updated version rewritten in C#. In the 2025 BO Team campaign, the rewritten variant would only execute if a Russian keyboard layout was present. Earlier analyzed samples stored the main code in the resource section and encrypted it with XOR using the key d=k,j:Z:M<-JLa+.~kX,gTemp. BrockenDoor communicates with command-and-control infrastructure over port 6180 in at least one documented variant, attempting to contact wmiadap[.]cfd or wmiadap[.]sbs. After connecting, it profiles the victim by sending the victim identifier, username, computer name, OS version, network adapter information, running processes, and a desktop file listing.
Documented BrockenDoor capabilities include changing its polling interval, writing and executing files received from C2, self-deletion, and executing commands via cmd.exe or PowerShell. In the newer C# rewrite, abbreviated commands replaced earlier names, including spi for polling interval changes, rp for creating and launching a received file, sd for delayed self-destruction via PowerShell, and ec for command execution through cmd.exe or PowerShell; rl was declared but not implemented at the time of analysis.
BrockenDoor has also been used as a delivery mechanism for follow-on payloads. In one observed case, it downloaded and executed an updated ZeronetKit backdoor and was used to copy that payload into the Windows Startup folder because ZeronetKit could not establish persistence on its own. On at least one infected host in an earlier campaign, attackers used PowerShell to download and execute the Tuoni post-exploitation tool via rundll32.
High-confidence indicators mentioned in the content include MD5 a8e35c05fd6324119b719aca8ab85f57 for one BrockenDoor sample; the masqueraded filename Scan_Kartochka_[CompanyName]_annfdp.exe; C2 domains wmiadap[.]cfd and wmiadap[.]sbs over port 6180; and, in the 2025 campaign context, delivery via a password-protected archive named Приказ_протокол.rar.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
В ходе анализа мы обнаружили, что BO Team обновила свой инструментарий: теперь атакующие рассылают новую версию бэкдора BrockenDoor, переписанную на C#, а также используют его для установки обновленной версии бэкдора ZeronetKit.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniquesВ новой кампании, зафиксированной в сентябре 2025 года, группировка BO Team продолжает использовать фишинговые письма для заражения пользователей.
The attackers typically use targeted phishing emails with malicious files disguised as legitimate documents to gain initial access, and deploy backdoors such as BrockenDoor, as well as other malware including Remcos and DarkGate.
Execution
3 techniquesКоманда exec_command Выполнить команду, используя интерпретатор командной строки... cmd.exe /C $command ... powershell.exe -noprofile –command "$command"
Удалить себя через команду: powershell.exe Start-Sleep 5; Remove-Item «$selfname» -Force
Команда ec ... cm (ранее cmd ): выполнить команду cmd.exe /C $command
Persistence
1 techniqueZeronetKit не способен самостоятельно закрепляться в зараженной системе, поэтому злоумышленники при помощи BrockenDoor копируют скачанный бэкдор в автозагрузку. "cmd.exe" / C copy "$appdata\Microsoft\msfch.exe" "%APPDATA%\Microsoft\Windows\Start Menu\Programs\startup"
Privilege Escalation
1 techniqueZeronetKit не способен самостоятельно закрепляться в зараженной системе, поэтому злоумышленники при помощи BrockenDoor копируют скачанный бэкдор в автозагрузку. "cmd.exe" / C copy "$appdata\Microsoft\msfch.exe" "%APPDATA%\Microsoft\Windows\Start Menu\Programs\startup"
Stealth
1 techniqueВнутри архива содержится исполняемый файл с иконкой PDF-файла и расширением .exe , отделенным от имени файла большим количеством пробелов — таким образом, в проводнике содержимое архива выглядит как вполне легитимный документ.
Discovery
6 techniquesбэкдор отправляет на сервер... информацию об установленных сетевых адаптерах
бэкдор отправляет на сервер свой идентификатор, имена пользователя и компьютера
бэкдор отправляет на сервер... список запущенных процессов
бэкдор отправляет на сервер... версию операционной системы
бэкдор отправляет на сервер... список файлов, найденных на рабочем столе пользователя
В отличие от образцов из предыдущих кампаний, новая версия вредоносного файла не запустится, если в системе не установлена русская раскладка клавиатуры.
Collection
2 techniquesво вредоносном архиве лежал только один исполняемый файл... в архивах находились карточка предприятия... PDF... а также LNK-файл
Вложенный RAR-архив с именем Приказ_протокол.rar был защищен паролем для предотвращения автоматического сканирования антивирусом, при этом пароль предположительно указан в теле письма.
Command and Control
2 techniquesВ одном из случаев в качестве полезной нагрузки BrockenDoor загружал и выполнял ZeronetKit.
Remcos (Remote Control & Surveillance) — это вредоносное программное обеспечение класса троянских программ удаленного доступа (RAT).
IOCs tracked for this family
27 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A backdoor deployed by BO Team after phishing-based initial access to expand access and conduct further operations.
Used alongside ZeronetKit; copies the downloaded ZeronetKit backdoor to startup to provide persistence.
Backdoor used by BO Team in phishing campaigns against Russian companies. The newer version was rewritten in C#, shows a lure document, checks for a Russian keyboard layout before execution, polls C2 for commands, can execute programs and shell commands, self-delete, and is used to download/install ZeronetKit and copy it into startup for persistence.
Backdoor malware used by BO Team for remote access and control of compromised systems.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.