A pro-Ukrainian hacktivist group known as BO Team, also operating under aliases such as Black Owl, Lifting Zmiy, and Hoody Hyena, has emerged as a formidable threat to Russian organizations in 2025.
This group, which publicly declared its intentions via a Telegram channel in early 2024, has been implicated in a series of devastating cyberattacks targeting critical industries including government, technology, telecommunications, and manufacturing sectors.
Emerging Threat in the Cyber Landscape
According to the Report, Kaspersky Lab’s telemetry confirms that all detected indicators of compromise (IOCs) related to Black Owl are localized to Russia, underscoring a geographically focused campaign aimed at causing maximum infrastructural damage while pursuing financial extortion.
.png
)
Black Owl employs a meticulously crafted attack chain, beginning with spear phishing campaigns featuring malicious attachments designed to install backdoors like DarkGate, Remcos, and Broken Door.
These phishing emails, often disguised as legitimate correspondence from companies in automation or energy sectors, leverage social engineering tactics to trick victims into executing payloads.
Once inside, the group uses tools like SDelete for data destruction and Babuk ransomware for encryption, demanding substantial ransoms to restore access.
Their use of Living off the Land (LotL) techniques utilizing built-in Windows tools like PowerShell and wmic.exe along with custom starters like av_scan.exe for launching destructive utilities, highlights a high degree of technical sophistication.
Sophisticated Attack Chain
Additionally, Black Owl’s persistence mechanisms, such as creating scheduled tasks disguised as legitimate updates like “MicrosoftEdgeUpdate,” ensure prolonged access to compromised systems.
Their operations also include credential theft via LSASS dumps and Active Directory database extraction using tools like HandleKatz and ntdsutil, enabling lateral movement through RDP and SSH protocols within networks.
Unlike other hacktivist groups that prioritize rapid data theft or destruction, Black Owl’s attacks can span months, indicating a strategic approach to maximizing both disruption and financial gain.
This prolonged timeline, coupled with destruirve actions like deleting backup files and shadow copies via vssadmin.exe, leaves victims with little recourse but to meet ransom demands.
Their motivations appear dual-fold: ideological alignment with the pro-Ukrainian cause in the context of the Russian-Ukrainian conflict, and financial profiteering through ransomware payments.
While their public rhetoric on Telegram serves as psychological warfare and media positioning, Kaspersky researchers note that Black Owl operates with significant autonomy, employing unique tools and tactics not commonly seen among other pro-Ukrainian hacktivist clusters.
This independence, alongside minimal evidence of coordination with other groups, positions Black Owl as a uniquely dangerous actor in the current cyber threat landscape.
Organizations are urged to update software, maintain regular backups, and deploy comprehensive security solutions to counter this evolving threat.
Indicators of Compromise (IOCs)
| Category | Description | Example |
|---|---|---|
| Broken Door | Malicious executable filenames | scan_kartochka_[company_name]_annꬵdp.exe |
| DarkGate | Malicious executable filenames | scan_tz_site_[company_name]_annꬵdp.exe |
| SDelete Runner | Custom starter for data deletion | av_scan.exe (MD5: 5aac8f8629ea001029b18f99eead9477) |
| Network Infrastructure | Command and Control (C2) domains | wmiadap[.]xyz, invuln[.]xyz |
| IP Addresses | Attacker-controlled IPs | 194.87.252[.]171, 193.124.33[.]172 |
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
