Pro-Ukraine Hacktivists Join Forces
A recent report by Kaspersky reveals that pro-Ukraine hacktivist group BO Team is coordinating its cyber operations with another group, Head Mare, in attacks targeting Russian organizations. Researchers identified overlapping infrastructure and tools used by both groups, suggesting some level of coordination.
BO Team, also known as Black Owl, has been known to operate autonomously, with its own resources and approaches to deploying malicious tools. However, the new report suggests that the group may be working together with Head Mare, which has its own custom malware and exploits newly disclosed vulnerabilities in phishing campaigns.
Background on BO Team
BO Team first surfaced in early 2024 via a Telegram channel and has since positioned itself alongside other pro-Ukraine hacktivist groups. The group has expanded its capabilities over the past year, shifting from primarily destructive attacks toward more covert operations, including cyber espionage.
In the first quarter of 2026, BO Team targeted 20 organizations, according to Kaspersky, shifting its focus from healthcare entities to companies in manufacturing, telecommunications, and the oil and gas sector. The attackers typically use targeted phishing emails with malicious files disguised as legitimate documents to gain initial access, and deploy backdoors such as BrockenDoor, as well as other malware including Remcos and DarkGate.
Head Mare's Tactics
Head Mare, which first emerged in 2023 on the social platform X, is known for using its own custom malware, including PhantomDL and PhantomCore, and for exploiting newly disclosed vulnerabilities in phishing campaigns. The group's tactics have been observed in attacks against Russian and Belarusian targets, but until now, there had been little evidence linking them operationally to BO Team.
One possible scenario of cooperation between the two groups is a multi-stage attack, in which Head Mare gains initial access to a victim's network through phishing, followed by BO Team deploying malware to expand access and conduct further operations.
Implications of the Partnership
The overlap in infrastructure and tools used by BO Team and Head Mare points to at least some level of coordination in operations against Russian organizations. This partnership could potentially lead to more sophisticated and effective attacks, making the two groups a more significant threat in the Russian cyber threat landscape.
According to Kaspersky, BO Team remains a serious and continuously evolving threat, and the partnership with Head Mare could further enhance their capabilities. As the cyberwar between Ukraine and Russia continues to escalate, it is essential to monitor the activities of these hacktivist groups and their potential collaborations.
- BO Team and Head Mare have targeted Russian and Belarusian organizations, including companies in manufacturing, telecommunications, and the oil and gas sector.
- The groups use various tactics, including phishing, malware deployment, and exploitation of newly disclosed vulnerabilities.
- The partnership between BO Team and Head Mare could lead to more sophisticated and effective attacks, making them a more significant threat in the Russian cyber threat landscape.
The report by Kaspersky highlights the importance of staying vigilant and proactive in the face of evolving cyber threats. As the situation continues to unfold, it is crucial to monitor the activities of these hacktivist groups and their potential collaborations to stay ahead of the threats they pose.
Source: The Record