Hacktivist Group BO Team Uses New Backdoor Against Russian Organizations
In early September 2025, researchers at Kaspersky Lab uncovered a new campaign by the hacktivist group BO Team, which has been targeting Russian organizations across multiple sectors. The attackers have updated their toolkit and are now deploying a rewritten version of the BrockenDoor backdoor.
Background on BO Team
BO Team—also known as Black Owl, Lifting Zmiy, and Hoody Hyena—first appeared in early 2024 through a Telegram channel. The group has a reputation for destructive campaigns focused on crippling IT infrastructure. In some cases, it has also carried out data encryption and extortion. Analysts note that the group poses a dual threat: causing operational damage while also seeking financial gain. Its main targets are government institutions and large enterprises.

Attack Vector: Targeted Phishing
Access to victim systems is typically achieved through tailored phishing emails that contain malicious archives. The messages are adapted for specific organizations, increasing the likelihood of success.
One observed lure alleged abuse of a voluntary health insurance (VHI/DMS) policy. The attached archive contained an executable file disguised as a PDF: the attackers hid the true .exe extension by inserting a long run of spaces between the visible ".pdf" part of the filename and the real extension, so that a file manager showing a truncated name displays only the fake one. The archive was password-protected, with the password given in the body of the phishing email, which also keeps the payload out of reach of mail gateways that scan archive contents. If the file was opened, a decoy document appeared, masquerading as an "internal investigation" protocol.
Unlike previous campaigns, the malware will not execute unless the Russian keyboard layout is installed, indicating a deliberate focus on Russian-speaking users.
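A check a defender can run on inbound archives, added here as an example and not code from Kaspersky's report or from BO Team's tooling: it opens a ZIP held in memory, flags any member whose name hides an executable extension behind a run of whitespace after a document-like extension, and reports whether the member is encrypted (the password-protected case described above). The sample archive, its member names and the list of accepted extensions are constructed for the demonstration; accepting non-ASCII space characters in the padding is my own generalization, since the reported sample used ordinary spaces.

```python
import io
import re
import zipfile

# Whitespace run between a harmless-looking extension and the real one.
# Space, tab, NBSP and the Unicode space block are all accepted so that a
# variant padded with non-ASCII spaces is caught as well (my assumption;
# the reported sample used ordinary spaces).
_PAD = r"[ \t\u00a0\u2000-\u200a\u3000]{3,}"

# Extension lists are illustrative, not taken from the report.
DISGUISE_RE = re.compile(
    r"^(?P<shown>.+?\.(?:pdf|docx?|xlsx?|rtf|txt))" + _PAD +
    r"\.(?P<real>exe|scr|com|pif|bat|cmd|js|vbs|hta|lnk)$",
    re.IGNORECASE,
)


def classify_name(name):
    """Return (shown_as, real_ext) if the name hides an executable extension
    behind whitespace padding, else None."""
    base = name.rsplit("/", 1)[-1]  # ignore directories inside the archive
    m = DISGUISE_RE.match(base)
    if not m:
        return None
    return m.group("shown"), m.group("real").lower()


def analyze_archive(data):
    """Inspect every member of a ZIP given as bytes and flag disguised executables.

    ZIP stores member names in the clear even when their contents are encrypted,
    so the name check works without knowing the password.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hit = classify_name(info.filename)
            findings.append({
                "name": info.filename,
                # general-purpose bit 0 = member contents are encrypted
                "encrypted": bool(info.flag_bits & 0x1),
                "disguised": hit is not None,
                "shown_as": hit[0] if hit else None,
                "real_ext": hit[1] if hit else None,
            })
    return findings


def build_sample_archive():
    """Constructed sample (not a real BO Team artifact): one benign text file
    plus a PE-looking blob whose name ends in '.pdf', 60 spaces and '.exe'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "decoy text")
        zf.writestr("Протокол расследования.pdf" + " " * 60 + ".exe",
                    b"MZ" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for f in analyze_archive(build_sample_archive()):
        label = "DISGUISED" if f["disguised"] else "ok"
        print(f"{label:9} encrypted={f['encrypted']!s:5} "
              f"shown_as={f['shown_as']!r} real_ext={f['real_ext']!r}")
```

The stdlib zipfile module cannot create encrypted archives, so the constructed sample is unencrypted and the encrypted flag reads False; on a real password-protected ZIP the flag is set while the names remain readable. A RAR archive created with encrypted headers hides member names as well, and in that case the password from the email body is needed before any name-based check can run.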
Evolution of BrockenDoor
The updated BrockenDoor backdoor has been fully rewritten in C#. Analysts suggest this switch simplifies development for the attackers and benefits from the wide availability of C# obfuscators and packers that conceal malicious content.
To complicate analysis further, the operators now use abbreviated command names instead of descriptive ones. For example:
set_poll_interval → spi
run_program → rp
Functionally, however, BrockenDoor remains consistent with earlier versions. Once active, it connects to the attackers’ command-and-control server and exfiltrates data such as username, computer name, OS version, and files located on the desktop. If the system is deemed valuable, the malware receives additional commands to escalate the attack.
Deployment of ZeronetKit
The campaign also featured an updated version of another backdoor known as ZeronetKit, written in Go and previously linked to BO Team operations. Together, BrockenDoor and ZeronetKit represent an expanded toolkit designed for both persistence and deeper compromise.
Expert Commentary
“As part of the current campaign, the attackers have updated their toolkit: the BrockenDoor backdoor, already known to us, has been rewritten in C#, and new commands for network communication have been added to the ZeronetKit malware, also known since 2024,” explained Oleg Kupreev, a cybersecurity expert at Kaspersky Lab.
Kupreev added that the phishing emails and decoy documents were likely customized for each victim:
“The attackers did not use generic templates but adapted the attachments in each specific attack to resemble legal documents, urging the victim to urgently review their contents. We will continue to closely monitor the activity of the BO Team group.”