Red Hot Cyber, il blog italiano sulla sicurezza informatica
Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Select language
Italian Spanish
Search
Banner Mobile V1
Crowdstriker 970×120
New cyber attack campaign by the BO Team group

New cyber attack campaign by the BO Team group

Redazione RHC : 25 October 2025 09:16

In early September 2025, Kaspersky Lab experts discovered a new campaign from the BO Team group, targeting Russian organizations across various sectors. Hacktivists updated their toolkit, targeting companies with a new version of the BrockenDoor backdoor.

The hacktivist group BO Team (also known as Black Owl, Lifting Zmiy, and Hoody Hyena) made its first appearance in early 2024 via a Telegram channel.

It primarily targets victims’ IT infrastructure and, in some cases, encrypts data and commits extortion. Researchers warn that this is a serious threat, aimed both at inflicting maximum damage on the attacked organization and at achieving financial gain . The attackers’ main targets include the public sector and large corporations.

To gain access to victims’ systems, attackers send spear-phishing emails containing malicious archives. The content of these emails appears to be customized for each specific attack.

For example, one email claimed to have detected evidence of abuse of a voluntary health insurance policy. The attached archive contained an executable file disguised as a PDF document. The actual file extension is .exe, and the attackers intentionally separated it from the file name with numerous spaces to hide the substitution. The archive was password-protected, which was provided in the body of the email.

If the victim opens the file, a decoy document appears: a fake “official investigation” report. Unlike previous campaigns, the malicious file will not run unless the Russian keyboard layout is installed on the system. This means the attacks are aimed only at Russian-speaking users.

Analysts write that the core code of the updated version of the BrockenDoor backdoor has been completely rewritten in C#, simplifying the programming process for attackers. Additionally, numerous obfuscators and packers for C# are available that can hide malicious payloads. Furthermore, full command names are now shortened to two or three characters, complicating analysis. For example, the set_poll_interval command is now called spi, and run_program is now called rp.

Overall, the backdoor’s functionality hasn’t changed significantly. BrockenDoor contacts the attackers’ server and sends various information (username and computer name, operating system version, and a list of files on the desktop). If the attackers deem this data interesting, the backdoor receives commands to further develop the attack.

The report also notes that the new campaign used BrockenDoor to install an updated version of another backdoor, ZeronetKit, written in Go, also used by BO Team.

Immagine del sitoRedazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.

Lista degli articoli