A pro-Ukrainian hacktivist group most often called BO Team, also tracked under the aliases Black Owl, Lifting Zmiy, and Hoody Hyena, has emerged as a formidable threat to Russian organizations in 2025.
The group, which publicly announced itself through a Telegram channel in early 2024, has been implicated in a series of destructive cyberattacks on critical industries, including the government, technology, telecommunications, and manufacturing sectors.
Rising Threat in the Cyber Landscape
According to the report, Kaspersky Lab's telemetry confirms that all detected indicators of compromise (IOCs) associated with Black Owl are localized to Russia, underscoring a geographically focused campaign aimed at inflicting maximum infrastructural damage while also pursuing financial extortion.
Black Owl employs a carefully staged attack chain that begins with spear-phishing campaigns carrying malicious attachments designed to install backdoors such as DarkGate, Remcos, and BrockenDoor.

These phishing emails, often disguised as legitimate correspondence from companies in the automation or energy sectors, rely on social engineering to trick recipients into executing the payloads.
Once inside, the group uses tools such as SDelete for data destruction and Babuk ransomware for encryption, demanding substantial ransoms to restore access.
Its use of living-off-the-land (LotL) techniques, built-in Windows tools such as PowerShell and wmic.exe combined with custom launchers such as av_scan.exe for starting the destructive utilities, points to a high degree of technical sophistication.
Sophisticated Attack Chain
Black Owl's persistence mechanisms, such as creating scheduled tasks disguised as legitimate updates under names like "MicrosoftEdgeUpdate," ensure prolonged access to compromised systems.
Its operations also include credential theft through LSASS memory dumps and Active Directory database extraction using tools such as HandleKatz and ntdsutil, enabling lateral movement over RDP and SSH within victim networks.
Unlike hacktivist groups that prioritize rapid data theft or destruction, Black Owl's intrusions can span months, indicating a strategic approach to maximizing both disruption and financial gain.

This prolonged timeline, combined with destructive actions such as deleting backup files and shadow copies via vssadmin.exe, leaves victims with little recourse but to meet the ransom demands.
Its motivations appear twofold: ideological alignment with the pro-Ukrainian side of the Russia-Ukraine conflict, and financial profit from ransomware payments.
While its public rhetoric on Telegram serves as psychological warfare and media positioning, Kaspersky researchers note that Black Owl operates with significant autonomy, using unique tools and tactics not commonly seen among other pro-Ukrainian hacktivist clusters.
This independence, along with minimal evidence of coordination with other groups, makes Black Owl a uniquely dangerous actor in the current threat landscape.
Organizations are urged to keep software updated, maintain regular backups that a compromised host cannot reach (the group deletes backup files and shadow copies before encrypting), and deploy comprehensive security solutions to counter this evolving threat.
Indicators of Compromise (IOCs)
Category | Description | Example |
---|---|---|
BrockenDoor | Malicious executable filename | scan_kartochka_[company_name]_annꬵdp.exe |
DarkGate | Malicious executable filename | scan_tz_site_[company_name]_annꬵdp.exe |
SDelete runner | Custom launcher for data deletion | av_scan.exe (MD5: 5aac8f8629ea001029b18f99eead9477) |
Network infrastructure | Command-and-control (C2) domains | wmiadap[.]xyz, invuln[.]xyz |
IP addresses | Attacker-controlled IPs | 194.87.252[.]171, 193.124.33[.]172 |
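As an added example (not code from the article or from Kaspersky), the Python script below turns the tradecraft described above into hunting rules: the scheduled task disguised as MicrosoftEdgeUpdate, non-system processes opening LSASS, ntdsutil database extraction, vssadmin shadow-copy deletion, the SDelete and HandleKatz tool names, and the hash, filename, domain and IP indicators from the IOC table. It runs over a handful of constructed Sysmon-style events; the event field layout, the Edge updater install directory, and the short allow-list of legitimate LSASS readers are assumptions, and the filename rule generalizes the two sample names in the table to a pattern.

```python
"""Hunting rules for the BO Team / Black Owl tradecraft described above.

Added example, not code from the article or from Kaspersky. The event
layout, field names, EDGE_UPDATE_DIR and LSASS_READERS are assumptions;
the sample events at the bottom are CONSTRUCTED, not real telemetry.
"""
import re

# Indicators from the article's IOC table (treated as exact-match indicators).
IOC_MD5 = {"5aac8f8629ea001029b18f99eead9477"}
IOC_DOMAINS = {"wmiadap.xyz", "invuln.xyz"}
IOC_IPS = {"194.87.252.171", "193.124.33.172"}
# Pattern generalised from the two dropper filenames in the table.
IOC_FILENAME_RE = re.compile(r"^scan_(kartochka|tz_site)_.*\.exe$", re.IGNORECASE)

# Assumed install directory of the genuine Edge updater. A task that borrows
# the MicrosoftEdgeUpdate name but runs anything outside it is the disguised
# persistence the article describes.
EDGE_UPDATE_DIR = "c:\\program files (x86)\\microsoft\\edgeupdate\\"

# Processes that legitimately open lsass.exe on a typical host (assumed short list).
LSASS_READERS = {"csrss.exe", "wininit.exe", "msmpeng.exe", "services.exe"}


def _basename(path):
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the names of every rule the event trips (empty list if benign)."""
    hits = []
    kind = ev["type"]
    if kind == "process":
        name = _basename(ev["image"])
        cmd = ev.get("cmdline", "").lower()
        if ev.get("md5", "").lower() in IOC_MD5:
            hits.append("ioc_hash")
        if IOC_FILENAME_RE.match(name):
            hits.append("ioc_filename")
        if name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
            hits.append("shadow_copy_deletion")      # backup destruction step
        if name == "ntdsutil.exe" and "ifm" in cmd and "create" in cmd:
            hits.append("ntds_extraction")           # AD database copy via IFM
        if name in ("sdelete.exe", "sdelete64.exe") or "handlekatz" in name:
            hits.append("known_offensive_tool")
    elif kind == "task_created":
        disguised = "microsoftedgeupdate" in ev["task_name"].lower()
        if disguised and not ev["command"].lower().startswith(EDGE_UPDATE_DIR):
            hits.append("disguised_scheduled_task")
    elif kind == "process_access":
        if _basename(ev["target"]) == "lsass.exe" and _basename(ev["source"]) not in LSASS_READERS:
            hits.append("lsass_access")              # credential dumping
    elif kind == "network":
        if ev.get("dest_host", "").lower() in IOC_DOMAINS or ev.get("dest_ip") in IOC_IPS:
            hits.append("ioc_c2")
    return hits


def hunt(events):
    """Map event id -> rule hits for every event that tripped at least one rule."""
    findings = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            findings[ev["id"]] = hits
    return findings


# CONSTRUCTED sample telemetry in a Sysmon-like field layout.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "md5": "0" * 32,
     "image": r"C:\Users\user\Downloads\scan_kartochka_acme_sample.exe",
     "cmdline": "scan_kartochka_acme_sample.exe"},
    {"id": 2, "type": "task_created", "task_name": "MicrosoftEdgeUpdate",
     "command": r"C:\ProgramData\av_scan.exe"},
    {"id": 3, "type": "task_created", "task_name": "MicrosoftEdgeUpdateTaskMachineCore",
     "command": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /c"},
    {"id": 4, "type": "process_access", "source": r"C:\Windows\Temp\hk.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil "ac i ntds" "ifm" "create full C:\Temp\ad" q q'},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 7, "type": "process", "image": r"C:\ProgramData\av_scan.exe",
     "cmdline": "av_scan.exe", "md5": "5AAC8F8629EA001029B18F99EEAD9477"},
    {"id": 8, "type": "network", "dest_host": "wmiadap.xyz", "dest_ip": "194.87.252.171"},
    {"id": 9, "type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for event_id, rules in hunt(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

In a real deployment these four event kinds map to Sysmon process creation, process access and network connection events plus the Security log's scheduled-task creation event; the point of the scheduled-task rule is that the task name alone is not an indicator, since the genuine Edge updater registers similarly named tasks, so the rule keys on where the task's command actually lives.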