Two Pro-Ukraine Hacktivist Groups Are Now Sharing Infrastructure — and It Looks Quasi-State-Sponsored


Kaspersky researchers reported on May 7-8 that pro-Ukraine hacktivist groups BO Team (also known as Black Owl) and Head Mare appear to be coordinating their cyber operations against Russian organizations — sharing infrastructure including command-and-control systems on the same compromised host. BO Team had previously operated more autonomously than other hacktivist clusters; the consolidation makes the combined operation operationally larger, harder to attribute, and harder for Russian defenders to remediate.

In research reported by Recorded Future News on May 8, 2026, Moscow-based Kaspersky said it identified overlapping infrastructure and tools used by both groups — including command-and-control systems operating on the same compromised host. "There had previously been insufficient evidence of the group's interaction with other hacktivists," Kaspersky said of BO Team in earlier reporting. The company described one possible scenario of cooperation: a multi-stage attack in which Head Mare gains initial access through phishing, followed by BO Team deploying malware to expand access and conduct further operations. "While the exact nature of the relationship between the two groups remains unclear," Kaspersky's researchers told The Record, the overlap "points to at least some level of coordination in operations against Russian organizations."

The strategic implication is meaningful. BO Team has documented prior collaboration with Ukraine's Defense Intelligence (HUR) on attacks against major Russian targets — a Russian drone supplier, the federal digital signature authority, the country's national court system. Head Mare has separately been tied to Twelve, another Russia-targeting hacktivist cluster, with which it has shared C2 infrastructure and tooling. The new BO Team / Head Mare overlap brings together two clusters that were previously believed to operate independently. The consolidated operational footprint, with quasi-state-sponsored character via BO Team's HUR ties, sits in a gray zone that Kaspersky and other vendors have not formally characterized as state-sponsored — but which clearly differs from what hacktivism looked like even a year ago.

BO Team / Head Mare Coordination Profile

Detail | Information
Disclosure | Kaspersky research, May 7-8, 2026 — reported by Recorded Future News (Daryna Antoniuk)
BO Team / Black Owl profile | Active since early 2024 via Telegram; targets Russia exclusively; documented HUR-coordinated attacks on Russian drone supplier, federal digital signature authority, national court system, scientific research center, ruling-party online services
BO Team backdoors | DarkGate, BrockenDoor, Remcos; deletes backups using Microsoft SDelete; deploys Babuk ransomware in some cases
BO Team Q1 2026 targeting | 20 organizations targeted; sector shift from healthcare to manufacturing, telecommunications, oil and gas; shift from primarily destructive to covert espionage operations
BO Team operational quirk | May wait weeks or months between initial access and action — unusual for hacktivists who typically aim to destroy or steal data quickly
Head Mare profile | Active since 2023 on X (formerly Twitter); targets Russia and Belarus exclusively; sectors include government, transportation, energy, manufacturing, environment
Head Mare custom malware | PhantomDL (Go-based backdoor); PhantomCore aka PhantomRAT (predecessor; remote access trojan); LockBit for Windows encryption; Babuk for Linux/ESXi encryption
Head Mare initial access | Phishing with malicious files using double extensions (e.g., решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe); CVE-2023-38831 in WinRAR exploitation; CVE-2021-26855 (ProxyLogon) for Microsoft Exchange
Coordination evidence (per Kaspersky) | Overlapping infrastructure and tools; C2 systems operating on same compromised host; possible multi-stage attack with Head Mare initial access then BO Team escalation
HUR (Ukrainian military intelligence) ties | Documented for BO Team; not formally documented for Head Mare; HUR coordination puts BO Team in a gray zone between hacktivism and state-sponsored operations
Broader hacktivist landscape | 14+ state-sponsored or pro-Ukraine groups have targeted Russia and former Soviet states with destructive or espionage campaigns over the past year (per Cyber Security Intelligence)

What Each Group Brings to the Combined Operation

BO Team's distinguishing characteristic, per Kaspersky's June 2025 profile, is patience: the group may wait weeks or even months between initial access and observable action — an unusual delay for hacktivists, who typically aim to destroy or steal data quickly. The toolkit is broad. The group deploys backdoors including DarkGate, BrockenDoor, and Remcos, and disguises malware as legitimate Windows software. After compromising a network, BO Team uses Microsoft's SDelete tool to remove backups and virtual infrastructure, and in some cases deploys Babuk ransomware for encryption-and-ransom. The group has worked with Ukraine's Defense Intelligence (HUR) on attacks against a major Russian drone supplier, Russia's federal digital signature authority Osnovanie, a scientific research center, and the country's ruling-party online services. The May 2025 attack on Russia's national court system Pravosudiye — which wiped roughly 33 percent of national court filings, approximately 89 million files — is among BO Team's most consequential demonstrated capabilities.

Head Mare's distinguishing characteristic is initial-access tradecraft. The group exploits relatively recent vulnerabilities — most often CVE-2023-38831 in WinRAR for arbitrary code execution via specially crafted archives — and uses convincing phishing with malicious files using double extensions, such as the Russian-language file name "решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe." Custom Head Mare malware includes PhantomDL, a Go-based backdoor, and PhantomCore (also known as PhantomRAT), a remote access trojan that is PhantomDL's predecessor. Unlike most pro-Ukraine hacktivists, Head Mare also encrypts victims' systems for ransom: LockBit for Windows, Babuk for Linux and VMware ESXi. The group exclusively targets organizations in Russia and Belarus, with sectors spanning government, transportation, energy, manufacturing, and environment.

Why the Multi-Stage Attack Pattern Matters Operationally

Kaspersky's framing of the cooperation — Head Mare for initial access, BO Team for escalation and post-compromise — would be a textbook division of labor in a state-sponsored operation. Head Mare's strength is the phishing-and-exploitation front end; BO Team's strength is the patient, espionage-style escalation back end. If the two groups are coordinating on this division of labor, the threat profile for Russian and Belarusian organizations consolidates into something larger than either group represented separately. The consolidated kill chain looks like this: Head Mare phishing → PhantomDL / PhantomCore foothold → handoff to BO Team infrastructure → BrockenDoor or DarkGate persistence → weeks-to-months patience → SDelete-based anti-recovery → optional Babuk ransom or pure data theft.

BO Team's 2026 evolution toward more covert operations, including cyber espionage, adds a second dimension. In Q1 2026, the group targeted 20 organizations and shifted its focus from healthcare entities to companies in manufacturing, telecommunications, and oil and gas — sectors where data exfiltration has long-tail strategic value beyond the immediate disruption value of court-system wipers. The combination of Head Mare's initial-access front end with BO Team's patient-espionage back end, against high-value sectors, is the threat profile that moves this development from hacktivist news into nation-state-adjacent threat intelligence.

What This Means for Defenders Outside Russia

BO Team and Head Mare have, to date, exclusively targeted organizations in Russia and Belarus. The defender takeaway for organizations operating elsewhere is therefore qualified: this is meaningful context for any organization with Russia, Belarus, or CIS exposure (subsidiaries, suppliers, customers, energy operations, or financial settlement exposure), and it is leading-indicator threat intelligence for the broader pattern of pro-Ukraine hacktivism's consolidation toward state-sponsored capability. If any expansion to non-Russia targets occurs — whether deliberate, accidental, or third-party-supply-chain mediated — that would represent a meaningful threat-landscape change. For now, the operational guidance below is calibrated to organizations with Russia or Belarus exposure.

The BO Team / Head Mare consolidation reads as a mirror image of the broader Russia-Western infrastructure dynamic. The CyberSignal's coverage of Poland's ABW spy-agency disclosure documented Russian special services targeting Western water infrastructure, while this Kaspersky disclosure documents the reverse vector: pro-Ukraine quasi-state hacktivists targeting Russian manufacturing, telecommunications, and oil and gas. For ongoing analysis of the threat-actor landscape on both sides of this conflict, The CyberSignal's threat-intelligence coverage tracks emerging TTPs and the consolidation pattern across nominally independent actors.

Defender Actions for Organizations with Russia / Belarus Exposure

  • Treat phishing as the primary initial-access vector for both groups. Head Mare's tradecraft uses business documents with double extensions and Russian-language file names. Train Russian and Belarusian operations staff specifically on this pattern. Add inbound email gateway rules that flag double-extension attachments (.pdf.exe, .docx.exe, etc.) regardless of language.
  • Hunt for the named tooling. BrockenDoor, DarkGate, and Remcos (BO Team); PhantomDL and PhantomCore / PhantomRAT (Head Mare); SDelete misuse for backup destruction; LockBit and Babuk encryptor variants. Add YARA rules and EDR detection coverage for these specific malware families and tools.
  • Patch CVE-2023-38831 in WinRAR and CVE-2021-26855 (ProxyLogon) in Microsoft Exchange across your Russia and Belarus environments. These are Head Mare's documented exploitation paths. The Exchange vulnerability is from 2021 — its continued exploitability indicates substantial unpatched legacy infrastructure in the target environment, but the same lesson applies anywhere outdated systems persist.
  • Prepare for hybrid destructive-and-espionage outcomes. BO Team's 2026 shift toward covert espionage means infections may persist for weeks before destructive activity. Assume detection windows are smaller than indicators suggest. Off-platform, immutable backups with credentials separated from production environments are the difference between a 24-hour recovery and the multi-week recovery seen in prior BO Team court-system attacks.
  • Update threat-actor matrices to reflect coordinated rather than independent operations. Re-attribute prior incidents originally tagged to one group only after reviewing the new Kaspersky research. Build cross-actor detection logic — alerts that fire on the combination of Head Mare initial-access tooling followed by BO Team backdoors are higher-fidelity than alerts on either alone.
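The first and last actions above (flag double-extension attachments; alert on Head Mare initial-access tooling followed later by a BO Team backdoor on the same host) can be expressed as simple detection logic. The following is an added example, not code from the article or from Kaspersky: the event format, the host names, the malware-family labels assigned by the EDR/YARA tier, and the 120-day correlation window are all assumptions, and the log lines are constructed for this example. The attachment check is language-agnostic, so the Cyrillic file name cited above is caught by inspecting only the trailing extensions.

```python
"""Two toy detections for the defender actions above:
(1) flag attachment names ending in <document ext>.<executable ext>, and
(2) correlate, per host, a Head Mare family (PhantomDL / PhantomCore /
    PhantomRAT) followed within a wide window by a BO Team backdoor
    (BrockenDoor / DarkGate / Remcos).
Event format, host names and the window size are assumptions; the sample
data below is constructed, not taken from any real incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Executable extensions that should never sit behind a document extension.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "lnk", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt", "odt"}

# Only the tail of the name is inspected, so non-ASCII names work unchanged.
DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]{1,5})\.([A-Za-z0-9]{1,4})$")


def is_double_extension(filename: str) -> bool:
    """True for names such as 'report.pdf.exe'; False for 'report.pdf' or
    'archive.tar.gz' (inner part is not a document extension)."""
    m = DOUBLE_EXT.search(filename.strip())
    if not m:
        return False
    inner, outer = m.group(1).lower(), m.group(2).lower()
    return inner in DOCUMENT_EXTS and outer in EXECUTABLE_EXTS


# Constructed attachment names; the first is the name quoted in the article.
SAMPLE_ATTACHMENTS = [
    "решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe",
    "quarterly_report.pdf",
    "backup.tar.gz",
    "invoice.docx.scr",
]


def flag_attachments(names):
    """Return the subset of attachment names the gateway rule should flag."""
    return [n for n in names if is_double_extension(n)]


# Family labels as the article names them (assumed to be what the EDR emits).
HEAD_MARE_ACCESS = {"PhantomDL", "PhantomCore", "PhantomRAT"}
BO_TEAM_BACKDOORS = {"BrockenDoor", "DarkGate", "Remcos"}

# Assumed EDR export format: "<ISO timestamp> host=<name> family=<label>".
EVENT_RE = re.compile(r"^(\S+)\s+host=(\S+)\s+family=(\S+)")

# Constructed sample events: one host shows the handoff pattern, two do not.
SAMPLE_LOG = """\
2026-01-10T09:12:03 host=ru-fin-07 family=PhantomDL
2026-01-10T09:15:44 host=ru-fin-07 family=Generic.Dropper
2026-02-21T22:40:10 host=ru-fin-07 family=BrockenDoor
2026-03-02T11:00:00 host=ru-ops-12 family=DarkGate
2026-03-05T08:30:00 host=by-hq-01 family=PhantomCore
this line is malformed and must be skipped
"""


def parse_events(lines):
    """Parse log lines into (timestamp, host, family); skip malformed lines."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def correlate_handoff(events, max_gap=timedelta(days=120)):
    """Map host -> days between first Head Mare family and the first later
    BO Team backdoor on that host. The default window is deliberately wide
    because the article stresses weeks-to-months dwell time."""
    by_host = defaultdict(list)
    for ts, host, fam in sorted(events):
        by_host[host].append((ts, fam))
    hits = {}
    for host, evs in by_host.items():
        first_access = next((ts for ts, fam in evs if fam in HEAD_MARE_ACCESS), None)
        if first_access is None:
            continue  # BO Team backdoor alone is a lower-fidelity signal
        for ts, fam in evs:
            if fam in BO_TEAM_BACKDOORS and first_access <= ts <= first_access + max_gap:
                hits[host] = (ts - first_access).days
                break
    return hits


if __name__ == "__main__":
    print("flagged attachments:", flag_attachments(SAMPLE_ATTACHMENTS))
    print("handoff hits:", correlate_handoff(parse_events(SAMPLE_LOG.splitlines())))
```

Run as written, the script flags the two double-extension names and reports ru-fin-07 with a 42-day gap between PhantomDL and BrockenDoor; ru-ops-12 (DarkGate with no prior Head Mare tooling) and by-hq-01 (PhantomCore with no follow-on) are not reported, which is the higher-fidelity behaviour the last action above calls for. Shrinking max_gap to 30 days drops ru-fin-07 as well, so tune the window against the dwell times you actually expect rather than the defaults of a fast-hacktivist playbook.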

The CyberSignal Analysis

Signal 01 — Hacktivism is consolidating toward quasi-state-sponsored capability

The pro-Ukraine hacktivist landscape has now produced two confirmed coordination clusters: Head Mare with Twelve (documented 2024-2025), and now Head Mare with BO Team. BO Team's documented HUR ties give the consolidated cluster a quasi-state-sponsored character without formal state attribution. The recognizable pattern here is the gradual professionalization and consolidation of what began as decentralized hacktivism. The same dynamic has played out in other geopolitical conflicts: Anonymous-style decentralized actions in 2011-2014 gave way to more organized clusters in subsequent years. The Russia-Ukraine conflict appears to be running the same arc on a faster timeline, with the consolidation happening within roughly two years of initial mobilization. For threat-intelligence consumers, the practical implication is that hacktivist threat actors should be tracked with the same rigor applied to state-sponsored APT groups — the boundary between the two categories is now more administrative than technical.

Signal 02 — The patient-then-destructive operational model is the threatening combination

BO Team's documented willingness to wait weeks or months between initial access and action is the operationally distinctive element here. Most hacktivists optimize for fast destruction-and-publicity. BO Team's slower tempo more closely resembles state-sponsored espionage — and pairs naturally with Head Mare's initial-access front end. Defenders against fast hacktivists rely on rapid containment; defenders against patient adversaries need persistent telemetry, longer log retention, and more aggressive credential rotation cadence. If BO Team / Head Mare's coordination produces multi-month dwell times before destructive action, the standard hacktivism defense playbook will produce false negatives. Russian and Belarusian organizations operating with the assumption that pro-Ukraine actors will move quickly may already be compromised in ways their existing controls don't surface.

Hacktivism with documented state-intelligence coordination raises questions that international law has not yet cleanly answered. Sovereign immunity, attribution norms, and retaliation calculus all become more complicated when a hacktivist cluster has demonstrable ties to a national intelligence service. For now, the framework gap is operationally tolerated because the activity is tightly bounded geographically — pro-Ukraine actors targeting Russia and Belarus, in the context of an active military conflict. If the consolidation pattern continues and produces hacktivist-state-coordinated campaigns in less constrained contexts (e.g., pro-Israel actors targeting Iran-linked infrastructure during regional escalations, or pro-China actors targeting Taiwan-aligned organizations), the framework gap will become more visible. The Russia-Ukraine cyber conflict is the test case for how the international community handles state-coordinated hacktivism; the answers being established now will set norms for the next decade.


Sources

Type | Source
Primary | Recorded Future News (The Record): Pro-Ukraine BO Team and Head Mare Hackers Appear to Team Up in Attacks Against Russia
Background | The Record: Pro-Ukraine Hacker Group Black Owl Poses 'Major Threat' to Russia (June 2025)
Primary | Kaspersky Securelist: Head Mare Hacktivists — Attacks on Companies in Russia and Belarus
Primary | Kaspersky Securelist: Head Mare and Twelve — Joint Attacks on Russian Entities
Reporting | The Record: Russia Court System Hack — Third of Case Files Deleted
Background | Cyber Security Intelligence: Hackers Attack Russia and Belarus — 14+ State-Sponsored Groups Identified
