At the start of September 2025, Kaspersky researchers observed a renewed campaign by the hacktivist collective BO Team—also tracked as Black Owl, Lifting Zmiy and Hoody Hyena—against Russian organizations across several sectors. The operators’ objectives remain disruption of IT infrastructure, data theft and extortion, with prioritization of the public sector and large enterprises.
Initial access: tailored phishing and convincing “official documents”
The campaign relies on targeted phishing that delivers password-protected archives customized for each victim organization. In one scenario, emails alleged misuse of corporate voluntary medical insurance (DMS) and attached a protected archive. Inside, an executable masqueraded as a PDF: its filename was padded with a long run of whitespace so that the real .exe extension was pushed out of view. Upon launch, a decoy document—styled as an “internal investigation protocol”—was displayed to reduce suspicion.
Notably, the malware checks the keyboard layout and will not run if a Russian layout is absent. This is a clear targeting signal toward Russian-speaking environments, not a security control.
The approach aligns with MITRE ATT&CK techniques T1566 (Phishing) and T1204 (User Execution). Consistent with the Verizon Data Breach Investigations Report (DBIR) 2024, the human element remains a dominant factor—DBIR attributes a majority of breaches to human-driven patterns, with phishing among the top social engineering methods.
BrockenDoor rewritten in C#: obfuscation options and compact command set
The most significant technical change is a full migration of the BrockenDoor backdoor to C#. This stack gives attackers easy access to commodity obfuscators and packers, complicating static and behavioral analysis, and streamlining development and scaling. The command interface has also been compressed: verbose strings were replaced with 2–3 character mnemonics (for example, set_poll_interval → spi, run_program → rp), reducing opportunities for string‑based detection.
Core functionality and telemetry collection
Feature-wise, BrockenDoor maintains familiar capabilities. It establishes a connection to command-and-control (C2), gathers basic host telemetry (user and machine names, OS version), and enumerates files on the desktop. If operators deem the host valuable, the backdoor receives additional tasking for deployment and post‑exploitation.
ZeronetKit in Go: second stage with expanded network operations
In the current wave, BrockenDoor frequently serves as a dropper for an updated ZeronetKit backdoor written in Go. Researchers note newly added network-oriented commands that improve the resiliency of the adversary’s infrastructure and complicate incident response, in particular efforts to contain lateral movement and sever C2 channels.
Targeting and lure customization pivot to business context
BO Team appears to have abandoned generic phishing templates. Email narratives and attachments are tuned to each victim’s legal context and business processes—recently centering on DMS/employee health insurance with “urgent” calls to review. This customization increases click-through rates and delays detection by email security and end users.
Defensive measures mapped to MITRE ATT&CK
Email security: enforce SPF, DKIM and DMARC; detonate attachments in sandbox; block delivery of executables inside archives and files with hidden/double extensions or abnormal whitespace in filenames.
Endpoint controls: deploy EDR/NGAV with behavior rules tuned to .NET/C# loaders; enable Microsoft Attack Surface Reduction (ASR); block child process spawning from Office applications; force file extensions to be visible in the OS.
Network visibility: monitor egress to unknown C2 endpoints; collect DNS and TLS telemetry; restrict unsanctioned proxy/VPN usage. Segment networks and apply least privilege to limit lateral movement and blast radius.
Security awareness: run regular, realistic phishing simulations and measure susceptibility to improve resilience to targeted social engineering.
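The email-security measure above calls for blocking executables inside archives and filenames with hidden or double extensions or abnormal whitespace, which is exactly the masquerade used in this campaign (a long whitespace run pushing a trailing .exe out of view behind a .pdf). The following Python is an added example written for this article, not code from Kaspersky or the reporting; the threshold of five consecutive whitespace characters, the extension lists and the sample archive contents are all constructed assumptions. It relies on a property of the ZIP format: password protection encrypts member contents, not the central directory, so member names can be screened at the mail gateway even when the archive cannot be opened.

```python
import io
import re
import zipfile

# Extensions that should not arrive as a mail attachment or inside an archive (assumed policy list)
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "ps1", "msi", "dll", "hta"}
# Document extensions typically used as the "visible" half of a double extension (assumed list)
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf"}
# A run of this many or more consecutive whitespace characters is treated as padding (assumed threshold)
WHITESPACE_PADDING_MIN = 5


def classify_filename(name: str) -> list[str]:
    """Return the reasons a filename looks like a masquerading executable; an empty list means clean."""
    reasons = []
    base = name.rsplit("/", 1)[-1]          # ignore directory components inside the archive
    parts = base.lower().split(".")
    ext = parts[-1].strip() if len(parts) > 1 else ""

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")

    # Double extension such as report.pdf.exe: a document extension sits right before the real one.
    # strip() on the inner part makes this robust to whitespace padding between the two extensions.
    if len(parts) > 2 and parts[-2].strip() in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"double extension .{parts[-2].strip()}.{ext}")

    # Long whitespace run: used to push the real extension out of the visible part of the name
    match = re.search(r"\s{%d,}" % WHITESPACE_PADDING_MIN, base)
    if match:
        reasons.append(f"whitespace padding ({len(match.group(0))} chars)")

    return reasons


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Classify every file member of a ZIP by name only.

    Reading the member list does not require the archive password, because ZIP encryption
    covers file contents but not the central directory, so this screening can run before
    sandbox detonation and before any password is known.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_filename(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not an artifact from the campaign): one benign decoy name and
    one executable whose name mimics a PDF with 60 spaces of padding before the .exe extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Protocol_internal_investigation.docx", b"decoy document")
        zf.writestr("DMS_claim_review.pdf" + " " * 60 + ".exe", b"MZ placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_archive(build_sample_archive()).items():
        print(repr(member), "->", "; ".join(why))
```

A gateway rule built on this would quarantine the message when scan_archive returns any finding, and would log the archive member names so analysts can see the padding pattern rather than a truncated display name. The whitespace threshold is deliberately low because legitimate filenames rarely contain more than one or two consecutive spaces; tune it against your own mail corpus before enforcing.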
Important: a keyboard-layout check is an indicator of targeting, not protection. Relying on such traits as a “default firewall” is risky; layered controls and rapid response are essential.
The BO Team campaign illustrates how quickly threat tooling evolves: a C# rewrite of BrockenDoor, aggressive obfuscation and a two‑stage chain with ZeronetKit improve operational effectiveness. Organizations should strengthen mail hygiene, endpoint and network visibility, and align controls with the MITRE ATT&CK framework. Updating detections, hardening policies, and rehearsing response will shorten the kill chain—reducing downtime and the likelihood of data loss or extortion.