VYPR
Research · Published May 8, 2026 · Updated May 17, 2026 · 1 source

Pro-Ukraine Hacktivist Groups BO Team and Head Mare Coordinate Cyber Operations Against Russia

Pro-Ukraine hacktivist groups BO Team and Head Mare are increasingly coordinating their cyber operations against Russian and Belarusian targets, according to new research from Kaspersky.

Researchers at Kaspersky have identified evidence of operational coordination between two pro-Ukraine hacktivist groups, BO Team and Head Mare, in their ongoing cyber campaigns against Russian and Belarusian targets (The Record). While both groups have historically operated independently, the discovery of overlapping infrastructure, including command-and-control systems hosted on the same compromised servers, suggests a new level of collaboration (The Record).

The technical mechanism of this suspected partnership appears to follow a multi-stage attack pattern. According to Kaspersky, Head Mare likely handles the initial network intrusion through phishing campaigns, while BO Team follows up to deploy malware, expand access, and conduct further operations (The Record). This division of labor allows the groups to leverage their respective strengths: Head Mare is known for utilizing custom malware like PhantomDL and PhantomCore, as well as exploiting newly disclosed vulnerabilities, while BO Team has increasingly focused on covert cyber espionage (The Record).

BO Team, also known as Black Owl, has evolved significantly since emerging in early 2024. Once primarily focused on destructive attacks, the group has shifted toward more sophisticated operations, targeting 20 organizations in the first quarter of 2026 alone (The Record). Their current operational scope includes the manufacturing, telecommunications, and oil and gas sectors, moving away from previous targets in the healthcare industry (The Record).

To maintain persistence and expand their reach, the attackers utilize targeted phishing emails containing malicious files disguised as legitimate documentation (The Record). Once inside a network, they deploy a variety of backdoors and malware, including BrockenDoor, Remcos, and DarkGate (The Record). These tools enable the groups to maintain long-term access and exfiltrate sensitive data from their targets (The Record).

Historically, BO Team has demonstrated a high degree of autonomy and has been linked to operations involving Ukrainian military intelligence, including attacks on a major Russian drone supplier and the country’s federal digital signature authority (The Record). Head Mare, which surfaced in 2023, has similarly maintained a consistent focus on Russian and Belarusian entities (The Record).

This development highlights the increasing professionalization and strategic alignment of hacktivist groups involved in the ongoing conflict between Ukraine and Russia. As these actors refine their tactics and share infrastructure, they pose a more persistent and evolving threat to regional critical infrastructure and corporate networks (The Record). Security teams operating in the region should remain vigilant for the specific malware families and phishing techniques associated with these groups as they continue to adapt their operational models (The Record).

Synthesized by Vypr AI