Pro-Ukraine Black Owl hackers become a problem for Russia

June 6, 2025

A relatively little-known pro-Ukraine hacker group dubbed Black Owl has emerged as a considerable threat to Russian state entities and essential infrastructure.

Known as BO Team, or Black Owl, the group has been active since early 2024 and appears to operate independently, employing a unique set of tools and strategies.

Among the group’s most significant actions was a cyberattack in May 2025 that reportedly incapacitated about one-third of Russia’s national electronic court filing system.

Ukraine’s military intelligence agency (HUR) has previously acknowledged collaborating with the BO Team in several operations, including breaches targeting Russia’s federal digital signature authority and a scientific research institution.

 


According to reports, the Black Owl Team typically gains initial access via phishing emails containing convincing malicious attachments.

Notably, the group remains dormant within infiltrated systems for extended durations, sometimes weeks or months, before carrying out attacks.

This tactic diverges from typical hacktivist behaviour, which frequently entails immediate data destruction or theft. The group’s toolkit reportedly consists of several backdoors, such as DarkGate, BrockenDoor, and Remcos.

After infiltrating a system, the BO Team has been documented deleting backups and virtual infrastructure using utilities like Microsoft’s SDelete.

In certain instances, Babuk ransomware is used to encrypt data and demand a ransom. The hackers often disguise their malware as legitimate Windows applications.
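A defender's view of the two behaviours described above (SDelete being run to wipe data, and malware named after legitimate Windows programs), as an added example that is not from the original article or the researchers it cites. It assumes Sysmon-style process-creation events reduced to `Image` and `OriginalFileName`; the watch lists and sample events are constructed for illustration.

```python
import ntpath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumption: a short illustrative list; the article does not say which
# Windows applications the group imitates.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}
# Assumption: SDelete's version resource reports "sdelete.exe" as its
# original file name, for both the 32-bit and 64-bit builds.
SDELETE_NAMES = {"sdelete.exe", "sdelete64.exe"}


def classify(event):
    """Return a list of findings for one process-creation event."""
    image = event["Image"].lower()
    name = ntpath.basename(image)
    folder = ntpath.dirname(image)
    original = event.get("OriginalFileName", "").lower()
    findings = []
    # SDelete under its own name, or renamed: the embedded original file
    # name survives a rename of the file on disk.
    if name in SDELETE_NAMES or original in SDELETE_NAMES:
        renamed = name not in SDELETE_NAMES
        findings.append("sdelete-renamed" if renamed else "sdelete")
    # A system binary name running from outside the system directories.
    if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
        findings.append("masquerade-path")
    # A system binary name whose embedded original name disagrees with it.
    if name in SYSTEM_NAMES and original and original != name:
        findings.append("masquerade-name")
    return findings


SAMPLE_EVENTS = [  # constructed sample data, not taken from any incident
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "client.exe"},
    {"Image": r"C:\Tools\sdelete64.exe", "OriginalFileName": "sdelete.exe"},
    {"Image": r"C:\ProgramData\cleanup.exe", "OriginalFileName": "sdelete.exe"},
]


def scan(events):
    """Return (image, findings) pairs for events with at least one finding."""
    return [(e["Image"], f) for e in events if (f := classify(e))]


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image, findings)
```

SDelete is also a routine administration tool, so a plain `sdelete` finding is a triage lead to correlate with backup or hypervisor hosts, while `sdelete-renamed` and the masquerade findings warrant closer review.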

All identified BO Team targets have been Russian organisations, including state-owned enterprises and businesses in the technology, telecommunications, and manufacturing sectors.

The group frequently promotes its attacks on Telegram, using the platform to intimidate victims and draw media attention.

Researchers have noted that this newly identified cybercriminal group poses a distinctive threat within the pro-Ukraine cyber landscape. Unlike other hacktivist groups, the BO Team operates with minimal apparent collaboration or resource-sharing, suggesting high operational autonomy.

This autonomy sets the group apart as a unique and formidable presence in Russia’s current cyber threat landscape.
