NEWS Kaspersky studied BO Team for a year and a half. Hackers did not object – and continued to smash Russian oil companies

pinkman

Now analysts know almost everything about BO Team.
Over the past year BO Team has markedly changed its approach to attacks on Russian organizations. The group looks less and less like noisy hacktivists who break infrastructure for show and increasingly acts as a team for covert operations, including cyber espionage. In 2026 its interest shifted to the manufacturing, oil and gas, and telecom sectors, according to a new report by Kaspersky.

Previously, BO Team was more often associated with attacks on medical institutions, but the company’s latest data show a different picture. In the first quarter of 2026 alone, researchers counted about 20 attacks, including those against industrial, oil and gas and telecommunications companies.

The intruders still obtain initial access through targeted phishing. To gain a foothold in the infrastructure, BO Team uses the well-known backdoors BrockenDoor and ZeronetKit, as well as the new ZeroSSH tool. The analysis showed that the group’s arsenal has become more flexible: malware is more often tailored to a specific target, and the operations themselves look less demonstrative and better prepared.

During the study, the experts gained access to the source code of ZeronetKit, one of BO Team’s key backdoors. The code made it possible to study the tool’s architecture, the logic for controlling infected systems and the behavior of the malware within an attack. For defenders, the analysis matters beyond a mere list of indicators of compromise: the source shows how the group builds its operations and what capabilities it builds into its own tools.

The researchers also found signs of possible cooperation between BO Team and the Head Mare group. The exact form of the interaction is still unclear, but overlaps in tooling and infrastructure point at least to coordinated attacks against Russian organizations. One likely scenario is a multi-stage operation: Head Mare could provide initial access, for example through phishing mailings, after which BO Team deployed backdoors and developed the attack inside the network.

The company’s experts have been tracking BO Team’s activity for more than a year and a half. In that short time the group has strengthened its arsenal with custom tools, changed its set of targets and probably begun to interact with other teams. Taken together, these signs point to a more dangerous model: instead of isolated high-profile incidents, BO Team increasingly opts for covert penetration, data collection and long-term presence in the victim’s infrastructure.