A new wave of cyberattacks by the Russian-aligned hacktivist group “Black Owl Hacker” also known as BO Team has been observed targeting critical sectors in Russia, with a particular emphasis on stealing financial data and disrupting organizational infrastructure.
Operating since early 2024, Black Owl Hacker has differentiated itself by orchestrating advanced attacks on government, technology, telecommunications, and manufacturing entities within Russia, using sophisticated phishing schemes, custom malware, and destructive tools.
Attack Lifecycle
The BO Team’s typical attack chain commences with spear-phishing campaigns leveraging meticulously crafted emails that mimic reputable companies specializing in technology automation.
According to the report, these emails contain malicious attachments embedded with remote access tools such as Remcos RAT, DarkGate, and the custom backdoor BrockenDoor.
Upon execution, these payloads connect to attacker-controlled command-and-control (C2) servers, laying the foundation for further operations.

Phishing messages are rendered highly convincing through the use of visually accurate domain forgeries and decoy documents, including fake business proposals and verification links to legitimate corporate data, which improves the probability of user interaction and malware execution.
In parallel, the malware operates in the background, establishing persistence and preparing for escalation.
Once initial access is secured, the attackers employ “Living off the Land” (LotL) techniques, exploiting legitimate Windows binaries (e.g., PowerShell, WMIC, schtasks) to execute reconnaissance, manipulate system defenses, and create scheduled tasks disguised as system updates (such as “MicrosoftEdgeUpdate”).
These moves facilitate stealthy lateral movement and persistent foothold establishment while evading traditional security solutions.
BO Team takes a multi-pronged approach to credential theft, blending built-in system tools with third-party utilities to dump credentials from LSASS memory: Procdump, HandleKatz, NanoDump, and abuse of rundll32 with comsvcs.dll.
When domain controllers are accessible, ntdsutil is deployed to extract the Active Directory database, targeting further privilege escalation and domain-wide reconnaissance.
Persistence is maintained via scheduled tasks that launch tunneling tools (like wgl.exe/GO Simple Tunnel), ensuring covert connections to the C2 infrastructure.
Discovery operations are similarly well-developed, with custom PowerShell scripts extracting information about users, running processes, antivirus solutions, and remote desktop sessions.
The attackers also mask file timestamps and log their activities with obfuscated, base64-encoded commands to minimize forensic footprints.
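As an added illustration of how the LotL and credential-theft behaviours above can be spotted in process-creation telemetry, the following Python scanner (mine, not from the report or the article) classifies constructed command lines shaped like the CommandLine field of Sysmon Event ID 1 or Security event 4688. The sample lines, rule labels and the assumption that a genuine Edge updater task points into the Microsoft\EdgeUpdate folder are my own.

```python
import base64
import re

# Constructed sample command lines (not taken from the report), in the shape of
# the CommandLine field of Sysmon Event ID 1 / Security 4688 events.
SAMPLE_COMMANDLINES = [
    r'schtasks.exe /create /tn "MicrosoftEdgeUpdate" /tr "C:\Users\Public\wgl.exe -L socks5://:1080" /sc minute /mo 5',
    r'schtasks.exe /create /tn "MicrosoftEdgeUpdateTaskMachineCore" /tr "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /c" /sc daily',
    r'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\l.dmp full',
    r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\x" q q',
    'powershell.exe -nop -w hidden -enc ' + base64.b64encode('Get-Process'.encode('utf-16-le')).decode(),
    r'C:\Windows\System32\svchost.exe -k netsvcs -p',
]

# Assumption: the real Edge updater task action lives under this folder.
EDGE_UPDATE_DIR = '\\microsoft\\edgeupdate\\'

def decode_encoded_powershell(cmdline):
    """Decode a 'powershell -enc <base64>' command (base64 of UTF-16LE text); None if absent."""
    if 'powershell' not in cmdline.lower():
        return None
    m = re.search(r'-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)', cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-16-le')
    except ValueError:  # not valid base64 or not UTF-16LE text
        return None

def classify(cmdline):
    """Return the TTP labels one command line matches (empty list if nothing suspicious)."""
    low = cmdline.lower()
    hits = []
    # A task named like the Edge updater whose action is outside the EdgeUpdate folder.
    task = re.search(r'/tn\s+"?([^"\s]+)"?.*?/tr\s+"?([^"]+)', cmdline, re.I)
    if 'schtasks' in low and task and 'microsoftedgeupdate' in task.group(1).lower() \
            and EDGE_UPDATE_DIR not in task.group(2).lower():
        hits.append('spoofed-update-task')
    if 'comsvcs.dll' in low and 'minidump' in low:
        hits.append('lsass-dump-comsvcs')
    if re.search(r'\b(procdump|handlekatz|nanodump)\b', low) and 'lsass' in low:
        hits.append('lsass-dump-tool')
    if 'ntdsutil' in low and 'ifm' in low:
        hits.append('ntds-extraction')
    if decode_encoded_powershell(cmdline) is not None:
        hits.append('encoded-powershell')
    return hits

def scan(cmdlines):
    """Map each suspicious command line to its labels; benign lines are dropped."""
    return {c: classify(c) for c in cmdlines if classify(c)}

if __name__ == '__main__':
    for cmd, labels in scan(SAMPLE_COMMANDLINES).items():
        print(labels, '<-', cmd[:80])
```

The second sample line shows why the task rule checks the action path rather than the task name alone: a legitimately named Edge updater task is left alone.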
Destruction and Ransomware Deployment
The endgame for Black Owl Hacker often involves the deployment of destructive malware and ransomware.
The group has been observed using Babuk ransomware variants to encrypt data and demand hefty ransoms in Bitcoin, often accompanied by threatening notes that promise irretrievable data loss if demands are not met.

Prior to encryption, the attackers deploy custom utilities like av_scan.exe (SDelete runner) to wipe backup files and destroy shadow copies, ensuring data recovery becomes virtually impossible.
Unlike many groups in the pro-Ukrainian or hacktivist ecosystem, Black Owl Hacker exhibits operational independence, possessing its own set of unique Tactics, Techniques, and Procedures (TTPs) as well as custom-built tooling.
No direct collaborative technical linkages have been established between BO Team and other threat clusters, underscoring the group’s singular focus and strategic autonomy.
Experts recommend organizations maintain robust backup procedures, keep systems patched, and employ advanced endpoint protection solutions.
Employee training in phishing recognition and digital hygiene remains paramount, given the group’s reliance on sophisticated social engineering.
Leveraging threat intelligence and monitoring for Indicators of Compromise (IoCs) is essential for early detection and response.
Indicators of Compromise (IOCs)
| Category | Indicator (file hash / domain / IP) | Description / Notes |
|---|---|---|
| BrockenDoor | 7d958333b0705834885e45bc720392e0, 33f7690769ea899a7e804df67c15db62 | Malicious executables, backdoor payloads |
| DarkGate | 5f4b879537af29b224198d4e18399fe7, 26b44188dbbe93eabcf93f446462efd0 | Remote access trojans |
| SDelete Runner | 5aac8f8629ea001029b18f99eead9477 | av_scan.exe (data wiper) |
| Babuk Ransomware | 0010b361f4f599aefe10e49a37af85ba | e_win.exe (encryptor) |
| GO Simple Tunnel | c99e34cac21fefe10eaf3303ff447131 | Tunneling tool |
| Cobalt Strike | 60567d0b90209bcedff4a841bdc086a7, 2c9d37c1edbfcac4313f691838130263 | Beacon payloads |
| HandleKatz | 40278bfb0de306ec2b81954c7691eaad | Credential dumping tool |
| Network C2 Domains | wmiadap[.]xyz, mofcomp[.]space, invuln[.]xyz, railradman[.]site | C2 infrastructure |
| Network IPs | 194.190.152[.]251, 194.87.252[.]171, 193.124.33[.]172 | C2 endpoints |