Pro-Ukraine BO Team and Head Mare hackers appear to team up in attacks against Russia
A pro-Ukraine hacktivist group known as BO Team appears to be coordinating its cyber operations with another group, Head Mare, in attacks targeting Russian organizations, according to a new report.
Researchers at Moscow-based cybersecurity firm Kaspersky said they identified overlapping infrastructure and tools used by both groups — including command-and-control systems operating on the same compromised host — suggesting some coordination.
In previous reports, Kaspersky said BO Team, also known as Black Owl, operates more autonomously than other pro-Ukraine hacktivist groups, with its own resources and approaches to deploying malicious tools.
“There had previously been insufficient evidence of the group’s interaction with other hacktivists,” Kaspersky said.
In earlier campaigns, BO Team has worked with Ukrainian military intelligence, including in attacks targeting a major Russian drone supplier, the country’s federal digital signature authority and a scientific research center.
Both BO Team and Head Mare have focused their activity on Russian and Belarusian targets, but until now there had been little evidence linking them operationally.
One possible scenario of cooperation, according to Kaspersky, is a multi-stage attack in which Head Mare gains initial access to a victim’s network through phishing, followed by BO Team deploying malware to expand access and conduct further operations.
BO Team first surfaced in early 2024 via a Telegram channel and has since positioned itself alongside other pro-Ukraine hacktivist groups. The group has expanded its capabilities over the past year and shifted from primarily destructive attacks toward more covert operations, including cyber espionage, the report said.
In the first quarter of 2026, the group targeted 20 organizations, according to Kaspersky, shifting its focus from healthcare entities to companies in manufacturing, telecommunications and the oil and gas sector.
The attackers typically use targeted phishing emails with malicious files disguised as legitimate documents to gain initial access, and deploy backdoors such as BrockenDoor, as well as other malware including Remcos and DarkGate.
“BO Team remains a serious and continuously evolving threat in the Russian cyber threat landscape,” researchers said.
Head Mare, which first emerged in 2023 on the social platform X, is known for using its own custom malware, including PhantomDL and PhantomCore, and for exploiting newly disclosed vulnerabilities in phishing campaigns.
While the exact nature of the relationship between the two groups remains unclear, researchers say the overlap in infrastructure and tools points to at least some level of coordination in operations against Russian organizations.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.



