BO Team and Head Mare: Pro-Ukraine Hacktivist Groups Coordinate Attacks on Russian Targets
A new report from **Kaspersky** reveals that the pro-Ukraine hacktivist group **BO Team** (also known as Black Owl) is coordinating cyber operations with **Head Mare** in attacks against Russian organizations. The collaboration involves shared infrastructure and tools, suggesting a deeper level of cooperation than previously understood. This marks a shift in the cyber landscape as hacktivist groups become more organized and sophisticated.
## Pro-Ukraine Hacktivists Coordinate Attacks
Researchers at **Kaspersky** have uncovered evidence suggesting that **BO Team** and **Head Mare**, two pro-Ukraine hacktivist groups, are coordinating their cyberattacks targeting Russian organizations. The report highlights overlapping infrastructure and shared tools, indicating a collaborative effort to infiltrate and disrupt Russian entities.
**Kaspersky**'s findings reveal that the groups share command-and-control (C2) systems operating on the same compromised hosts. This shared infrastructure suggests a level of coordination previously undocumented between these groups.
### BO Team's Evolution
**BO Team**, also known as Black Owl, has previously been identified by **Kaspersky** as operating more autonomously than other pro-Ukraine hacktivist groups. The group possesses its own resources and employs unique approaches in deploying malicious tools. Prior to this report, there was limited evidence linking **BO Team** with other hacktivist entities.
**BO Team** has been linked to attacks targeting critical Russian infrastructure, including a major drone supplier, the country's federal digital signature authority, and a scientific research center. These attacks have been attributed to collaboration with Ukrainian military intelligence.
### Head Mare's Role
**Head Mare** emerged in 2023 on the social platform X and is known for its custom malware, including PhantomDL and PhantomCore. The group is also known for exploiting newly disclosed vulnerabilities in phishing campaigns. Its focus, like **BO Team**'s, has been primarily on Russian and Belarusian targets.
### Multi-Stage Attack Scenario
**Kaspersky** proposes a potential cooperation scenario where **Head Mare** gains initial access to a victim's network through phishing tactics. Following the initial breach, **BO Team** then deploys malware to expand access and conduct further operations within the compromised network. This division of labor highlights a sophisticated level of coordination between the two groups.
### Shifting Tactics
Since its emergence in early 2024, **BO Team** has evolved from primarily destructive attacks to more covert operations, including cyber espionage. In the first quarter of 2026, the group targeted 20 organizations, shifting its focus from healthcare to manufacturing, telecommunications, and the oil and gas sector, according to **Kaspersky**.
The attackers commonly employ targeted phishing emails containing malicious files disguised as legitimate documents to gain initial access. They then deploy backdoors such as BrockenDoor, along with other malware including Remcos and DarkGate.
Researchers at **Kaspersky** emphasize that "**BO Team** remains a serious and continuously evolving threat in the Russian cyber threat landscape."
While the exact nature of the relationship between **BO Team** and **Head Mare** remains unclear, the overlapping infrastructure and tools strongly suggest a coordinated effort in their operations against Russian organizations.