Pro-Ukraine BO Team, Head Mare Hackers Collaborate on Russian Attacks

Kaspersky researchers have uncovered a convergence between the pro‑Ukraine hacktivist group BO Team and the advanced threat actor Head Mare, revealing that the two have begun sharing infrastructure and tools to conduct joint operations against Russian targets. The analysis shows overlapping command‑and‑control (C2) servers, identical IP ranges and domain patterns, and the use of the same custom implants and scripts across both campaigns.

The shared C2 architecture enables coordinated intrusions, allowing the groups to amplify the scale and effectiveness of their attacks while making attribution more complex. According to Kaspersky, both BO Team and Head Mare have deployed the same backdoor families and have been observed exploiting identical vulnerability sets, suggesting a deliberate pooling of resources rather than coincidental overlap.

The partnership highlights a shift in the cyber‑threat landscape of the Russia‑Ukraine conflict, where hacktivist collectives are aligning with more sophisticated APT actors to boost their capabilities. Security teams are advised to treat this collaboration as a heightened risk, especially for organizations operating in or adjacent to the region.

To defend against this blended threat, organizations should monitor for the identified TTPs, enrich their threat‑intelligence feeds with the latest IOCs, and ensure robust network segmentation and monitoring. Kaspersky has already disseminated the detailed indicators of compromise to its customers and the broader security community to facilitate timely detection and response.