Catching an Owl by the Tail: BO Team Tactics and Tools

    Date: 06/02/2025

    Severity: Medium

    Summary

    "Catching an Owl by the Tail: BO Team Tactics and Tools" is an investigative report detailing the operations of the hacktivist group BO Team (also known as Black Owl, Lifting Zmiy, and Hoody Hyena). The group primarily targets Russian companies, aiming to destroy infrastructure, encrypt data, and extort money. The analysis of their tactics, techniques, and procedures (TTPs) reveals BO Team as a highly destructive and financially motivated threat actor.

    Indicators of Compromise (IOC) List 

    URL/Domain

    invuln.xyz

    railradman.site

    dzeninfra.site

    dzeninfra.xyz

    sso.dzeninfra.site

    sso.dzeninfra.xyz

    wincertfm.store

    wmiadap.xyz

    wmiadap.sbs

    wmiadap.cfd

    IP Address

    194.190.152.251

    194.113.106.51

    193.124.33.172

    45.144.30.144

    193.124.33.184

    194.190.152.149

    194.87.252.221

    194.87.252.171

    Hash

    7d958333b0705834885e45bc720392e0

    33f7690769ea899a7e804df67c15db62

    05202240d7d4a00cbe55239ed173c6e5

    cab999df17597905d9fba571f4820e5c

    c3d5c48e7e8cd11ab662dcb832088341

    a8e35c05fd6324119b719aca8ab85f57

    129320d55187af9466000db22e7fac2a

    6ed7fc14397c4f4fe87080230554a887

    2d1774df16ae4ab014a75c5e30133a90

    4c406d91db54765ae7f843ecdb759085

    5f4b879537af29b224198d4e18399fe7

    353302ef3297119ad7e15d131b85c04d

    26b44188dbbe93eabcf93f446462efd0

    eed9223ff9bc5a20f5fa6114aa9cc6be

    5aac8f8629ea001029b18f99eead9477

    0010b361f4f599aefe10e49a37af85ba

    c99e34cac21fefe10eaf3303ff447131

    373b22dca89f57c138c83cb99a6c6120

    5c8887f6bbfd92134523e8e49c701112

    9b7695bfbff339d78a58eb528e13c784

    e5b120a763afdceeb4c0d028bbcd9d7c

    9f1eca64a49c2accf8770e9fd932402a

    8351fa0448a85ffe8bcd1fbef20ed801

    4793753ef5800f2adc088e359d61b793

    6c3deaa478e0e19c8757e1ba5ba1dd5a

    4d73fb057eab0cfd19d38feb7e1db8c2

    5feefe39dbd8b4a7f06a6062dc6c57be

    60567d0b90209bcedff4a841bdc086a7

    7b108826350e3a5fb72b5bff3e269b54

    a0c0315bc451fcdec26c770c9c0ff2de

    2c9d37c1edbfcac4313f691838130263

    45a535e2c3b7e75d6d084def457ae565

    a2210e271dd14f44532d6f86b4487725

    fc2636f8847b1f2d8bdc78bbf684add3

    c072a8e594245564d111b650cc348fcb

    aef6e0b2a390af31ada9835c10d0d5ca

    26df73f85436774aa04e293c619a9961

    64e29fabdc6905ee04f82dbb53880056

    38ad4de5df310c6cf0f274c413770c45

    42a280cecb0e56012e83c23bd7b5afe9

    b30e8dbbc9d20d20d1ac44eba44bb04e

    d4fdd7962677cca27096a9d656dc6b11

    d0d5e6dffa4b5863c8222cf6819014c6

    ee2e6a3cd470494d3d3197564bdd5075

    762625af777a9655bbcce8538e69216e

    59e9ca36e36cfe02b0efe3e230ec68a1

    105ab2390e5f9d1d51b9be11f51db883

    56c17b051e98ed20e0ea95ed0f442253

    37627532b09b0a3f72df19749558d20b

    830fec8a9079a3eea95bb55d147a6715

    1424b7837a2f15654a5d4b73caf570e1

    20e306869f5741ca23919894ca55fc62

    73834b9bff2daf507da726b1098d3b9a

    658b51c867648c45289bd21a113234c4

    78abda180b36b8a0c29cb4e354516c73

    4932581023a8ce9ee40bebb7bdc0d0aa

    2a3ea25cb6b71c06c141f10905d97742

    73ff516c0e6979471b24f36ba96e81e7

    d1731317af07655e5abe5d0eb50eb8cb

    35cc88496ddf000694ffe3f0d385386b

    e3c9308a8475ae5812d0987c4f7c671f

    a49d38c87e64077a5eece1262700afd7

    e66f77c9834827e3657a5d9ed4cda9f8

    a9909f7cbf6e776028934f24fb4c23ee

    40278bfb0de306ec2b81954c7691eaad

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 : 

    domainname like "railradman.site" or siteurl like "railradman.site" or url like "railradman.site" or domainname like "wmiadap.sbs" or siteurl like "wmiadap.sbs" or url like "wmiadap.sbs" or domainname like "wincertfm.store" or siteurl like "wincertfm.store" or url like "wincertfm.store" or domainname like "invuln.xyz" or siteurl like "invuln.xyz" or url like "invuln.xyz" or domainname like "wmiadap.xyz" or siteurl like "wmiadap.xyz" or url like "wmiadap.xyz" or domainname like "dzeninfra.site" or siteurl like "dzeninfra.site" or url like "dzeninfra.site" or domainname like "dzeninfra.xyz" or siteurl like "dzeninfra.xyz" or url like "dzeninfra.xyz" or domainname like "sso.dzeninfra.site" or siteurl like "sso.dzeninfra.site" or url like "sso.dzeninfra.site" or domainname like "sso.dzeninfra.xyz" or siteurl like "sso.dzeninfra.xyz" or url like "sso.dzeninfra.xyz" or domainname like "wmiadap.cfd" or siteurl like "wmiadap.cfd" or url like "wmiadap.cfd"

    Detection Query 2 :

    dstipaddress IN ("45.144.30.144","194.113.106.51","194.87.252.221","194.87.252.171","193.124.33.184","194.190.152.251","193.124.33.172","194.190.152.149") or srcipaddress IN ("45.144.30.144","194.113.106.51","194.87.252.221","194.87.252.171","193.124.33.184","194.190.152.251","193.124.33.172","194.190.152.149")

    Detection Query 3 :

    md5hash IN ("33f7690769ea899a7e804df67c15db62","e5b120a763afdceeb4c0d028bbcd9d7c","2d1774df16ae4ab014a75c5e30133a90","353302ef3297119ad7e15d131b85c04d","7d958333b0705834885e45bc720392e0","a8e35c05fd6324119b719aca8ab85f57","5f4b879537af29b224198d4e18399fe7","20e306869f5741ca23919894ca55fc62","40278bfb0de306ec2b81954c7691eaad","cab999df17597905d9fba571f4820e5c","c3d5c48e7e8cd11ab662dcb832088341","5aac8f8629ea001029b18f99eead9477","05202240d7d4a00cbe55239ed173c6e5","129320d55187af9466000db22e7fac2a","6ed7fc14397c4f4fe87080230554a887","4c406d91db54765ae7f843ecdb759085","26b44188dbbe93eabcf93f446462efd0","eed9223ff9bc5a20f5fa6114aa9cc6be","0010b361f4f599aefe10e49a37af85ba","c99e34cac21fefe10eaf3303ff447131","373b22dca89f57c138c83cb99a6c6120","5c8887f6bbfd92134523e8e49c701112","9b7695bfbff339d78a58eb528e13c784","9f1eca64a49c2accf8770e9fd932402a","8351fa0448a85ffe8bcd1fbef20ed801","4793753ef5800f2adc088e359d61b793","6c3deaa478e0e19c8757e1ba5ba1dd5a","4d73fb057eab0cfd19d38feb7e1db8c2","5feefe39dbd8b4a7f06a6062dc6c57be","60567d0b90209bcedff4a841bdc086a7","7b108826350e3a5fb72b5bff3e269b54","a0c0315bc451fcdec26c770c9c0ff2de","2c9d37c1edbfcac4313f691838130263","45a535e2c3b7e75d6d084def457ae565","a2210e271dd14f44532d6f86b4487725","fc2636f8847b1f2d8bdc78bbf684add3","c072a8e594245564d111b650cc348fcb","aef6e0b2a390af31ada9835c10d0d5ca","26df73f85436774aa04e293c619a9961","64e29fabdc6905ee04f82dbb53880056","38ad4de5df310c6cf0f274c413770c45","42a280cecb0e56012e83c23bd7b5afe9","b30e8dbbc9d20d20d1ac44eba44bb04e","d4fdd7962677cca27096a9d656dc6b11","d0d5e6dffa4b5863c8222cf6819014c6","ee2e6a3cd470494d3d3197564bdd5075","762625af777a9655bbcce8538e69216e","59e9ca36e36cfe02b0efe3e230ec68a1","105ab2390e5f9d1d51b9be11f51db883","56c17b051e98ed20e0ea95ed0f442253","37627532b09b0a3f72df19749558d20b","830fec8a9079a3eea95bb55d147a6715","1424b7837a2f15654a5d4b73caf570e1","73834b9bff2daf507da726b1098d3b9a","658b51c867648c45289bd21a113234c4","78abda180b36b8a0c29cb4e354516c73","4932581023a8ce9ee40bebb7bdc0d0aa","2a3ea25cb6b71c06c141f10905d97742","73ff516c0e6979471b24f36ba96e81e7","d1731317af07655e5abe5d0eb50eb8cb","35cc88496ddf000694ffe3f0d385386b","e3c9308a8475ae5812d0987c4f7c671f","a49d38c87e64077a5eece1262700afd7","e66f77c9834827e3657a5d9ed4cda9f8","a9909f7cbf6e776028934f24fb4c23ee")
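    The three queries above are straightforward set lookups over a few log fields, which makes them easy to reproduce outside the Gurucul platform for offline triage or for validating an export of logs. The following is an added example, not part of the original advisory or of Gurucul's product: it applies the same three checks (domain/URL, source or destination IP, MD5) to constructed log records. The field names (domainname, siteurl, url, dstipaddress, srcipaddress, md5hash) are the ones used in the queries, the IOC sets are a subset of the list above, and the sample records are invented. One deliberate difference from the original queries is noted in the code: the domain check uses exact or parent-domain (suffix) matching rather than a bare `like`, so an unrelated name that merely contains an IOC string does not fire.

```python
"""Apply the three BO Team IOC detection queries to log records, offline.

Added example, not Gurucul's code. Field names come from the queries on
the page, the IOC sets are a subset of the page's IOC list, and the sample
records below are constructed.
"""
from urllib.parse import urlsplit

# Subset of the page's IOC list; the full lists can be dropped in unchanged.
IOC_DOMAINS = {
    "invuln.xyz", "railradman.site", "dzeninfra.site", "dzeninfra.xyz",
    "sso.dzeninfra.site", "sso.dzeninfra.xyz", "wincertfm.store",
    "wmiadap.xyz", "wmiadap.sbs", "wmiadap.cfd",
}
IOC_IPS = {
    "194.190.152.251", "194.113.106.51", "193.124.33.172", "45.144.30.144",
    "193.124.33.184", "194.190.152.149", "194.87.252.221", "194.87.252.171",
}
IOC_MD5 = {
    "7d958333b0705834885e45bc720392e0",
    "33f7690769ea899a7e804df67c15db62",
    "4932581023a8ce9ee40bebb7bdc0d0aa",
}


def host_of(value):
    """Return the lowercase hostname from a bare domain or a full URL."""
    if not value:
        return ""
    value = value.strip().lower()
    if "://" in value:
        return urlsplit(value).hostname or ""
    # Bare "host:port/path" form without a scheme.
    return value.split("/")[0].split(":")[0]


def domain_hit(host):
    """Detection Query 1: host is an IOC domain or a subdomain of one.

    Suffix matching stands in for the query's `like`, so a name such as
    notinvuln.xyz (which merely contains "invuln.xyz") does not match.
    """
    if host in IOC_DOMAINS:
        return True
    return any(host.endswith("." + d) for d in IOC_DOMAINS)


def evaluate(record):
    """Return the set of detection query numbers (1, 2, 3) that fire."""
    fired = set()
    for field in ("domainname", "siteurl", "url"):
        if domain_hit(host_of(record.get(field))):
            fired.add(1)
    for field in ("dstipaddress", "srcipaddress"):
        if record.get(field) in IOC_IPS:
            fired.add(2)
    # Hash fields are often logged in mixed case; normalise before lookup.
    md5 = (record.get("md5hash") or "").strip().lower()
    if md5 in IOC_MD5:
        fired.add(3)
    return fired


def scan(records):
    """Return [(record index, sorted query numbers)] for each record that fires."""
    hits = []
    for i, rec in enumerate(records):
        fired = evaluate(rec)
        if fired:
            hits.append((i, sorted(fired)))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"url": "https://sso.dzeninfra.site/login", "dstipaddress": "10.0.0.5"},
    {"domainname": "cdn.wmiadap.cfd", "srcipaddress": "192.168.1.20"},
    {"domainname": "notinvuln.xyz"},  # must not fire: not a subdomain of an IOC
    {"srcipaddress": "193.124.33.172",
     "md5hash": "4932581023A8CE9EE40BEBB7BDC0D0AA"},  # upper-case hash
    {"dstipaddress": "8.8.8.8", "md5hash": "d41d8cd98f00b204e9800998ecf8427e"},
]

if __name__ == "__main__":
    for idx, queries in scan(SAMPLE_RECORDS):
        print(f"record {idx}: detection query {queries} fired")
```

    Running the block reports records 0 and 1 under Query 1 and record 3 under Queries 2 and 3; record 2 is the false-positive control for the substring case and record 4 is clean.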

    Reference:

    https://securelist.ru/bo-team/112753/

    Tags

    Threat Actor, BO Team, Black Owl, Lifting Zmiy, Hoody Hyena, Russia, Critical Infrastructure, hacktivist
