BO Team phishing campaign targeting Russian companies with password-protected RAR archives
Campaign
Summary
Hide ▲
Show ▼
BO Team ran an early September 2025 phishing campaign that targeted Russian companies and used password-protected RAR archives to deliver backdoor payloads. The operation mattered because it delivered BrockenDoor and ZeronetKit, expanding the group’s ability to gain access to victims’ systems. The activity is consistent with a targeted, multi-stage intrusion delivery chain rather than a one-off lure.
Related Happenings
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
Campaign
H score36
First: 04.05.2026 14:57
Last: 04.05.2026 14:57
Sources 1
About this happening:
**Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
CampaignAbout this happening: **Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
North American cryptocurrency company hit by network compromise
Incident
H score31
First: 28.04.2026 11:00
Last: 28.04.2026 11:00
Sources 1
About this happening:
A **North American cryptocurrency company** suffered a **multi-stage intrusion** that began on **January 23, 2026**, and the attackers kept access for **66 days**. The foothold ca...
North American cryptocurrency company hit by network compromise
IncidentAbout this happening: A **North American cryptocurrency company** suffered a **multi-stage intrusion** that began on **January 23, 2026**, and the attackers kept access for **66 days**. The foothold ca...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
H score57
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor MetaAbout this happening: **The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
H score65
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
UNC6783 BPO compromise campaign targeting downstream companies
CampaignAbout this happening: **UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
Silver Fox South Asia phishing campaign
Campaign
H score34
First: 24.03.2026 18:00
Last: 24.03.2026 18:00
Sources 1
About this happening:
The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...
Silver Fox South Asia phishing campaign
CampaignAbout this happening: The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...
Timeline
-
26.09.2025 15:45 2 articles · 9mo ago
BO Team phishing campaign targeting Russian companies with password-protected RAR archives
Initial DisclosureIn **early September 2025**, **BO Team** began using **password-protected RAR archives** in a phishing operation against **Russian companies**. The initial delivery stage was designed to introduce **BrockenDoor** and **ZeronetKit** through a staged attachment-based workflow.
Show sources
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45