Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareUsed by 1 actor

BrockenDoor

BrockenDoor is a backdoor malware family used in phishing-led intrusions targeting Russian organizations. It has been linked in the provided reporting to BO Team (also known as Black Owl, Hoody Hyena, and Lifting Zmiy), a pro-Ukraine hacktivist group active since at least early 2024, and has been observed alongside other malware including Remcos and DarkGate. Initial access is typically achieved through targeted phishing emails with malicious attachments, including password-protected RAR archives and executables disguised as legitimate documents, sometimes using Unicode right-to-left override filename masquerading or PDF icons and spacing to conceal the .exe extension.

Researchers described BrockenDoor as a previously unknown backdoor and later observed an updated version rewritten in C#. In the 2025 BO Team campaign, the rewritten variant would only execute if a Russian keyboard layout was present. Earlier analyzed samples stored the main code in the resource section and encrypted it with XOR using the key d=k,j:Z:M<-JLa+.~kX,gTemp. BrockenDoor communicates with command-and-control infrastructure over port 6180 in at least one documented variant, attempting to contact wmiadap[.]cfd or wmiadap[.]sbs. After connecting, it profiles the victim by sending the victim identifier, username, computer name, OS version, network adapter information, running processes, and a desktop file listing.

Documented BrockenDoor capabilities include changing its polling interval, writing and executing files received from C2, self-deletion, and executing commands via cmd.exe or PowerShell. In the newer C# rewrite, abbreviated commands replaced earlier names, including spi for polling interval changes, rp for creating and launching a received file, sd for delayed self-destruction via PowerShell, and ec for command execution through cmd.exe or PowerShell; rl was declared but not implemented at the time of analysis.

BrockenDoor has also been used as a delivery mechanism for follow-on payloads. In one observed case, it downloaded and executed an updated ZeronetKit backdoor and was used to copy that payload into the Windows Startup folder because ZeronetKit could not establish persistence on its own. On at least one infected host in an earlier campaign, attackers used PowerShell to download and execute the Tuoni post-exploitation tool via rundll32.

High-confidence indicators mentioned in the content include MD5 a8e35c05fd6324119b719aca8ab85f57 for one BrockenDoor sample; the masqueraded filename Scan_Kartochka_[CompanyName]_ann‮fdp.exe; C2 domains wmiadap[.]cfd and wmiadap[.]sbs over port 6180; and, in the 2025 campaign context, delivery via a password-protected archive named Приказ_протокол.rar.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
BO Team

В ходе анализа мы обнаружили, что BO Team обновила свой инструментарий: теперь атакующие рассылают новую версию бэкдора BrockenDoor, переписанную на C#, а также используют его для установки обновленной версии бэкдора ZeronetKit.

via securelist rusecurelist.ru
MITRE ATT&CK

Techniques & procedures

17 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566PhishingEvidence2

В новой кампании, зафиксированной в сентябре 2025 года, группировка BO Team продолжает использовать фишинговые письма для заражения пользователей.

T1566.001Spearphishing AttachmentEvidence1

The attackers typically use targeted phishing emails with malicious files disguised as legitimate documents to gain initial access, and deploy backdoors such as BrockenDoor, as well as other malware including Remcos and DarkGate.

Execution

3 techniques
T1059Command and Scripting InterpreterEvidence1

Команда exec_command Выполнить команду, используя интерпретатор командной строки... cmd.exe /C $command ... powershell.exe -noprofile –command "$command"

T1059.001PowerShellEvidence2

Удалить себя через команду: powershell.exe Start-Sleep 5; Remove-Item «$selfname» -Force

T1059.003Windows Command ShellEvidence1

Команда ec ... cm (ранее cmd ): выполнить команду cmd.exe /C $command

Persistence

1 technique
T1547.001Registry Run Keys / Startup FolderEvidence1

ZeronetKit не способен самостоятельно закрепляться в зараженной системе, поэтому злоумышленники при помощи BrockenDoor копируют скачанный бэкдор в автозагрузку. "cmd.exe" / C copy "$appdata\Microsoft\msfch.exe" "%APPDATA%\Microsoft\Windows\Start Menu\Programs\startup"

Privilege Escalation

1 technique
T1547.001Registry Run Keys / Startup FolderEvidence1

ZeronetKit не способен самостоятельно закрепляться в зараженной системе, поэтому злоумышленники при помощи BrockenDoor копируют скачанный бэкдор в автозагрузку. "cmd.exe" / C copy "$appdata\Microsoft\msfch.exe" "%APPDATA%\Microsoft\Windows\Start Menu\Programs\startup"

Stealth

1 technique
T1036MasqueradingEvidence2

Внутри архива содержится исполняемый файл с иконкой PDF-файла и расширением .exe , отделенным от имени файла большим количеством пробелов — таким образом, в проводнике содержимое архива выглядит как вполне легитимный документ.

Discovery

6 techniques
T1016System Network Configuration DiscoveryEvidence1

бэкдор отправляет на сервер... информацию об установленных сетевых адаптерах

T1033System Owner/User DiscoveryEvidence1

бэкдор отправляет на сервер свой идентификатор, имена пользователя и компьютера

T1057Process DiscoveryEvidence1

бэкдор отправляет на сервер... список запущенных процессов

T1082System Information DiscoveryEvidence1

бэкдор отправляет на сервер... версию операционной системы

T1083File and Directory DiscoveryEvidence1

бэкдор отправляет на сервер... список файлов, найденных на рабочем столе пользователя

T1614.001System Language DiscoveryEvidence1

В отличие от образцов из предыдущих кампаний, новая версия вредоносного файла не запустится, если в системе не установлена русская раскладка клавиатуры.

Collection

2 techniques
T1560Archive Collected DataEvidence1

во вредоносном архиве лежал только один исполняемый файл... в архивах находились карточка предприятия... PDF... а также LNK-файл

T1560.001Archive via UtilityEvidence1

Вложенный RAR-архив с именем Приказ_протокол.rar был защищен паролем для предотвращения автоматического сканирования антивирусом, при этом пароль предположительно указан в теле письма.

Command and Control

2 techniques
T1105Ingress Tool TransferEvidence1

В одном из случаев в качестве полезной нагрузки BrockenDoor загружал и выполнял ZeronetKit.

T1219Remote Access ToolsEvidence1

Remcos (Remote Control & Surveillance) — это вредоносное программное обеспечение класса троянских программ удаленного доступа (RAT).

INDICATORS OF COMPROMISE

IOCs tracked for this family

27 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
4 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
16 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
7 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting
hash.md5●●●●●●●●●●●●View more in app9 months ago
hash.md5●●●●●●●●●●●●View more in app9 months ago
uri●●●●●●●●●●●●View more in app9 months ago
uri●●●●●●●●●●●●View more in app9 months ago
hash.md5●●●●●●●●●●●●View more in app9 months ago
hash.md5●●●●●●●●●●●●View more in app9 months ago
ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
the record mediaNews
May 8, 2026
Pro-Ukraine BO Team and Head Mare hackers appear to team up in attacks against Russia | The Record from Recorded Future News

A backdoor deployed by BO Team after phishing-based initial access to expand access and conduct further operations.

Read more
the hacker newsNews
Sep 26, 2025
New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks

Used alongside ZeronetKit; copies the downloaded ZeronetKit backdoor to startup to provide persistence.

Read more
securelist ruNews
Sep 25, 2025
Как изменились инструменты группы BO Team | Securelist

Backdoor used by BO Team in phishing campaigns against Russian companies. The newer version was rewritten in C#, shows a lure document, checks for a Russian keyboard layout before execution, polls C2 for commands, can execute programs and shell commands, self-delete, and is used to download/install ZeronetKit and copy it into startup for persistence.

Read more
the hacker newsNews
Jun 6, 2025
New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack

Backdoor malware used by BO Team for remote access and control of compromised systems.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching27

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping17

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.