Trusted Design

Hydra Saiga: Covert Espionage and Infiltration of Critical Utilities

概要

Hydra Saiga, a suspected Kazakhstani state-sponsored threat actor, has been actively targeting government, energy, and critical infrastructure in Central Asia, Europe, and the Middle East since 2021. The group is known for using Telegram Bot API for C2 communication and employing a mix of custom implants and 'Living off the Land' techniques. Their activities align closely with Kazakhstan's geopolitical interests, particularly in water and energy sectors. The group has compromised at least 34 organizations across 8 countries, with reconnaissance extending to over 200 additional targets globally. Hydra Saiga's operations demonstrate a clear focus on water infrastructure linked to major regional rivers and gas distribution systems, reflecting strategic intelligence collection efforts.

Created: 2026-04-16

Indicators

• URL - https://pweobmxdlboi.com/sokcs.exe -
• FileHash-SHA256 - 8dda063860120a04bf3c7679f6a02a14aee4b5d2c3efc4dbd638dabce8a288a5 -
• hostname - mosreg.docworldme.com -
• domain - pweobmxdlboi.com -
• URL - https://mosreg.docworldme.com/mfa/Central_Asia-Italy_Jeenbek_Kulubaev_working-visit-to-Italy.rar -
• domain - naryncity.kg -
• URL - https://www.seqrite.com/blog/silent-lynx-apt-targeting-central-asian-entities/ -
• hostname - admin.inboxsession.info -
• URL - https://caspiannews.com/news-detail/russia-kazakhstan-sign-memorandum-for-new-cross-border-gas-pipeline-project-2025-10-10-0/ -
• FileHash-SHA256 - 66962bb324a7c5a57ba0e9663bba156576a7e6aa5c6c1401c315b3d32f8d467d -
• URL - https://altaviva.ru/contacts/rsocx.rar -
• FileHash-SHA256 - a44827d002d7d1a74963b80e6af8a7257977f44c89caff66f126b7d1cad1fd11 -
• FileHash-MD5 - 6a49982272ba11b7985a2cec6fbb9a96 -
• hostname - inbox.mailkeyboard.com -
• FileHash-SHA256 - 3da644eec41a32d72d3632b76a524d836f39f3b9854eda5d227cdf7fc4c7b543 -
• URL - https://message.mailboxarea.cloud/steal/ru.exe- -
• URL - https://ss.qwadx.com/spoolsvc.rar -
• FileHash-SHA1 - c17e4752c548261c30361353c33f28f5bb9c4ba5 -
• domain - inboxsession.info -
• domain - allcloudindex.com -
• hostname - auth.allcloudindex.com -
• URL - https://ex.wincorpupdates.com/sokcs.exe -
• domain - altaviva.ru -
• domain - wincorpupdates.com -
• hostname - ss.qwadx.com -
• hostname - ex.wincorpupdates.com -
• domain - docworldme.com -
• URL - https://auth.allcloudindex.com/147/sokcs.exe -
• URL - https://admin.inboxsession.info/teal/ru.rar -
• URL - https://adm-govuz.com/rev.rar -
• domain - mailboxarea.cloud -
• domain - france-deguisement.fr -
• domain - adm-govuz.com -
• URL - http://64.7.198.66/resosk443.exe -
• FileHash-SHA256 - f78dad5a95bb01f14c822addc8e4ec17b3c95b7e42f27f68f678fb43a9e56d63 -
• URL - https://inbox.mailkeyboard.com/medic/medicru.rar -
• domain - mailkeyboard.com -
• URL - https://france-deguisement.fr/wp-content/samba.exe -
• URL - https://naryncity.kg/minjust.gov.kg/kgnotary.rar -
• domain - 40minwater.uz -
• domain - 40gov.uz -
• FileHash-SHA256 - e179bf035b9d9d17f8a76ecfc1ebf3b19b69f8ea05421f0d4507ded9e60c657c -
• hostname - message.mailboxarea.cloud -

類似Pulses

類似するPulseは見つかりませんでした。

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る