Hydra Saiga Covert Espionage and Infiltration of Critical Utilities

Threat Overview

Hydra Saiga, also known as Yorotrooper, ShadowSilk, and Silent Lynx, is a state‑sponsored threat actor linked to Kazakhstan. Active since 2021, the group has targeted critical water and energy infrastructure across Central Asia, Europe, the Middle East, and beyond. Their operations combine custom implants written in Rust, Go, Python, and PowerShell with “living‑off‑the‑land” techniques, all coordinated through the Telegram Bot API.

Attack Lifecycle

Initial Access – Phishing attachments (ISO, RAR, Word) with obfuscated macros; exploitation of exposed web‑hosting credentials; and exploitation of default passwords on government portals.

Execution & Persistence – PowerShell backdoors loaded from executable loaders; scheduled tasks and registry run keys named for legitimate Windows services.

Privilege Escalation & Lateral Movement – LSASS dumps, WDigest enablement, SAM hive extraction, and WMI or PsExec to deploy reverse SOCKS5 proxies.

Defense Evasion – Disabling Microsoft Defender, Windows Firewall, and employing Base64 obfuscation.

Collection & Exfiltration – Screenshots with PRTSC, RAR archives, custom Go/Python stealers for browser credentials, and exfiltration via curl to HTTPS endpoints.

Command & Control – Telegram Bot API (https://api[.]telegram[.]org) for command dispatch, with C2 servers hosted on providers such as BitLaunch, PSB Hosting, and QHoster.

Infrastructure

Key C2 and staging IPs (sanitized):

  • 185[.]106[.]92[.]127 – Host for secondary payloads
  • 64[.]7[.]198[.]46 – Resocks executable host
  • 64[.]7[.]198[.]66 – Resocks executable host
  • 65[.]38[.]120[.]38 – SOCKS server
  • 65[.]38[.]121[.]107 – HTTP file server
  • 72[.]5[.]43[.]100 – SOCKS server
  • 78[.]128[.]112[.]209 – Resocks server
  • 81[.]19[.]136[.]241 – Resocks server
  • 82[.]115[.]223[.]210 – JLORAT C2
  • 85[.]209[.]128[.]171 – Secondary payload host
  • 88[.]214[.]26[.]37 – Exfiltration endpoint
  • 96[.]9[.]125[.]168 – Resocks server
  • 141[.]98[.]82[.]198 – C2 server

Compromised domains (sanitized):

  • adm-govuz[.]com – Hosting secondary payloads
  • inboxsession[.]info – Hosting secondary payloads
  • altaviva[.]ru – Compromised website
  • allcloudindex[.]com – Hosting secondary payloads
  • wincorpupdates[.]com – Hosting secondary payloads
  • france-deguisement[.]fr – Compromised website
  • mailkeyboard[.]com – Hosting malicious archives
  • mailboxarea[.]cloud – Hosting secondary payloads
  • docworldme[.]com – Hosting malicious archives
  • naryncity[.]kg – Compromised website
  • pweobmxdlboi[.]com – Hosting secondary payloads
  • qwadx[.]com – Hosting secondary payloads

Victimology & Geopolitical Context

Hydra Saiga has compromised at least 34 organizations across 8 countries, focusing on government, energy, water, healthcare, and legal sectors. Their water campaign targeted the Syr Darya and Amu Darya basins, aligning with Kazakhstan’s strategic interests in the North Aral Sea restoration. The gas and SCADA attempts in April 2024 targeted Russian gas distribution systems and European SCADA endpoints, suggesting testing of capabilities beyond their typical region.

Attribution

Forensic analysis of Telegram C2 timestamps shows a consistent UTC+5 working pattern. Operators were active on every working day except for March 10 and March 25, dates that correspond to Kazakhstani national holidays. This, combined with the use of Kazakhstani infrastructure and alignment with the Tomiris cluster, strongly indicates that Hydra Saiga operates on behalf of the Kazakhstani state.

Recommendations

  • Block all outbound traffic to api[.]telegram[.]org and monitor for anomalous HTTPS connections to known C2 ASNs.
  • Implement strict email security controls to detect phishing with malicious attachments and enforce attachment sandboxing.
  • Enforce least‑privilege and monitor for LSASS dumps, SAM hive extraction, and WDigest enablement.
  • Deploy host‑based detection for PowerShell obfuscation, Base64 payloads, and the use of curl or wget to external domains.
  • Regularly audit scheduled tasks and registry run keys for unknown persistence mechanisms.
  • Enable logging for Windows Defender and firewall changes to detect disabling attempts.

Conclusion

Hydra Saiga remains a resilient, state‑aligned threat actor capable of sophisticated, multi‑stage attacks against critical infrastructure. Continuous intelligence gathering, proactive detection, and rigorous defense hardening are essential to mitigate the evolving risk posed by this group.

For full analysis, visit: hxxps://www[.]vmray[.]com/hydra-saiga-covert-espionage-and-infiltration-of-critical-utilities/ and hxxps://otx[.]alienvault[.]com/pulse/69b9c851cbfb047db0776d59.

Leave a Reply

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading