Hydra Saiga: Covert Espionage and Infiltration of Critical Utilities
WHITE Hydra Saiga AlienVault 2026-03-17 Modified: 2026-03-17
Hydra Saiga, a suspected Kazakhstani state-sponsored threat actor, has been actively targeting government, energy, and critical infrastructure in Central Asia, Europe, and the Middle East since 2021. The group is known for using the Telegram Bot API for C2 communication and employing a mix of custom implants and 'Living off the Land' techniques. Their activities align closely with Kazakhstan's geopolitical interests, particularly in the water and energy sectors. The group has compromised at least 34 organizations across 8 countries, with reconnaissance extending to over 200 additional targets globally. Hydra Saiga's operations demonstrate a clear focus on water infrastructure linked to major regional rivers and gas distribution systems, reflecting strategic intelligence collection efforts.
Indicators of Compromise (63)