{ "type": "URL", "indicator": "https://ex.wincorpupdates.com/sokcs.exe", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ex.wincorpupdates.com/sokcs.exe", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4237404559, "indicator": "https://ex.wincorpupdates.com/sokcs.exe", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69b9350760e55cbccb5bb598", "name": "Hydra Saiga: Covert Espionage and Infiltration of Critical Utilities", "description": "Hydra Saiga, a suspected Kazakhstani state-sponsored threat actor, has been actively targeting government, energy, and critical infrastructure in Central Asia, Europe, and the Middle East since 2021. The group is known for using Telegram Bot API for C2 communication and employing a mix of custom implants and 'Living off the Land' techniques. Their activities align closely with Kazakhstan's geopolitical interests, particularly in water and energy sectors. The group has compromised at least 34 organizations across 8 countries, with reconnaissance extending to over 200 additional targets globally. Hydra Saiga's operations demonstrate a clear focus on water infrastructure linked to major regional rivers and gas distribution systems, reflecting strategic intelligence collection efforts.", "modified": "2026-04-16T11:25:00.458000", "created": "2026-03-17T11:03:35.052000", "tags": [ "kazakhstan", "jlorat", "custom implants", "espionage", "central asia", "water resources", "critical infrastructure", "energy sector", "telemiris", "telegram" ], "references": [ "https://www.vmray.com/hydra-saiga-covert-espionage-and-infiltration-of-critical-utilities/" ], "public": 1, "adversary": "Hydra Saiga", "targeted_countries": [ "Armenia", "Azerbaijan", "Belarus", "Bulgaria", "Czechia", "Egypt", "Georgia", "Greece", "Iran, Islamic Republic of", "Kyrgyzstan", "Mongolia", "Morocco", "Netherlands", "Oman", "Russian Federation", "Slovakia", "South Africa", "South Georgia and the South Sandwich Islands", "Tajikistan", "Turkmenistan", "Uzbekistan" ], "malware_families": [ { "id": "JLORAT", "display_name": "JLORAT", "target": null }, { "id": "Telemiris", "display_name": "Telemiris", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Government", "Energy", "Manufacturing", "Education", "Legal", "Water", "Healthcare", "Aviation" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 6, "URL": 15, "domain": 13, "hostname": 7 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 377764, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bbb27ef79369f1b24cd171", "name": "EbeeMar2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:23:26.711000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "bitcoinaddress" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "Gentlemen Ransomware, Ruby Jumper, Moonrise RAT, Dust Specter, NoEscape, Ransom House, Steaelite", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 93, "FileHash-MD5": 157, "FileHash-SHA1": 150, "FileHash-SHA256": 268, "CVE": 5, "domain": 135, "email": 1, "hostname": 42 }, "indicator_count": 851, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b9c851cbfb047db0776d59", "name": "Hydra Saiga: Covert Espionage and Infiltration of Critical Utilities", "description": "", "modified": "2026-04-16T11:25:00.458000", "created": "2026-03-17T21:32:01.754000", "tags": [ "kazakhstan", "jlorat", "custom implants", "espionage", "central asia", "water resources", "critical infrastructure", "energy sector", "telemiris", "telegram" ], "references": [ "https://www.vmray.com/hydra-saiga-covert-espionage-and-infiltration-of-critical-utilities/" ], "public": 1, "adversary": "Hydra Saiga", "targeted_countries": [ "Armenia", "Azerbaijan", "Belarus", "Bulgaria", "Czechia", "Egypt", "Georgia", "Greece", "Iran, Islamic Republic of", "Kyrgyzstan", "Mongolia", "Morocco", "Netherlands", "Oman", "Russian Federation", "Slovakia", "South Africa", "South Georgia and the South Sandwich Islands", "Tajikistan", "Turkmenistan", "Uzbekistan" ], "malware_families": [ { "id": "JLORAT", "display_name": "JLORAT", "target": null }, { "id": "Telemiris", "display_name": "Telemiris", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Government", "Energy", "Manufacturing", "Education", "Legal", "Water", "Healthcare", "Aviation" ], "TLP": "white", "cloned_from": "69b9350760e55cbccb5bb598", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 6, "URL": 15, "domain": 13, "hostname": 7 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 264, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa3b3ca238e55c926abc9d", "name": "IOC - Hydra Saiga: Covert Espionage and Infiltration of Critical Utilities", "description": "Active Presence: Hydra Saiga (also known as Yorotrooper or ShadowSilk) has been active since at least 2021 and remains a significant, resilient threat as of late 2025.\n\nGeopolitical Alignment: The group demonstrates a clear state-sponsored agenda by targeting critical water and energy infrastructure in Central Asia, directly mirroring Kazakhstan\u2019s strategic interests.", "modified": "2026-04-05T02:39:58.334000", "created": "2026-03-06T02:26:04.202000", "tags": [ "bl networks", "psb hosting", "layer", "proxy http", "lure document", "golang", "jlorat sample", "ip address", "provider usage", "timeweb", "jlorat", "qhoster", "cmd curl", "domain provider", "ip resolution", "usage", "cmd certutil", "urlcache f", "cmd bitsadmin", "planethoster", "go171 cmd" ], "references": [ "https://www.vmray.com/hydra-saiga-covert-espionage-and-infiltration-of-critical-utilities/#elementor-toc__heading-anchor-22" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 6, "URL": 31, "domain": 13, "hostname": 7 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 120, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a6aa546645f734b4269fc8", "name": "HYDRA SAIGA: COVERT ESPIONAGE AND INFILTRATION OF CRITICAL UTILITIES", "description": "Hydra Saiga, an alleged state-sponsored threat group from Kazakhstan, has been active since at least 2021 and focuses on infiltrating government and critical infrastructure sectors, particularly in Central Asia, Europe, and the Middle East. The group employs various tactics and tools for command-and-control (C2) operations, notably utilizing the Telegram Bot API and deploying both commodity and custom malware, including payloads written in languages such as Python, PowerShell, Golang, and Rust.", "modified": "2026-04-02T09:08:24.412000", "created": "2026-03-03T09:31:00.015000", "tags": [ "hydra saiga", "march", "bl networks", "central asia", "vmray", "kazakhstan", "energy", "telegram bot", "tomiris", "figure", "powershell", "april", "telegram", "rust", "python", "jlorat", "general", "virustotal", "august", "police", "wdigest", "hoster", "slovakia", "armenia", "belarus", "indonesia", "havoc", "cluster", "hydra", "meterpreter", "lsass", "desktop", "psexec", "install", "defender", "telemiris", "february", "sandbox", "persistence", "execution", "capture" ], "references": [ "https://www.vmray.com/hydra-saiga-covert-espionage-and-infiltration-of-critical-utilities/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 6, "URL": 33, "domain": 16, "hostname": 8 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.vmray.com/hydra-saiga-covert-espionage-and-infiltration-of-critical-utilities/", "https://www.vmray.com/hydra-saiga-covert-espionage-and-infiltration-of-critical-utilities/#elementor-toc__heading-anchor-22", "IOCs.2026.2.csv" ], "related": { "alienvault": { "adversary": [ "Hydra Saiga" ], "malware_families": [ "Jlorat", "Telemiris" ], "industries": [ "Government", "Manufacturing", "Energy", "Education", "Healthcare", "Legal", "Aviation", "Water" ], "unique_indicators": 63 }, "other": { "adversary": [ "Gentlemen Ransomware, Ruby Jumper, Moonrise RAT, Dust Specter, NoEscape, Ransom House, Steaelite", "Hydra Saiga" ], "malware_families": [ "Jlorat", "Telemiris" ], "industries": [ "Government", "Manufacturing", "Energy", "Education", "Healthcare", "Legal", "Aviation", "Water" ], "unique_indicators": 931 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/wincorpupdates.com", "whois": "http://whois.domaintools.com/wincorpupdates.com", "domain": "wincorpupdates.com", "hostname": "ex.wincorpupdates.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69b9350760e55cbccb5bb598", "name": "Hydra Saiga: Covert Espionage and Infiltration of Critical Utilities", "description": "Hydra Saiga, a suspected Kazakhstani state-sponsored threat actor, has been actively targeting government, energy, and critical infrastructure in Central Asia, Europe, and the Middle East since 2021. The group is known for using Telegram Bot API for C2 communication and employing a mix of custom implants and 'Living off the Land' techniques. Their activities align closely with Kazakhstan's geopolitical interests, particularly in water and energy sectors. The group has compromised at least 34 organizations across 8 countries, with reconnaissance extending to over 200 additional targets globally. Hydra Saiga's operations demonstrate a clear focus on water infrastructure linked to major regional rivers and gas distribution systems, reflecting strategic intelligence collection efforts.", "modified": "2026-04-16T11:25:00.458000", "created": "2026-03-17T11:03:35.052000", "tags": [ "kazakhstan", "jlorat", "custom implants", "espionage", "central asia", "water resources", "critical infrastructure", "energy sector", "telemiris", "telegram" ], "references": [ "https://www.vmray.com/hydra-saiga-covert-espionage-and-infiltration-of-critical-utilities/" ], "public": 1, "adversary": "Hydra Saiga", "targeted_countries": [ "Armenia", "Azerbaijan", "Belarus", "Bulgaria", "Czechia", "Egypt", "Georgia", "Greece", "Iran, Islamic Republic of", "Kyrgyzstan", "Mongolia", "Morocco", "Netherlands", "Oman", "Russian Federation", "Slovakia", "South Africa", "South Georgia and the South Sandwich Islands", "Tajikistan", "Turkmenistan", "Uzbekistan" ], "malware_families": [ { "id": "JLORAT", "display_name": "JLORAT", "target": null }, { "id": "Telemiris", "display_name": "Telemiris", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Government", "Energy", "Manufacturing", "Education", "Legal", "Water", "Healthcare", "Aviation" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 6, "URL": 15, "domain": 13, "hostname": 7 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 377764, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bbb27ef79369f1b24cd171", "name": "EbeeMar2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:23:26.711000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "bitcoinaddress" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "Gentlemen Ransomware, Ruby Jumper, Moonrise RAT, Dust Specter, NoEscape, Ransom House, Steaelite", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 93, "FileHash-MD5": 157, "FileHash-SHA1": 150, "FileHash-SHA256": 268, "CVE": 5, "domain": 135, "email": 1, "hostname": 42 }, "indicator_count": 851, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b9c851cbfb047db0776d59", "name": "Hydra Saiga: Covert Espionage and Infiltration of Critical Utilities", "description": "", "modified": "2026-04-16T11:25:00.458000", "created": "2026-03-17T21:32:01.754000", "tags": [ "kazakhstan", "jlorat", "custom implants", "espionage", "central asia", "water resources", "critical infrastructure", "energy sector", "telemiris", "telegram" ], "references": [ "https://www.vmray.com/hydra-saiga-covert-espionage-and-infiltration-of-critical-utilities/" ], "public": 1, "adversary": "Hydra Saiga", "targeted_countries": [ "Armenia", "Azerbaijan", "Belarus", "Bulgaria", "Czechia", "Egypt", "Georgia", "Greece", "Iran, Islamic Republic of", "Kyrgyzstan", "Mongolia", "Morocco", "Netherlands", "Oman", "Russian Federation", "Slovakia", "South Africa", "South Georgia and the South Sandwich Islands", "Tajikistan", "Turkmenistan", "Uzbekistan" ], "malware_families": [ { "id": "JLORAT", "display_name": "JLORAT", "target": null }, { "id": "Telemiris", "display_name": "Telemiris", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Government", "Energy", "Manufacturing", "Education", "Legal", "Water", "Healthcare", "Aviation" ], "TLP": "white", "cloned_from": "69b9350760e55cbccb5bb598", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 6, "URL": 15, "domain": 13, "hostname": 7 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 264, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa3b3ca238e55c926abc9d", "name": "IOC - Hydra Saiga: Covert Espionage and Infiltration of Critical Utilities", "description": "Active Presence: Hydra Saiga (also known as Yorotrooper or ShadowSilk) has been active since at least 2021 and remains a significant, resilient threat as of late 2025.\n\nGeopolitical Alignment: The group demonstrates a clear state-sponsored agenda by targeting critical water and energy infrastructure in Central Asia, directly mirroring Kazakhstan\u2019s strategic interests.", "modified": "2026-04-05T02:39:58.334000", "created": "2026-03-06T02:26:04.202000", "tags": [ "bl networks", "psb hosting", "layer", "proxy http", "lure document", "golang", "jlorat sample", "ip address", "provider usage", "timeweb", "jlorat", "qhoster", "cmd curl", "domain provider", "ip resolution", "usage", "cmd certutil", "urlcache f", "cmd bitsadmin", "planethoster", "go171 cmd" ], "references": [ "https://www.vmray.com/hydra-saiga-covert-espionage-and-infiltration-of-critical-utilities/#elementor-toc__heading-anchor-22" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 6, "URL": 31, "domain": 13, "hostname": 7 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 120, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a6aa546645f734b4269fc8", "name": "HYDRA SAIGA: COVERT ESPIONAGE AND INFILTRATION OF CRITICAL UTILITIES", "description": "Hydra Saiga, an alleged state-sponsored threat group from Kazakhstan, has been active since at least 2021 and focuses on infiltrating government and critical infrastructure sectors, particularly in Central Asia, Europe, and the Middle East. The group employs various tactics and tools for command-and-control (C2) operations, notably utilizing the Telegram Bot API and deploying both commodity and custom malware, including payloads written in languages such as Python, PowerShell, Golang, and Rust.", "modified": "2026-04-02T09:08:24.412000", "created": "2026-03-03T09:31:00.015000", "tags": [ "hydra saiga", "march", "bl networks", "central asia", "vmray", "kazakhstan", "energy", "telegram bot", "tomiris", "figure", "powershell", "april", "telegram", "rust", "python", "jlorat", "general", "virustotal", "august", "police", "wdigest", "hoster", "slovakia", "armenia", "belarus", "indonesia", "havoc", "cluster", "hydra", "meterpreter", "lsass", "desktop", "psexec", "install", "defender", "telemiris", "february", "sandbox", "persistence", "execution", "capture" ], "references": [ "https://www.vmray.com/hydra-saiga-covert-espionage-and-infiltration-of-critical-utilities/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 6, "URL": 33, "domain": 16, "hostname": 8 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ex.wincorpupdates.com/sokcs.exe", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ex.wincorpupdates.com/sokcs.exe", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776703193.5475008 }