{ "type": "Domain", "indicator": "message.mailboxarea.cloud", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/message.mailboxarea.cloud", "alexa": "http://www.alexa.com/siteinfo/message.mailboxarea.cloud", "indicator": "message.mailboxarea.cloud", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": {}, "pulse_info": { "count": 0, "pulses": [], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "69b9350760e55cbccb5bb598", "name": "Hydra Saiga: Covert Espionage and Infiltration of Critical Utilities", "description": "Hydra Saiga, a suspected Kazakhstani state-sponsored threat actor, has been actively targeting government, energy, and critical infrastructure in Central Asia, Europe, and the Middle East since 2021. The group is known for using Telegram Bot API for C2 communication and employing a mix of custom implants and 'Living off the Land' techniques. Their activities align closely with Kazakhstan's geopolitical interests, particularly in water and energy sectors. The group has compromised at least 34 organizations across 8 countries, with reconnaissance extending to over 200 additional targets globally. Hydra Saiga's operations demonstrate a clear focus on water infrastructure linked to major regional rivers and gas distribution systems, reflecting strategic intelligence collection efforts.", "author_name": "AlienVault", "modified": "2026-04-16T11:25:00.458000", "created": "2026-03-17T11:03:35.052000", "revision": 2, "tlp": "white", "public": 1, "adversary": "Hydra Saiga", "indicators": [ { "id": 3837747552, "indicator": "allcloudindex.com", "type": "domain", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 3850139028, "indicator": "docworldme.com", "type": "domain", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4008006902, "indicator": "pweobmxdlboi.com", "type": "domain", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4051620147, "indicator": "wincorpupdates.com", "type": "domain", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4124573665, "indicator": "adm-govuz.com", "type": "domain", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4124573668, "indicator": "admin.inboxsession.info", "type": "hostname", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4124573669, "indicator": "auth.allcloudindex.com", "type": "hostname", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4124573672, "indicator": "ex.wincorpupdates.com", "type": "hostname", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4124573673, "indicator": "message.mailboxarea.cloud", "type": "hostname", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4124573674, "indicator": "mosreg.docworldme.com", "type": "hostname", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4124573675, "indicator": "ss.qwadx.com", "type": "hostname", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4155175782, "indicator": "6a49982272ba11b7985a2cec6fbb9a96", "type": "FileHash-MD5", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4155184414, "indicator": "c17e4752c548261c30361353c33f28f5bb9c4ba5", "type": "FileHash-SHA1", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4155184418, "indicator": "66962bb324a7c5a57ba0e9663bba156576a7e6aa5c6c1401c315b3d32f8d467d", "type": "FileHash-SHA256", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4204850093, "indicator": "https://www.seqrite.com/blog/silent-lynx-apt-targeting-central-asian-entities/", "type": "URL", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404527, "indicator": "3da644eec41a32d72d3632b76a524d836f39f3b9854eda5d227cdf7fc4c7b543", "type": "FileHash-SHA256", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404528, "indicator": "8dda063860120a04bf3c7679f6a02a14aee4b5d2c3efc4dbd638dabce8a288a5", "type": "FileHash-SHA256", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404529, "indicator": "a44827d002d7d1a74963b80e6af8a7257977f44c89caff66f126b7d1cad1fd11", "type": "FileHash-SHA256", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404530, "indicator": "e179bf035b9d9d17f8a76ecfc1ebf3b19b69f8ea05421f0d4507ded9e60c657c", "type": "FileHash-SHA256", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404531, "indicator": "f78dad5a95bb01f14c822addc8e4ec17b3c95b7e42f27f68f678fb43a9e56d63", "type": "FileHash-SHA256", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404541, "indicator": "http://64.7.198.66/resosk443.exe", "type": "URL", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404554, "indicator": "https://adm-govuz.com/rev.rar", "type": "URL", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404555, "indicator": "https://admin.inboxsession.info/teal/ru.rar", "type": "URL", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404556, "indicator": "https://altaviva.ru/contacts/rsocx.rar", "type": "URL", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404557, "indicator": "https://auth.allcloudindex.com/147/sokcs.exe", "type": "URL", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404558, "indicator": "https://caspiannews.com/news-detail/russia-kazakhstan-sign-memorandum-for-new-cross-border-gas-pipeline-project-2025-10-10-0/", "type": "URL", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404559, "indicator": "https://ex.wincorpupdates.com/sokcs.exe", "type": "URL", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404560, "indicator": "https://france-deguisement.fr/wp-content/samba.exe", "type": "URL", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404561, "indicator": "https://inbox.mailkeyboard.com/medic/medicru.rar", "type": "URL", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404562, "indicator": "https://message.mailboxarea.cloud/steal/ru.exe-", "type": "URL", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404563, "indicator": "https://mosreg.docworldme.com/mfa/Central_Asia-Italy_Jeenbek_Kulubaev_working-visit-to-Italy.rar", "type": "URL", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404564, "indicator": "https://naryncity.kg/minjust.gov.kg/kgnotary.rar", "type": "URL", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404565, "indicator": "https://pweobmxdlboi.com/sokcs.exe", "type": "URL", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404566, "indicator": "https://ss.qwadx.com/spoolsvc.rar", "type": "URL", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404567, "indicator": "40gov.uz", "type": "domain", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404568, "indicator": "40minwater.uz", "type": "domain", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404569, "indicator": "altaviva.ru", "type": "domain", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404571, "indicator": "france-deguisement.fr", "type": "domain", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404572, "indicator": "inboxsession.info", "type": "domain", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404573, "indicator": "mailboxarea.cloud", "type": "domain", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404574, "indicator": "mailkeyboard.com", "type": "domain", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404575, "indicator": "naryncity.kg", "type": "domain", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4237404577, "indicator": "inbox.mailkeyboard.com", "type": "hostname", "created": "2026-03-17T11:03:36", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null } ], "tags": [ "kazakhstan", "jlorat", "custom implants", "espionage", "central asia", "water resources", "critical infrastructure", "energy sector", "telemiris", "telegram" ], "targeted_countries": [ "Armenia", "Azerbaijan", "Belarus", "Bulgaria", "Czechia", "Egypt", "Georgia", "Greece", "Iran, Islamic Republic of", "Kyrgyzstan", "Mongolia", "Morocco", "Netherlands", "Oman", "Russian Federation", "Slovakia", "South Africa", "South Georgia and the South Sandwich Islands", "Tajikistan", "Turkmenistan", "Uzbekistan" ], "malware_families": [ "JLORAT", "Telemiris" ], "attack_ids": [ "T1053.005", "T1560.001", "T1047", "T1113", "T1594", "T1204.002", "T1566.001", "T1556.002", "T1567", "T1218", "T1572", "T1555.003", "T1021.006", "T1003.001", "T1595", "T1041", "T1059.001", "T1547.001", "T1056.002", "T1562.001", "T1078", "T1027", "T1059.006", "T1071.001", "T1018", "T1046" ], "references": [ "https://www.vmray.com/hydra-saiga-covert-espionage-and-infiltration-of-critical-utilities/" ], "industries": [ "Government", "Energy", "Manufacturing", "Education", "Legal", "Water", "Healthcare", "Aviation" ], "extract_source": [], "more_indicators": false, "indicator_count": 63 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "message.mailboxarea.cloud", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "message.mailboxarea.cloud", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776622993.4602342 }