Hydra Saiga: Covert Espionage and Infiltration of Critical Utilities

March 17, 2026, 11:17 a.m.

Description

Hydra Saiga, a suspected Kazakhstani state-sponsored threat actor, has been actively targeting government, energy, and critical infrastructure in Central Asia, Europe, and the Middle East since 2021. The group is known for using Telegram Bot API for C2 communication and employing a mix of custom implants and 'Living off the Land' techniques. Their activities align closely with Kazakhstan's geopolitical interests, particularly in water and energy sectors. The group has compromised at least 34 organizations across 8 countries, with reconnaissance extending to over 200 additional targets globally. Hydra Saiga's operations demonstrate a clear focus on water infrastructure linked to major regional rivers and gas distribution systems, reflecting strategic intelligence collection efforts.

External References

https://www.vmray.com/hydra-saiga-covert-espionage-and-infiltration-of-critical-utilities/
https://otx.alienvault.com/pulse/69b9350760e55cbccb5bb598
Tags
espionage
telegram
critical infrastructure
kazakhstan
central asia
energy sector
jlorat
2026-03-17
custom implants
telemiris
water resources

Date

  • Created: March 17, 2026, 11:03 a.m.
  • Published: March 17, 2026, 11:03 a.m.
  • Modified: March 17, 2026, 11:17 a.m.

Indicators

  • a44827d002d7d1a74963b80e6af8a7257977f44c89caff66f126b7d1cad1fd11
  • 66962bb324a7c5a57ba0e9663bba156576a7e6aa5c6c1401c315b3d32f8d467d
  • 8dda063860120a04bf3c7679f6a02a14aee4b5d2c3efc4dbd638dabce8a288a5
  • e179bf035b9d9d17f8a76ecfc1ebf3b19b69f8ea05421f0d4507ded9e60c657c
  • 3da644eec41a32d72d3632b76a524d836f39f3b9854eda5d227cdf7fc4c7b543
  • f78dad5a95bb01f14c822addc8e4ec17b3c95b7e42f27f68f678fb43a9e56d63
  • 82.115.223.210
  • 141.98.82.198
  • 193.149.129.181
  • 195.38.162.147
  • 78.128.112.209
  • 85.209.128.171
  • 64.7.198.46
  • 195.85.115.196
  • 179.60.150.151
  • 81.19.136.241
  • 65.38.121.107
  • 96.9.125.168
  • 64.7.198.66
  • 65.38.120.38
  • 193.176.182.155
  • 72.5.43.178
  • 88.214.26.37
  • 168.100.11.127
  • 72.5.43.100
  • 172.86.75.237
  • https://adm-govuz.com/rev.rar
  • https://auth.allcloudindex.com/147/sokcs.exe
  • https://pweobmxdlboi.com/sokcs.exe
  • http://64.7.198.66/resosk443.exe
  • https://inbox.mailkeyboard.com/medic/medicru.rar
  • https://altaviva.ru/contacts/rsocx.rar
  • https://naryncity.kg/minjust.gov.kg/kgnotary.rar
  • https://ex.wincorpupdates.com/sokcs.exe
  • https://admin.inboxsession.info/teal/ru.rar
  • https://www.seqrite.com/blog/silent-lynx-apt-targeting-central-asian-entities/
  • https://france-deguisement.fr/wp-content/samba.exe
  • https://ss.qwadx.com/spoolsvc.rar
  • https://message.mailboxarea.cloud/steal/ru.exe-
  • https://caspiannews.com/news-detail/russia-kazakhstan-sign-memorandum-for-new-cross-border-gas-pipeline-project-2025-10-10-0/
  • https://mosreg.docworldme.com/mfa/Central_Asia-Italy_Jeenbek_Kulubaev_working-visit-to-Italy.rar
Download all indicators here!

Attack Patterns

  • Telemiris
  • JLORAT
  • Hydra Saiga

Additional Informations

  • Energy
  • Water distribution and supply
  • Education
  • Legal
  • Manufacturing
  • Healthcare
  • Government
  • Air transport
  • message.mailboxarea.cloud
  • naryncity.kg
  • 40minwater.uz
  • admin.inboxsession.info
  • auth.allcloudindex.com
  • ex.wincorpupdates.com
  • altaviva.ru
  • 40gov.uz
  • adm-govuz.com
  • docworldme.com
  • mosreg.docworldme.com
  • allcloudindex.com
  • mailboxarea.cloud
  • inboxsession.info
  • pweobmxdlboi.com
  • mailkeyboard.com
  • ss.qwadx.com
  • inbox.mailkeyboard.com
  • france-deguisement.fr
  • wincorpupdates.com
  • Czechia
  • Slovakia
  • Tajikistan
  • Uzbekistan
  • Egypt
  • Azerbaijan
  • South Africa
  • Netherlands
  • Mongolia
  • Georgia
  • South Georgia and the South Sandwich Islands
  • Bulgaria
  • Oman
  • Greece
  • Iran, Islamic Republic of
  • Belarus
  • Morocco
  • Russian Federation
  • Turkmenistan
  • Armenia
  • Kyrgyzstan