Hydra Saiga

Hydra Saiga (aka Yorotrooper, ShadowSilk, Silent Lynx) is a suspected Kazakhstan-aligned, likely state-sponsored espionage threat actor assessed active since at least 2021 and still operating into late 2025. Reporting attributes to the group campaigns targeting government, energy, and critical infrastructure organizations across Central Asia, Europe, and the Middle East, with claims of at least 34 organizations compromised across 8 countries and reconnaissance/login attempts against 200+ additional targets. A defining tradecraft element is heavy use of the Telegram Bot API for C2 (including /getUpdates), alongside a mix of commodity tooling (e.g., Havoc, resocks, Meterpreter) and custom implants/backdoors written in PowerShell, Python, Go, and Rust. Initial access described includes phishing lures such as a loader masquerading as a Turkmenistan-to-UN letter (executing a Base64-encoded PowerShell backdoor and attempting to bypass PowerShell execution policy/profiles) and a macro-enabled Word document delivered to the Royal Oman Police (download/execution of an obfuscated PowerShell backdoor from 185.106.92[.]127; that host also served a Meterpreter payload around the same time). Delivery mechanisms include ISO/RAR attachments sent from previously compromised email accounts. Post-compromise activity is characterized as hands-on-keyboard “living off the land,” with persistence via scheduled tasks and registry manipulation; credential access via LSASS dumping, SAM/SECURITY hive export, enabling WDigest, and use of FakeLogonScreen; lateral movement via nltest for DC discovery and WMI/PsExec to deploy a reverse SOCKS5 proxy; defense evasion via disabling Microsoft Defender features and the Windows firewall; collection via screenshots and RAR archiving; tool transfer via curl/wget/bitsadmin/PowerShell (often password-protected RARs); and exfiltration via curl POSTs plus browser-data stealers (PyInstaller-based, later Golang). The actor reportedly uses Censys/Shodan for recon and Acunetix for vulnerability scanning, and has used infrastructure from providers such as BitLaunch and PSB Hosting, with domains registered via QHoster. Attribution support cited includes an operator work pattern consistent with UTC+5 and inactivity on Kazakhstani holidays, plus infrastructure/tooling overlap with the Tomiris cluster (including references to JLORAT/Telemiris lineage and shared Telegram-based C2 patterns).