Water Galura

Water Galura are the operators of the Qilin Ransomware-as-a-Service (RaaS) who handle payload generation, ransom negotiations, and the publication of stolen data for Qilin affiliates recruited on Russian cybercrime forums. Water Galura have been active since at least 2022 and use a double extortion model, demanding payment both for providing decryption keys and for refraining from publishing the stolen data on their leak site.[1][2]

ID: G1050
Associated Groups: GOLD FEATHER
Version: 1.0
Created: 29 September 2025
Last Modified: 23 October 2025

Associated Group Descriptions

Name Description
GOLD FEATHER [1]

Techniques Used

Domain ID Name Use
Enterprise T1486 Data Encrypted for Impact

Water Galura has encrypted files on victim networks through the generation of Qilin ransomware payloads.[1]

Enterprise T1585.001 Establish Accounts: Social Media Accounts

Water Galura operates a news channel on Telegram to make announcements for the Qilin RaaS.[1]

Enterprise T1657 Financial Theft

Water Galura has extorted victims for ransomware decryption keys and to prevent publication of data exfiltrated to their Tor data leak site.[1][3]

Software

ID Name References Techniques
S1242 Qilin Water Galura are the operators of the Qilin RaaS.[1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation, Account Discovery: Local Account, Boot or Logon Autostart Execution: Winlogon Helper DLL, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Data Encrypted for Impact, Defacement: Internal Defacement, Domain or Tenant Policy Modification: Group Policy Modification, Execution Guardrails: Mutual Exclusion, Execution Guardrails, Exploit Public-Facing Application, File and Directory Discovery, File and Directory Permissions Modification, Impair Defenses: Safe Mode Boot, Impair Defenses: Disable or Modify Tools, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, Inhibit System Recovery, Local Storage Discovery, Modify Registry, Native API, Network Share Discovery, Obfuscated Files or Information: Encrypted/Encoded File, OS Credential Dumping: LSASS Memory, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, Scheduled Task/Job: Scheduled Task, Service Stop, System Network Configuration Discovery, System Service Discovery, System Shutdown/Reboot, User Execution: Malicious Link, User Execution: Malicious File, Virtual Machine Discovery
S0183 Tor Water Galura maintains a Tor-hosted data leak site for Qilin ransomware and affiliates.[1][2] Encrypted Channel: Asymmetric Cryptography, Proxy: Multi-hop Proxy

References