Threat Actor Profile
High APT
Description

Water Galura are the operators of the Qilin Ransomware-as-a-Service (RaaS) who handle payload generation, ransom negotiations, and the publication of stolen data for Qilin affiliates recruited on Russian cybercrime forums. Water Galura have been active since at least 2022 and use a double extortion model where they demand payment for providing decryption keys and for refraining from publishing the stolen data to their leak site.(Citation: BushidoToken Qilin RaaS JUN 2024)(Citation: Sophos Qilin MSP APR 2025)

Confidence Score
90%
Known Aliases
Water Galura, GOLD FEATHER
Tags
mitre-attack stix-2.1 intrusion-set
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (3)
T1486 - Data Encrypted for Impact
Impact
T1657 - Financial Theft
Impact
T1585.001 - Social Media Accounts
Resource Development
STIX Data
{'aliases': ['Water Galura', 'GOLD FEATHER'],
 'created': '2025-09-29T20:01:50.272Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Water Galura](https://attack.mitre.org/groups/G1050) are the '
                'operators of the '
                '[Qilin](https://attack.mitre.org/software/S1242) '
                'Ransomware-as-a-Service (RaaS) who handle payload generation, '
                'ransom negotiations, and the publication of stolen data for '
                '[Qilin](https://attack.mitre.org/software/S1242) affilates '
                'recruited on Russian cybercrime forums. [Water '
                'Galura](https://attack.mitre.org/groups/G1050) have been '
                'active since at least 2022 and use a double extortion model '
                'where they demand payment for providing decryption keys and '
                'for refraining from publishing the stolen data to their leak '
                'site.(Citation: BushidoToken Qilin RaaS JUN 2024)(Citation: '
                'Sophos Qilin MSP APR 2025)',
 'external_references': [{'external_id': 'G1050',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1050'},
                         {'description': '(Citation: BushidoToken Qilin RaaS '
                                         'JUN 2024)',
                          'source_name': 'GOLD FEATHER'},
                         {'description': 'Bradshaw, A. et al. (2025, April 1). '
                                         'Qilin affiliates spear-phish MSP '
                                         'ScreenConnect admin, targeting '
                                         'customers downstream. Retrieved '
                                         'September 26, 2025.',
                          'source_name': 'Sophos Qilin MSP APR 2025',
                          'url': 'https://news.sophos.com/en-us/2025/04/01/sophos-mdr-tracks-ongoing-campaign-by-qilin-affiliates-targeting-screenconnect/'},
                         {'description': 'Thomas, W. (2024, June 12). Tracking '
                                         'Adversaries: The Qilin RaaS. '
                                         'Retrieved September 26, 2025.',
                          'source_name': 'BushidoToken Qilin RaaS JUN 2024',
                          'url': 'https://blog.bushidotoken.net/2024/06/tracking-adversaries-qilin-raas.html'}],
 'id': 'intrusion-set--be8847e0-9512-45db-895e-f871ab6d3820',
 'modified': '2025-10-23T21:52:27.774Z',
 'name': 'Water Galura',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}