Back to Intelligence

Hydra Saiga, Warlock BYOVD & JanaWare: OTX Pulse Analysis — Critical Infrastructure & Ransomware Threats

SA
Security Arsenal Team
April 18, 2026
6 min read

Recent OTX pulses highlight a convergence of state-sponsored espionage and financially motivated ransomware activity. The Hydra Saiga threat actor is actively targeting critical utilities and government sectors in Central Asia and Europe using custom implants (JLORAT, Telemiris) and leveraging Telegram Bot APIs for C2 communication to blend in with normal traffic.

Simultaneously, the Warlock ransomware group has refined its attack chain, employing a BYOVD (Bring Your Own Vulnerable Driver) technique exploiting the NSec driver to deploy LockBit. Their toolkit includes TightVNC and Yuze for lateral movement. In parallel, a geofenced campaign is targeting Turkish users with a polymorphic Adwind RAT variant designed to deliver JanaWare ransomware, specifically checking system locale to ensure the payload only executes in targeted regions.

Collectively, these campaigns demonstrate a shift toward abusing legitimate drivers (BYOVD), abusing popular communication platforms (Telegram), and utilizing Java-based RATs for initial access.

Threat Actor / Malware Profile

Hydra Saiga

  • Malware: JLORAT, Telemiris (custom implants).
  • Distribution: Likely phishing or supply chain compromise targeting specific sectors (Energy, Water, Gov).
  • C2 Communication: Uses Telegram Bot API for command and control, allowing traffic to bypass traditional network defenses that allow Telegram.
  • Persistence: Living off the Land (LotL) techniques; specific details suggest reliance on scheduled tasks or service modifications.
  • Anti-Analysis: Custom implants likely lack public analysis; uses Telegram to cloak C2 traffic.

JanaWare / Adwind Cluster

  • Malware: JanaWare (Ransomware), Adwind (Java RAT).
  • Distribution: Geofenced phishing campaigns; malware checks system locale/IP before execution.
  • Payload Behavior: Adwind provides remote access; JanaWare encrypts files.
  • C2 Communication: Standard HTTP/HTTPS connections to dynamic DNS domains (e.g., duckdns.org).
  • Anti-Analysis: Polymorphic characteristics in the Java RAT to evade signature-based detection.

Warlock

  • Malware: LockBit (Ransomware).
  • Distribution: Web shells, exploited vulnerabilities (implied by "Web Shells" in pulse title).
  • Tools: TightVNC (Remote Access), Yuze (Tunneling/Proxy).
  • Persistence: BYOVD technique loading a vulnerable driver (NSec) to disable security solutions (EDR/AV).
  • Objective: Lateral movement and encryption for financial gain.

IOC Analysis

The provided pulses offer a mix of network and file-based indicators:

  • Domains & Hostnames (Hydra Saiga): allcloudindex.com, wincorpupdates.com, docworldme.com. These appear to be C2 domains. SOC teams should block these at the DNS layer and hunt for historical DNS queries to these hosts.
  • Domains & URLs (JanaWare): elementsplugin.duckdns.org (ports 49152, 49153). Dynamic DNS usage is a strong indicator of malicious infrastructure.
  • File Hashes (Warlock & JanaWare): Multiple MD5, SHA1, and SHA256 hashes associated with JanaWare payloads and Warlock tools (TightVNC, Yuze). These should be loaded into EDR solutions for immediate scanning.

Operationalization:

  1. Blocklist: Add all domains and hostnames to perimeter firewalls and DNS sinkholes.
  2. EDR/Hunt: Use file hashes to scan endpoint filesystems and process memory.
  3. Network: Search firewall/proxy logs for connections to duckdns.org or the specific Hydra Saiga domains on non-standard ports.

Detection Engineering

YAML
---
title: Potential Hydra Saiga Telegram C2 Activity
id: 6a9b8c1d-5e0f-4a2b-9c1d-5e0f4a2b9c1d
description: Detects potential Hydra Saiga C2 communication identifying processes other than browsers contacting Telegram Bot API.
status: experimental
date: 2026/04/19
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6a9b8c1d5e0f/
tags:
    - attack.command_and_control
    - attack.t1102
logsource:
    category: network_connection
detection:
    selection:
        DestinationHostname|contains: 'api.telegram.org'
    filter_legit_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\opera.exe'
    filter_legit_telegram:
        Image|contains: '\Telegram\'
    condition: selection and not 1 of filter_legit*
falsepositives:
    - Legitimate custom bots running in corporate environment
level: high
---
title: Warlock BYOVD NSec Driver Load
id: 7a0b9d2e-6f1a-5b3c-0d2e-6f1a5b3c0d2e
description: Detects the loading of the NSec driver often abused by Warlock for BYOVD attacks to disable security tools.
status: experimental
date: 2026/04/19
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/7a0b9d2e6f1a/
tags:
    - attack.privilege_escalation
    - attack.t1068
logsource:
    category: driver_load
detection:
    selection:
        LoadedImage|contains: 'nssec.sys'
    condition: selection
falsepositives:
    - Legitimate installation of NSec software (rare)
level: critical
---
title: Suspicious Adwind Java Process Network Connection
id: 8b1c0e3f-7g2b-6c4d-1e3f-7g2b6c4d1e3f
description: Detects Java processes connecting to dynamic DNS domains often used by Adwind/JanaWare.
status: experimental
date: 2026/04/19
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/8b1c0e3f7g2b/
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
detection:
    selection_java:
        Image|endswith:
            - '\java.exe'
            - '\javaw.exe'
    selection_dydns:
        DestinationHostname|contains:
            - 'duckdns.org'
            - 'no-ip.org'
            - 'hopto.org'
    condition: selection_java and selection_dydns
falsepositives:
    - Legitimate Java applications updating via DDNS (unlikely in enterprise)
level: medium


kql
// Hunt for Hydra Saiga C2 Domains and Adwind Infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("allcloudindex.com", "docworldme.com", "wincorpupdates.com", "duckdns.org") 
    or RemoteUrl contains "api.telegram.org"
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceName, InitiatingProcessFileName, RemoteUrl
| order by Count desc

// Hunt for Warlock BYOVD Driver Load
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "rundll32.exe") and ProcessCommandLine contains ".sys"
| where ProcessCommandLine contains "nssec" or ProcessCommandLine contains "driver"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine


powershell
# IOC Hunt Script for Hydra Saiga, Adwind, and Warlock Artifacts
# Requires Admin Privileges

Write-Host "[*] Starting Dark Web IOC Hunt..." -ForegroundColor Cyan

# 1. Check DNS Cache for Hydra Saiga Domains
$HydraDomains = @("allcloudindex.com", "docworldme.com", "wincorpupdates.com", "pweobmxdlboi.com")
$DNSCache = Get-DnsClientCache | Where-Object { $HydraDomains -contains $_.Entry }
if ($DNSCache) {
    Write-Host "[!] Suspicious DNS Cache Entries found (Hydra Saiga):" -ForegroundColor Red
    $DNSCache | Format-Table Entry, Data, Type
} else {
    Write-Host "[-] No Hydra Saiga domains in DNS cache." -ForegroundColor Green
}

# 2. Scan for Suspicious Files (Hashes from Pulse - Partial list for demo)
# Note: In a real scenario, compare full hash list
$SuspiciousHashes = @(
    "4f0444e11633a331eddb0deeec17fd69", # JanaWare
    "b0b912a3fd1c05d72080848ec4c92880004021a1" # Warlock Component
)

Write-Host "[*] Scanning C:\ for malicious file hashes (This may take time)..." -ForegroundColor Cyan
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | 
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($SuspiciousHashes -contains $hash) {
            Write-Host "[!] Malicious File Found: $($_.FullName)" -ForegroundColor Red
        }
    }

# 3. Check for NSec Driver (Warlock BYOVD)
$DriverPath = "C:\Windows\System32\drivers\nssec.sys"
if (Test-Path $DriverPath) {
    Write-Host "[!] CRITICAL: NSec Driver detected at $DriverPath (Warlock BYOVD Indicator)" -ForegroundColor Red
} else {
    Write-Host "[-] NSec driver not found." -ForegroundColor Green
}

Write-Host "[*] Hunt Complete." -ForegroundColor Cyan


# Response Priorities

**Immediate (0-24h)**:
*   Block all listed domains and `duckdns.org` at the proxy and DNS layer.
*   Scan endpoints for the NSec driver (`nssec.sys`) and terminate processes loading it.
*   Identify and isolate systems with DNS cache hits for `allcloudindex.com` or `wincorpupdates.com`.

**24h - 48h**:
*   Investigate systems in Turkey or Central Asia regions for locale-based execution anomalies.
*   Review network logs for unauthorized Telegram API usage from non-browser applications.
*   Audit Java usage on endpoints; restrict execution of unsigned JAR files.

**1 Week**:
*   Implement Kernel Driver Signing policies (e.g., Microsoft Vulnerable Driver Blocklist) to mitigate BYOVD attacks.
*   Restrict egress access to Telegram Bot API if not business required.
*   Update EDR signatures to include the specific JanaWare and Warlock file hashes.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwarehydra-saigalockbitjanawareadwind-ratbyovd

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action
Hydra Saiga, Warlock BYOVD & JanaWare: OTX Pulse Analysis — Critical Infrastructure & Ransomware Threats | Security Arsenal | Security Arsenal