
G1050 Water Galura

Water Galura are the operators of the Qilin Ransomware-as-a-Service (RaaS) who handle payload generation, ransom negotiations, and the publication of stolen data for Qilin affiliates recruited on Russian cybercrime forums. Water Galura have been active since at least 2022 and use a double extortion model in which they demand payment both for providing decryption keys and for refraining from publishing the stolen data on their leak site. [2][1]

ID: G1050
Associated Names: GOLD FEATHER
Version: 1.0
Created: 29 September 2025
Last Modified: 23 October 2025

Associated Group Descriptions

GOLD FEATHER [2]

Techniques Used

Enterprise T1486 Data Encrypted for Impact: Water Galura has encrypted files on victim networks through the generation of Qilin ransomware payloads. [2]
Enterprise T1585 Establish Accounts: -
Enterprise T1585.001 Establish Accounts: Social Media Accounts: Water Galura operates a news channel on Telegram to make announcements for the Qilin RaaS. [2]
Enterprise T1657 Financial Theft: Water Galura has extorted victims for ransomware decryption keys and to prevent publication of data exfiltrated to their Tor data leak site. [2][3]

Software

S1242 Qilin: Water Galura are the operators of the Qilin RaaS. [2]
Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control; Access Token Manipulation; Account Discovery: Local Account; Boot or Logon Autostart Execution: Winlogon Helper DLL; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: PowerShell; Data Encrypted for Impact; Defacement: Internal Defacement; Domain or Tenant Policy Modification: Group Policy Modification; Execution Guardrails: Mutual Exclusion; Execution Guardrails; Exploit Public-Facing Application; File and Directory Discovery; File and Directory Permissions Modification; Impair Defenses: Safe Mode Boot; Impair Defenses: Disable or Modify Tools; Indicator Removal: Clear Windows Event Logs; Indicator Removal: File Deletion; Inhibit System Recovery; Local Storage Discovery; Modify Registry; Native API; Network Share Discovery; Obfuscated Files or Information: Encrypted/Encoded File; OS Credential Dumping: LSASS Memory; Phishing: Spearphishing Link; Phishing: Spearphishing Attachment; Process Discovery; Process Injection: Dynamic-link Library Injection; Query Registry; Remote Services: SMB/Windows Admin Shares; Remote System Discovery; Scheduled Task/Job: Scheduled Task; Service Stop; System Network Configuration Discovery; System Service Discovery; System Shutdown/Reboot; User Execution: Malicious Link; User Execution: Malicious File; Virtual Machine Discovery

S0183 Tor: Water Galura maintains a Tor-hosted data leak site for Qilin ransomware and affiliates. [2][1]
Techniques: Encrypted Channel: Asymmetric Cryptography; Proxy: Multi-hop Proxy

References