Hide Navigation Hide TOC

Water Galura - G1050 (be8847e0-9512-45db-895e-f871ab6d3820)

Water Galura are the operators of the Qilin Ransomware-as-a-Service (RaaS) who handle payload generation, ransom negotiations, and the publication of stolen data for Qilin affilates recruited on Russian cybercrime forums. Water Galura have been active since at least 2022 and use a double extortion model where they demand payment for providing decryption keys and for refraining from publishing the stolen data to their leak site.(Citation: BushidoToken Qilin RaaS JUN 2024)(Citation: Sophos Qilin MSP APR 2025)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Water Galura - G1050 (be8847e0-9512-45db-895e-f871ab6d3820)	Intrusion Set	Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	1
Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3)	Attack Pattern	Water Galura - G1050 (be8847e0-9512-45db-895e-f871ab6d3820)	Intrusion Set	1
Water Galura - G1050 (be8847e0-9512-45db-895e-f871ab6d3820)	Intrusion Set	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	1
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928)	Attack Pattern	Water Galura - G1050 (be8847e0-9512-45db-895e-f871ab6d3820)	Intrusion Set	1
Water Galura - G1050 (be8847e0-9512-45db-895e-f871ab6d3820)	Intrusion Set	Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68)	mitre-tool	1
System Shutdown/Reboot - T1529 (ff73aa03-0090-4464-83ac-f89e233c02bc)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a)	Attack Pattern	2
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	2
Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	2
Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	2
Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	2
Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Virtual Machine Discovery - T1673 (6bc7f9aa-b91f-4b23-84b8-5e756eba68eb)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803)	Attack Pattern	2
Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	2
Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	2
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196)	Attack Pattern	Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	2
Qilin - S1242 (e23d2777-b85d-44fc-861e-9149d399fbb9)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	2
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928)	Attack Pattern	Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	2
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68)	mitre-tool	2
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68)	mitre-tool	2
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d)	Attack Pattern	Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163)	Attack Pattern	3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	3
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	3
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803)	Attack Pattern	3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	3
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	3
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103)	Attack Pattern	Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b)	Attack Pattern	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	3