Water Galura

Also known as: GOLD FEATHER, Water Galura


🧭 ATT&CK G1050

Introduction

Water Galura are the operators of the Qilin Ransomware-as-a-Service (RaaS). They handle payload generation, ransom negotiations, and the publication of stolen data for Qilin affiliates recruited on Russian cybercrime forums. Water Galura have been active since at least 2022 and use a double extortion model in which they demand payment both for providing decryption keys and for refraining from publishing the stolen data on their leak site. [3][4]

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

ATT&CK technique IDs (denormalized)

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

MITRE ATT&CK Software

Attribution and Evidence

Information pending cataloguing.

References

[1] mitre-attack

[3] Sophos Qilin MSP APR 2025. Bradshaw, A. et al. (2025, April 1). Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream. Retrieved September 26, 2025.

[4] BushidoToken Qilin RaaS JUN 2024. Thomas, W. (2024, June 12). Tracking Adversaries: The Qilin RaaS. Retrieved September 26, 2025.