Water Hydra
Water Hydra, also known as DarkCasino, is a financially motivated threat actor described in public reporting as a cybercrime APT. It was first detected in 2021 and has been characterized as having evolved from an economically motivated group into an advanced persistent threat. The group has targeted financial market traders and organizations associated with banks, cryptocurrency platforms, trading services, gambling sites, and casinos. Reported campaigns used sophisticated zero-day attack chains, including exploitation of CVE-2024-21412, an Internet Shortcut Files / SmartScreen bypass vulnerability, to target financial traders and ultimately infect systems with the DarkMe remote access trojan (RAT). Trend Micro reported that Water Hydra used internet shortcut files disguised as JPEG images, and later updated its January 2024 infection chain to execute a malicious MSI to streamline DarkMe delivery. The group previously leveraged the WinRAR zero-day CVE-2023-38831 before public disclosure to target stock traders with DarkMe, including seeding lures in forex trading forums and stock trading Telegram channels. Reporting consistently associates Water Hydra/DarkCasino with financially motivated operations and zero-day exploitation in trader-focused intrusion campaigns.
Tradecraft
1 distinct technique observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
A new wave of attacks launched by the DarkGate malware operation exploits a now-patched Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers. SmartScreen is a Windows security feature that displays a warning when a user tries to run an unrecognized or suspicious file downloaded from the Internet. The flaw, tracked as CVE-2024-21412, is a Windows Defender SmartScreen vulnerability that allows specially crafted downloaded files to bypass these security warnings. Attackers can exploit it by creating a Windows Internet shortcut (.url file) that points to another .url file hosted on a remote SMB share, which causes the file at the final location to be executed automatically.
This same crew previously used the WinRAR code execution vulnerability CVE-2023-38831 months before it was disclosed, again to target stock traders with the same malware.
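As an added defensive example (not code from Trend Micro's or Mallory's reporting), the following Python triage helper parses Windows .url files and flags the three traits the excerpt above describes: a second extension that disguises the shortcut as an image, a target on a remote SMB share, and a target that is itself another .url. The sample files and the 203.0.113.10 host are constructed for illustration.

```python
import configparser
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample .url files (not indicators from the page's reporting).
# A Windows .url file is INI text with an [InternetShortcut] section whose
# URL= value is what Windows opens when the shortcut is launched.
SAMPLES = {
    # Looks like a JPEG and chains to a second shortcut on a remote share
    "photo_2024.jpg.url": "[InternetShortcut]\nURL=file://203.0.113.10/share/photo.url\nIconIndex=1\n",
    # UNC path straight to a remote share
    "invoice.url": "[InternetShortcut]\nURL=\\\\203.0.113.10\\share\\setup.url\n",
    # Benign web bookmark
    "docs.url": "[InternetShortcut]\nURL=https://example.org/docs\n",
}

DISGUISE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx")
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}

def remote_host(target: str) -> Optional[str]:
    """Host a target points at if it is a UNC or file:// path to another machine
    (the remote-share hop described above); None for web URLs or local paths."""
    if target.startswith("\\\\") or target.startswith("//"):
        host = re.split(r"[\\/]+", target.lstrip("\\/"), maxsplit=1)[0]
        return host or None
    parsed = urlparse(target)
    if parsed.scheme.lower() == "file" and parsed.netloc.lower() not in LOCAL_HOSTS:
        return parsed.netloc
    return None

def analyze_url_shortcut(name: str, content: str) -> List[str]:
    """Return the suspicious traits of one .url file (empty list if none)."""
    findings = []
    lower = name.lower()
    # Trait 1: a second extension makes the shortcut look like an image/document
    if lower.endswith(".url") and lower[:-4].endswith(DISGUISE_EXTS):
        findings.append("double extension disguises shortcut as " + lower[:-4].rsplit(".", 1)[1])
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(content)
    target = cp.get("InternetShortcut", "URL", fallback="").strip()
    # Trait 2: target lives on a remote SMB/WebDAV share rather than a web URL
    host = remote_host(target)
    if host:
        findings.append(f"target on remote share {host}")
    # Trait 3: target is itself a .url, i.e. the two-stage shortcut chain
    if target.lower().endswith(".url"):
        findings.append("shortcut chains to a second .url")
    return findings

def scan(samples: Dict[str, str]) -> Dict[str, List[str]]:
    return {name: analyze_url_shortcut(name, body) for name, body in samples.items()}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "->", findings or ["clean"])
```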
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Attributed with exploiting CVE-2024-21412 to bypass Windows SmartScreen using malicious internet shortcuts disguised as JPEGs, and previously leveraging WinRAR zero-days to deploy DarkMe.
Economically motivated intrusion activity targeting financial market traders and related financial/crypto/gambling verticals, using zero-day exploit chains to bypass Windows SmartScreen and deliver the DarkMe trojan (including via .MSI execution).
Financially motivated activity targeting financial traders via lure content in forex trading forums and stock-trading Telegram channels, leveraging Windows security feature bypasses to deliver a remote-access trojan (DarkMe).
Cybercrime activity cluster reported leveraging three Microsoft zero-days (details not specified in the excerpt).