Water Hydra
Water Hydra, also known as DarkCasino, is a financially motivated threat actor that some reporting describes as an APT. The group was first detected in 2021. Reported targeting includes financial market traders, as well as banks, cryptocurrency platforms, trading services, gambling sites, and casinos. Water Hydra has used zero-day exploits in its intrusion chains, including CVE-2024-21412 to bypass Microsoft Defender SmartScreen via malicious Internet Shortcut files and deliver DarkMe, and previously the WinRAR zero-day CVE-2023-38831. The reporting cited here states that the group seeded DarkMe in forex trading forums and stock trading Telegram channels, and that in January 2024 it updated its infection chain exploiting CVE-2024-21412 to execute a malicious .MSI and streamline DarkMe infection. The same reporting describes Water Hydra as having evolved from an economically motivated group into an advanced persistent threat.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Financial Services
Tradecraft
3 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns, both exploited in the wild.
Exploitation of a zero-day vulnerability (CVE-2024-21412). This vulnerability allowed the bypass of Microsoft Defender SmartScreen through malicious .url files and WebDAV shares.
This same crew previously used the WinRAR code execution vulnerability CVE-2023-38831 months before it was disclosed, again to target stock traders with the same malware.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Exploiting CVE-2024-21412 to bypass Microsoft Defender SmartScreen via malicious .url files and WebDAV shares in phishing activity targeting traders.
Attributed with exploiting CVE-2024-21412 to bypass Windows SmartScreen using malicious internet shortcuts disguised as JPEGs, and previously leveraging WinRAR zero-days to deploy DarkMe.
Economically motivated intrusion activity targeting financial market traders and related financial/crypto/gambling verticals, using zero-day exploit chains to bypass Windows SmartScreen and deliver the DarkMe trojan (including via .MSI execution).
Financially motivated activity targeting financial traders via lure content in forex trading forums and stock-trading Telegram channels, leveraging Windows security feature bypasses to deliver a remote-access trojan (DarkMe).