EDR Bypass

Introduction

In 2025, phishing remains an effective method for cybercriminals to compromise an organisation. Over the years we have seen a rise in phishing campaigns that use modern, advanced techniques such as Adversary-in-the-Middle (AiTM). These techniques can bypass traditional MFA, allowing attackers to steal credentials and maintain persistent access.

This report outlines a recent investigation carried out by Red Piranha’s Security Threat Researchers into a sophisticated phishing campaign targeting the Australian legal industry via Microsoft Office 365 environments. The campaign uses advanced techniques, including adversary-in-the-middle, that greatly increase the likelihood of gaining unauthorised access to a target environment. Red Piranha is a world leader in the collection and processing of threat intelligence and is currently the only company in the APAC region that is a member of the Cyber Threat Alliance based out of Washington DC.

This investigation was initiated after we were notified of a successful email phishing campaign that had targeted and exploited an Australian law office linked to our client. While the initial investigation focused solely on that incident, once we discovered how this group was operating, and given that the group had remained relatively undetected throughout its entire operation, we decided to conduct a thorough investigation into this emerging threat actor group.

Further analysis of this campaign revealed indicators linking it to a previously unknown phishing-as-a-service provider, SAIGA Group, an APT group that primarily operates on Telegram and has been active since at least January 2024. We were unable to complete attribution of this group; however, based on the information we have obtained, there are clear indicators that at least some of the core members are based in Nigeria.

SAIGA Group started out by providing “bulletproof” VPS servers and shared hosting, and was also heavily involved in financial crime. By mid-2024 they had shifted focus to phishing-related services and their phishing-as-a-service solution, SAIGA Hub. The phishing services and infrastructure they provide are vastly more expensive than most solutions offered by other groups: initial configuration and setup of the phishing infrastructure can cost up to $2,000 USD, with a recurring monthly “maintenance” payment of $600 USD.

Successful logins and credentials are logged to a private Telegram chat between a bot and the owner of the phishing domain. Some poor design choices in the phishing infrastructure and related code made it quite trivial to find other phishing domains as well as the Telegram bot tokens linked to them. Throughout our investigation we have discovered 123 separate domains in use as well as at least 70 active Telegram bots. This operation appears to be ramping up, as new domains are discovered each day.

In response to this emerging threat, we have blocked access to all domains and services being used on all Crystal Eye appliances and have shared the intelligence we have obtained with the broader community. Indicators of compromise (IoCs), including domain names, IP addresses and hashes relating to this phishing campaign can be found in the table below.

To prevent your organisation from becoming the next victim of these advanced phishing attacks, it is recommended to enforce conditional access policies, such as location- or device-based policies, and to implement phishing-resistant authentication methods such as FIDO2 passkeys, certificate-based authentication or Windows Hello. Deploying threat intelligence into the network stack with a TDIR program can assist in detecting these multistage attacks. Regular security awareness training for all employees helps ensure that everyone remains up to date with the latest threats.

Initial Investigation

In mid-February 2025, we were notified of a phishing email that had been sent to one of our clients. The email phishing campaign had successfully targeted and exploited an Australian law office linked to this client.

After completing an initial investigation of the phishing email and related infrastructure, we had some early indicators of how this group was operating. Because there was no previously public information about this specific campaign, and it appeared to be a fresh campaign, we took it upon ourselves to investigate this group further.

Figure 1: Initial Email


The initial email contained both company logos and a signature identical to emails sent within the targeted organisation. The “View documents” button in the previous screenshot linked to a suspicious-looking Google Sites page.


Figure 2: Google Sites page from initial email


There was no additional information on that Google Sites page; instead, the PDF-Attachment button simply linked to the actual phishing domain, which we describe in the next section.

Phishing Page Interaction

The initial interaction with the phishing site varies between domains depending on whether Cloudflare Turnstile is enabled. If it is enabled, you may be prompted to complete the Cloudflare captcha before continuing. If it is disabled, visiting the phishing site simply presents a Microsoft login page that is almost identical to the real one.

Figure 3: Cloudflare Turnstile


Figure 4: Microsoft Cloudflare Turnstile

Figure 5: Fake Microsoft Login form


The interaction with the phishing site works as follows:

  1. The site loads various files: attach,loading.htm, JavaScript files, etc.
  2. The site sends a POST request to an API endpoint (/api/config) that returns the phishing site configuration. The response includes:
    • Background images, colours, userId, domainId, Telegram chatId and bot tokens, Cloudflare key, creation and update timestamps, redirection URLs, blocked IPs, etc.
    • A Telegram chat notification is then sent containing visitor information.
  3. After an email address is entered in the form, the site sends a POST request to /api/email/, which presumably proxies the email input to login.microsoft.com to verify that the address exists. If it does, the response contains a password field along with cookies and other information retrieved from login.microsoft.com. Based on the information sent and received, this will likely also return company logos if the email is linked to an organisation. The response contains:
    • Message, sFT (FlowToken), sCtx (wctx/estsrequest), canary, sessionId, bannerLogo, bannerIllustration.
  4. Upon entering the password, a POST request is sent to /api/login/. This request contains the email, password and the relevant Microsoft cookies used in the transaction, as well as the Telegram chat and token information. This login is again proxied through to the Microsoft website; this is the final check confirming whether the credentials are valid.
    • If the credentials are invalid, access_denied is returned in the response. The invalid credentials are still sent in a Telegram notification with the email, password and IP/ISP information.
    • If the credentials are valid, both the login details and the cookies obtained are sent in a Telegram notification.
  5. When valid credentials are entered, the login information and the cookies are sent in a Telegram notification. As the login process has already completed successfully, these cookies/session tokens can be used by the attacker to access the email account without going through the login process again. The cookie file contains the following cookies retrieved from the login process:
    • ESTSAUTHPERSISTENT, ESTSAUTH, ESTSAUTHLIGHT, buid, CCState, SignInStateCookie, fpc, esctx, x-ms-gateway-slice, stsservicecookie
    • These cookies are then automatically set and used by the attackers, and are also logged to the phishing console; this allows the cookies to be used in the other tools within this phishing kit.
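Because the kit replays the victim's session cookies from the attacker's own infrastructure, a defender reviewing sign-in logs can look for two things: the session-creating sign-in arriving from outside the user's normal locations (the proxy, not the victim, performs the real sign-in), and the same session later being used from a different address. The following is an added example, not Red Piranha's tooling; the event and baseline records are constructed samples with assumed field names loosely modelled on the Entra ID sign-in log.

```python
"""Spot AiTM-style session misuse in Microsoft 365 / Entra ID sign-in events.

Added example, not Red Piranha's tooling. Two signals are checked per session:
(1) the session-creating sign-in comes from a country outside the user's
baseline, and (2) the same sessionId is reused from a different IP than the
one that created it (consistent with stolen ESTSAUTH* cookies being replayed).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names are assumed simplifications of the
# Entra sign-in log (sessionId, ipAddress, location, userPrincipalName).
SAMPLE_EVENTS = [
    # Interactive sign-in relayed by the phishing proxy (not the user's country).
    {"ts": "2025-02-18T01:12:00Z", "upn": "user@example-law.test", "sessionId": "sess-A",
     "ip": "203.0.113.10", "country": "US", "interactive": True},
    # Same session, minutes later, from a second unrelated address.
    {"ts": "2025-02-18T01:40:00Z", "upn": "user@example-law.test", "sessionId": "sess-A",
     "ip": "198.51.100.77", "country": "NG", "interactive": False},
    # Normal user: interactive sign-in and token refresh from the same address.
    {"ts": "2025-02-18T02:00:00Z", "upn": "other@example-law.test", "sessionId": "sess-B",
     "ip": "203.0.113.22", "country": "AU", "interactive": True},
    {"ts": "2025-02-18T03:00:00Z", "upn": "other@example-law.test", "sessionId": "sess-B",
     "ip": "203.0.113.22", "country": "AU", "interactive": False},
]

# Constructed per-user baseline: countries seen for that user in recent history.
SAMPLE_BASELINE = {
    "user@example-law.test": {"AU"},
    "other@example-law.test": {"AU"},
}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_anomalies(events, baseline, window=timedelta(hours=24)):
    """Return a list of alert dicts, one per anomalous session observation."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["sessionId"]].append(ev)

    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        # The interactive sign-in (or, failing that, the earliest event) is
        # treated as the origin of the session.
        origin = next((e for e in evs if e["interactive"]), evs[0])

        known = baseline.get(origin["upn"], set())
        if origin["country"] not in known:
            alerts.append({"type": "sign_in_outside_baseline", "upn": origin["upn"],
                           "sessionId": sid, "ip": origin["ip"],
                           "country": origin["country"]})

        for ev in evs:
            if ev is origin:
                continue
            if parse_ts(ev["ts"]) - parse_ts(origin["ts"]) > window:
                continue  # outside the comparison window; ignore
            if ev["ip"] != origin["ip"]:
                alerts.append({"type": "session_reuse_from_new_ip", "upn": ev["upn"],
                               "sessionId": sid, "origin_ip": origin["ip"],
                               "reuse_ip": ev["ip"],
                               "severity": "high" if ev["country"] != origin["country"]
                               else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_session_anomalies(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(alert)
```

In production the raw-IP comparison is noisy for mobile users; comparing ASN or country, as the severity field does, and revoking the session (sign-in sessions revocation) on a high-severity hit is the practical response, alongside the conditional access controls recommended later in this report.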


Figure 6: SAIGA Telegram Notification

Figure 7: Telegram Cookies ([email protected])


The SAIGA Connection

During our investigation of the previous phishing site interaction, we discovered several indicators that link this phishing campaign to a phishing-as-a-service (PaaS) provider known as SAIGA Group. As there is almost no public information about this group, we decided to conduct a much deeper investigation into who they are and how they operate.

Who is SAIGA Group?

SAIGA Group is an APT group that primarily operates on Telegram; it has remained relatively undetected throughout its entire operation.

The earliest known indicator of an operation relating to SAIGA Group dates to at least January 2024, the creation date of the domain saiga-store-hub.com.

Through saiga-store-hub.com, SAIGA offered a range of web hosting services which included:

  • Bulletproof VPS Hosting
  • OpenXchange
  • Domain Registry
  • Bulletproof KVM RDP
  • Shared Hosting


Figure 8: SAIGA Store, billing.saiga-store-hub.com (web.archive.org)


It is currently unknown whether SAIGA still provides web hosting, as this domain is no longer active.

Since mid-2024, SAIGA Group’s primary operations have shifted towards phishing-as-a-service through Saiga-hub (saiga-hub.ru and saiga-hub.com, registered in May 2024 and October 2024 respectively). Saiga Hub is where clients (threat actors) access their phishing dashboard and configure settings for their phishing campaigns; it can essentially be described as a C2 server for all phishing services provided by SAIGA Group. In the next section, we dig deeper into the specific services SAIGA Hub offers.

How SAIGA Operates?

As previously mentioned, SAIGA primarily operates on Telegram, where they advertise services relating to phishing and other financial crime. According to the advertisements and screenshots on Telegram, the services provided through Saiga Hub include the following:

  • SAIGA Mailer
  • SMTP2SMS
  • 0.365 Sorter
  • Debouncer
  • FM Scanner
  • MX Sorter


Those are just the functionalities provided by Saiga-Hub; the group also offers a range of other services, including:

  • Office 365 Phishing and setup ($2,000usd)
  • SAIGA Phishing page ($600usd/month)
  • Lead generation services (5000 leads/$200usd)
  • SMTP Servers
  • B2BxExtractor – SAIGA Email Extractor ($1000usd)
  • SAIGA All-in-one (SMTP2SMS, 0.365 Sorter, Debouncer, FM Scanner, MX Sorter) - $1k usd setup fee + $300 recurring maintenance fee/month
  • Financial fraud services: Credit Cards, Bank Accounts, Transfers, ATM Deposits
  • CPanel, Shells, SMS Mailers, RDP, Webmail, SSH


The following is an overview of how they operate.

  1. SAIGA sells access to saiga-hub and the related functionality and tools used in the phishing campaigns.
  2. SAIGA configures and sets up the phishing domain and services.
  3. Once the infrastructure has been configured, the phishing domain can be added to the various templates used by the SAIGA Mailer.
  4. Updates and logging are provided both in the phishing dashboard and in Telegram.
  5. On a successful phishing visit where a victim enters their credentials, the entire interaction is proxied through to the real Microsoft site (as described in the previous section).
  6. Once that process is complete, both the credentials and cookies are sent to the Telegram channel.
  7. After access to the accounts has been obtained, the other tools offered by SAIGA are used for further attacks; for example, all email communications are extracted (FM Scanner) and the emails obtained are then used to carry out future phishing attacks.


As SAIGA simply provides the phishing services, it is entirely up to the threat actor who has obtained the credentials how they proceed. Some may take their time (several months) and carry out a more targeted attack on other employees once they have gathered more information, whereas others may send additional phishing emails relatively quickly. Successful logins can also be added to the pool of their SMTP mailers.

As of March 2025, there are 123 known domains related to these phishing campaigns, with at least 70 unique active bots. Based on the details obtained from the phishing config, there could be up to 88 users of this phishing service across at least 90 domain names. However, the number could be much higher, as multiple domains could share the same configuration rather than having a unique config per domain.

At its core, the backend infrastructure is based on evilginx with a custom implementation for Telegram notifications. This particular evilginx implementation appears to be based on fpages; it is unclear whether SAIGA purchased it, is a spin-off group, or simply stole the code and built upon it.

On each phishing domain the page title is randomised from snippets of Lorem Ipsum to evade detection. There are also similarities between this SAIGA phish-kit and the Rockstar 2FA phish-kit, visible in the “attach,loading.htm” file, with the SAIGA version incorporating fitness-themed class names and comments. It is currently unknown whether this is a new version or whether SAIGA has created their own version based upon it. However, they remain vastly different implementations, as the SAIGA version appears to use NodeJS with the Next.js framework.

Figure 9: SAIGA Phishing Page Dashboard


How Red Piranha Found SAIGA?

The initial investigation of the domain used in the phishing campaign against one of our clients quickly enabled us to discover additional domains that had been used, and to monitor for new sites as they were added. This is largely because the phishing kit consists mostly of static files.

After searching various online platforms (urlscan.io, shodan, etc) and additional OSINT, we were able to discover many active sites which are used in this phishing campaign.

Each phishing site has various API endpoints that were mentioned earlier in this report. The first API endpoint that came to our attention was the /api/config/ endpoint as this returned information about the domain as well as the telegram chats and bot tokens.

By using the Telegram API along with the bot tokens, we were able to scrape the information of each active bot, which gave us the usernames that had been communicating with each bot. In total we discovered 70 bots and 64 usernames; the bots are essentially where all the logs from the phishing campaigns are sent.

After scraping all this information, we noticed several usernames and bots with references to “SAIGA”. One username we investigated was Trailblazer_io: we discovered a TikTok account under that name whose profile picture was an image of the SAIGA log output, and a Telegram channel was linked in the profile description.

After creating a Telegram account, we joined that channel and started to scrape all the information we could find. Not only did we discover a large quantity of financial crime taking place within the channel, but we also found many advertisements for SAIGA-related services.

The next step was to scrape data relating to the bots and the chats they were a part of, in the hope of discovering victims of this phishing campaign so they could be informed. We were only able to obtain information from a handful of bots, as the others used message expiry timers. Thanks to their apparent opsec failures, however, we were still able to scrape thousands of messages.

After extracting the relevant information, we recovered over 8k captured credentials, as well as at least 175 unique IP addresses that had been used to access the phishing dashboards.

Currently we are unable to attribute this group to a specific country or a previous group; however, there are several indicators that some of the core members are based in Nigeria. This can be inferred from the communication within the Telegram channels as well as the IP addresses that accessed the phishing dashboard.

We are currently in the process of contacting the organisations and affected accounts.

Recommendations and Mitigation

As these more advanced phishing campaigns continue to improve over time, it is important to understand that traditional MFA implementations may no longer be effective against these types of attacks.

By implementing the following strategies, you can reduce the likelihood of these attacks being carried out against your organisation.

  • Configure Conditional Access Policies
    • Require location- or device-based policies. This ensures that the account can only be accessed from an approved location or device.
    • Enforce stronger, phishing-resistant authentication methods (FIDO2 passkeys, certificate-based authentication, Windows Hello).
  • Continuously monitor account logs and active sessions.
  • Deploy a Secure Web Gateway and a strong TDIR program to detect multistage attacks.
  • Regularly conduct security awareness training for employees. This ensures everyone in the organisation stays up to date with the latest information. With the increasing use of AI in phishing campaigns, identifying suspicious emails will only become more difficult.


The IOCs that were discovered throughout this investigation have been added to our threat intelligence platform and pushed to all Red Piranha Crystal Eye devices. Crystal Eye’s Automated Actionable Intelligence keeps a reputation list of bad IPs that is updated on a pre-scheduled basis.

New IPs found from threat intelligence are loaded by the system and are then blocked through the Intrusion Protection System and the Intrusion Detection System. Malicious domains on the other hand are inaccessible due to Crystal Eye’s DNS Sinkholing feature. Crystal Eye also comes with anti-phishing features such as scanning to ensure cryptographic certificates are valid and match the host and detecting links that are cloaked to deceive users. 

Campaign Statistics

| Statistic | Statistic Type | Count |
| --- | --- | --- |
| Phishing Dashboard Access | Unique IPs | 175 |
| Captured Credentials | User/Password | 8096 |
| Captured Credentials | Cookies | 1397 |
| Telegram Channel (@trailblazer_io) | Subscribers | 1210 |
| TikTok Page (@trailblazer_io) | Followers | 1215 |
| Telegram Channel (@saiga_hub) | Subscribers | 792 |
| Estimated Phishing Domains | Domain Count | 123 |
| Estimated Phishing Users | User Count | 88 |
| Telegram Phishing Bots | Bot Count | 70 |
| Telegram Usernames | Username Count | 64 |


SAIGA Infrastructure

| Information | Category | Description |
| --- | --- | --- |
| saiga-hub.ru | Domain | SAIGA Domain |
| saiga-hub.com | Domain | SAIGA Domain |
| saiga-hub-api.com | Domain | SAIGA Domain |
| saiga-store-hub.com | Domain | SAIGA Domain |
| saiga-hub.app | Domain | SAIGA Domain |
| 87tvdx.ru | Domain | SAIGA Domain |
| github.com/SAIGASAIGASAIGA/SAIGA | Repo | SAIGA Git Repo |
| gitea.com/SAIGA_Group/SAIGA-HUB | Repo | SAIGA Git Repo (Installer) |
| SAIGA_Group:e2c95ea411d7260ff83a3368a169bd7[email protected]/SAIGA_Group/SAIGA.git | Repo | SAIGA Git Repo (SAIGA Mailer) |
| https://gitlab.com/SAIGA-Groups/spage | Repo | SAIGA Phishlet Repo |
| https://gitlab.com/test3042434/phishlets.git | Repo | SAIGA Phishlet Repo |
| https://github.com/SAIGA-Groups | Repo | SAIGA Repo |
| | Email | Registered saiga-store-hub.com |
| https://gitlab.com/safewords1/fpages | Repo | fpages |


Detailed TTPs

| Tactic | TTP ID | Technique |
| --- | --- | --- |
| Reconnaissance | T1591 | Gather Victim Org Information |
| | T1598 | Phishing for Information |
| | T1598.002 | Spearphishing Attachment |
| | T1598.003 | Spearphishing Link |
| | T1592 | Gather Victim Host Information |
| | T1590.005 | Gather Victim Network Information – IP Addresses |
| | T1589 | Gather Victim Identity Information |
| | T1589.001 | Credentials |
| | T1589.002 | Email Addresses |
| | T1589.003 | Employee Names |
| Resource Development | T1583 | Acquire Infrastructure |
| | T1583.001 | Domains |
| | T1583.003 | Virtual Private Servers |
| | T1586.002 | Compromise Email Accounts |
| | T1608.005 | Stage Capabilities – Link Target |
| Initial Access | T1566 | Phishing |
| | T1566.001 | Spearphishing Attachment |
| | T1566.002 | Spearphishing Link |
| Execution | T1204.001 | User Execution – Malicious Link |
| | T1204.002 | User Execution – Malicious File |
| Persistence | T1078.004 | Valid Accounts – Cloud Accounts |
| Privilege Escalation | T1078.004 | Valid Accounts – Cloud Accounts |
| Defence Evasion | T1656 | Impersonation |
| | T1027 | Obfuscated Files or Information |
| | T1027.013 | Encrypted/Encoded File |
| | T1550.004 | Use Alternate Authentication Material – Web Session Cookie |
| | T1036 | Masquerading |
| Credential Access | T1557 | Adversary-in-the-Middle |
| | T1111 | Multi-Factor Authentication Interception |
| | T1539 | Steal Web Session Cookie |
| Discovery | T1087.003 | Account Discovery – Email Account |
| | T1622 | Debugger Evasion |
| Lateral Movement | T1534 | Internal Spearphishing |
| Collection | T1114.002 | Email Collection – Remote Email Collection |
| Command-and-Control | T1071.001 | Application Layer Protocol – Web Protocol |
| | T1568.002 | Dynamic Resolution – Domain Generation Algorithms |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| | T1567 | Exfiltration Over Web Service |
| Impact | T1657 | Financial Theft |


IOCs

| Indicator | Indicator Type | Description |
| --- | --- | --- |
| tr6fvvrdyutgb[.]ru | Domain | Phishing Domain |
| dswwindsor[.]uk | Domain | Phishing Domain |
| srv670362[.]hstgr[.]cloud | Domain | Phishing Domain |
| tftfrtf3tl3drrs3[.]net | Domain | Phishing Domain |
| trtghhtttf98f3rrtyrs3[.]net | Domain | Phishing Domain |
| tftfrydrrs3[.]net | Domain | Phishing Domain |
| wittrams[.]com | Domain | Phishing Domain |
| support-secureaccess889[.]com | Domain | Phishing Domain |
| gratisgamez[.]com | Domain | Phishing Domain |
| hbmarchitects[.]us | Domain | Phishing Domain |
| authx86[.]name | Domain | Phishing Domain |
| gllhsco[.]com | Domain | Phishing Domain |
| sdsd[.]tftfrtf34f3drrs3[.]net | Domain | Phishing Domain |
| ygialz[.]dns[.]army | Domain | Phishing Domain |
| maple-view3737262648372847live[.]com | Domain | Phishing Domain |
| scrumbert[.]org | Domain | Phishing Domain |
| fourpolntscharleston[.]com | Domain | Phishing Domain |
| mekanjet[.]com | Domain | Phishing Domain |
| msgsky[.]net | Domain | Phishing Domain |
| krustyykozggr[.]com | Domain | Phishing Domain |
| haasfrance[.]xyz | Domain | Phishing Domain |
| suporter46sec[.]com | Domain | Phishing Domain |
| 1nterplast-uae[.]com | Domain | Phishing Domain |
| legacy-tltie[.]com | Domain | Phishing Domain |
| fillerbred[.]com | Domain | Phishing Domain |
| accinolabs[.]com | Domain | Phishing Domain |
| lucastlitonresidential[.]com | Domain | Phishing Domain |
| tax-secureacess-hrmcmember-sevirce[.]org | Domain | Phishing Domain |
| Jkeyyyjkjkyy[.]net | Domain | Phishing Domain |
| commercialrealestatepasadena[.]com | Domain | Phishing Domain |
| openedss[.]com | Domain | Phishing Domain |
| fgsftourccytitvcom | Domain | Phishing Domain |
| southernpipaline[.]org | Domain | Phishing Domain |
| ganiasoftware[.]com | Domain | Phishing Domain |
| sdspprfd-tftfrtrghf34f3drrs3[.]net | Domain | Phishing Domain |
| avarateechnologies[.]com | Domain | Phishing Domain |
| qssfwiopgte[.]net | Domain | Phishing Domain |
| docviewsc[.]info | Domain | Phishing Domain |
| appauthservice[.]online | Domain | Phishing Domain |
| deskschoolpro[.]com | Domain | Phishing Domain |
| canvvapro[.]com | Domain | Phishing Domain |
| yydsedgw[.]icu | Domain | Phishing Domain |
| libertysteelbulidings[.]com | Domain | Phishing Domain |
| claudiuspeter[.]com | Domain | Phishing Domain |
| tysghetagy[.]com | Domain | Phishing Domain |
| tilcon-lnc[.]com | Domain | Phishing Domain |
| coxuongkhopbariavungtau[.]com | Domain | Phishing Domain |
| funantong[.]com | Domain | Phishing Domain |
| t82pdf[.]com | Domain | Phishing Domain |
| tilleydistributions[.]com | Domain | Phishing Domain |
| sharedfdfile[.]net | Domain | Phishing Domain |
| rostoavc[.]store | Domain | Phishing Domain |
| brighfordxxtiie[.]com | Domain | Phishing Domain |
| athena-securlty[.]com | Domain | Phishing Domain |
| topsuport[.]nl | Domain | Phishing Domain |
| carolinacraetions[.]biz | Domain | Phishing Domain |
| offericegoldxcvds[.]com | Domain | Phishing Domain |
| joysowl[.]life | Domain | Phishing Domain |
| waternarkinsights[.]com | Domain | Phishing Domain |
| securesupport1[.]com | Domain | Phishing Domain |
| shareddocumentso365collaborations[.]com | Domain | Phishing Domain |
| bassacredith[.]net | Domain | Phishing Domain |
| exprealtty[.]net | Domain | Phishing Domain |
| transformersrelationship[.]net | Domain | Phishing Domain |
| teclhnoform[.]com | Domain | Phishing Domain |
| fujiitatechnotrade[.]com | Domain | Phishing Domain |
| quorx[.]net | Domain | Phishing Domain |
| gdrririgs[.]com | Domain | Phishing Domain |
| steyr-automotlve[.]com | Domain | Phishing Domain |
| Invs0[.]online | Domain | Phishing Domain |
| kfgeyrg[.]net | Domain | Phishing Domain |
| calmpresidentcould[.]online | Domain | Phishing Domain |
| secure-autorizacion[.]org | Domain | Phishing Domain |
| libertylead[.]ru | Domain | Phishing Domain |
| greatwaters[.]us | Domain | Phishing Domain |
| vomonllne[.]com | Domain | Phishing Domain |
| metromechs[.]us | Domain | Phishing Domain |
| leanmayland[.]com | Domain | Phishing Domain |
| gm2edv[.]us | Domain | Phishing Domain |
| blackmiklagency[.]com | Domain | Phishing Domain |
| constellationlogistics[.]online | Domain | Phishing Domain |
| eaglebuilders[.]org | Domain | Phishing Domain |
| fdx-14e[.]ru | Domain | Phishing Domain |
| amgcareconsultants[.]com | Domain | Phishing Domain |
| truenortherlocation[.]com | Domain | Phishing Domain |
| stahlwile-americas[.]com | Domain | Phishing Domain |
| not-a-robot[.]org | Domain | Phishing Domain |
| davidbrunelelaw[.]com | Domain | Phishing Domain |
| doginme[.]tech | Domain | Phishing Domain |
| integritytankservices[.]online | Domain | Phishing Domain |
| gunbycos[.]com | Domain | Phishing Domain |
| anplife[.]us | Domain | Phishing Domain |
| secure-autotransltd[.]com | Domain | Phishing Domain |
| flymerlnaerospace[.]com | Domain | Phishing Domain |
| 588mj[.]com | Domain | Phishing Domain |
| modermice[.]com | Domain | Phishing Domain |
| securemailmethological[.]com | Domain | Phishing Domain |
| borderrstates[.]com | Domain | Phishing Domain |
| boninevilliebuillders[.]xyz | Domain | Phishing Domain |
| ladingcargos[.]com | Domain | Phishing Domain |
| natlonalfoodgroup[.]com | Domain | Phishing Domain |
| sharedflz[.]xyz | Domain | Phishing Domain |
| conitractcare[.]net | Domain | Phishing Domain |
| boninevilliebuillders[.]info | Domain | Phishing Domain |
| hbezecdc[.]com | Domain | Phishing Domain |
| tb0[.]online | Domain | Phishing Domain |
| saettleboat[.]com | Domain | Phishing Domain |
| theontimeexpert[.]com | Domain | Phishing Domain |
| paanilani[.]biz | Domain | Phishing Domain |
| secure-autoscout[.]org | Domain | Phishing Domain |
| lauzdhstk[.]com | Domain | Phishing Domain |
| ntxnano[.]com | Domain | Phishing Domain |
| flzsndzf[.]top | Domain | Phishing Domain |
| faxonlineringdoc[.]info | Domain | Phishing Domain |
| https://sites[.]google[.]com/cumlc.com/adkjsks/home | URL | Phishing Website |
| 145.223.97[.]151 | IP | Infrastructure |
| 145.223.100[.]114 | IP | Infrastructure |
| 192.3.255[.]173 | IP | Infrastructure |
| 172.245.92[.]207 | IP | Infrastructure |
| 107.174.244[.]119 | IP | Infrastructure |
| 217.15.175[.]147 | IP | Infrastructure |
| 172.245.21[.]204 | IP | Infrastructure |
| 192.3.255[.]147 | IP | Infrastructure |
| 194.5.212[.]74 | IP | Infrastructure |
| 172.245.21[.]214 | IP | Infrastructure |
| 185.211.101[.]82 | IP | Infrastructure |
| 177.136.225[.]221 | IP | Infrastructure |
| 107.173.160[.]169 | IP | Infrastructure |
| 130.195.222[.]216 | IP | Infrastructure |
| 185.212.44[.]34 | IP | Infrastructure |
| 23.227.199[.]88 | IP | Infrastructure |
| 192.3.255[.]146 | IP | Infrastructure |
| 147.45.49[.]157 | IP | Infrastructure |
| 23.227.199[.]36 | IP | Infrastructure |
| 37.221.114[.]33 | IP | Infrastructure |
| 79.110.52[.]25 | IP | Infrastructure |
| 145.223.81[.]147 | IP | Infrastructure |
| 82.29.178[.]105 | IP | Infrastructure |
| 147.93.62[.]145 | IP | Infrastructure |
| 194.5.212[.]245 | IP | Infrastructure |
| 172.245.21[.]219 | IP | Infrastructure |
| 172.245.21[.]212 | IP | Infrastructure |
| 86.38.203[.]246 | IP | Infrastructure |
| 192.3.255[.]188 | IP | Infrastructure |
| 146.70.88[.]75 | IP | Infrastructure |
| 173.195.100[.]50 | IP | Infrastructure |
| 146.70.87[.]43 | IP | Infrastructure |
| 193.27.14[.]204 | IP | Infrastructure |
| 192.3.255[.]174 | IP | Infrastructure |
| 146.70.92[.]163 | IP | Infrastructure |
| 107.174.244[.]111 | IP | Infrastructure |
| 23.94.126[.]14 | IP | Infrastructure |
| 147.93.122[.]224 | IP | Infrastructure |
| 192.3.255[.]183 | IP | Infrastructure |
| 51.77.121[.]150 | IP | Infrastructure |
| 166.88.185[.]43 | IP | Infrastructure |
| 89.44.9[.]193 | IP | Infrastructure |
| 206.189.24[.]120 | IP | Infrastructure |
| 23.26.201[.]210 | IP | Infrastructure |
| 89.45.4[.]77 | IP | Infrastructure |
| 5.181.3[.]13 | IP | Infrastructure |
| 51.38.106[.]85 | IP | Infrastructure |
| 194.5.212[.]135 | IP | Infrastructure |
| 24.199.110[.]25 | IP | Infrastructure |
| 162.19.196[.]8 | IP | Infrastructure |
| 162.244.210[.]60 | IP | Infrastructure |
| 162.244.210[.]224 | IP | Infrastructure |
| 198.23.221[.]11 | IP | Infrastructure |
| 151.242.58[.]168 | IP | Infrastructure |
| 23.26.108[.]201 | IP | Infrastructure |
| 23.26.108[.]160 | IP | Infrastructure |
| 104.234.114[.]37 | IP | Infrastructure |
| 151.242.58[.]189 | IP | Infrastructure |
| 37.120.222[.]185 | IP | Infrastructure |
| 46.202.155[.]217 | IP | Infrastructure |
| 46.101.165[.]24 | IP | Infrastructure |
| 31.58.169[.]63 | IP | Infrastructure |
| 31.196.71[.]6 | IP | Infrastructure |
| 65.52.217[.]35 | IP | Infrastructure |
| 147.79.104[.]170 | IP | Infrastructure |
| 45.61.133[.]34 | IP | Infrastructure |
| 198.12.118[.]212 | IP | Infrastructure |
| 638684131a3ad09b62d819e5f0113a3e04d7e2fb8133754a6648bcab12cc08e0 | Hash (SHA-256) | /attach,loading.htm |
| 4be8c3fc908c73bf3731d327f64591373416a7407d8199e4cfc4ea5267ede5db | Hash (SHA-256) | /attach,loading.htm |
| ba42a91b2f5eb8c87ce8a4c7eebe021bb73dc4e6c66c3afe597a9e739208bed7 | Hash (SHA-256) | /microsoft.jpg |
| 12b9f1449fadfdd9be3e4ad5f49e4e2f50ef9f3a169f74501cf771cf32153329 | Hash (SHA-256) | /key.jpg |
| 9a2f494181dcb5f7a5db72bbd94d63510330d53e8e85fc5b8c5d87a6d4fdd7bc | Hash (SHA-256) | /favicon.ico |
| dea8ca51e76f7ed7f2a2008bbf532db6ffb07a5bc417e7b80169d08179810b41 | Hash (SHA-256) | webpack-20efd41c90b5bcbd.js |
| ce7e744b8bd4514883245410370df5e67e4be128d94d010989b53ecfbf97ef9a | Hash (SHA-256) | 23-5e92960ee97bfa6f.js |
| 72def9a0948600afb1dc84350b7c60975b7cd713ac6e92647308971fdad8a994 | Hash (SHA-256) | main-app-6e9565c54018939e.js |
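The indicators above are defanged (`[.]`) so they cannot be clicked by accident; before they can be loaded into a DNS sinkhole, proxy blocklist or SIEM lookup they need to be refanged and normalised. The following is an added example, not Red Piranha's tooling: it parses a few rows copied from the table above in the same Indicator/Type/Description layout and matches them against constructed log lines in an assumed key=value format (the `dns=`, `url=` and `dst=` field names are assumptions).

```python
"""Refang the report's defanged indicators and match them against log lines.

Added example, not Red Piranha's tooling. Domains match on exact name or any
subdomain; IPs match exactly; URL indicators are matched as whole URLs so
that a shared host such as sites.google.com is never blocked wholesale.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Four rows copied from the report's IOC table (Indicator|Type|Description).
SAMPLE_IOC_ROWS = """\
authx86[.]name|Domain|Phishing Domain
appauthservice[.]online|Domain|Phishing Domain
145.223.97[.]151|IP|Infrastructure
https://sites[.]google[.]com/cumlc.com/adkjsks/home|URL|Phishing Website
"""

# Constructed sample of DNS, proxy and firewall events (assumed key=value fields).
SAMPLE_LOG = """\
2025-03-01T09:14:02Z src=10.0.0.5 dns=login.authx86.name
2025-03-01T09:14:03Z src=10.0.0.5 dns=outlook.office.com
2025-03-01T09:15:10Z src=10.0.0.9 url=https://sites.google.com/cumlc.com/adkjsks/home
2025-03-01T09:15:11Z src=10.0.0.9 url=https://sites.google.com/view/legit-team-page
2025-03-01T09:16:00Z src=10.0.0.9 dst=145.223.97.151 dport=443
2025-03-01T09:16:01Z src=10.0.0.9 dst=13.107.42.14 dport=443
"""

KV = re.compile(r"(\w+)=(\S+)")


def refang(indicator):
    """Undo the common defanging conventions ([.] and hxxp)."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


def parse_ioc_rows(text):
    """Parse pipe-separated IOC rows into sets keyed by indicator type."""
    iocs = {"Domain": set(), "IP": set(), "URL": set()}
    for line in text.splitlines():
        if not line.strip():
            continue
        indicator, kind, _desc = (f.strip() for f in line.split("|", 2))
        indicator = refang(indicator)
        if kind == "IP":
            ipaddress.ip_address(indicator)  # raises on a malformed address
        elif kind == "Domain":
            indicator = indicator.lower().rstrip(".")
        iocs[kind].add(indicator)
    return iocs


def domain_hit(name, domains):
    """Return the matching IOC if name equals, or is a subdomain of, one."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log(log_text, iocs):
    """Return (line, indicator_type, indicator) for every IOC match."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        if "dns" in fields:
            match = domain_hit(fields["dns"], iocs["Domain"])
            if match:
                hits.append((line, "Domain", match))
        if "dst" in fields and fields["dst"] in iocs["IP"]:
            hits.append((line, "IP", fields["dst"]))
        if "url" in fields:
            url = fields["url"]
            if url in iocs["URL"]:
                hits.append((line, "URL", url))
            # A URL's host may itself be a listed phishing domain.
            match = domain_hit(urlparse(url).hostname or "", iocs["Domain"])
            if match:
                hits.append((line, "Domain", match))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, parse_ioc_rows(SAMPLE_IOC_ROWS)):
        print(hit)
```

Matching domains as suffixes catches the kit's randomised subdomains (compare the sdsd[.]tftfrtf34f3drrs3[.]net entry above) without the operator having to enumerate them, while the URL row is deliberately not collapsed to its hostname.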


Does detecting malicious activity pose a significant challenge for your organisation?

Red Piranha’s Crystal Eye, best-in-class Threat Detection, Investigation and Response (TDIR), allows you to catch what the other products in its class missed by detecting all known malware and C2 callouts.

Improve your organisation's security posture and minimise risk to your organisation with our Network Detection and Response program alongside the Managed Detection and Response (MDR) service.

-- New Update on 21/3/2025

Looks like they've read our blog. 

Many of the domains no longer resolve to any IPs. The ones that still do don't appear to have any connection to the backend infrastructure (/api/config returns an error message similar to "error: site not found"). Their API server is also down, which is likely the cause of the error.

Gitea accounts/repos have been deleted.
The Telegram channel (https://telemetr.io/en/channels/1961642115-GSS8UceztVZhYzk0/publish) has been renamed and set to private.

The TikTok account has been deleted as well.



Last Updated: March 21, 2025