Qilin Ransomware
Extortion Campaign
Eduarda Koop | Waratchaya Luangphairin (June) | Isaiah Johnson
I. Introduction
Ransomware remains one of the most damaging cyber threats to both public and private sectors in the U.S. In 2025, Qilin, also known as “Agenda”, emerged as one of the most active ransomware operations currently targeting organizations worldwide, including U.S. state, local, tribal, and territorial (SLTT) entities [3].
First observed in 2022, Qilin quickly became prominent after the decline of RansomHub in early 2025, absorbing many of its affiliates. Qilin operates under a Ransomware-as-a-Service (RaaS) model, in which a core group of cybercriminals develops, advertises, and leases their tools and infrastructure to other affiliate cybercriminals to conduct attacks. This group also uses a double extortion strategy, meaning that in addition to encrypting data and holding the key for ransom, they steal critical data and threaten to sell or release it as an additional form of leverage against victims [3].
This report provides an overview of Qilin ransomware and offers guidance on protecting against its threat actors. Qilin is a ransomware notorious for targeting critical infrastructure, healthcare, manufacturing, and education sectors by exfiltrating their data, encrypting their systems, and leaking confidential information to demand a ransom.
Read through to understand the current threat landscape, including Tactics, Techniques & Procedures, Indicators of Compromise, as well as defensive and mitigation strategies that can be implemented to reduce ransomware risk from the Qilin group.
II. Threat Landscape / Targets
Qilin’s targets are selected by its ransomware affiliates based on opportunity and span across multiple sectors, with the most frequently impacted being manufacturing, education, government, healthcare, critical services, and financial services. The chosen industries are strategically targeted for their high financial value, giving Qilin affiliates a better chance to extort larger ransom payments. These incidents have been observed worldwide, although activity has mostly been observed in North America and Europe. Targets that have been compromised share common infrastructure weaknesses, such as large, distributed networks, legacy systems, and misconfigured remote access services [6, 19].
Qilin’s major attack was on a UK-based healthcare organization called Synnovis. The following examples highlight major attacks between June 2022 and August 2025:
• June 2022 - Initial Discovery (Undisclosed Organization)
o The first known Qilin ransomware case was detected when attackers gained access to a company’s Virtual Private Network (VPN) and compromised an administrator account. Using Remote Desktop Protocol (RDP), they pivoted into the organization’s Microsoft System Center Configuration Manager (SCCM) server, establishing persistence for further attacks. No data exfiltration was observed, but three systems were encrypted [6, 9]
• July 2022 - Initial RaaS Appearance as ‘Agenda’
The group was first observed promoting their Ransomware-as-a-Service (RaaS) tool, named “Agenda,” which was written in the Go programming language and leased to affiliates [2, 20].
• October 2022 - Public Appearance
o Qilin made its first public appearance on a Dedicated Leak Site (DLS) under the name “Agenda,” confirming affiliate operations within the ransomware marketplace [6, 9].
• December 2022 - Technical Evolution
o Qilin was rewritten in the Rust programming language, improving its encryption speed, detection evasion, and cross-platform compatibility [2, 13].
• April 2023 - Manufacturing Sector
o Undisclosed Organization (APAC): A company in the Asia-Pacific region reported being attacked by the new Qilin variant written in Rust. The attackers used SMB, RDP, and WMI for lateral movement and abused default credentials.
Approximately 30 GB of data was exfiltrated to MEGA cloud storage over SSL [6, 9].
• January 2024 - Government Sector Attack
o Australian Court System (Australia): Qilin conducted a double-extortion attack targetingtheAustralian judicialsystem,exfiltratingsensitive audiovisualcourtfiles to pressure the system into paying [6, 19].
• March 2024 - Additional Attacks
o Qilin was linked to additional attacks across different industries and countries, including International Electro-Mechanical Services (U.S.), Felda Global Ventures Holdings Berhad (Malaysia), Bright Wires (Saudi Arabia), PT Sarana Multi Infrastruktur (Indonesia), Casa Santiveri (Spain) [8]
• May 2024 – U.S. Enterprise Attack
o Undisclosed Organization (U.S ): Qilincompromised aU.S.-basedenterpriseusing default credentials and RDP for initial access and lateral movement Data exfiltration was observed through FTP [9].
• June 2024 - Healthcare Sector Attack
o Synnovis (UK): Qilin demanded a $50 million ransom after attacking Synnovis, a pathology services provider supporting the UK National Health Service (NHS). The attack disrupted operations of multiple hospitals, caused thousands of appointment cancellations, and resulted in the theft of over 400 GB of patient data [1, 10].
• April 2025 - Corporate Sector Attack
o SK Inc. (South Korea): Qilin affiliates breached the servers of SK Inc., a major investment firm, exfiltrating over 1 TB of confidential corporate data that was later leaked online [6].
• April 2025 - Critical Infrastructure Attack
o City of Abilene (Texas, U.S.): A Qilin attack encrypted city systems and exfiltrated approximately 477 GB of data, resulting in one month of disruption to public services, including the public transit network [14]
• May 2025 - U.S. Government Attack
o Cobb County Government (Georgia, U.S.): Qilin claimed responsibility for exposing the personal and legal data of local government employees and citizens. Over 150 GB of files, including autopsy photos, driver’s licenses, and Social Security numbers, were stolen [5][6].
4 of 17
• June 2025 - Manufacturing Sector Attack
o Shinko Plastics (Japan): Qilin was confirmed to be responsible for a ransomware attack on the Japanese manufacturer Shinko Plastics, claiming to have stolen 27GB of files from the company [11].
• July 2025 - Activity Peak
o Qilin became the most active ransomware group worldwide, claiming 73 victims on its DLS, and demonstrating an increase in activity after recruiting new affiliates [7]
• August 2025 - Additional Manufacturing Sector Attacks
o Qilin claimed responsibility for two confirmed ransomware attacks to the manufacturing sector in Japan, those being Nissan Creative Box and Osaki Medical [11].
With 84 victims between August and September of 2025, the Qilin Ransomware-as-a-Service (RaaS) operation became one of the most active ransomware groups [18].
III. Tactics, Techniques, and Procedures (TTPs)
Qilin uses a wide range of Tactics, Techniques, and Procedures (TTPs) to accomplish its goals. They heavily rely on the use of AI-generated content to improve phishing campaigns, create convincing attacks, and avoid detection, be it from harvesting information about their targets or creating believable digital twins. This use of automation and AI-generated content raises the success rate of their attacks [4, 16].
The following table shows their tactics and techniques, along with the corresponding MITRE ATT&CK IDs:
DESCRIPTION
Exploit PublicFacing Applications
Initial Access
T1190
Spearphishing (Attachments and Links) T1566
Qilin threat actors take advantage of the following FortiOS and FortiProxy vulnerabilities [21]:
• CVE-2024-21762 for remote code execution
• CVE-2024-55591 for bypassing authentication.
Qilin threat actors have been observed delivering malware through malicious email attachments and links. [15]
Qilin threat actors utilize embedded PowerShell scripts to deploy the Rust variant of Qilin across VMware vCenter and ESXi servers (enterprise virtualization systems) as well as PsExec (a Windows remote-execution tool used for lateral movement) [22]. Native API
Qilin calls the Native API function “LogonUserW,” supplying valid stolen credentials embedded in its configuration. Since the credentials are valid, Windows creates a normal logon session and returns a usable user token
Persistence
AutoStart via Registry Run Keys
T1547.001
Privilege Escalation
WinlogonBased AutoStart
Allowing Network Sharing to Encrypt More Files
T1547.004
After executing, Qilin creates a RunOnce registry entry called “aster” that points to enc.exe, which is a copy of the malware dropped in the public folder. This forces Windows to automatically run the ransomware one more time on the next reboot [23].
Qilin ransomware alters Winlogon settings, so Windows automatically runs Qilin executables whenever a user signs in [23]
T1112
Privilege Escalation
Exploitation for Privilege Escalation (BYOVD)
T1068
Qilinransomwarealtersregistry settings to make admin-mapped network drives visible on all processes, giving much more access to shared folders, file servers, and network storage that can be used to encrypt data for ransom [23].
Qilin threat actors may exploit vulnerabilities in legitimate but vulnerable signed drivers (Bring Your Own Vulnerable Driver) or other software components to gain higher privileges on compromised hosts, potentially achieving kernel-level access and disabling security controls to facilitate ransomware deployment [23].
Valid Accounts: Domain Accounts
T1078.002
Defense Evasion Delete Artifacts T1562 / T1070
Qilin threat actors pivot from a lowaccess Citrix login to a high-privileged leaked/stolen Active Directory account using RDP (a remote-login tool that provides full desktop access), allowing them to push system-wide changes using GPO (Group Policy Objects) to deploy Qilin across the network [23].
Qilin hides activity by clearing Windows Event Logs, deleting or timestomping files, and self-deleting malware to hinder forensic analysis [16].
Exfiltration
Qilin threat actors review cloud admin portals to keep track of users, their roles, and whether protections like multifactor authentication are enabled, then search SharePoint, file shares, and backup consoles to locate backup paths, credentials, and snapshots, preparing to disable recovery and prioritize targets [24].
Qilin raises MaxMpxCt in Windows to help it spread faster across the network. It embeds PsExec and drops it in %Temp% under a random name to avoid file-based detection [25].
Qilin threat actors zip stolen files into archives using WinRAR. They then open Chrome in Incognito (so the browser would not save history) and upload those ZIP files to easyupload.io, a public file-sharing site, to make it seem like normal HTTPS web traffic [26].
Qilin threat actors use stolen ScreenConnect consoles to push Qilin to many customers, disable backups to block restores, force Safe Mode with networking so security tools would not start,and deleteVolumeShadowCopies to kill rollbacks. They also wipe event logs to hide activity, map more machines to prioritize targets, set a ransom-note wallpaper for leverage, use symbolic links to speed encryption, selfdelete to erase evidence, and encrypt each tenant with a unique 32-character password so one decryptor cannot be reused across victims [26]
IV. Adversary Tools and Services
Attackers using Qilin usually gain initial access by using valid accounts, often taken from credential dumps or phishing pages. Once the target is compromised, they move to reconnaissance by using VPN or RDP access to discover endpoints connected to the domain and to map the network, domain trusts, and backup servers for useful targets [18]
In the next stage of the attack chain, attackers harvest credentials with tools such as Mimikatz, search browsers and backup systems for secrets, and abuse those credentials to obtain escalated privileges and to move laterally Additionally, they deploy legitimate RMM and remote-access software (AnyDesk, ScreenConnect, Splashtop, Atera, etc.) routinely to manage compromised hosts and to load the stage for later activity, and file-transfer utilities (Cyberduck, WinSCP) and common admin applications (mspaint, notepad, iexplore) to scan and harvest for information [18].
To evade detection, Qilin actors use BYOVD (bring-your-own vulnerable driver) exploits, enable Restricted Admin, disable PowerShell-based AMSI/TLS, and disable TLS certificate validation. To tunnel C2 traffic, they use SOCKS proxy DLLs or COROXY implants, sometimes hidden behind RMM infrastructure and legitimate cloud services. For persistent remote access, they were observed using Cobalt Strike and SystemBC [18].
In one recent instance, Qilin actors employed a hybrid approach. They made use of a crossplatform Linux ransomware binary, spreading and executing it on Windows endpoints through remote-management services or safe file transfer. As a result, the group's presence was amplified on Windows, Linux, and virtualized environments. Altogether, these capabilities make Qilin a significantly dangerous threat [18].
V. Indicators of Compromise (IOC) and Detection Indicators
The table below presents the exact artifacts Qilin used, consisting of: Phishing links and a lookalike ScreenConnect domain, specific installer paths, file hashes of the ransomware and the Veeam exploit tool, Tor/C2 IPs, and the ransom note path. Taken from the GitHub page posted by Sophos Labs called “Ransomware-Qilin-STAC4365.csv” [17], these indicators show how initial access was gained, how tools were deployed, and where encryption and data theft occurred.
Indicator Data Description
File Path Name C:\Users\<username>\Documents\< MSPname>.exe
Qilin runs code on Windows directly through an executable. The .exe file showed that the ransomware binary was saved and executed as a harmless-looking file in the user’s documents folder, named after the MSP (Managed Service Provider).
SHA256
fdf6b0560385a6445bd399eba03c86 62be9e61928d6cbc268d550163a5a 0928
0b9b0715a1ffb427a02e61ae8fd11c 00b5d086eb76102d4b12634e57285 c1aba
9da70c521b929725774c3980763a4 aed9baf9de4e6f83fc8f668c3a365a5 5f82
b52917b0658cd2a9197e6bb62bade 243ee1ad164f2bb566f3a1e09dfa58 0397f
ef3e42e5fa24acaee2428ff0118feb2b e925bfe6b1ea4eccce8b70a7ac5ab2c c
URL hxxps[:]//b8dymnk3.r.us-east1.awstrack[.]me/L0/https[:]%2F%2 Fcloud.screenconnect[.]com.ms%2 FsuKcHZYV/1/010001948f5ca748c4d2fc4f-aa9e-40d4-afe9bbe0036bc608-
000000/mWU0NBS5qVoIVdXUd4 HdKWrsBSI=410
Hashes representing a different Qilin ransomware executable. They can be traced to the exact malware file, which can help defenders block them.
Represents a phishing link hosted on Amazon SES. When clicked, this URL will lead users to a fake ScreenConnect site used for credential and session theft.
File Path Name
hxxps[:]//cloud.screenconnect[.]co m.ms/suKcHZYV/1/010001948f5ca 748-c4d2fc4f-aa9e-40d4-afe9bbe0036bc608000000/mWU0NBS5qVoIVdXUd4 HdKWrsBSI=410
C:\Windows\SystemTemp\ScreenC onnect\24.3.7.9067\ru.msi
Domain cloud[.]screenconnect[.]com[.]ms
186[.]2[.]163[.]10
92[.]119[.]159[.]30
IP
109[.]107[.]173[ ]60
File Path Name C:\README-RECOVER-<victim ID>.txt
128[ ]127[ ]180[ ]156
IP
109[ ]70[.]100[ ]1 SHA256
45c8716c69f56e26c98369e626e0b4 7d7ea5e15d3fb3d97f0d5b6e899729 9d1a
Represents a fake URL used to impersonate ScreenConnect. Qilin threat actors distribute their malware pretending to be ScreenConnect updates.
A fake ScreenConnect installer used by Qilin attackers to deploy additional payloads to maintain control, disguised as a routine client update.
Fake ScreenConnect domain controlled by Qilin.
Malicious web host IP with phishing links and installer content.
Russian IP that leads to a Russian-hosted server the attacker used to connect to their fake ScreenConnect instance.
Command-and-Control (C2) host used by theattackerasanoperationalserverduring the attack.
Text file that holds a ransom note written by the Qilin threat actors.
Tor exit nodes, meaning the attackers routed their traffic through the Tor network to hide their real location. These Tor IPs appeared when they accessed the ScreenConnect server instead of their actual IP addresses.
Hashes that point to the binary Qilin attackers used to exploit Veeam CVE2023-27532.
File Path Name C:\programdata\veeam.exe
File path that locates where the Veeam exploit tool was saved.
Table 2. Detection and Monitoring Indicators for Qilin Ransomware