QILIN Gang: 15 New Victims in Global Surge Targeting Manufacturing & Healthcare — IoCs & KEV Analysis

Date: 2026-05-15 Analyst: Security Arsenal Intel Unit Source: Ransomware.live / Direct Leak Site Observation

Threat Actor Profile — QILIN

QILIN (also known as Agenda or Titan) operates a sophisticated Ransomware-as-a-Service (RaaS) model. The group is characterized by its aggressive "double extortion" tactics, encrypting victim systems while exfiltrating sensitive data to leverage on their leak site.

• Typical Ransom Demands: Range significantly, generally starting at $500,000 USD for mid-market entities and scaling into multi-million dollar demands for large enterprises.
• Initial Access Vectors: Historically reliant on phishing and compromised valid credentials (VPN/RDP). However, recent intelligence indicates a shift toward exploiting internet-facing applications, specifically remote management and email collaboration software.
• Dwell Time: QILIN operators typically maintain access for 3 to 10 days before detonating encryption, using this window for lateral movement and data staging.

Current Campaign Analysis

Based on the last 100 postings and the fresh batch of 15 victims published between 2026-05-13 and 2026-05-15, QILIN is executing a highly opportunistic yet sector-focused campaign.

Targeted Sectors

• Manufacturing (33%): Heavy targeting observed (Common Part Groupings, NR Engineering, Schulte-Lindhorst, Fab-Masters). This sector remains the primary victim due to high downtime tolerance and lower maturity in OT/IT segmentation.
• Healthcare (20%): Continued attacks on medical providers (Generation Life, B.Care Medical Center, Spirit Medical Transport).
• Other: Construction, Education, Transportation, Technology, and Energy.

Geographic Concentration

• United States: 33% of recent victims (Turner Supply, Common Part Groupings, Foot Solutions, Fab-Masters, Spirit Medical Transport, Mayer).
• Australia: 26% of recent victims (Australian College of Business Intelligence, Generation Life, Menzies Group, Bluize). This represents a localized cluster likely stemming from a specific supply chain compromise or regional phishing campaign.
• Global Spread: Additional activity in Thailand, Philippines, Germany, Canada, and Great Britain confirms global availability of QILIN affiliates.

CVE Correlation & Initial Access

The campaign correlates directly with the exploitation of recently added CISA Known Exploited Vulnerabilities (KEVs):

1. ConnectWise ScreenConnect (CVE-2024-1708): A critical path traversal vulnerability allowing RCE. Added to KEV on 2026-04-28, this is likely the primary vector for the rapid deployment seen in the last 2 weeks.
2. SmarterTools SmarterMail (CVE-2025-52691 & CVE-2026-23760): These file upload and auth bypass flaws (KEV added 2026-01-26) are being leveraged to breach email infrastructures, likely providing the initial foothold for the healthcare and education sectors.
3. Cisco Secure Firewall FMC (CVE-2026-20131): Exploitation of management interfaces indicates QILIN affiliates are actively targeting perimeter security devices to disable logging or VPNs before lateral movement.

Detection Engineering

SIGMA Rules

title: Potential ConnectWise ScreenConnect Path Traversal Exploitation
id: 8a1b2c3d-4e5f-6789-0abc-1def2a3b4c5d
description: Detects suspicious URL patterns associated with CVE-2024-1708 exploitation attempts in web server logs.
status: experimental
author: Security Arsenal
date: 2026/05/15
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '..%2f'
            - '..%5c'
            - 'Data\\Services\\'
            - 'Host.ashx'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: SmarterMail Suspicious Process Spawn
id: b2c3d4e5-6f78-90ab-cdef-1a2b3c4d5e6f
description: Detects the SmarterMail web server spawning shells or PowerShell, typical of webshell activity.
status: experimental
author: Security Arsenal
date: 2026/05/15
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains: 'SmarterMail'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate administration (rare)
level: high
---
title: Volume Shadow Copy Deletion via VssAdmin
id: c3d4e5f6-7a89-0bcd-ef12-3a4b5c6d7e8f
description: Detects commands used to delete Volume Shadow Copies, a common pre-encryption step for Qilin and other ransomware.
status: experimental
author: Security Arsenal
date: 2026/05/15
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    condition: selection
falsepositives:
    - System administrator maintenance
level: critical

KQL (Microsoft Sentinel)

// Hunt for lateral movement and data staging indicators
// Looks for SMB access to admin shares and massive file modifications within a short timeframe
let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where ProcessName has "powershell.exe" or ProcessName has "wmic.exe" or ProcessName has "psexec.exe"
| where ProcessCommandLine contains "New-PSDrive" or ProcessCommandLine contains "invoke-command" or ProcessCommandLine contains "-e" 
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(TimeFrame)
    | where ActionType == "FileCreated"
    | summarize FileCount = count(), TotalSizeMB = sum(FileSize / 1048576) by DeviceName, bin(Timestamp, 10m)
    | where FileCount > 100 or TotalSizeMB > 500
) on DeviceName
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FileCount, TotalSizeMB

PowerShell Response Script

<#
.SYNOPSIS
    Rapid Response Hardening Script for QILIN Indicators
.DESCRIPTION
    Checks for unusual scheduled tasks and recent Shadow Copy manipulation.
#>

Write-Host "[+] Starting QILIN Rapid Response Checks..." -ForegroundColor Cyan

# Check for recently created scheduled tasks (last 7 days)
Write-Host "[*] Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Yellow
$cutoffDate = (Get-Date).AddDays(-7)
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $taskInfo = $task | Get-ScheduledTaskInfo
    if ($taskInfo.Date -gt $cutoffDate) {
        Write-Host "[ALERT] Recent Task Found: $($task.TaskName) - Author: $($task.Author) - Run: $($taskInfo.Date)" -ForegroundColor Red
    }
}

# Check Volume Shadow Copy Status
Write-Host "[*] Checking Volume Shadow Copy Storage Usage..." -ForegroundColor Yellow
try {
    $vss = vssadmin list shadows
    if ($vss -match "No shadow copies found") {
        Write-Host "[WARNING] No Shadow Copies exist on the system." -ForegroundColor Red
    } else {
        Write-Host "[INFO] Shadow Copies present." -ForegroundColor Green
    }
} catch {
    Write-Host "[ERROR] Could not query VSS." -ForegroundColor DarkRed
}

# Check for ScreenConnect Service Version
Write-Host "[*] Checking ConnectWise ScreenConnect Version..." -ForegroundColor Yellow
$service = Get-Service -Name "ScreenConnect*" -ErrorAction SilentlyContinue
if ($service) {
    $path = (Get-WmiObject -Class Win32_Service -Filter "Name='$($service.Name)'").PathName
    if ($path -match '"([^"]+ScreenConnect\.ClientService\.exe)"') {
        $filePath = $matches[1]
        $version = (Get-Item $filePath).VersionInfo.FileVersion
        Write-Host "[INFO] ScreenConnect found at $path version $version" -ForegroundColor Cyan
        Write-Host "[REMEDIATION] Ensure this version is patched against CVE-2024-1708 (Feb 2024 patch)." -ForegroundColor Yellow
    }
}

Write-Host "[+] Scan Complete." -ForegroundColor Cyan


---

Incident Response Priorities

If QILIN is suspected or confirmed within the environment, prioritize the following T-minus actions:

1. T-Minus 60 Mins: Isolate internet-facing email gateways (SmarterMail) and remote support tools (ScreenConnect). Do not shut them down entirely if memory acquisition is required, but disconnect from the network.
2. T-Minus 30 Mins: Identify and suspend accounts with recent logon anomalies, specifically on nights/weekends, and look for VPN sessions originating from the geographic clusters noted (Australia/US).
3. T-Minus 15 Mins: Check for the existence of C:\Windows\Temp\ or AppData\ directories containing large zip archives or renamed executables (data staging).
4. Critical Assets: QILIN historically prioritizes PII (Healthcare), IP/CAD drawings (Manufacturing), and financial databases. Segregate these file servers immediately.

Containment Actions

• Urgent: Revoke all local administrator privileges for service accounts associated with ScreenConnect or Exchange.
• Secondary: Force a password reset for all accounts that have accessed the SmarterMail web console in the last 30 days.

Hardening Recommendations

Immediate (24 Hours)

• Patch Management: Apply patches for CVE-2024-1708 (ConnectWise), CVE-2025-52691 (SmarterMail), and CVE-2026-20131 (Cisco FMC) immediately. These are confirmed active exploit vectors.
• Access Control: Enforce MFA on all VPN, RDP, and web-based administration consoles. If hardware keys are not available, enforce conditional access policies to block login attempts from unknown geographies.

Short-term (2 Weeks)

• Network Segmentation: Remove direct internet access from management interfaces (e.g., ScreenConnect, OWA). Require VPN access to reach these administrative panels.
• Audit & Reduce Attack Surface: Conduct an external scan to identify all exposed RDP (3389) and SMB (445) services and place them behind a Zero Trust Network Access (ZTNA) solution.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub