Aliases: Agenda (formerly), Qilin
Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate-heavy model, providing a Go-based encryptor (often written in Rust or Go) tailored to the target's environment.
Ransom Demands: Highly variable, typically ranging from $200,000 to $5,000,000 USD depending on victim revenue and exfiltrated data volume.
Initial Access Vectors:
- Exploit-Led: Recent intelligence strongly suggests the exploitation of internet-facing vulnerabilities (Check Point VPN, ConnectWise ScreenConnect).
- Phishing: Initial access via malicious macros or links remains a secondary vector.
TTPs:
- Double Extortion: Aggressive data theft preceding encryption. Data is published to their .onion site if negotiations fail.
- Lateral Movement: Heavy reliance on Cobalt Strike beacons, RDP (Remote Desktop Protocol), and valid credentials harvested via Mimikatz.
- Dwell Time: Typically 3–7 days. Qilin affiliates move quickly, often executing payloads within 48 hours of gaining initial access to minimize detection.
Current Campaign Analysis
Campaign Date: 2026-07-07 Observation Window: Last 100 postings (Recent 15 victims analyzed below)
Targeted Sectors
Qilin is currently executing a broad campaign but is heavily favoring Business Services (46% of recent victims), likely due to the high sensitivity of client data held by CPA firms and consultancies, increasing extortion leverage.
- Business Services (7): Wood Ellis & Wood CPA, Answer Precision Tool, Max Fordham, LabelDaddy, Grupo Inteca, Mattatuck Industrial Scrap Metal, Laughlin Nunnally Hood & Crum.
- Construction (1): Keystone Homes.
- Manufacturing (1): Precision Steel Services.
- Financial Services (1): TQ Financial Services.
- Consumer Services (1): Goodwill Manasota.
- Technology (2): Sitmatic (DE), Sisint (PT).
- Hospitality (1): Pennant Hills Golf Club.
Geographic Concentration
- Primary: United States (60% of victims) — US-based CPA firms and construction companies are the primary targets.
- Secondary: United Kingdom, Mexico, Germany, Portugal, Australia.
Victim Profile
The victims are predominantly SMBs to Mid-Market enterprises. The targeting of CPA firms and Golf Clubs suggests a focus on organizations with mature revenue streams but potentially fragmented IT security postures.
Observed Frequency
Qilin posted 15 victims between 2026-07-01 and 2026-07-06, averaging nearly 3 postings per day. This indicates a highly active affiliate network or an automated exploitation toolchain leveraging the recently disclosed CVEs.
Initial Access Vector Correlation
The recent spike correlates directly with the exploitation of the following CISA Known Exploited Vulnerabilities (KEVs):
- CVE-2026-50751 (Check Point Security Gateway): Added to KEV 2026-06-08. This improper authentication vulnerability in IKEv1 is likely being used to bypass VPN authentication, granting direct network access to US and UK targets.
- CVE-2024-1708 (ConnectWise ScreenConnect): Added to KEV 2026-04-28. As a path traversal vulnerability allowing RCE, this is a probable vector for the IT-managed service providers (MSPs) or internal IT teams within the "Business Services" sector.
- CVE-2023-21529 (Microsoft Exchange): Deserialization vulnerability allowing authenticated attackers to achieve RCE. Potential lateral move vector.
Detection Engineering
Sigma Rules
title: Potential Check Point IKEv1 VPN Exploitation CVE-2026-50751
id: 3c1b5e12-a1b2-4c5d-9e6f-1234567890ab
description: Detects suspicious IKEv1 negotiation patterns or authentication failures indicative of CVE-2026-50751 exploitation attempts.
status: experimental
date: 2026/07/07
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
logsource:
category: firewall
detection:
selection:
dst_port: 500
protocol: 'IKE'
ike_version: '1'
action: 'accept' or 'deny' # Suspicious if accepted without valid auth or excessive denies
condition: selection
falsepositives:
- Legacy VPN configuration usage
level: high
tags:
- cve.2026.50751
- attack.initial_access
- qilin
---
title: ConnectWise ScreenConnect Path Traversal Exploitation CVE-2024-1708
id: d2e4f678-9b0c-1d2e-3f4a-567890123456
description: Detects path traversal strings in ScreenConnect web server logs, indicative of exploitation attempts.
status: experimental
date: 2026/07/07
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
logsource:
product: webserver
service: access
detection:
selection_uri:
cs-uri-query|contains:
- '../'
- '%2e%2e'
- '..%5c'
selection_sc:
cs-uri-stem|contains: '/Guest/' # Default path often targeted
condition: all of selection_
falsepositives:
- None
level: critical
tags:
- cve.2024.1708
- attack.initial_access
- attack.remote_code_execution
- qilin
---
title: Suspicious Rclone Exfil Activity
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects the use of rclone, a tool frequently used by Qilin affiliates for data exfiltration prior to encryption.
status: experimental
date: 2026/07/07
author: Security Arsenal Research
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rclone.exe'
- OriginalFileName: 'rclone.exe'
selection_cli:
CommandLine|contains:
- 'copy'
- 'sync'
- 'config create'
condition: 1 of selection*
falsepositives:
- Legitimate admin backup tasks
level: high
tags:
- attack.exfiltration
- qilin
KQL (Microsoft Sentinel)
// Hunt for Qilin lateral movement and staging activity
// Looks for PowerShell base64 encoding, Rclone usage, and unusual SMB access
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where (FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe") and CommandLine has "-enc")
or FileName in~ ("rclone.exe", "procdump.exe", "mimikatz.exe")
or ProcessCommandLine has any("net use", "psexec", "wmic")
| summarize count(), make_set(CommandLine) by DeviceName, Timestamp, AccountName
| order by count_ desc
PowerShell Response Script
<#
QILIN Response Hardening Script
Checks for exposed RDP, recent scheduled tasks, and VSS modifications.
Run as Administrator.
#>
Write-Host "[+] Checking RDP Exposure..." -ForegroundColor Cyan
$RDP = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -ErrorAction SilentlyContinue
if ($RDP.fDenyTSConnections -eq 0) { Write-Host "[ALERT] RDP is ENABLED." -ForegroundColor Red } else { Write-Host "[OK] RDP is Disabled." -ForegroundColor Green }
Write-Host "\n[+] Enumerating Scheduled Tasks created in last 7 days..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object { $_.Date -ge (Get-Date).AddDays(-7) } | Select-Object TaskName, TaskPath, Date, Author
Write-Host "\n[+] Checking Volume Shadow Copy Service Modifications..." -ForegroundColor Cyan
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='VSS'; StartTime=(Get-Date).AddDays(-1); ID=8194} -ErrorAction SilentlyContinue
if ($Events) { Write-Host "[ALERT] Recent VSS Shadow Copy Deletions detected:" -ForegroundColor Red; $Events | Select-Object TimeCreated, Message } else { Write-Host "[OK] No recent VSS deletions found." -ForegroundColor Green }
Write-Host "\n[+] Audit Complete."
---
Incident Response Priorities
T-Minus Detection Checklist (Pre-Encryption)
- VPN Logs: Immediately audit Check Point Security Gateway logs for excessive IKEv1 requests or successful authentications from unusual geo-locations (关联 to CVE-2026-50751).
- Web Shell Hunt: Scan web servers for the presence of
aspx,jsp, orphpshells inC:\inetpub\wwwrootor/var/www/htmluploaded around the time of CVE-2024-1708 exploitation. - Service Accounts: Check for anomalous logon events (Event ID 4624) using service accounts, particularly those with privileged rights, outside of business hours.
Critical Assets for Exfiltration
Based on current victims (CPA firms, Financial Services), prioritize the search for data staging on:
- Active Directory:
NTDS.dit(often dumped viantdsutil). - Financial Systems: QuickBooks, Sage, or proprietary banking databases.
- Client Data: File servers containing PII/PHI (e.g., shared folders named
Clients,Customers,Tax).
Containment Actions (Ordered by Urgency)
- Isolate VPN Concentrators: If Check Point appliances are unpatched for CVE-2026-50751, disconnect them from the network immediately or disable IKEv1.
- Disable ScreenConnect: If ConnectWise ScreenConnect is in use and unpatched for CVE-2024-1708, stop the service and block web access to the panel.
- Credential Reset: Force reset of privileged domain admin credentials and local administrator passwords for all assets identified as compromised.
Hardening Recommendations
Immediate (24 Hours)
- Patch Critical Vulnerabilities: Apply the vendor patches for CVE-2026-50751 (Check Point) and CVE-2024-1708 (ScreenConnect).
- MFA Enforcement: Ensure that all VPN access is protected by FIDO2 or hardware-token MFA. Push notification MFA is susceptible to fatigue attacks.
- Block Port 445 (SMB): Inbound SMB traffic from the internet or untrusted VLANs should be blocked at the firewall to impede lateral movement.
Short-Term (2 Weeks)
- Network Segmentation: Move business services and management servers (like ScreenConnect) into a dedicated administrative VLAN with strict ingress/egress rules.
- EDR Deployment: Ensure comprehensive EDR coverage on all servers and workstations, specifically configuring detection rules for
rcloneandpowershellencoded commands.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.