
QILIN Ransomware: 15 New Victims Posted — Manufacturing & Service Sector Targeting & CVE Exploitation

Security Arsenal Team
April 21, 2026
6 min read

Release Date: 2026-04-21
Author: Security Arsenal Threat Intelligence Unit
Source: Ransomware.live (Live Dark Web Feed)


Threat Actor Profile — QILIN

Aliases: Agenda, Qilin.B
Model: Ransomware-as-a-Service (RaaS).
Ransom Demands: Variable, typically ranging from $500,000 to multi-million USD demands depending on victim revenue and exfiltrated data volume.

TTPs & Behavior: Qilin operates as a sophisticated RaaS operation. They typically gain initial access through exposed vulnerabilities in internet-facing applications (recently Microsoft Exchange and email appliances) or via valid credentials obtained via phishing.

  • Double Extortion: They aggressively exfiltrate sensitive data prior to encryption and utilize a dedicated leak site (DLS) to pressure victims.
  • Dwell Time: Average dwell time is estimated at 3 to 7 days, which allows for extensive lateral movement and privilege escalation before encryption.
  • Encryption: They use a custom Go-based ransomware that targets Windows and Linux ESXi hypervisors.

Current Campaign Analysis

Based on the 15 victims posted to the Qilin leak site on 2026-04-20 and 2026-04-21:

Sector Targeting

The current campaign shows a distinct pivot towards Manufacturing (27% of victims) and Business Services (20% of victims), followed by Transportation/Logistics.

  • Manufacturing: Industrial Carrocera Arbuciense (ES), Kolin Turkey (TR), Heartland Steel Products (US), Safety Engineering Laboratories (US), Huonker GmbH (DE).
  • Business Services: PTS Office Systems (US), City'Pro (FR), GUEGUEN Avocats (FR).
  • Logistics: Sea Air International Forwarders (CA), Avitrans.
  • Critical Infrastructure/Other: STERIMED (Healthcare), Roman Catholic Archdiocese of St John (Public Sector).

Geographic Distribution

The activity is globally dispersed but concentrated in North America and Europe:

  • United States: 3 Victims
  • France: 3 Victims
  • Canada: 2 Victims
  • Others: Spain, Turkey, Romania, Germany.

CVE Integration & Initial Access

The victims posted correlate with the active exploitation of several CISA Known Exploited Vulnerabilities (KEVs) added to the catalog recently. Qilin affiliates are actively scanning for and exploiting:

  1. CVE-2023-21529 (Microsoft Exchange): A deserialization vulnerability allowing authenticated attackers to execute code. This is likely used against Business Services and Legal sectors (e.g., GUEGUEN Avocats) heavily reliant on Exchange.
  2. CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail): File upload and auth bypass vulnerabilities. These provide unauthenticated access to email servers, serving as a primary entry point for exfiltration and deployment of web shells.
  3. CVE-2026-20131 (Cisco Secure Firewall FMC): Deserialization flaw. Exploitation here allows bypassing perimeter defenses, likely explaining the successful compromise of Logistics and Manufacturing firms with robust network perimeters.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential Exchange Server Deserialization Exploit (CVE-2023-21529)
id: b4c3e9f6-1a2b-4c5d-9e6f-1a2b3c4d5e6f
description: Detects potential exploitation of Microsoft Exchange Server deserialization vulnerabilities often used by Qilin for initial access.
status: experimental
date: 2026/04/21
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: windows
    service: security
detection:
    selection:
        # Sigma expresses "either value" as a list, not with "or"
        # 5140 carries no RelativeTargetName, so in practice only 5145 can satisfy all three fields
        EventID:
            - 5140
            - 5145
        ShareName|contains: 'Exchange'
        RelativeTargetName|contains: '.config'
    condition: selection
falsepositives:
    - Administrative access to Exchange config files
level: high
---
title: SmarterMail Unrestricted File Upload Activity
id: d5e4f0a7-2b3c-4d5e-9f0a-2b3c4d5e6f7a
description: Detects suspicious file creation patterns in SmarterMail web directories indicative of web shell upload (CVE-2025-52691).
status: experimental
date: 2026/04/21
author: Security Arsenal
logsource:
    product: windows
    category: file_event
detection:
    # The two TargetFilename tests live in separate selections; a YAML mapping cannot hold the same key twice
    selection_path:
        TargetFilename|contains:
            - 'C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\'
            - 'C:\Program Files\SmarterTools\SmarterMail\MRS\'
    selection_ext:
        TargetFilename|contains:
            - '.aspx'
            - '.ashx'
    filter:
        # Review before deploying: when SmarterMail is hosted under IIS, w3wp.exe is the process that writes an uploaded file
        Image|endswith: '\w3wp.exe'
    condition: selection_path and selection_ext and not filter
falsepositives:
    - Legitimate SmarterMail updates
level: critical
---
title: Suspicious PsExec Lateral Movement
id: e6f5a1b8-3c4d-5e6f-0a1b-3c4d5e6f7a8b
description: Detects the use of PsExec for lateral movement, a common tactic for Qilin operators to spread across a manufacturing network.
status: experimental
date: 2026/04/21
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        # Event 5145 records the share as \\*\ADMIN$, so match on the suffix
        ShareName|endswith: 'ADMIN$'
        RelativeTargetName|endswith: 'PSEXESVC.exe'
    condition: selection
falsepositives:
    - Legitimate administrative tasks using PsExec
level: high

KQL (Microsoft Sentinel)

Hunt for potential pre-encryption staging and lateral movement associated with Qilin tooling (PowerShell and Cobalt Strike beacons).

KQL — Microsoft Sentinel / Defender
// Hunt for Qilin-associated lateral movement and staging
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe")
| where ProcessCommandLine has_any ("Invoke-Expression", "IEX", "DownloadString", "FromBase64String")
// contains is case-insensitive; "-Enc" already covers "-EncodedCommand"
| where ProcessCommandLine contains "-Enc" or ProcessCommandLine contains "EncodedCommand"
| summarize Count = count(), StartTime = min(Timestamp), EndTime = max(Timestamp) by DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| where Count > 2
// Count must be kept by project, otherwise the final order by fails
| project StartTime, EndTime, Count, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Count desc

PowerShell Response Script

Rapid response script to identify recent persistence mechanisms and abnormal shadow copy activity (pre-encryption).

PowerShell
# Qilin Response Check: Persistence and VSS Anomalies
$Cutoff7d  = (Get-Date).AddDays(-7)
$Cutoff24h = (Get-Date).AddHours(-24)

Write-Host "[*] Checking for Scheduled Tasks created in last 7 days..." -ForegroundColor Yellow
# Date is a string (and empty for many built-in tasks), so convert before comparing; the property is Actions, not Action
Get-ScheduledTask |
Where-Object { ($_.Date -as [datetime]) -ge $Cutoff7d } |
Select-Object TaskName, TaskPath, Author, Date, State,
    @{n='Actions'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }} |
Format-Table -Wrap

Write-Host "[*] Checking for recent Volume Shadow Copy deletions or modifications..." -ForegroundColor Yellow
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; ID=510, 514, 513; StartTime=$Cutoff24h} -ErrorAction SilentlyContinue
if ($Events) {
    $Events | Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message | Format-Table -Wrap
} else {
    Write-Host "No recent VSS events found." -ForegroundColor Green
}

Write-Host "[*] Checking for uncommon RDP logons (Type 10) in last 24h..." -ForegroundColor Yellow
# 4624 properties: [5] TargetUserName, [6] TargetDomainName, [8] LogonType, [18] IpAddress ([19] is the source port)
# Filtering on LogonType instead of the localized Message text also works on non-English systems
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=$Cutoff24h} -ErrorAction SilentlyContinue |
Where-Object { $_.Properties[8].Value -eq 10 } |
Select-Object TimeCreated,
    @{n='User'; e={ "$($_.Properties[6].Value)\$($_.Properties[5].Value)" }},
    @{n='IP';   e={ $_.Properties[18].Value }} |
Format-Table


---

Incident Response Priorities

T-minus Detection Checklist:

  1. Exchange & Email Gateways: Immediate review of IIS/Exchange logs for deserialization payloads (CVE-2023-21529) and of SmarterMail logs for unauthorized .aspx uploads (CVE-2025-52691).
  2. Web Shell Detection: Scan web directories for recently modified .aspx, .ashx, or .php files.
  3. Lateral Movement: Look for PsExec or WMI execution (wmic.exe process call create) from non-admin accounts or unusual times.
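A PowerShell hunt for checklist item 2, added here as an example (it is not part of the original advisory). The web roots are assumed default install paths, and C:\IR plus the optional baseline CSV are assumptions; adjust them for the environment.

```powershell
# Added example: list web script files modified recently under candidate web roots,
# recording owner and SHA256 so they can be compared against a known-good install.
# The paths below are assumed default install locations; adjust for the environment.
$WebRoots = @(
    'C:\inetpub\wwwroot',
    'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy',
    'C:\Program Files (x86)\SmarterTools\SmarterMail\MRS',
    'C:\Program Files\SmarterTools\SmarterMail\MRS'
)
$LookbackDays = 7
$Extensions   = '.aspx', '.ashx', '.asmx', '.php'
$Cutoff       = (Get-Date).AddDays(-$LookbackDays)
$OutDir       = 'C:\IR'                                    # assumed evidence folder
$BaselinePath = Join-Path $OutDir 'webroot-baseline.csv'   # assumed: CSV with Path and SHA256 columns from a clean host

$Findings = foreach ($Root in $WebRoots) {
    if (-not (Test-Path -LiteralPath $Root)) { continue }
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension -and $_.LastWriteTime -ge $Cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                CreationTime  = $_.CreationTime
                SizeBytes     = $_.Length
                Owner         = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
                SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
        }
}

# Drop files whose hash matches the baseline, so only new or changed scripts remain.
if (Test-Path -LiteralPath $BaselinePath) {
    $Known = @{}
    Import-Csv -LiteralPath $BaselinePath | ForEach-Object { $Known[$_.Path] = $_.SHA256 }
    $Findings = @($Findings | Where-Object { $Known[$_.Path] -ne $_.SHA256 })
}

if ($Findings) {
    $Findings | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize -Wrap
    if (-not (Test-Path -LiteralPath $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
    $Findings | Export-Csv -LiteralPath (Join-Path $OutDir "webroot-findings-$(Get-Date -Format yyyyMMdd-HHmm).csv") -NoTypeInformation
} else {
    Write-Host "No web script files modified in the last $LookbackDays days." -ForegroundColor Green
}
```

Modification time alone is a weak signal (updates and installers touch these files too), which is why owner and hash are recorded for comparison with a clean build.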

Critical Exfiltration Assets: Qilin historically prioritizes:

  • Manufacturing blueprints and IP.
  • Client databases (HR, CRM) in Business Services.
  • Financial records and employee PII.

Containment Actions:

  1. Isolate: Segment off Exchange servers and email appliances from the network immediately if compromise is suspected.
  2. Revoke: Reset credentials for accounts that have recently logged into Exchange or Cisco FMC management consoles.
  3. Block: Add firewall rules blocking outbound SMB (TCP 445) and RDP (TCP 3389) to non-internal IPs.

Hardening Recommendations

Immediate (24 Hours)

  • Patch: Immediately apply patches for CVE-2023-21529 (Exchange), CVE-2025-52691, CVE-2026-23760 (SmarterMail), and CVE-2026-20131 (Cisco FMC).
  • Disable: If patching is not possible immediately, disable external access to SmarterMail web interfaces and restrict Exchange EWS to internal IPs, reachable only via VPN.
  • MFA: Enforce strict MFA on all management consoles (Cisco FMC, OWA) and VPNs.

Short-term (2 Weeks)

  • Network Segmentation: Ensure Manufacturing OT/IoT networks are logically separated from IT email servers to prevent lateral movement.
  • External Attack Surface Management: Scan for and disable unnecessary RDP/VPN endpoints exposed to the public internet.
  • EDR Coverage: Ensure full EDR coverage is active on all email gateway servers and management appliances, not just endpoints.
