QILIN Ransomware: 18 New Victims Posted — Critical Vulnerability Exploitation (SmarterMail & Cisco FMC) | Security Arsenal

Aliases & Structure: Qilin (also known as Agenda) operates a sophisticated Ransomware-as-a-Service (RaaS) model. They recruit affiliates with access to corporate networks, providing a customizable, Go-based encryptor (often touted for its speed and cross-platform capabilities).

Tactics & Motivation: The group strictly adheres to a double-extortion playbook: encrypting victim environments while exfiltrating sensitive data to pressure payment. Ransom demands typically range from $500,000 to several million, tailored to the victim's revenue.

Initial Access & TTPs: Based on recent intelligence, Qilin affiliates are heavily reliant on exploiting unpatched external-facing infrastructure rather than phishing. They leverage valid credentials obtained via infostealers or authentication bypasses to gain a foothold. Once inside, they deploy Cobalt Strike beacons for C2, use tools like AnyDesk and Advanced IP Scanner for reconnaissance, and utilize PsExec or WMI for lateral movement. Dwell time is often short (2–5 days) between initial access and detonation.

Current Campaign Analysis

Sector Targeting: The recent victimology indicates a pivot toward Business Services (Professional Services, Legal, Financial) and Construction. A notable deviation is the compromise of Semgrep (Technology), suggesting a strategic interest in source code and intellectual property. Manufacturing and Consumer Services remain secondary targets.

Geographic Concentration: The campaign is highly focused on US and GB entities, with significant activity in ANZ (Australia/New Zealand) and sporadic hits in Central Europe (CZ, AT).

Victim Profile: Victims range from mid-market businesses ($50M–$500M revenue) to large enterprises. The focus on legal (Alpert Slobin & Rubenstein) and financial firms (ExpoCredit) suggests affiliates are targeting high-data-value organizations where confidentiality is paramount.

Observed Posting Frequency: Qilin maintains a high operational tempo, averaging 3–4 victim postings per day. The gang typically threatens to leak data within 3–7 days of the initial post if negotiations fail.

CVE Correlation (Initial Access Vectors): The campaign is strongly correlated with the exploitation of the following CISA KEV vulnerabilities:

SmarterMail (CVE-2025-52691 & CVE-2026-23760): Auth bypass and unrestricted file upload. This is likely the primary vector for the Business Services sector compromises.
Cisco Secure Firewall FMC (CVE-2026-20131): Deserialization vulnerability allowing RCE. This presents a critical risk for perimeter bypass.
ConnectWise ScreenConnect (CVE-2024-1708): Continues to be a reliable access method for managed service providers (MSPs) serving the targeted sectors.

Detection Engineering

Sigma Rules

YAML

title: Potential SmarterMail Exploitation Activity
description: Detects potential web shell upload or exploitation attempts related to SmarterMail vulnerabilities (CVE-2025-52691, CVE-2026-23760).
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/05/25
tags:
  - attack.initial_access
  - attack.web_shell
  - cve.2025.52691
logsource:
  product: windows
  service: iis
detection:
  selection:
    cs-uri-stem|contains:
      - '/Services/Mail.asmx'
      - '/LiveChat/UploadFile.ashx'
    cs-method: 'POST'
  filter Legit:
    cs-user-agent|contains: 'Mozilla'  # Basic filter, adjust to environment
  condition: selection and not filter Legit
falsepositives:
  - Legitimate administrative access via web interface
level: high

---

title: Suspicious Process Execution on Cisco FMC (Linux)
description: Detects suspicious shell activity spawned by the Java/Tomcat service hosting Cisco FMC, indicative of deserialization exploits (CVE-2026-20131).
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/05/25
tags:
  - attack.execution
  - cve.2026.20131
  - attack.t1059.004
logsource:
  product: linux
detection:
  selection_parent:
    pparent_name|contains: 'java'  # FMC runs on Java/Tomcat
  selection_child:
    pname|contains:
      - 'sh'
      - 'bash'
      - 'nc'
      - 'curl'
      - 'wget'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative troubleshooting
level: critical

---

title: Qilin Ransomware Pre-Encryption Shadow Copy Deletion
description: Detects commands often used by Qilin affiliates to delete Volume Shadow Copies via PowerShell or CMD before encryption.
references:
  - Internal Threat Intel
author: Security Arsenal Research
date: 2026/05/25
tags:
  - attack.impact
  - attack.t1490
logsource:
  product: windows
  category: process_creation
detection:
  selection_vssadmin:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains: 'delete shadows'
  selection_wmic:
    Image|endswith: '\wmic.exe'
    CommandLine|contains: 'shadowcopy delete'
  selection_powershell:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'Get-WmiObject Win32_Shadowcopy'
      - '.Delete()'
  condition: 1 of selection_
falsepositives:
  - System administrator maintenance (rare)
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for SmarterMail exploitation indicators and lateral movement
let SmarterMailServers = DeviceNetworkEvents
| where RemoteUrl contains "SmarterMail" or InitiatingProcessFileName == "MailService.exe";
union DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents
| where Timestamp > ago(7d)
| where 
    // Indicators of Web Shell activity or unusual access
    (FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe") and InitiatingProcessFileName in~ ("w3wp.exe", "java.exe"))
    or 
    // Data Staging - Large file moves to non-standard paths
    (FolderPath endswith ".zip" and FileSize > 10000000 and ProcessVersionInfoOriginalFileName !in~ ("WINZIP.EXE", "7zFM.exe"))
    or
    // Lateral Movement - RDP/SMB anomalous usage
    (RemotePort in (3389, 445) and InitiatingProcessAccountName != "SYSTEM" and InitiatingProcessAccountName !contains "$")
| project Timestamp, DeviceName, ActionType, FileName, ProcessCommandLine, InitiatingProcessAccountName, FolderPath, RemoteIP, RemotePort
| order by Timestamp desc

PowerShell - Response Script

PowerShell

# QILIN Response Script: Scheduled Task Enumeration & VSS Health Check
# Requires Admin Privileges

Write-Host "[+] Checking Volume Shadow Copy Storage Health..." -ForegroundColor Cyan
$vss = Get-WmiObject -Class Win32_ShadowCopy | Measure-Object
if ($vss.Count -eq 0) {
    Write-Host "[!] CRITICAL: No Volume Shadow Copies found. Possible deletion attempt." -ForegroundColor Red
} else {
    Write-Host "[+] Found $($vss.Count) Shadow Copy snapshots." -ForegroundColor Green
}

Write-Host "\n[+] Hunting for Scheduled Tasks created in the last 7 days (Persistence)..." -ForegroundColor Cyan
$dateCutoff = (Get-Date).AddDays(-7)
$suspiciousTasks = Get-ScheduledTask | Where-Object {$_.Date -gt $dateCutoff}

if ($suspiciousTasks) {
    Write-Host "[!] WARNING: Found $($suspiciousTasks.Count) tasks created recently:" -ForegroundColor Yellow
    $suspiciousTasks | Select-Object TaskName, TaskPath, Date, Author | Format-Table -AutoSize
} else {
    Write-Host "[+] No suspicious recent scheduled tasks detected." -ForegroundColor Green
}

Write-Host "\n[+] Checking for common Qilin/Staging directories..." -ForegroundColor Cyan
$paths = @("C:\Windows\Temp\", "C:\ProgramData\", "C:\Perflogs")
$extensions = @("*.exe", "*.dll", "*.bat")
foreach ($path in $paths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Include $extensions -Recurse -ErrorAction SilentlyContinue | 
        Where-Object {$_.LastWriteTime -gt $dateCutoff} | 
        Select-Object FullName, LastWriteTime | Format-Table
    }
}


---

Incident Response Priorities

T-minus Detection Checklist (Pre-Encryption):

Network Connections: Hunt for outbound Rclone or WinSCP connections to non-corporate IP addresses (Data Exfil).
Process Anomalies: Look for powershell.exe spawning from w3wp.exe (IIS) or generic Java services (SmarterMail/Cisco FMC exploitation).
Service Abuse: Check for the creation of new Windows Services or Scheduled Tasks running cmd.exe /c scripts.

Critical Assets at Risk:

Source Code Repositories: Given the targeting of Semgrep (Tech sector), exfiltration of intellectual property is a high probability.
Financial/Legal Databases: High confidentiality data likely targeted from the Business Services victims.

Containment Actions (Order of Urgency):

Isolate Mail Servers: If running SmarterMail, disconnect from the network immediately pending patch verification.
Segregate Management Consoles: Isolate Cisco FMC and similar management appliances; reset credentials for all admin accounts.
Disable Non-Essential RDP: Force-disable RDP on all workstations and servers not requiring it for immediate operations.

Hardening Recommendations

Immediate (24 Hours):

Patch Critical CVEs: Apply patches for CVE-2025-52691, CVE-2026-23760 (SmarterMail), and CVE-2026-20131 (Cisco FMC) immediately. These are confirmed active exploitation vectors.
Disable Internet-Facing RDP/VPN: Enforce MFA and restrict access via VPN allow-listing only.
Audit SmarterMail Instances: Ensure multi-factor authentication (MFA) is enforced for all webmail logins.

Short-term (2 Weeks):

Network Segmentation: Move Mail servers and Management interfaces to a dedicated VLAN with strict egress filtering (only necessary ports allowed).
EDR & Log Coverage: Ensure EDR agents are running on all management appliances (including Linux-based firewalls like FMC if supported) and web servers.
Backup Integrity: Verify that offline backups are immutable and test the restoration process for critical business services.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

QILIN Ransomware: 18 New Victims Posted — Critical Vulnerability Exploitation (SmarterMail & Cisco FMC)