
QILIN Ransomware: 21 New Victims Posted — Sector Targeting Analysis & Detection Rules

Security Arsenal Team
May 8, 2026

Date: 2026-05-09
Source: Ransomware.live / Dark Web Leak Sites
Analyst: Security Arsenal Intel Team

Threat Actor Profile — QILIN

Qilin (formerly known as Agenda) operates a highly aggressive Ransomware-as-a-Service (RaaS) model. The group is distinguished by its custom-written ransomware variants in Rust and Go, allowing for cross-platform compilation targeting Windows and Linux systems.

  • Ransom Demands: Typically range from $500,000 to $5 million, depending on victim revenue and urgency of data restoration.
  • Initial Access: Heavily reliant on exploiting external-facing services (VPN, Email Servers) and valid credentials obtained via initial access brokers. Phishing remains a secondary vector.
  • Double Extortion: Strict adherence to double extortion; data is exfiltrated via tools like rclone or Mega prior to encryption execution.
  • Dwell Time: Observed dwell time is short, often averaging 3–5 days between initial compromise and detonation, necessitating rapid detection capabilities.

Current Campaign Analysis

Sectors Targeted: The recent wave of 21 victims indicates a strategic pivot toward Manufacturing and Construction sectors, combined with continued targeting of Business Services and Technology.

  • High Risk: Manufacturing (Exco Technologies, Sylvania, Complastex), Construction (CCD Interiors, DL Cohen Construction, Ruiz Barbarin Arquitectos).
  • Opportunistic: Financial Services (Fogel Capital) and Education (Norcal Training Center).

Geographic Concentration: The campaign shows a distinct trans-Atlantic focus with heavy saturation in the Americas (US, CA, MX, AR, BR, CL) and significant activity in the UK and EU (DE, ES, IT).

Victim Profile: Victims range from mid-market enterprises (revenue $50M–$500M) to larger logistics entities. The inclusion of specialized construction and manufacturing firms suggests supply chain targeting or opportunistic scanning of specific industrial IP ranges.

Posting Frequency: A "spamming" tactic was observed on 2026-05-08, where Qilin published 10 victims in a single day. This volume suggests a high-throughput automated deployment pipeline.

CVE Correlation (Initial Access Vectors): Recent victims in the Technology and Business Services sectors strongly correlate with the active exploitation of the following CISA KEV-listed vulnerabilities:

  1. CVE-2025-52691 & CVE-2026-23760 (SmarterMail): Allow unrestricted file upload and authentication bypass. Likely used to compromise Business Services (Imex International, Inox Market).
  2. CVE-2023-21529 (Microsoft Exchange): Deserialization vulnerability. A persistent vector for Tech/Financial sectors.
  3. CVE-2026-20131 (Cisco FMC): Deserialization flaw targeting network perimeter devices, likely used to breach Logistics/Transport victims.

Detection Engineering

The following Sigma rules, KQL queries, and PowerShell scripts are designed to detect Qilin TTPs specifically related to the identified CVEs and their common post-exploitation toolset.

Sigma Rules

YAML
---
title: Potential SmarterMail Exploitation CVE-2025-52691
description: Detects suspicious child processes spawned by SmarterMail web process, potentially indicating exploitation of the upload vulnerability.
status: experimental
date: 2026/05/09
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains: 'MailService.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Administrative troubleshooting
level: high
---
title: Microsoft Exchange Deserialization Exploit Attempt CVE-2023-21529
description: Detects suspicious process execution patterns associated with Exchange deserialization exploits.
status: experimental
date: 2026/05/09
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains: 'w3wp.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\whoami.exe'
    filter:
        CommandLine|contains: 'appcmd' # Allow legitimate IIS management
    condition: selection and not filter
falsepositives:
    - Exchange Server Management
level: critical
---
title: Qilin Ransomware Exfil Tool Rclone Execution
description: Detects execution of rclone, a tool frequently used by Qilin for data exfiltration prior to encryption.
status: experimental
date: 2026/05/09
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rclone.exe'
    condition: selection
falsepositives:
    - Legitimate admin backups (rare)
level: high
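To check what the three Sigma selections above actually match before deploying them, here is an added Python evaluator (example code written for this article, not a Security Arsenal or Sigma project tool): it transcribes each rule's selection and filter, including the `selection and not filter` condition, and runs them over constructed Sysmon-style process-creation events. The rule names, field names and sample file paths are constructed for illustration.

```python
# Added example (not from the original post): evaluates the three Sigma
# selections above against constructed process-creation events.
from typing import Dict, List

# Rule logic transcribed from the Sigma rules above (names are illustrative).
RULES = {
    "SmarterMail child process": {
        "parent_contains": "MailService.exe",
        "image_endswith": ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"),
    },
    "Exchange w3wp child process": {
        "parent_contains": "w3wp.exe",
        "image_endswith": ("\\powershell.exe", "\\cmd.exe", "\\whoami.exe"),
        "filter_cmdline_contains": "appcmd",  # condition: selection and not filter
    },
    "rclone execution": {"image_endswith": ("\\rclone.exe",)},
}

def rule_matches(rule: Dict, event: Dict[str, str]) -> bool:
    """Sigma string modifiers are case-insensitive, so normalise first."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if "parent_contains" in rule and rule["parent_contains"].lower() not in parent:
        return False
    if not image.endswith(tuple(s.lower() for s in rule["image_endswith"])):
        return False
    flt = rule.get("filter_cmdline_contains")
    if flt and flt.lower() in cmdline:
        return False  # excluded by the 'not filter' clause
    return True

def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return the name of every rule that fires, in event order."""
    return [name for ev in events for name, rule in RULES.items() if rule_matches(rule, ev)]

# Constructed sample events (Sysmon-style field names), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Program Files\SmarterTools\SmarterMail\Service\MailService.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "cmd /c appcmd list sites"},  # filtered out
    {"Image": r"C:\Windows\System32\whoami.exe", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "whoami /all"},
    {"Image": r"C:\Users\Public\rclone.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "rclone.exe copy ..."},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},  # benign
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("HIT:", hit)
```

Running it prints three hits; the `appcmd` event from w3wp.exe is suppressed by the filter, which is the behaviour to confirm before tuning the rule for your Exchange admins.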

KQL (Microsoft Sentinel)

Hunt for lateral movement and data staging indicators associated with Qilin operations.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("rclone.exe", "7z.exe", "winrar.exe", "procdump.exe", "mimikatz.exe")
// Drop interactive launches (explorer.exe / cmd.exe parents); keep powershell.exe parents,
// since scripted archiving or staging is the behaviour of interest
| where InitiatingProcessFileName !in~ ("explorer.exe", "cmd.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName, FolderPath
| order by Timestamp desc

PowerShell Response Script

Rapid response script to identify potential Qilin persistence mechanisms (Scheduled Tasks) and Shadow Copy manipulation.

PowerShell
# Check for scheduled tasks created in the last 48 hours (high risk for Qilin persistence).
# The CIM 'Date' property is a string and is often empty, so guard and cast before comparing.
$Date = (Get-Date).AddDays(-2)
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt $Date -and $_.Author -notmatch "Microsoft|Admin" } |
    Select-Object TaskName, Author, Date, TaskPath,
        @{ Name = 'Actions'; Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

# Check for recent deletion or modification of Volume Shadow Copies
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ID = 510,513,514; StartTime = $Date } -ErrorAction SilentlyContinue
if ($Events) { $Events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap }
else { Write-Host "No recent VSS modification events found." }

Incident Response Priorities

T-minus Detection Checklist:

  1. Network: Check firewall logs for connections to the cloud storage endpoints (e.g., Mega) that rclone is commonly configured to upload to.
  2. Authentication: Audit Active Directory for user accounts created or modified within the last 7 days; look for "SVAdmin" or generic service accounts.
  3. Web Shells: Scan Exchange and SmarterMail directories (e.g., C:\inetpub\wwwroot) for recently modified .aspx files.

Critical Assets at Risk:

  • Manufacturing: CAD drawings, IP, and ERP databases (SAP/Oracle).
  • Financial: Transaction logs and client PII.

Containment Actions (Order of Urgency):

  1. Isolate: Disconnect internet-facing Exchange and SmarterMail servers from the network immediately.
  2. Reset: Force-reset passwords for all privileged accounts (Domain Admins) and service accounts used on email servers.
  3. Block: Firewall blocks on outbound ports 443/80 to non-whitelisted cloud storage IP ranges.

Hardening Recommendations

Immediate (24h):

  • Patch: Apply security updates for SmarterMail (CVE-2025-52691, CVE-2026-23760) and Microsoft Exchange (CVE-2023-21529) immediately.
  • Disable: If patching is delayed, disable external access to OWA and SmarterMail web interfaces from the internet, enforcing VPN access with MFA.
  • Audit: Disable any accounts found with suspicious logon patterns (Type 10 - RemoteInteractive) on critical servers.

Short-term (2 weeks):

  • Network Segmentation: Move critical file servers and backup systems to a separate VLAN with strict egress filtering.
  • MFA Enforcement: Implement FIDO2 or phishing-resistant MFA for all remote access solutions (VPN, RD Gateway) and email admin consoles.
  • EDR Tuning: Ensure EDR policies cover PowerShell script block logging and child process spawning for web servers.
