Aliases: Agenda, Qilin
Operating Model: Ransomware-as-a-Service (RaaS). Qilin operates as a sophisticated affiliate model, offering a Rust-based encryptor optimized for speed and encryption complexity to its partners.
Ransom Demands: Typically ranges from $300,000 to $5 million USD, depending on victim revenue and exfiltrated data volume. They employ a strictly "name-and-shame" approach on their Tor leak site, publishing sensitive documents if deadlines are missed.
Initial Access & TTPs:
- Vectors: Historically relies on valid credentials obtained via phishing, exploitation of remote access tools (RDP), and vulnerabilities in edge networking devices.
- Recent Shift: The emergence of CVE-2026-50751 (Check Point) and CVE-2024-1708 (ScreenConnect) in their ecosystem indicates a pivot toward exploiting perimeter security management and remote support software for initial foothold.
- Double Extortion: Aggressive data theft preceding encryption. They threaten to release data and DDoS victim sites if contact is not established.
- Dwell Time: Average 3–5 days from initial access to encryption. Speed is a priority; lateral movement often occurs via Cobalt Strike beacons and custom PowerShell loaders.
Current Campaign Analysis
Sector Targeting: The latest dump (24 victims) shows a distinct pivot towards Business Services (specifically Legal and Consultancy firms like Miller & Zois and Bekman Marder) and Consumer Services/Retail (e.g., Maui Divers Jewelry). This suggests Qilin affiliates are targeting organizations with high intellectual property value and time-sensitive operations to maximize pressure on ransom payment.
Geographic Concentration:
- Primary: United States (approx. 70% of recent victims).
- Secondary: Germany, Mexico, South Korea.
Victim Profile: Targets range from mid-market ($50M–$200M revenue) to upper mid-market entities. The targeting of law firms and jewelry retailers indicates a focus on organizations with sensitive client data (PII) and high-value transaction records, rather than just operational disruption.
Escalation Patterns: Posting frequency has accelerated, with 15+ victims listed within a single 48-hour window (2026-06-10 to 2026-06-11). This bulk posting suggests a successful automated supply chain attack or the mass-exploitation of a specific vulnerability (likely CVE-2024-1708 or CVE-2026-50751) affecting managed service providers (MSPs) or shared infrastructure.
CVE Correlation: The integration of CVE-2026-50751 (Check Point Security Gateway) is a critical development. By targeting the security appliance itself, the group bypasses traditional firewall rules. Additionally, CVE-2024-1708 (ConnectWise ScreenConnect) remains a dominant vector, allowing remote code execution without user interaction.
Detection Engineering
Sigma Rules
title: Potential ScreenConnect Path Traversal Exploit CVE-2024-1708
id: 8a1b2c3d-4e5f-6789-0abc-def123456789
status: experimental
description: Detects potential exploitation of ConnectWise ScreenConnect path traversal vulnerability via suspicious URI patterns in web logs.
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/12
tags:
- attack.initial_access
- attack.t1190
- cve.2024.1708
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- '..%255c'
- '..\'
- '%2e%2e'
condition: selection
falsepositives:
- Unknown
level: critical
---
title: Check Point VPN Authentication Anomaly Spike
id: b2c3d4e5-6789-0abc-def123456789a
status: experimental
description: Detects a high volume of failed IKEv1 authentication attempts followed by a success, indicative of brute-force or CVE-2026-50751 exploitation.
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/12
tags:
- attack.initial_access
- attack.t1110.003
- cve.2026.50751
logsource:
product: firewall
detection:
selection_high_fail:
action|contains: 'deny'
service|contains: 'ike'
dst_port: 500
selection_success:
action|contains: 'accept'
service|contains: 'ike'
timeframe: 5m
condition: selection_high_fail | count() > 50 and selection_success
falsepositives:
- VPN misconfigurations
- High user turnover events
level: high
---
title: Suspicious PowerShell Base64 Encoded Command
id: c3d4e5f6-7890-1bcd-ef123456789ab
status: experimental
description: Detects PowerShell processes launched with encoded commands, a common method used by Qilin affiliates for obfuscation and lateral movement.
author: Security Arsenal Research
date: 2026/06/12
tags:
- attack.execution
- attack.t1059.001
- attack.t1027
logsource:
category: process_creation
detection:
selection_img:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
selection_cli:
CommandLine|contains:
- ' -enc '
- ' -EncodedCommand '
filter_legit:
ParentImage|contains:
- '\Windows\System32\'
condition: selection_img and selection_cli and not filter_legit
falsepositives:
- System management scripts
level: medium
KQL (Microsoft Sentinel)
// Hunt for Qilin-associated lateral movement and staging
// Looks for PowerShell spawning network connections (C2 beaconing) and PsExec usage
let ProcessEvents = DeviceProcessEvents
| where Timestamp > ago(7d);
let NetworkEvents = DeviceNetworkEvents
| where Timestamp > ago(7d);
ProcessEvents
| where FileName in~("powershell.exe", "pwsh.exe", "psexec.exe", "psexec64.exe")
| where ProcessCommandLine contains "-enc" or ProcessCommandLine contains "Invoke-Expression"
| join kind=inner (
NetworkEvents
| where RemotePort in (443, 8080, 8443) // Common C2 ports
) on DeviceId, InitiatingProcessAccountId
| summarize count() by DeviceName, FileName, RemoteUrl, InitiatingProcessAccountName
| project DeviceName, Account=InitiatingProcessAccountName, Process=FileName, C2=RemoteUrl, Count_
PowerShell — Rapid Response Script
<#
.SYNOPSIS
Qilin Ransomware Pre-Encryption Triage Script
.DESCRIPTION
Checks for signs of Qilin activity: VSS shadow copy deletion, suspicious scheduled tasks, and recent PowerShell logs.
#>
Write-Host "[+] Checking Volume Shadow Copy Status..." -ForegroundColor Cyan
$vss = vssadmin list shadows
if ($vss -match "No shadow copies found") {
Write-Host "[!] ALERT: No Volume Shadow Copies found. Possible deletion event." -ForegroundColor Red
} else {
Write-Host "[OK] Shadow copies exist." -ForegroundColor Green
}
Write-Host "\n[+] Enumerating Scheduled Tasks created/modified in last 7 days..." -ForegroundColor Cyan
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) }
if ($suspiciousTasks) {
Write-Host "[!] ALERT: Found recent scheduled tasks:" -ForegroundColor Yellow
$suspiciousTasks | Select-Object TaskName, Date, Author | Format-Table -AutoSize
} else {
Write-Host "[OK] No recent suspicious task creation." -ForegroundColor Green
}
Write-Host "\n[+] Checking for recent PowerShell Event Log 4104 (Script Block Logging)..." -ForegroundColor Cyan
$logs = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($logs) {
$encodedScripts = $logs | Where-Object { $_.Message -match "EncodedCommand" }
if ($encodedScripts) {
Write-Host "[!] ALERT: Found encoded PowerShell scripts in the last 24 hours." -ForegroundColor Red
# Export for analysis
$encodedScripts | Export-Csv -Path "C:\Temp\Qilin_PowerShell_Triage.csv" -NoTypeInformation
} else {
Write-Host "[OK] No encoded script blocks detected recently." -ForegroundColor Green
}
}
# Incident Response Priorities
T-Minus Detection Checklist
- RMM/VPN Logs: Immediate audit of ConnectWise ScreenConnect logs for path traversal signatures and Check Point logs for IKEv1 anomalies.
- Shadow Copies: Check
vssadmin list shadows. If absent or deletion events exist in Event ID 70 (VSS Admin), assume active encryption phase is imminent. - Service Accounts: Audit Service Account logs (Event ID 4624/4625) for anomalous logon times or geographic impossibility.
Critical Asset Prioritization for Exfiltration
Based on Qilin's history, prioritize the containment of:
- Legal DMS: Document Management Systems (e.g., iManage, NetDocuments).
- ERP Databases: SQL servers hosting customer PII and financial records.
- File Servers: HR and Executive directories (common targets for leverage).
Containment Actions
- Disconnect VPNs: Immediately terminate all active VPN sessions and force MFA re-authentication.
- Isolate ScreenConnect Servers: Take RMM servers offline if internet-facing; patch CVE-2024-1708 before bringing back online.
- Suspend Service Accounts: Suspend accounts for tools like PsExec or any administrative accounts used for scheduled tasks identified in the triage script.
Hardening Recommendations
Immediate (24 Hours)
- Patch Edge Devices: Apply the patch for CVE-2026-50751 on all Check Point Security Gateways immediately.
- Patch RMM Tools: Update all ConnectWise ScreenConnect instances to the latest build to mitigate CVE-2024-1708.
- Disable Unused VPN Protocols: Disable IKEv1 on VPN concentrators if not strictly required for legacy support.
Short-term (2 Weeks)
- Implement Geo-Blocking: Restrict VPN and RDP access to source countries where business operations do not exist.
- MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) for all remote access solutions.
- Network Segmentation: Isolate RMM/Management tools from the general production network to prevent lateral movement from a compromised management server.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.