Back to Intelligence

QILIN Ransomware: Aggressive Campaign Targets Construction & Tech — Detection & Intel

SA
Security Arsenal Team
May 23, 2026
6 min read

Intelligence Briefing Date: 2026-05-23 Source: Ransomware.live & Security Arsenal Dark Web Intel Unit Threat Level: HIGH

Threat Actor Profile — QILIN

Overview: QILIN (also known as Agenda) is a Ransomware-as-a-Service (RaaS) operation that has aggressively pivoted to targeting mid-market enterprises. The group operates on an affiliate model, providing a customized Go-based ransomware payload known for its fast encryption speed and cross-platform capabilities (Windows/Linux).

TTPs & Modus Operandi:

  • Ransom Model: Double extortion. QILIN typically exfiltrates sensitive data (blueprints, client databases, source code) before encrypting systems. Demands range from $200,000 to $2M depending on victim revenue.
  • Initial Access: Historically relies on exploiting vulnerabilities in external-facing remote management software (ConnectWise ScreenConnect) and brute-forcing exposed RDP/VPN endpoints. Phishing remains a secondary vector.
  • Lateral Movement: Affiliates frequently use Cobalt Strike beacons, PowerShell remoting, and custom tools for credential dumping (Mimikatz).
  • Dwell Time: Average dwell time is approximately 3–5 days from initial access to encryption, indicating a "smash and grab" approach or automated playbook execution.

Current Campaign Analysis

Sector Targeting: The latest data (14 recent victims) reveals a distinct shift toward the Construction and Technology sectors.

  • Construction (29% of victims): ROTO Immobilien (AT), CJ Architects (US), Air Conditioning Florida & partners (US), RCR Industrial Flooring (AU).
  • Technology: Semgrep (US) — a high-value target indicating capability to breach mature security postures.
  • Manufacturing: Snyder Packaging, Buckeye Paper (US).

Geographic Concentration: The United States is the primary target zone (50% of recent victims), followed by the UK and Austria. This suggests a focus on Western economies with higher ransom-paying capacity.

CVE Correlation: This campaign strongly correlates with the active exploitation of CVE-2024-1708 (ConnectWise ScreenConnect). Construction firms and MSPs frequently utilize ScreenConnect for remote management, making them low-hanging fruit for this exploit. Additionally, CVE-2025-52691 (SmarterMail) poses a risk to the business service and tech victims observed (e.g., Porter W Yett, Semgrep).

Posting Frequency: Qilin is operating at high velocity, with 6 victims posted on a single day (2026-05-20). This suggests an automated pipeline for victim publishing or multiple active affiliates.

Detection Engineering

Sigma Rules

YAML
---
title: Potential ConnectWise ScreenConnect Authentication Bypass
id: 8f1d6f3e-1a2b-4c5d-9e6f-7a8b9c0d1e2f
description: Detects exploitation attempts of ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708) via suspicious URI paths or webshell activity.
status: experimental
date: 2026/05/23
author: Security Arsenal Labs
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '/SetupWizard.aspx'
            - '/WebService.asmx/'
            - 'Host='
            - 'Command='
    condition: selection
falsepositives:
    - Legitimate administrative setup (rare in production)
level: high
---
title: Qilin Ransomware Pre-Encryption VSS Deletion
id: a2b3c4d5-6e7f-8a9b-0c1d-2e3f4a5b6c7d
description: Detects the deletion of Volume Shadow Copies using vssadmin or wmic, a common precursor to ransomware encryption used by Qilin affiliates.
status: experimental
date: 2026/05/23
author: Security Arsenal Labs
logsource:
    category: process_creation
detection:
    selection_vssadmin:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'Delete Shadows'
    selection_wmic:
        Image|endswith: '\wmic.exe'
        CommandLine|contains: 'shadowcopy delete'
    condition: 1 of selection_*
falsepositives:
    - System administrator maintenance
level: critical
---
title: Suspicious PowerShell Child Process Execution
id: b3c4d5e6-7f8a-9b0c-1d2e-3f4a5b6c7d8e
description: Detects PowerShell spawning suspicious child processes often associated with Qilin payload execution or lateral movement (e.g., launching runDLL32 or regsvr32 with base64 encoded commands).
status: experimental
date: 2026/05/23
author: Security Arsenal Labs
logsource:
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith: '\powershell.exe'
    selection_child:
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\mshta.exe'
    selection_flags:
        CommandLine|contains: ' -enc ' or CommandLine|contains: ' -EncodedCommand '
    condition: all of selection_*
falsepositives:
    - Legitimate system administration scripts
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and SmarterMail anomalies associated with Qilin TTPs
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// Identify suspicious processes often used by Qilin (e.g. PsExec, PowerShell, Cobalt Strike)
| where FileName in~ ('powershell.exe', 'psexec.exe', 'psexec64.exe', 'wmic.exe', 'cmd.exe')
// Filter for network connections or lateral movement indicators
| where ProcessCommandLine has any("-enc", "-encodedcommand", "Invoke-Command", "New-PSSession") 
   or InitiatingProcessFileName has_any("winword.exe", "excel.exe", "powershell.exe")
// Correlate with SmarterMail web server processes if applicable
| join kind=leftouter (DeviceProcessEvents 
    | where FileName =~ "MailService.exe" or FolderPath contains "SmarterMail" 
    | project Timestamp, DeviceName, AccountName, SmarterMailActivity=ProcessCommandLine
) on DeviceName, Timestamp
| project Timestamp, DeviceName, FileName, ProcessCommandLine, SmarterMailActivity
| order by Timestamp desc

Rapid Response Hardening Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    Qilin Ransomware Hardening and Detection Script
.DESCRIPTION
    Checks for indicators of Qilin activity (RDP anomalies, Scheduled Tasks) 
    and applies immediate hardening rules.
#>

Write-Host "[*] Starting Qilin Threat Hunt & Hardening..." -ForegroundColor Cyan

# 1. Check for recent Scheduled Tasks (Persistence)
Write-Host "[+] Checking for Scheduled Tasks created/modified in the last 7 days..."
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | 
    Select-Object TaskName, Date, Author, Actions | Format-Table -AutoSize

# 2. Hunt for recent VSS Shadow Copy deletions
Write-Host "[+] Checking System Event Log for VSS Deletion events (Event ID 7036/1 from VSS)..."
Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=(Get-Date).AddHours(-24); Id=1} -ErrorAction SilentlyContinue | 
    Where-Object {$_.Message -like '*delete*' -and $_.Message -like '*shadow*'} | 
    Select-Object TimeCreated, Message | Format-List

# 3. Audit RDP Users
Write-Host "[+] Listing active RDP sessions..."
query user

# 4. Hardening: Block incoming RDP if not required (Enable Firewall Rule)
Write-Host "[!] REMEDIATION: Disabling RDP via Firewall if possible..."
# Uncomment the line below to enforce blocking
# Disable-NetFirewallRule -DisplayGroup "Remote Desktop"
Write-Host "[*] Script complete. Review findings immediately." -ForegroundColor Green


---

Incident Response Priorities

T-Minus Detection Checklist:

  1. ScreenConnect Audit: Immediate review of ConnectWise ScreenConnect logs for SetupWizard.aspx access or unusual WebService.asmx POST requests around 2026-05-20 to 2026-05-23.
  2. SmarterMail Review: Tech and Business Services victims should audit SmarterMail logs for authentication bypass attempts using the resetpassword.aspx or alternative path vulnerabilities.
  3. PowerShell Logs: Hunt for Invoke-Expression or encoded commands spawning from parent processes like WinWord or Excel.

Critical Assets (Exfiltration Targets):

  • Construction: Architectural blueprints (DWG/PDF), project bids, client financial data.
  • Technology: Source code repositories, signing keys, customer IAM databases.

Containment Actions:

  1. Isolate: Disconnect vulnerable assets (ScreenConnect servers, Exposed RDP hosts) from the network immediately.
  2. Reset: Force reset of credentials for all local admin accounts and service accounts used on compromised hosts.
  3. Block: Block IP addresses associated with the Tor nodes or known Qilin C2 infrastructure at the perimeter firewall.

Hardening Recommendations

Immediate (24h):

  • Patch CVE-2024-1708: Apply the ConnectWise ScreenConnect patch immediately. If patching is delayed, disable access to the SetupWizard.aspx and WebService.asmx endpoints via WAF rules.
  • Disable RDP: Ensure Remote Desktop is not exposed to the internet. Enforce MFA for all VPN/RDP access.
  • SmarterMail Update: Update SmarterMail to the latest patched version to address CVE-2025-52691.

Short-term (2 weeks):

  • Network Segmentation: Separate critical business servers (CAD/File servers) from general workstations to prevent lateral spread.
  • Endpoint Detection: Deploy EDR policies specifically monitoring for vssadmin.exe usage and unauthorized PowerShell script execution.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwareconstruction-sectorconnectwisetech-sector

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action