Aliases: Agenda, Qilin (formerly Agenda) Model: Ransomware-as-a-Service (RaaS)
Qilin is a sophisticated RaaS operation known for its custom Go-based encryptor and aggressive double-extortion tactics. The group typically targets mid-to-large enterprises, demanding ransoms ranging from $500,000 to several million dollars. Initial access vectors have historically included compromised VPN credentials and phishing; however, recent intelligence indicates a sharp pivot toward exploiting unpatched internet-facing infrastructure, specifically email and perimeter security appliances.
- Ransom Demands: High six to seven figures USD (negotiable).
- Extortion: Double extortion (data encryption + leak site pressure). They are known to contact victims' partners and press to force payment.
- Dwell Time: Average 3–9 days. Qilin operators move laterally quickly, often establishing persistence via Scheduled Tasks or WMI event consumers immediately after gaining access.
Current Campaign Analysis
Sector Targeting: The latest posting cycle (15 victims in 48 hours) reveals a diversified but targeted approach:
- Manufacturing: 20% of victims (Buckley Powder, Leistritz, Denso).
- Financial Services: 13% of victims (KEMBA Indianapolis Credit Union, First County FCU).
- Agriculture & Food Production: 13% of victims (SanCor, Cahbo Produkter).
- Business Services & Hospitality: Significant focus on B2B service providers (Woodfields, Travel Expert, Chase Cooper).
Geographic Concentration: While global, the current wave shows heavy concentration in North America (US, CA) and Europe (DE, GB, SE), with notable expansion into Asia-Pacific (PH, HK, JP).
Victim Profile: Targets are established entities with revenues likely exceeding $50M, specifically those with complex supply chains or high data sensitivity (e.g., Credit Unions, specialized manufacturers).
CVE & Initial Access Vectors: This campaign correlates strongly with the recent addition of CVE-2025-52691 (SmarterTools SmarterMail) and CVE-2023-21529 (Microsoft Exchange) to the CISA KEV list.
- Financial Sector Link: The targeting of Credit Unions (KEMBA, First County) aligns perfectly with the SmarterMail vulnerabilities (CVE-2025-52691, CVE-2026-23760), as these institutions frequently rely on on-premise mail servers.
- Manufacturing/Business Link: The targeting of broader enterprise victims suggests the use of Microsoft Exchange exploits (CVE-2023-21529) and the Meta React Server Components RCE (CVE-2025-55182) for initial web shell delivery.
Detection Engineering
The following detection logic is tailored to the specific TTPs observed in this campaign, focusing on the exploitation of email servers and the subsequent lateral movement characteristic of Qilin.
Sigma Rules
YAML
---
title: Potential SmarterMail RCE Exploitation via Web Shell
description: Detects suspicious process execution patterns indicative of SmarterMail exploitation (CVE-2025-52691). Web shells often spawn cmd.exe or powershell.exe from the IIS worker process.
status: experimental
date: 2026/04/26
author: Security Arsenal
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\w3wp.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
filter_legit:
CommandLine|contains:
- 'appcmd'
- 'maintenance'
condition: selection and not filter_legit
falsepositives:
- Legitimate administration via IIS
level: high
---
title: Microsoft Exchange Deserialization Exploitation Attempt
description: Detects patterns associated with the deserialization of untrusted data in Microsoft Exchange (CVE-2023-21529). Monitors for unusual PowerShell commands spawned by MSExchange.
status: experimental
date: 2026/04/26
author: Security Arsenal
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|contains: 'MSExchange'
Image|endswith: '\powershell.exe'
CommandLine|contains:
- 'System.Management.Automation'
- 'Serialization'
- '-EncodedCommand'
condition: selection
falsepositives:
- Exchange server maintenance scripts
level: critical
---
title: Qilin Ransomware Lateral Movement via PsExec
id: 8b8e8e2d-1f1e-4a4b-9e0a-3a5b5c6d7e8f
description: Detects the use of PsExec for lateral movement, a common technique used by Qilin operators to spread to domain controllers.
status: experimental
date: 2026/04/26
author: Security Arsenal
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\psexec.exe'
CommandLine|contains:
- '\\'
- '-accepteula'
condition: selection
falsepositives:
- legitimate administrative tasks
level: high
KQL Hunt Query (Microsoft Sentinel)
Hunts for signs of lateral movement and staging behavior associated with Qilin tooling, specifically looking for massive file volume changes (staging) and remote service creation.
KQL — Microsoft Sentinel / Defender
let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where (ProcessName has "powershell.exe" or ProcessName has "pwsh.exe") and
(CommandLine contains "-enc" or CommandLine contains "DownloadString" or CommandLine contains "IEX")
| extend ParentProcess = InitiatingProcessFileName
| where ParentProcess !in ("explorer.exe", "cmd.exe")
| summarize count() by DeviceName, AccountName, ParentProcess, FolderPath
| join kind=inner (
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| where ActionType == "FileCreated" and (FileName endswith ".locked" or FileName endswith ".qilin")
) on DeviceName
| project DeviceName, AccountName, ParentProcess, TargetFolder = FolderPath1
PowerShell Rapid Response Script
This script scans for indicators of Qilin staging, specifically looking for recently modified scheduled tasks and common Qilin ransomware file extensions.
PowerShell
# Qilin Ransomware Rapid Response Indicator Hunter
# Requires Administrator Privileges
Write-Host "[+] Starting Qilin Indicator Hunter..." -ForegroundColor Cyan
# 1. Check for suspicious Scheduled Tasks created in the last 7 days
$suspiciousTasks = Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)}
if ($suspiciousTasks) {
Write-Host "[WARNING] Found Scheduled Tasks created/modified in the last 7 days:" -ForegroundColor Red
$suspiciousTasks | Select-Object TaskName, Date, Author | Format-Table -AutoSize
} else {
Write-Host "[OK] No suspicious recent Scheduled Tasks found." -ForegroundColor Green
}
# 2. Scan for Ransomware Extensions (Qilin often uses generic or random, but .locked/.enc is common)
$drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
$extensions = @("*.locked", "*.qilin", "*.enc", "*.crypt")
$foundFiles = @()
foreach ($drive in $drives) {
Write-Host "[+] Scanning drive $drive for encrypted files..." -ForegroundColor Gray
foreach ($ext in $extensions) {
try {
$files = Get-ChildItem -Path $drive -Filter $ext -Recurse -ErrorAction SilentlyContinue -Depth 2
if ($files) { $foundFiles += $files }
} catch {
# Ignore access errors
}
}
}
if ($foundFiles) {
Write-Host "[CRITICAL] Ransomware encrypted files detected:" -ForegroundColor Red
$foundFiles | Select-Object FullName, CreationTime, LastWriteTime
} else {
Write-Host "[OK] No common ransomware extensions found on scanned drives." -ForegroundColor Green
}
# 3. Check for Qilin Ransom Note (README files)
Write-Host "[+] Scanning for README ransom notes..." -ForegroundColor Gray
$notes = Get-ChildItem -Path C:\ -Filter "README*" -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Length -lt 1MB -and $_.Extension -eq ".txt" }
if ($notes) {
Write-Host "[WARNING] Potential ransom notes found:" -ForegroundColor Yellow
$notes | Select-Object FullName
}
Write-Host "[+] Hunt complete." -ForegroundColor Cyan
# Incident Response Priorities
**T-Minus Detection Checklist (Pre-Encryption):**
1. **Web Shell Hunt:** Immediately scan IIS logs for SmarterMail (`/Services/`) and Exchange (`/ecp/`, `/owa/`) endpoints for POST anomalies or 500 errors followed by 200 OKs.
2. **Memory Forensics:** Dump the memory of `w3wp.exe` and `MSExchange` processes to detect in-memory web shells (e.g., ASPXSpy variants).
3. **PowerShell Auditing:** Look for PowerShell logs (Script Block Logging) containing Base64 encoded payloads.
**Critical Assets for Exfiltration:**
Qilin prioritizes **PII** (Financial records, Patient data) and **Intellectual Property** (Manufacturing schematics, Proprietary formulas). Focus containment efforts on File Servers and Database Servers.
**Containment Actions:**
1. **Isolate:** Disconnect infected mail servers and domain controllers from the network immediately.
2. **Block:** Firewall rules blocking all outbound SMB/RDP traffic from non-administrative subnets.
3. **Revoke:** Reset credentials for accounts used on the compromised mail servers; assume AD has been synchronized if the DC is compromised.
# Hardening Recommendations
**Immediate (24 Hours):**
* **Patch Critical CVEs:** Apply patches for **CVE-2025-52691** (SmarterMail), **CVE-2026-23760** (SmarterMail), and **CVE-2023-21529** (Exchange). If patching is impossible, disable external access to these services immediately.
* **Disable Unauthenticated Access:** Ensure Exchange and Mail servers do not allow unauthenticated API access or internal relay.
* **MFA Enforcement:** Enforce phishing-resistant MFA (FIDO2) for all remote access (VPN) and webmail interfaces.
**Short-Term (2 Weeks):**
* **Network Segmentation:** Isolate mail servers from the rest of the Active Directory environment. They should not have bidirectional trust with the core domain.
* **EDR Deployment:** Ensure EDR sensors are active on all internet-facing boundary devices, not just workstations.
* **Script Block Logging:** Enable mandatory PowerShell Script Block Logging and Module Logging across the enterprise to detect obfuscated execution chains.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebransomware-gangqilinransomwarefinancemanufacturingsmartermailcve-2025-52691
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.