Aliases: Agenda, Titan.
Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates with an aggressive affiliate model, allowing various initial access brokers (IABs) to bring victims into the fold while the core team maintains the encryption payload and leak site infrastructure.
Ransom Demands: Typically range from $500,000 to multi-million dollar USD demands, largely dictated by the victim's revenue and the sensitivity of exfiltrated data. Payment is exclusively demanded in Monero (XMR) or Bitcoin (BTC).
Initial Access Vectors: Qilin affiliates heavily exploit internet-facing applications. Recent intelligence confirms a pivot towards exploiting specific vulnerabilities in remote management software (ConnectWise ScreenConnect) and email infrastructure (SmarterTools SmarterMail). Phishing remains a secondary vector, often utilizing valid credentials obtained via info-stealers.
Double Extortion: Strict adherence. Qilin exfiltrates large volumes of data (often tens to hundreds of GBs) prior to encryption execution. They maintain a dedicated "Wall of Shame" .onion site where non-paying victims' data is published in tiers.
Dwell Time: Analysis of recent victims (e.g., Semgrep, ExpoCredit) suggests a dwell time averaging 3 to 7 days. The group operates with high velocity once inside, moving laterally and staging data rapidly to minimize detection windows.
Current Campaign Analysis
Sector Targeting: The current campaign shows a distinct skew towards Business Services (Alpert Slobin & Rubenstein, Global Retool Group, WNS Lowery, Porter W Yett) and Professional Services. Qilin is effectively targeting the supply chain—firms that hold sensitive data for multiple downstream clients. The inclusion of Technology (Semgrep) and Financial Services (ExpoCredit) indicates a broad horizontal scan for vulnerable internet-facing assets rather than vertical industry focus.
Geographic Concentration:
- Primary: United States (Sponseller, Alpert Slobin, Semgrep, Snyder Packaging)
- Secondary: United Kingdom (Hamer Childs, Porter W Yett)
- Tertiary: Australia, New Zealand, Czech Republic, Austria.
Victim Profile: Victims range from mid-market entities ($50M - $500M revenue) to larger enterprise holdings (Alpha Group Holdings). The targeting of legal and financial firms suggests a focus on high-value data for extortion leverage.
Campaign Velocity: Qilin posted 15 victims between May 20 and May 24, 2026. This high frequency indicates a successful automated exploitation pipeline, likely leveraging the recently identified CVEs below.
CVE Linkage: We assess with high confidence that the recent surge in victims is directly linked to the exploitation of:
- CVE-2024-1708 (ConnectWise ScreenConnect): A critical path traversal vulnerability allowing RCE. Qilin affiliates frequently use this to gain initial access to managed service providers (MSPs) or internal IT helpdesks.
- CVE-2025-52691 & CVE-2026-23760 (SmarterMail): File upload and auth bypass vulnerabilities. These provide a direct entry point into email servers, allowing for credential dumping and lateral movement to domain controllers.
- CVE-2023-21529 (Microsoft Exchange): Deserialization flaw, used for persistence or internal pivoting.
Detection Engineering
Sigma Rules
title: Potential ConnectWise ScreenConnect Auth Bypass Exploit
description: Detects suspicious process execution patterns associated with CVE-2024-1708 exploitation on ScreenConnect servers.
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/05/26
status: experimental
tags:
- attack.initial_access
- attack.t1190
- cve.2024.1708
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\ScreenConnect.ClientService.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
condition: selection
falsepositives:
- Legitimate administrator troubleshooting via ScreenConnect
level: critical
---
title: SmarterMail Suspicious File Upload Activity
description: Detects potential exploitation of SmarterMail via web logs indicating file upload extensions often used in webshells.
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/05/26
status: experimental
tags:
- attack.initial_access
- attack.t1190
- cve.2025.52691
logsource:
product: webserver
detection:
selection_uri:
cs-method: 'POST'
cs-uri-query|contains:
- 'Services/MailService.asmx'
- 'Services/Service.asmx'
selection_ext:
cs-uri-query|contains:
- '.aspx'
- '.ashx'
condition: all of selection_*
falsepositives:
- Legitimate email client attachments
level: high
---
title: Ransomware Data Staging via Robocopy
description: Detects the use of robocopy for mass data copying, a common precursor to exfiltration by groups like Qilin.
references:
- Internal Ransomware Investigations
author: Security Arsenal Research
date: 2026/05/26
status: experimental
tags:
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\robocopy.exe'
CommandLine|contains:
- '/COPYALL'
- '/E'
- '/ZB'
condition: selection
falsepositives:
- Legitimate system backup tasks
level: medium
KQL (Microsoft Sentinel)
// Hunt for suspicious lateral movement and remote execution indicative of Qilin post-exploitation
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("wmic.exe", "powershell.exe", "cmd.exe")
| where ProcessCommandLine has_any ("node", "js", "VBScript", "Encode", "DownloadString")
or ProcessCommandLine matches regex @"\s\/node\s"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc
PowerShell Response Script
<#
.SYNOPSIS
Checks for common Qilin pre-encryption artifacts.
.DESCRIPTION
This script checks for recent deletion of Volume Shadow Copies (VSS) and
enumerates scheduled tasks created in the last 24 hours.
#>
Write-Host "[!] Checking for VSS Deletion Events..." -ForegroundColor Yellow
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='VSS'; ID=12343} -ErrorAction SilentlyContinue -MaxEvents 10
if ($vssEvents) {
Write-Host "[ALERT] Recent Volume Shadow Copy Deletion Detected:" -ForegroundColor Red
$vssEvents | Select-Object TimeCreated, Message | Format-List
} else {
Write-Host "[OK] No recent VSS deletion events found." -ForegroundColor Green
}
Write-Host "\n[!] Enumerating Scheduled Tasks created in last 24 hours..." -ForegroundColor Yellow
$tasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddHours(-24) }
if ($tasks) {
Write-Host "[ALERT] Recently Created Scheduled Tasks (Potential Persistence):" -ForegroundColor Red
$tasks | Select-Object TaskName, Date, Author
} else {
Write-Host "[OK] No new scheduled tasks found." -ForegroundColor Green
}
Write-Host "\n[!] Checking for suspicious RDP logons (Type 10) via generic accounts..." -ForegroundColor Yellow
$rdp = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; Data=10} -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-24) }
if ($rdp) {
Write-Host "[INFO] Recent RDP Logons found. Manual review recommended." -ForegroundColor Cyan
}
---
# Incident Response Priorities
1. **T-minus Detection Checklist:**
* **ScreenConnect Logs:** immediate review of `ScreenConnect.Service` logs for `PathTraversal` or `AuthenticationError` spikes on `2026-05-20` through `2026-05-24`.
* **Web Server Logs:** Scan SmarterMail/IIS logs for `POST` requests to `Services/MailService.asmx` containing suspicious extensions or large payloads.
* **PowerShell:** Hunt for base64 encoded strings in `powershell.exe` process arguments.
2. **Critical Assets (Targeted for Exfiltration):**
* Client databases (CRM/ERP).
* Executive email archives (PST/OST files).
* Financial records (Audit reports, Tax documents).
* Source code repositories (observed in `Semgrep` victim).
3. **Containment Actions (Order by Urgency):**
* **Immediate:** Isolate systems running vulnerable versions of ConnectWise ScreenConnect and SmarterMail. Block inbound internet traffic to these management interfaces at the perimeter firewall.
* **High:** Reset credentials for all service accounts (especially those with domain admin privileges) used on the affected email servers or remote access tools.
* **Medium:** Suspend all non-essential scheduled tasks and audit WMI repository for suspicious event consumers.
---
# Hardening Recommendations
**Immediate (24 Hours):**
* **Patch Management:** Apply patches for CVE-2024-1708 (ScreenConnect), CVE-2025-52691, and CVE-2026-23760 (SmarterMail) immediately. If patching is not possible, disable the services or place them behind a zero-trust VPN with strict MFA.
* **Access Control:** Enforce strict MFA on all remote access gateways. Ensure the MFA challenge cannot be bypassed (e.g., no trusted IP ranges that bypass MFA).
**Short-Term (2 Weeks):**
* **Network Segmentation:** Implement stricter segmentation between IT management tools (ScreenConnect/SmarterMail) and the rest of the internal network. These tools should not be able to initiate RDP/WinRM to domain controllers without explicit firewall rules.
* **EDR Tuning:** Configure EDR policies to flag the execution of `powershell.exe` spawned by web server processes or management utilities as "Suspicious" rather than "Informative".
---
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.