Date: 2026-04-22
Source: Ransomware.live / Dark Web Leak Sites
Threat Actor Profile — QILIN
- Aliases: Agenda, Titan
- Model: Ransomware-as-a-Service (RaaS) operated through affiliates. Recent operations suggest a shift towards high-volume affiliate activity targeting mid-market enterprises.
- Ransom Demands: Highly variable, typically ranging from $500k to $5M, dependent on victim revenue and exfiltrated data volume.
- Initial Access: Heavily reliant on exploiting external-facing services (VPN, Firewall appliances, Email servers) rather than pure phishing. Recent campaigns leverage deserialization vulnerabilities in Microsoft Exchange and management appliances.
- TTPs: Double extortion standard. Known to use customized Go-based ransomware binaries. Affiliates frequently utilize Cobalt Strike beacons for C2 and PowerShell for lateral movement.
- Dwell Time: Average observed dwell time is approximately 3 to 7 days between initial access and encryption, indicating a "smash-and-grab" approach on accessible data rather than deep persistence.
Current Campaign Analysis
Sector Targeting
Analysis of the last 15 victims posted (2026-04-20 to 2026-04-21) reveals a distinct pivot towards Manufacturing (40% of victims) and Transportation/Logistics.
- Manufacturing: Industrial Carrocera Arbuciense (ES), Kolin Turkey (TR), Heartland Steel Products (US), Safety Engineering Laboratories (US), Huonker GmbH (DE).
- Transportation/Logistics: Sea Air International Forwarders (CA), Avitrans (Unknown).
- Business Services: PTS Office Systems (US), City'Pro (FR), GUEGUEN Avocats (FR).
Geographic Concentration
The campaign is globally dispersed but heavily weighted towards NATO/Western allies:
- North America: US (5), CA (2)
- Europe: ES (1), FR (3), DE (1), IE (1)
- Other: TR (1), CO (1)
Victim Profile
Targets range from mid-sized specialized logistics firms (e.g., Sea Air International) to large-scale construction and manufacturing entities (e.g., Ferguson Timar). The inclusion of a Public Sector entity (Roman Catholic Archdiocese of St John, CA) suggests affiliates are casting a wide net across vulnerable verticals rather than discriminating based solely on ability to pay.
Exploitation Activity (CVEs)
The recent addition of CVEs to the CISA KEV list correlates directly with QILIN's access vectors:
- CVE-2023-21529 (Microsoft Exchange): Deserialization flaw. Likely used for initial access into Business Services and Healthcare (STERIMED) victims where Exchange is a critical exposed surface.
- CVE-2026-20131 (Cisco Secure Firewall Management Center): Deserialization flaw. Allows attackers to bypass perimeter defenses or modify firewall rules to enable C2 traffic.
- CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail): File upload and authentication bypass flaws. Mail servers exposed this way are high-value footholds for affiliates.
Detection Engineering
SIGMA Rules
title: Potential Exchange Deserialization Exploit (CVE-2023-21529)
id: 8a7c4b1c-9d2e-4a5f-8b1c-3d2e4a5f6b7c
description: Detects suspicious processes spawned by Microsoft Exchange w3wp.exe, indicative of deserialization RCE exploitation.
status: experimental
date: 2026/04/22
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\w3wp.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\whoami.exe'
    filter_legit_exchange:
        ParentImage|contains: '\FrontEnd\'
        CommandLine|contains: 'bin\SearchService.exe'
    condition: selection and not filter_legit_exchange
falsepositives:
    - Administrative tasks
level: high
---
title: SmarterMail Suspicious File Execution (CVE-2025-52691)
id: 9d8e5c2d-0e3f-5b6a-9c2d-4e3f5b6a7c8d
description: Detects execution of scripts or binaries from the SmarterMail web root, often a sign of successful web shell upload.
status: experimental
date: 2026/04/22
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
        ParentImage|contains:
            - '\Mail Service\'
            - '\MRS\'
    condition: selection
falsepositives:
    - Rare administrative maintenance
level: critical
---
title: QILIN Lateral Movement via PsExec or WMI
# NOTE: the id below contains non-hex characters and is not a valid UUID; replace it before loading the rule into a Sigma toolchain.
id: 0e1f2g3h-4i5j-6k7l-8m9n-0o1p2q3r4s5t
description: Detects common lateral movement techniques used by QILIN affiliates (PsExec, WMI) spawning a command shell.
status: experimental
date: 2026/04/22
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_psexec:
        ParentImage|endswith: '\psexec.exe'
        Image|endswith: '\cmd.exe'
    selection_wmi:
        ParentImage|endswith:
            - '\wmiprvse.exe'
            - '\svchost.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    condition: 1 of selection*
falsepositives:
    - Legitimate system administration
level: high
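To check that the three rules above fire where intended (and that the Exchange filter actually suppresses the SearchService case), the following added example, which is not part of the original report, transcribes their selections into a minimal Python matcher for the two Sigma modifiers they use (endswith, contains) and runs it over hand-constructed process-creation events. The event field names follow the Sigma process_creation schema; the paths and command lines are constructed for the demo and are not real telemetry.

```python
"""Minimal matcher for the process_creation Sigma rules above (added example)."""
from typing import Any, Dict, List

# A selection is an AND over its keys; a list value is an OR over its entries.
# Comparisons are case-insensitive, as Windows paths are matched by Sigma backends.
def field_matches(event: Dict[str, Any], key: str, values: Any) -> bool:
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for v in (values if isinstance(values, list) else [values]):
        v = str(v).lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "" and actual == v:
            return True
    return False

def selection_matches(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    return all(field_matches(event, k, v) for k, v in selection.items())

# Selections transcribed from the three rules above.
EXCHANGE_RULE = {
    "selection": {"ParentImage|endswith": "\\w3wp.exe",
                  "Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\whoami.exe"]},
    "filter_legit_exchange": {"ParentImage|contains": "\\FrontEnd\\",
                              "CommandLine|contains": "bin\\SearchService.exe"},
}
SMARTERMAIL_RULE = {
    "selection": {"Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\wscript.exe"],
                  "ParentImage|contains": ["\\Mail Service\\", "\\MRS\\"]},
}
LATERAL_RULE = {
    "selection_psexec": {"ParentImage|endswith": "\\psexec.exe", "Image|endswith": "\\cmd.exe"},
    "selection_wmi": {"ParentImage|endswith": ["\\wmiprvse.exe", "\\svchost.exe"],
                      "Image|endswith": ["\\cmd.exe", "\\powershell.exe"]},
}

def exchange_rule_hits(event: Dict[str, Any]) -> bool:
    # condition: selection and not filter_legit_exchange
    return (selection_matches(event, EXCHANGE_RULE["selection"])
            and not selection_matches(event, EXCHANGE_RULE["filter_legit_exchange"]))

def smartermail_rule_hits(event: Dict[str, Any]) -> bool:
    # condition: selection
    return selection_matches(event, SMARTERMAIL_RULE["selection"])

def lateral_rule_hits(event: Dict[str, Any]) -> bool:
    # condition: 1 of selection*
    return any(selection_matches(event, sel) for name, sel in LATERAL_RULE.items()
               if name.startswith("selection"))

# Constructed sample events (not real telemetry); the FrontEnd path in event 2 exists
# only to exercise the filter.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"id": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"id": 2, "ParentImage": r"C:\Exchange\V15\FrontEnd\HttpProxy\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c bin\SearchService.exe"},
    {"id": 3, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell -nop"},
    {"id": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"id": 5, "ParentImage": r"C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\MailService.exe",
     "Image": r"C:\Windows\System32\wscript.exe", "CommandLine": "wscript.exe update.vbs"},
]

def triage(events: List[Dict[str, Any]] = SAMPLE_EVENTS) -> Dict[int, List[str]]:
    """Return {event id: [names of rules that fired]}."""
    hits: Dict[int, List[str]] = {}
    for e in events:
        fired = []
        if exchange_rule_hits(e):
            fired.append("exchange_deserialization")
        if smartermail_rule_hits(e):
            fired.append("smartermail_webroot_execution")
        if lateral_rule_hits(e):
            fired.append("qilin_lateral_movement")
        hits[e["id"]] = fired
    return hits

if __name__ == "__main__":
    for eid, fired in triage().items():
        print(eid, fired or "-")
```

Event 2 is the one to watch: it matches the Exchange selection but is suppressed because both filter fields match, which is the AND semantics of a Sigma filter map. Event 4 (cmd.exe from explorer.exe) shows that the WMI selection does not fire on ordinary interactive shells.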
KQL (Microsoft Sentinel)
// Hunt for QILIN precursors: PowerShell execution with suspicious encoded commands
// and processes spawned from Exchange or Web Server roots.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessVersionInfoOriginalFileName in ("powershell.exe", "pwsh.dll")
| where ProcessCommandLine has "-enc" or ProcessCommandLine has "EncodedCommand"
| where ProcessCommandLine !contains "Microsoft.Management"
// Flag encoded PowerShell whose parent is the IIS worker process (Exchange/OWA or other web roots)
| extend SpawnedByWebServer = InitiatingProcessFileName =~ "w3wp.exe"
| project Timestamp, DeviceName, InitiatingProcessFileName, SpawnedByWebServer, ProcessCommandLine, FolderPath
| order by Timestamp desc
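Rows returned by the hunt above still have to be read, and the KQL exclusion on "Microsoft.Management" only inspects the raw command line, not the script hidden inside the base64 blob. The following added example, which is not part of the original report, extracts the argument following any accepted spelling of -EncodedCommand (PowerShell accepts every prefix from -e upward), decodes it as UTF-16LE base64, and applies the benign marker to the decoded text instead. The command lines are constructed; the encoded payload is a harmless `whoami`.

```python
"""Triage helper for -EncodedCommand arguments surfaced by the hunt above (added example)."""
import base64
from typing import Dict, Optional

# Markers that, when present in the *decoded* script, mirror the KQL exclusion above.
KNOWN_BENIGN_MARKERS = ("Microsoft.Management",)

def _is_encoded_flag(arg: str) -> bool:
    # PowerShell resolves any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
    if not arg.startswith("-"):
        return False
    p = arg[1:].lower()
    return len(p) >= 1 and "encodedcommand".startswith(p)

def extract_encoded(cmdline: str) -> Optional[str]:
    """Return the base64 argument following an EncodedCommand flag, or None if absent."""
    args = cmdline.split()  # base64 contains no whitespace, so plain splitting is sufficient
    for i, a in enumerate(args[:-1]):
        if _is_encoded_flag(a):
            return args[i + 1].strip("\"'")
    return None

def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode base64 + UTF-16LE; None if the blob is malformed (odd length, bad alphabet)."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_cmdline(cmdline: str) -> Dict[str, object]:
    """Summarise one hunt row: was it encoded, what does it say, does it look benign."""
    blob = extract_encoded(cmdline)
    decoded = decode_encoded_command(blob) if blob is not None else None
    benign = decoded is not None and any(m in decoded for m in KNOWN_BENIGN_MARKERS)
    return {"encoded": blob is not None, "decoded": decoded, "benign_marker": benign}

# Constructed sample rows (not real telemetry).
SAMPLE_ROWS = [
    "powershell.exe -NoP -W Hidden -enc dwBoAG8AYQBtAGkA",          # decodes to: whoami
    "powershell.exe -EncodedCommand notbase64!!",                  # malformed blob
    "powershell.exe -File C:\\scripts\\backup.ps1",                # not encoded
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row, "->", triage_cmdline(row))
```

A malformed blob is reported as encoded with no decoded text rather than discarded: an operator who mistyped a flag and an attacker padding the argument both land in that bucket, and either deserves a look.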
PowerShell Response Script
<#
.SYNOPSIS
    QILIN Response: Checks for Shadow Copy deletions and scheduled tasks created for persistence.
.DESCRIPTION
    Rapid triage script to identify indicators of QILIN preparation for encryption.
#>
Write-Host "[+] Checking for recent Scheduled Tasks (Last 7 Days)..." -ForegroundColor Cyan
# The Date property of a scheduled task is an ISO-8601 string (and may be empty), so cast before comparing.
$cutoff = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object {
    $_.Date -and ([datetime]$_.Date) -gt $cutoff -and
    $_.Author -notmatch "Microsoft|System"
} | Select-Object TaskName, Date, Author,
    @{Name='Action'; Expression={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }} |
    Format-Table -AutoSize

Write-Host "[+] Checking Volume Shadow Copy Storage Usage (Anomalies may indicate deletion)..." -ForegroundColor Cyan
$vss = vssadmin list shadowstorage
# vssadmin reports an empty result as "No items found that satisfy the query."
if ($vss -match "No items found|No shadow copies") {
    Write-Host "[!] WARNING: No Shadow Copies found. Possible deletion." -ForegroundColor Red
} else {
    $vss
}

Write-Host "[+] Checking for unusual Processes (cmd.exe spawned by w3wp.exe)..." -ForegroundColor Cyan
# Requires process creation auditing (Event ID 4688) so that Creator Process Name is populated.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'w3wp\.exe' -and $_.Message -match 'cmd\.exe' } |
    Select-Object TimeCreated, Message | Format-List
---
Incident Response Priorities
T-minus Detection Checklist (Before Encryption)
- Exchange Server Logs: Hunt for w3wp.exe spawning non-standard processes (PowerShell/CMD) in the last 48 hours.
- Cisco FMC Logs: Review admin login logs for suspicious access or configuration changes post-2026-03-19.
- SmarterMail: Inspect C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\ for recently modified .aspx, .ashx, or .config files.
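The SmarterMail item in the checklist above is a file-system sweep that is easy to get wrong by hand (case of the extension, nested folders, which clock to compare against). The following added example, which is not part of the original report, walks a web root and lists .aspx/.ashx/.config files modified inside a lookback window, newest first. It builds its own throwaway directory with constructed timestamps so it runs offline; on a real host, point it at the MRS path from the checklist. Note that a file's modification time is attacker-controllable, so an empty result narrows the search but does not clear the server.

```python
"""Recently modified web-root files of the types named in the checklist (added example)."""
import os
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple

SUSPECT_SUFFIXES = {".aspx", ".ashx", ".config"}

def recently_modified(root: str, lookback_hours: float = 48,
                      now: Optional[float] = None) -> List[Tuple[str, float]]:
    """Return [(path relative to root, age in hours)] for suspect files changed inside the window."""
    now = time.time() if now is None else now
    cutoff = now - lookback_hours * 3600
    found: List[Tuple[str, float]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SUSPECT_SUFFIXES:
                continue  # images, static assets and the like are out of scope for this check
            mtime = p.stat().st_mtime  # mtime can be timestomped; treat results as leads, not proof
            if mtime >= cutoff:
                rel = str(p.relative_to(root)).replace(os.sep, "/")
                found.append((rel, round((now - mtime) / 3600, 1)))
    found.sort(key=lambda t: t[1])  # newest first
    return found

def build_demo_webroot() -> str:
    """Constructed sample tree (not a real deployment): old config, fresh .aspx, fresh image."""
    root = tempfile.mkdtemp(prefix="mrs_demo_")
    now = time.time()
    samples = {
        "web.config": now - 30 * 24 * 3600,   # untouched for 30 days: outside the window
        "App_Data/upload.aspx": now - 2 * 3600,  # appeared 2 hours ago: should be reported
        "images/logo.png": now - 3600,           # recent, but not a suspect file type
    }
    for rel, mtime in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("demo")
        os.utime(p, (mtime, mtime))
    return root

if __name__ == "__main__":
    demo_root = build_demo_webroot()
    for rel, age in recently_modified(demo_root):
        print(f"{age:>6}h  {rel}")
```

Pair the output with the web server's access log: a freshly written .aspx that also has inbound requests is a stronger web shell indicator than either observation alone.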
Critical Assets at Risk
QILIN affiliates prioritize exfiltration of:
- Intellectual Property: CAD designs, manufacturing specs (Manufacturing sector focus).
- Client Databases: Logistics manifests, PII (Logistics/Healthcare focus).
- Financial Records: Recent tax filings, payroll data.
Containment Actions
- Isolate: Immediately disconnect Exchange servers and Cisco FMC appliances from the network if unpatched.
- Revoke Credentials: Force reset of credentials for accounts that have accessed Exchange or VPN endpoints in the last 14 days.
- Block Network Traffic: Block outbound C2 traffic to known QILIN infrastructure (check threat feeds for recent Cobalt Strike beacons).
Hardening Recommendations
Immediate (24 Hours)
- Patch Critical CVEs: Apply patches for CVE-2023-21529 (Exchange), CVE-2026-20131 (Cisco FMC), and SmarterMail vulnerabilities (CVE-2025-52691, CVE-2026-23760).
- Disable External Access: If patching is not possible immediately, disable external OWA (Outlook Web Access) and isolate SmarterMail interfaces from the public internet.
- MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) on all VPN and remote access gateways.
Short-term (2 Weeks)
- Network Segmentation: Segment Manufacturing and Logistics OT/IoT networks from the corporate IT domain to prevent lateral movement.
- Web Shell Scanning: Deploy automated scanners to identify web shells on IIS and Mail servers.
- EDR Coverage: Ensure EDR sensors are active on all internet-facing boundary servers (Exchange, VPN, Firewalls).