Aliases: Agenda (formerly Titan) Operational Model: Ransomware-as-a-Service (RaaS)
QILIN (recently rebranding efforts observed as "Agenda") operates a highly aggressive RaaS model. They are known for sophisticated customization of their .NET-based encryptor, allowing them to tailor encryption to specific victim environments.
- Ransom Demands: Highly variable, typically ranging from $500,000 to $5 million USD, negotiated aggressively via their Tox chat platform.
- Initial Access: Heavily relies on exploiting internet-facing applications (e.g., ConnectWise ScreenConnect, Microsoft Exchange) and compromised valid credentials obtained via infostealer logs.
- Double Extortion: Strict adherence to exfiltration-before-encryption. They operate a dedicated leak site where failure to pay results in the release of sensitive data, including architectural blueprints (targeting construction) and source code.
- Dwell Time: Average 3–5 days from initial access to detonation. They move fast, often skipping active enumeration in favor of massive internal spread.
Current Campaign Analysis
Campaign Period: 2026-05-18 to 2026-05-22
Sector Targeting: The current campaign displays a distinct pivot towards the Construction and Business Services sectors, which account for nearly 50% of the 13 recent victims. Notably, the attack on Semgrep (Technology) suggests QILIN is actively targeting developer toolchains and source code repositories.
- Top Hit: Construction (4 victims: ROTO Immobilien, CJ Architects, Air Conditioning Florida & partners, RCR Industrial Flooring).
- Secondary: Business Services & Consumer Services.
Geographic Concentration: While QILIN maintains a global footprint, this specific wave shows heavy concentration in US (6), GB (2), and AT (2). The appearance of victims in Argentina (AR) and Czechia (CZ) indicates expansion into Latin American and Central European markets.
Victim Profile: The victims range from mid-market enterprises (e.g., Snyder Packaging) to high-profile technology firms (e.g., Semgrep). The inclusion of smaller trade contractors (stucco/drywall services) alongside larger architectural firms suggests a "spray and pray" vulnerability exploitation phase targeting shared software (e.g., construction management software).
Observed Posting Frequency: High velocity. 13 victims posted within 4 days indicates an automated operational pipeline and a likely successful exploitation of a widely used remote management tool (correlating with CVE-2024-1708).
CVE Correlation: The recent spike in activity strongly correlates with the active exploitation of:
- CVE-2024-1708 (ConnectWise ScreenConnect): A primary vector for the Construction and Business Services victims, who rely heavily on remote management software (RMM).
- CVE-2023-21529 (Microsoft Exchange): Likely used for the Technology and Business Services sector intrusions to gain persistent webshell access.
Detection Engineering
Sigma Rules
The following rules target the specific initial access vectors and lateral movement patterns observed in QILIN's recent campaign.
title: Potential ConnectWise ScreenConnect Authentication Bypass Exploitation
description: Detects potential exploitation of CVE-2024-1708 or similar authentication bypass in ScreenConnect via suspicious path traversal or process anomalies.
author: Security Arsenal Research
date: 2026/05/24
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
tags:
- attack.initial_access
- cve.2024.1708
- qilin
logsource:
category: web
definition: 'Requirements: IIS or Nginx logs hosting ScreenConnect'
detection:
selection_uri:
Uri|contains:
- '/WebConference/'
- '/Bin/'
selection_suspicious:
Uri|contains:
- '..'
- '%2e%2e'
- '.aspx?'
condition: all of selection_*
falsepositives:
- Potential misconfigured web clients
level: high
---
title: SmarterMail Unrestricted File Upload or Auth Bypass Exploitation
description: Detects exploitation attempts against SmarterMail (CVE-2025-52691, CVE-2026-23760) frequently used in recent Qilin campaigns.
author: Security Arsenal Research
date: 2026/05/24
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
tags:
- attack.initial_access
- cve.2025.52691
- qilin
logsource:
product: windows
service: msexchange-management
definition: 'Requirements: Exchange or Mail Server logs'
detection:
selection_path:
TargetObject|contains:
- 'aspnet_client'
- 'App_Data'
- 'MRS'
selection_ext:
TargetObject|endswith:
- '.aspx'
- '.ashx'
- '.config'
condition: all of selection_*
falsepositives:
- Administrative maintenance
level: critical
---
title: Suspicious PsExec Usage with Qilin Naming Convention
description: Detects lateral movement patterns typical of Qilin operators using PsExec with specific service names observed in past incident response cases.
author: Security Arsenal Research
date: 2026/05/24
tags:
- attack.lateral_movement
- attack.execution
- qilin
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\psexec.exe'
- Image|endswith: '\psexesvc.exe'
selection_cli:
CommandLine|contains:
- '-accepteula'
- '-u '
- '-p '
selection_suspicious_name:
CommandLine|contains:
- 'UpdateService'
- 'WindowsManager'
- 'SysMaintenance'
condition: selection_img and selection_cli and selection_suspicious_name
falsepositives:
- Legitimate administrative software deployment
level: high
KQL (Microsoft Sentinel)
Hunt for data staging and lateral movement associated with QILIN's double extortion playbook. This query looks for large volume file transfers via SMB and specific process execution chains used for credential dumping.
let TimeFrame = ago(7d);
DeviceProcessEvents
| where Timestamp > TimeFrame
| where FileName in~ ("cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.exe")
| where ProcessCommandLine has "rclone"
or ProcessCommandLine has "robocopy"
or ProcessCommandLine has "vssadmin"
or ProcessCommandLine has "wbadmin"
| extend HostName = DeviceName
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > TimeFrame
| where ActionType == "InboundConnectionAccepted"
| where RemotePort in (445, 135, 139)
| summarize Count = count() by DeviceName, RemoteIP, RemotePort
) on HostName
| project Timestamp, HostName, FileName, ProcessCommandLine, RemoteIP, RemotePort, Count
| where Count > 10
| order by Timestamp desc
PowerShell Rapid Response
This script performs a triage check for Qilin indicators, specifically checking for scheduled task persistence (common in their dwell time) and suspicious modifications to the Shadow Copy service.
<#
.SYNOPSIS
Qilin Ransomware Triage Script
.DESCRIPTION
Checks for recent scheduled tasks (persistence) and VSS modification attempts.
#>
Write-Host "[+] Starting Qilin Triage Check..." -ForegroundColor Cyan
# 1. Check for Scheduled Tasks created in the last 48 hours
$suspiciousTasks = Get-ScheduledTask | Where-Object {
$_.Date -gt (Get-Date).AddHours(-48) -and
$_.Author -notlike "*Microsoft*" -and
$_.Author -notlike "*System*"
}
if ($suspiciousTasks) {
Write-Host "[!] ALERT: Suspicious Scheduled Tasks found created recently:" -ForegroundColor Red
$suspiciousTasks | Select-Object TaskName, Author, Date, Action | Format-List
} else {
Write-Host "[-] No suspicious recent scheduled tasks detected." -ForegroundColor Green
}
# 2. Check for VSS Admin Deletion History (Event ID 1 from vssadmin)
Write-Host "[+] Checking Event Logs for VSS Shadow Copy Deletion attempts..."
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663; StartTime=(Get-Date).AddHours(-48)} -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match "vssadmin" -and $_.Message -match "delete" }
if ($vssEvents) {
Write-Host "[!] ALERT: VSS Deletion commands detected in Security Logs!" -ForegroundColor Red
$vssEvents | Select-Object TimeCreated, Message | Format-List
} else {
Write-Host "[-] No VSS deletion events found in last 48 hours." -ForegroundColor Green
}
Write-Host "[+] Triage Complete. If alerts are triggered, isolate host immediately."
---
# Incident Response Priorities
**T-minus Detection Checklist (Pre-Encryption):**
1. **RMM Anomalies:** Immediate audit of ConnectWise ScreenConnect, ScreenConnect, and similar RMM logs for successful logins from unusual geolocations or at non-business hours.
2. **Exchange Web Shells:** Scan IIS directories (`C:\inetpub\wwwroot\aspnet_client`) for recently modified `.aspx` files.
3. **Mass File Renaming:** Enable detection rules for sequential file renaming or mass file extension changes (e.g., `.qilin` or generic append).
**Critical Assets Prioritized for Exfiltration:**
* **Construction:** Architectural blueprints (DWG, PDF), client contracts, project financials.
* **Tech:** Source code repositories (Git), SSH keys, customer credential databases.
**Containment Actions (Urgency Order):**
1. **Segment:** Disconnect VPN concentrators and RMM servers from the core network immediately.
2. **Reset:** Force-reset credentials for all service accounts associated with ConnectWise and Exchange.
3. **Suspend:** Suspend active directory accounts for users in the IT/Security groups to prevent lateral movement using hijacked admin tokens.
---
# Hardening Recommendations
**Immediate (24 Hours):**
* **Patch Management:** Apply the patch for **CVE-2024-1708 (ConnectWise)** immediately. If patching is delayed, enforce MFA on all ScreenConnect sessions and restrict access via firewall allow-lists.
* **Exchange Hardening:** Disable legacy authentication protocols on Exchange servers and apply the URL rewrite rules for **CVE-2023-21529**.
* **Account Hygiene:** Reset passwords for all local administrator accounts on exposed management servers.
**Short-term (2 Weeks):**
* **Network Segmentation:** Move RMM and Management tools (ScreenConnect, FMC) into a dedicated VLAN with strict "jump box" access requirements.
* **Zero Trust Access:** Implement Conditional Access policies that deny RDP/VPN access from unmanaged devices or unknown locations.
* **EDR Coverage:** Ensure EDR agents are deployed and reporting on all management plane servers, not just user endpoints.
---
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.