Aliases: Agenda, Qilin (formerly known as Agenda).
Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates on an affiliate-driven model, aggressively recruiting penetration testers to breach networks using diverse initial access vectors. They are distinguished by their use of a custom Go-based ransomware variant that supports cross-platform encryption (Windows and Linux).
Ransom Demands: Highly variable, typically ranging from $300,000 to multi-million dollar demands depending on victim revenue. They strictly enforce a "name-and-shame" double extortion strategy, threatening to leak data if negotiations fail.
Tactics & Procedures (TTPs):
- Initial Access: Heavily reliant on exploiting internet-facing applications (historically VPNs, currently remote management tools like ScreenConnect).
- Lateral Movement: Standard toolsets including PsExec, WMI, and Cobalt Strike beacons.
- Double Extortion: Aggressive data exfiltration (often using Rclone or Mega) prior to encryption execution.
- Dwell Time: Short to moderate. Recent campaigns show a compression of the kill chain (3-5 days) when exploiting known CVEs like ScreenConnect, minimizing defender reaction time.
Current Campaign Analysis
Campaign Overview: Data from the QILIN leak site (2026-05-28) indicates a mass-exploitation event with 10 victims posted in a single day. The campaign demonstrates a sharp pivot toward exploiting specific management and perimeter security vulnerabilities rather than purely phishing-based entry.
Targeted Sectors:
- Healthcare: High volume of attacks (Mindpath College Health, Providence Medical Group, Dillon Family Medicine).
- Manufacturing: Significant targeting (Sinomax USA, Carton Craft Supply, LA Woodworks).
- Business Services: Professional services and real estate (Gallun Snow Associates, Mainstreet Organization of REALTORS).
Geographic Concentration: The campaign is overwhelmingly US-centric (67% of listed victims), with secondary splash damage in Australia (AU), Hungary (HU), Denmark (DK), and Saudi Arabia (SA).
Victim Profile: Targets range from mid-market enterprises (e.g., Sinomax USA) to local SMBs (e.g., Alamo Heights School District, local medical practices). This suggests Qilin affiliates are using automated vulnerability scanners to identify any unpatched instances of target software, regardless of organization size.
CVE Correlation & Vectors: The victim surge correlates directly with the exploitation of:
- CVE-2024-1708 (ConnectWise ScreenConnect): A critical path traversal flaw allowing RCE. Given the prevalence of ScreenConnect in managed IT environments (Healthcare/EdTech), this is the likely primary vector for the recent US victims.
- CVE-2026-20131 (Cisco Secure Firewall FMC): Exploitation of firewall management centers suggests sophisticated bypass of perimeter defenses.
- CVE-2025-52691 (SmarterMail): Unrestricted file upload likely used for initial webshell deployment in Business Services sectors.
Detection Engineering
Sigma Rules
title: Potential ConnectWise ScreenConnect Authentication Bypass (CVE-2024-1708)
id: 8c8d5e3a-1b4c-4d8e-9f2a-3b5c6d7e8f9a
description: Detects potential exploitation of ConnectWise ScreenConnect path traversal vulnerability leading to authentication bypass.
status: experimental
date: 2026/05/31
author: Security Arsenal Research
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
category: web
detection:
selection:
c-uri|contains:
- '/WebService/'
- '/Bin/'
cs-method|contains:
- 'GET'
- 'POST'
filter_auth:
cs-username|contains: 'Anonymous'
condition: selection and filter_auth
falsepositives:
- Misconfigured anonymous access testing
level: critical
---
title: Suspicious Cisco FMC Deserialization Activity
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects suspicious patterns associated with CVE-2026-20131 exploitation on Cisco Secure Firewall Management Center.
status: experimental
date: 2026/05/31
author: Security Arsenal Research
logsource:
category: web
detection:
selection_uri:
c-uri|contains:
- '/login.cgi'
- '/api/fmc_config/v1/domain/'
selection_payload:
sc-content|contains:
- 'rmi://'
- 'ldap://'
- 'javax.management'
condition: selection_uri and selection_payload
falsepositives:
- Rare administrative API usage
level: high
---
title: Qilin Ransomware Process Execution Patterns
description: Detects typical execution patterns used by Qilin ransomware including PowerShell obfuscation and stopping services.
status: experimental
date: 2026/05/31
logsource:
category: process_creation
detection:
selection_pwsh:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- 'Enc'
- 'IEX'
- 'DownloadString'
selection_service:
CommandLine|contains:
- 'stop-service'
- 'Set-Service -StartupType Disabled'
selection_vss:
Image|endswith: '\vssadmin.exe'
CommandLine|contains: 'delete shadows'
condition: 1 of selection_*
falsepositives:
- Legitimate system administration
level: high
Microsoft Sentinel KQL (Hunting)
// Hunt for suspicious lateral movement and mass staging associated with Qilin
let TimeFrame = 1d;
let CriticalProcs = dynamic(["psexec.exe", "wmic.exe", "powershell.exe", "cmd.exe"]);
let TargetHosts = materialize(
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ (CriticalProcs)
| where ProcessCommandLine has "-enc" or ProcessCommandLine has "DownloadString"
| summarize dcount(DeviceName) by DeviceName, AccountName
| where dcount_DeviceName > 5 // More than 5 hosts touched from one account in a day
);
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort in (445, 135, 5985, 8040, 8041) // Common SMB/WMI/ScreenConnect ports
| where InitiatingProcessAccountName in ((TargetHosts | project AccountName))
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
PowerShell Response Script
# Qilin Emergency Hardening and Hunt Script
# Usage: .\Check-QilinIndicators.ps1
Write-Host "[+] Initiating Qilin Campaign Hardening Checks..." -ForegroundColor Cyan
# 1. Check for Suspicious Scheduled Tasks (Common Qilin Persistence)
Write-Host "\n[*] Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Yellow
$dateCutoff = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object { $_.Date -gt $dateCutoff -and $_.Author -ne "Microsoft" } |
Select-Object TaskName, Author, Date, Action | Format-Table -AutoSize
# 2. Audit ScreenConnect Services (CVE-2024-1708 Vector)
Write-Host "\n[*] Checking for ScreenConnect Services..." -ForegroundColor Yellow
$scService = Get-Service -Name "ConnectWise*" -ErrorAction SilentlyContinue
if ($scService) {
Write-Host "[!] CRITICAL: ConnectWise ScreenConnect Service Detected." -ForegroundColor Red
Write-Host "[!] Verify patch level immediately for CVE-2024-1708." -ForegroundColor Red
$scService | Select-Object Name, Status, StartType
} else {
Write-Host "[-] No ScreenConnect services found." -ForegroundColor Green
}
# 3. Check for VSS Deletion Attempts (Pre-Encryption)
Write-Host "\n[*] Checking Event Log 7045 for VSS manipulation..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045; StartTime=$dateCutoff} -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match "vssadmin" -or $_.Message -match "shadowcopy" } |
Select-Object TimeCreated, Message | Format-List
Write-Host "\n[+] Hardening Script Complete. If anomalies found, isolate host immediately." -ForegroundColor Cyan
---
Incident Response Priorities
T-Minus Detection Checklist:
- Web Shell Hunt: Scan IIS logs and Exchange/SmarterMail directories for recently created
.aspx,.asmx, or.phpfiles (modified within 48h). - Remote Access Logs: Scrutinize ScreenConnect, RDP, and VPN logs for successful authentications from unfamiliar IP ranges, specifically checking for
AnonymousorGuestlogins. - Volume Shadow Copies: Query
vssadmin list shadowsimmediately. If zero copies exist on a file server, the encryption timer is likely ticking.
Critical Assets Prioritized for Exfiltration: Qilin historically targets:
- Healthcare: PHI/Patient databases (EHR backups).
- Manufacturing: CAD drawings, IP, and ERP databases.
- HR/Finance: Payroll tax files (W2s) and executive financial records.
Containment Actions (Urgency: High):
- Isolate: Disconnect internet-facing management servers (ScreenConnect, Cisco FMC, SmarterMail) from the internal network.
- Revoke: Reset credentials for all privileged service accounts (Domain Admins) used for remote management tools.
- Block: Firewall rules to block outbound connections to known exfil IPs and file-sharing sites (Mega, TransferNow) at the proxy level.
Hardening Recommendations
Immediate (Within 24 Hours):
- Patch CVE-2024-1708: Apply the ConnectWise ScreenConnect patch immediately or restrict access to the web interface to specific source IPs via firewall.
- Patch CVE-2026-20131: Update Cisco Secure Firewall FMC software to the patched version.
- Disable MFA Bypass: Ensure MFA is strictly enforced on all VPN and remote desktop gateways; disable "callback" or SMS-based MFA if possible (push phishing resistance).
Short-Term (Within 2 Weeks):
- Network Segmentation: Move critical backup repositories (Veeam, Commvault) to an isolated management VLAN that does not have internet access and cannot be reached from standard user VLANs.
- Egress Filtering: Implement strict egress filtering allowing only necessary business ports. Block outbound RDP (3389) and SMB (445) from the internal network to the internet.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.