Back to Intelligence

QILIN Ransomware: Escalating Campaign Exploiting Exchange & Mail Flaws — 15 New Victims

SA
Security Arsenal Team
May 13, 2026
8 min read

Date: 2026-05-13
Analyst: Security Arsenal Intel Unit
Source: Ransomware.live / Direct Leak Site Observation

Executive Summary

The QILIN ransomware operation (formerly known as Agenda) has significantly accelerated its victim posting rate over the last 72 hours, adding 15 new organizations to its leak site. This latest wave shows a distinct pivot towards exploiting vulnerabilities in email infrastructure, specifically targeting SmarterTools SmarterMail and Microsoft Exchange servers. The campaign heavily targets the Business Services sector in the US and UK, alongside critical Healthcare and Energy entities. Based on the CVEs associated with this cluster, initial access is likely achieved via unauthenticated deserialization and authentication bypass flaws.

Threat Actor Profile — QILIN

  • Aliases: Agenda, Agend
  • Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate program where skilled access brokers provide initial access, and the core team handles the encryption and negotiations.
  • Ransom Demands: Variable, typically ranging from $500,000 to $5 million, depending on victim revenue and data exfiltration volume.
  • Initial Access Vectors: Historically reliant on valid credentials (phishing) and VPN exploits (Fortinet/Pulse Secure). Current data indicates a shift toward exploiting public-facing web applications, specifically Email Security and Management servers (Exchange, SmarterMail).
  • Double Extortion: Strict adherence. Qilin exfiltrates sensitive corporate data (HR, client databases, financial records) prior to encryption and threatens to publish it if ransoms are not paid.
  • Dwell Time: Short. Recent victims suggest a dwell time of 2–5 days between initial exploit (CVE exploitation) and detonation, indicating high operational automation.

Current Campaign Analysis

Sector Targeting

The latest batch of 15 victims reveals a broad scope but a high frequency in specific verticals:

  • Business Services: 33% (LTJ Industrial, One Legal, John G Yphantides, The Gravity Group, International Customer Care)
  • Technology: 13% (Bluize, AppDirect)
  • Healthcare: 7% (Spirit Medical Transport)
  • Energy: 7% (Brand X Hydrovac)
  • Construction, Agriculture, Consumer: Distributed across remaining targets.

Geographic Concentration

  • North America (US, CA): 47% of victims. The US remains the primary target.
  • Europe (GB, FR, ES, IL): 40% of victims. Significant spike in the UK (3 victims).
  • Asia-Pacific (AU, SG): 13%.

Victim Profile

Targets range from mid-market law firms and architectural practices (e.g., Johnson Carter Architects) to tech providers like AppDirect. Revenue estimates generally fall between $10M and $200M, suggesting Qilin affiliates are targeting organizations with sufficient cyber insurance coverage but potentially immature security postures regarding mail server patching.

Observed Posting Frequency

Qilin is posting 2–4 victims per day, indicating a high volume of successful encryption events. The escalation is rapid, with victims appearing on the site within 24 hours of failed negotiations.

CVE Correlation & Attack Vector

This campaign is inextricably linked to the active exploitation of the following CISA KEVs:

  • SmarterMail (CVE-2025-52691, CVE-2026-23760): The authentication bypass and file upload flaws provide an easy entry point for unauthenticated actors to gain a foothold on the mail server, which often has domain admin privileges or easy lateral movement paths.
  • Microsoft Exchange (CVE-2023-21529): Allows deserialization of untrusted data, leading to Remote Code Execution (RCE).
  • Cisco FMC (CVE-2026-20131): Exploitation of firewall management centers could allow attackers to modify security rules to facilitate exfiltration.

Detection Engineering

SIGMA Rules

YAML
title: Potential SmarterMail Authentication Bypass Exploit
description: Detects suspicious access patterns indicative of CVE-2026-23760 exploitation on SmarterMail servers.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/05/13
status: experimental
logsource:
    category: webserver
    product: iis
    definition: 'Requirements: IIS Logs with cs-uri-query fields'
detection:
    selection:
        cs-uri-stem|contains: '/Services/MailSuite'
        cs-method: 'POST'
    filter_main:
        cs-uri-query|contains: 'ResetPassword'
    condition: selection and not filter_main
falsepositives:
    - Legitimate password reset activity (verify source IP and frequency)
level: critical
---
title: Microsoft Exchange Deserialization RCE Indicators
description: Detects potential exploitation of CVE-2023-21529 via suspicious process chains originating from w3wp.exe.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/05/13
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\w3wp.exe'
        ParentCommandLine|contains: 'MSExchange'
    selection_child:
        - Image|endswith: '\powershell.exe'
        - Image|endswith: '\cmd.exe'
        - Image|endswith: '\whoami.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Administrative maintenance on Exchange servers
level: critical
---
title: Volume Shadow Copy Deletion via VssAdmin
description: Detects the deletion of shadow copies, a common Qilin TTP used to prevent recovery.
references:
    - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2026/05/13
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    condition: selection
falsepositives:
    - Legitimate system administration (rare)
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and unusual process execution patterns associated with Qilin
let Timeframe = 1h;
DeviceProcessEvents
| where Timestamp >= ago(Timeframe)
// Look for credentials dumping or system tools used for lateral movement
| where ProcessName in ("cmd.exe", "powershell.exe", "psexec.exe", "wmic.exe", "wmiexec.exe")
// Filter for suspicious flags or keywords often used by Qilin affiliates
| where CommandLine has any("shadowcopy", "delete", "share", "admin$")
// Join with Network logons to see if these processes followed a strange login
| join kind=inner (
    DeviceLogonEvents
    | where Timestamp >= ago(Timeframe + 10m) // Look back slightly further for the login event
) on DeviceId, AccountName
| summarize StartTime=min(Timestamp), ProcessCount=count() by DeviceName, AccountName, ProcessName, CommandLine
| where ProcessCount > 2 // High frequency of suspicious commands
| sort by ProcessCount desc

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    Qilin Response Checklist - Scan for signs of compromise.
.DESCRIPTION
    Checks for recent Shadow Copy deletions, unusual scheduled tasks, and suspicious PowerShell logs.
#>

Write-Host "[+] Starting Qilin Incident Response Check..." -ForegroundColor Cyan

# 1. Check Volume Shadow Copies (Qilin T1490)
Write-Host "\n[*] Checking for Volume Shadow Copy availability..." -ForegroundColor Yellow
$vss = vssadmin list shadows
if ($vss -match "No shadow copies found") {
    Write-Host "[!] ALERT: No Shadow Copies found. Possible deletion event." -ForegroundColor Red
} else {
    $shadowCount = ($vss | Select-String "Shadow Copy Volume").Count
    Write-Host "[+] Found $shadowCount shadow copies." -ForegroundColor Green
}

# 2. Check for Scheduled Tasks created in last 7 days (Persistence)
Write-Host "\n[*] Checking for Scheduled Tasks created in last 7 days..." -ForegroundColor Yellow
$dateCutoff = (Get-Date).AddDays(-7)
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt $dateCutoff }

if ($suspiciousTasks) {
    Write-Host "[!] ALERT: Found recent scheduled tasks:" -ForegroundColor Red
    $suspiciousTasks | Select-Object TaskName, Date, Author | Format-Table
} else {
    Write-Host "[+] No suspicious recent tasks found." -ForegroundColor Green
}

# 3. Check for suspicious RDP logons (Lateral Movement)
Write-Host "\n[*] Checking for RDP failures/successes in last 24h..." -ForegroundColor Yellow
$rdpEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($rdpEvents) {
    $rdpStats = $rdpEvents | Group-Object Id | Select-Object Name, Count
    Write-Host "[+] RDP Event Summary (Last 24h):" -ForegroundColor Green
    $rdpStats | Format-Table
} else {
    Write-Host "[-] No RDP events found in logs." -ForegroundColor Gray
}

Write-Host "\n[+] Check complete." -ForegroundColor Cyan


---

Incident Response Priorities

T-minus Detection Checklist (Pre-Encryption)

  1. Mail Server Audit: Immediately review logs for SmarterMail and Exchange servers for suspicious POST requests to /Services/ or /api/ endpoints originating from unusual IPs.
  2. Firewall Log Review: Check Cisco FMC logs for administrative changes or suspicious outbound connections (CVE-2026-20131).
  3. Process Monitoring: Hunt for w3wp.exe spawning cmd.exe or powershell.exe (Exchange exploitation).

Critical Assets for Exfiltration

Based on Qilin's recent postings, prioritize the protection of:

  • Legal & Client Databases: High leverage data for extortion.
  • Financial Systems: QuickBooks, payroll data.
  • CAD/Blueprint Files: Construction and Engineering sectors.

Containment Actions

  1. Isolate Mail Servers: Disconnect Exchange/SmarterMail servers from the network if CVE exploitation is suspected.
  2. Reset Credentials: Force reset for privileged accounts (Domain Admins) if lateral movement is suspected.
  3. Block outbound SMB: Prevent further exfiltration via protocols like SMB over TCP 445 to external IPs.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Critical CVEs: Apply patches for CVE-2023-21529 (Exchange) and CVE-2025-52691 / CVE-2026-23760 (SmarterMail) immediately. If patching is not possible, disable external access to these interfaces via firewall ACLs.
  • Disable Unauthenticated Endpoints: Review SmarterMail configuration and ensure anonymous upload features are disabled.
  • MFA Enforcement: Ensure MFA is active for all mail admin accounts and VPN users.

Short-term (2 Weeks)

  • Network Segmentation: Move mail servers and backups to isolated VLANs to restrict lateral movement.
  • WAF Deployment: Implement a Web Application Firewall (WAF) with rules specific to deserialization attacks and SmarterMail exploitation signatures.
  • Audit External Attack Surface: Conduct a scan to identify other exposed management interfaces (Cisco FMC, VPN concentrators) accessible from the internet.

Related Resources

Security Arsenal Incident Response
Managed SOC & MDR Services
AlertMonitor Threat Detection
From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwaresmartermailexchange-serverbusiness-servicescve-2026-23760

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action