Threat Actor Profile — QILIN
QILIN (also known as Agenda and Alpha) is a Ransomware-as-a-Service (RaaS) operation that emerged in 2022. The group operates an affiliate model, recruiting technically skilled threat actors to conduct initial access and lateral movement while the core team develops and maintains the ransomware payload. Recent intelligence suggests a shift toward targeting critical infrastructure and manufacturing sectors.
Operational Characteristics:
- Ransom Demands: $700,000 to $5 million, primarily in Monero (XMR)
- Negotiation Tactics: Aggressive, with threats to increase ransom amounts if deadlines are missed
- Initial Access Methods:
  - Exploitation of public-facing vulnerabilities (recent focus on VPN and remote access tools)
  - Phishing campaigns with malicious attachments and links
  - Compromised credentials for VPN and RDP access
  - Supply chain attacks through managed service providers
Double Extortion Approach:
QILIN employs a sophisticated double extortion strategy:
- Exfiltration of sensitive data before encryption
- Threats to publish stolen data on their Tor leak site
- Secondary extortion of victims' business partners and clients
Average Dwell Time:
4-7 days from initial access to ransomware deployment; encryption is frequently delayed until weekend or holiday periods to maximize impact.
Current Campaign Analysis
Sectors Being Targeted:
Based on the 15 recent victims posted between May 11-14, 2026:
| Sector | Victim Count | Percentage |
|---|---|---|
| Business Services | 6 | 40% |
| Manufacturing | 3 | 20% |
| Technology | 2 | 13% |
| Healthcare | 1 | 7% |
| Energy | 1 | 7% |
| Construction | 1 | 7% |
| Agriculture/Food Production | 1 | 7% |
| Not Found/Unclassified | 2 | 13% |
Geographic Concentration:
- United States: 7 victims (47%)
- Canada, Germany, Australia, UK, Singapore, Israel, France, Spain: 1-2 victims each
Victim Profile:
- Company sizes: Mix of mid-market ($50M-$500M revenue) and large enterprises ($500M+)
- Notable targets include AppDirect (enterprise cloud services) and Johnson Carter Architects
- Geographic spread suggests global affiliate network or opportunistic targeting based on vulnerability exposure
Observed Posting Frequency/Escalation Patterns:
- High-frequency posting: 15 victims in 4 days (average of 3-4 per day)
- Weekend targeting pattern: Notable cluster of victims posted on Monday 2026-05-13 (10 victims)
- Accelerated timeline suggests a coordinated campaign likely tied to recent vulnerability disclosures
Connection to CVEs as Initial Access Vectors:
Recent CVE additions to CISA's Known Exploited Vulnerabilities list directly correlate with QILIN's known tactics:
- CVE-2024-1708 (ConnectWise ScreenConnect Path Traversal): QILIN has historically exploited remote access tools. This vulnerability allows for remote code execution and is likely a primary initial access vector in recent campaigns.
- CVE-2023-21529 (Microsoft Exchange Server Deserialization): Given QILIN's preference for enterprise environments, this Exchange vulnerability likely enables initial access in organizations with exposed Exchange servers.
- CVE-2026-20131 (Cisco Secure Firewall Management Center): This recent vulnerability may be used to bypass perimeter security controls, allowing for lateral movement and persistence.
- CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail): These email server vulnerabilities align with QILIN's pattern of exploiting communication infrastructure for initial access and credential harvesting.
Detection Engineering
SIGMA Rules
```yaml
title: Potential QILIN Ransomware Activity - ConnectWise ScreenConnect Exploitation
id: 9e3d6c4a-f8b2-45a6-8c5e-1d2f3e4b5c6d
status: stable
description: Detects potential exploitation of CVE-2024-1708 in ConnectWise ScreenConnect, commonly used by QILIN for initial access
author: Security Arsenal Threat Intel
date: 2026/05/15
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
  - https://connectwise.com/trust-center/security-advisories
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2024.1708
logsource:
  product: windows
  service: security
detection:
  selection:
    # Sigma expresses alternatives as a list, not "5140 or 5145"
    EventID:
      - 5140
      - 5145
    ShareName|contains: 'ScreenConnect'
  filter:
    # Machine accounts end in '$'; exclude them to keep the rule on interactive/service users
    SubjectUserName|endswith: '$'
  condition: selection and not filter
falsepositives:
  - Legitimate ScreenConnect administrative access
level: high
```

```yaml
title: Potential QILIN Lateral Movement - PsExec and WMI Execution
id: a2b3c4d5-e6f7-8a9b-c0d1-e2f3a4b5c6d7
status: stable
description: Detects patterns of lateral movement commonly used by QILIN affiliates using PsExec and WMI
author: Security Arsenal Threat Intel
date: 2026/05/15
references:
  - https://attack.mitre.org/techniques/T1021/002/
  - https://attack.mitre.org/techniques/T1047/
tags:
  - attack.lateral_movement
  - attack.t1021
  - attack.t1047
logsource:
  product: windows
  service: security
detection:
  selection_psexec:
    EventID: 5145
    # 5145 records the share as \\*\ADMIN$, so an exact match on 'ADMIN$' never fires
    ShareName|endswith: 'ADMIN$'
    RelativeTargetName|contains: 'PSEXESVC'
  selection_wmi:
    # Remote WMI execution appears as a shell spawned by the WMI provider host,
    # so match on the parent process rather than on wmiprvse.exe's own command line
    EventID: 4688
    ParentProcessName|endswith: '\wmiprvse.exe'
    NewProcessName|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  selection_remoting:
    EventID: 4688
    CommandLine|contains: 'invoke-command'
  condition: 1 of selection_*
falsepositives:
  - Legitimate system administration activities
level: high
```

```yaml
title: Potential QILIN Data Exfil Patterns - Large File Transfers
id: c3d4e5f6-a7b8-c9d0-e1f2-a3b4c5d6e7f8
status: stable
description: Detects patterns of data exfiltration commonly associated with QILIN's double extortion tactics
author: Security Arsenal Threat Intel
date: 2026/05/15
references:
  - https://attack.mitre.org/techniques/T1041/
tags:
  - attack.exfiltration
  - attack.t1041
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5140
    ShareName|contains:
      - 'C$'
      - 'ADMIN$'
  selection_read:
    AccessMask|contains: '0x1' # FILE_READ_DATA
  timeframe: 5m
  # The aggregation applies to the combined selection; count per account so one
  # user reading many shares in 5 minutes is what trips the rule
  condition: selection and selection_read | count() by SubjectUserName > 10
falsepositives:
  - Legitimate backup operations
  - System administration tasks
level: medium
```
KQL Hunt Query (Microsoft Sentinel)
```kql
// Hunt for potential QILIN ransomware precursors
// Look for lateral movement, data staging, and credential theft
let TimeFrame = 7d;
let LateralMovement =
    SecurityEvent
    | where TimeGenerated >= ago(TimeFrame)
    | where EventID in (5140, 5145, 4624, 4625, 4688)
    // Potential jump hosts: in~ does not expand wildcards, so match on the name prefix
    | where Computer startswith "DC" or Computer startswith "FILE" or Computer startswith "SQL"
    | project TimeGenerated, Computer, EventID, Account, SubjectUserName, NewProcessName, CommandLine, ShareName, RelativeTargetName
    | extend Severity = case(
        EventID == 4625, "High",                                  // Failed login
        EventID == 5145 and ShareName endswith "ADMIN$", "High",  // Admin share access (logged as \\*\ADMIN$)
        EventID == 4688 and CommandLine has "powershell"
            and (CommandLine has "encodedcommand" or CommandLine has "downloadstring"), "Critical", // Suspicious PowerShell
        "Medium"
    );
let DataStaging =
    DeviceFileEvents
    | where TimeGenerated >= ago(TimeFrame)
    | where ActionType == "FileCreated"
    // has_any is term-based and will not match a file extension; use a suffix regex instead
    | where FileName matches regex @"(?i)\.(7z|rar|zip|tar)$"
    | where InitiatingProcessAccountName !~ "SYSTEM"
    | project TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessFileName, FolderPath
    | extend Severity = "High";
let SuspiciousScheduledTasks =
    DeviceProcessEvents
    | where TimeGenerated >= ago(TimeFrame)
    | where FileName =~ "schtasks.exe"
    | where ProcessCommandLine has_any ("/create", "/run")
    // Minute/hourly schedules are the short-interval persistence pattern called out in the checklist
    | where ProcessCommandLine matches regex @"(?i)/sc\s+(minute|hourly)"
    | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
    | extend Severity = "Critical";
union LateralMovement, DataStaging, SuspiciousScheduledTasks
| order by TimeGenerated desc
```
PowerShell Rapid-Response Hardening/Detection Script
```powershell
<#
.SYNOPSIS
    QILIN Ransomware Detection and Hardening Script
.DESCRIPTION
    Performs detection checks for QILIN ransomware indicators and implements immediate hardening measures
.NOTES
    Author: Security Arsenal Threat Intel
    Date: 2026-05-15
#>
param(
    [switch]$AuditOnly,
    [string]$OutputPath = "C:\Windows\Temp\QilinDetection_$(Get-Date -Format 'yyyyMMdd').log"
)

function Write-Log {
    param([string]$Message, [string]$Level = "INFO")
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    "[$timestamp] [$Level] $Message" | Out-File -FilePath $OutputPath -Append
    switch ($Level) {
        "CRITICAL" { Write-Host $Message -ForegroundColor Red }
        "WARNING"  { Write-Host $Message -ForegroundColor Yellow }
        "INFO"     { Write-Host $Message -ForegroundColor Green }
        default    { Write-Host $Message }
    }
}

# Check for recent suspicious scheduled tasks
Write-Log "Checking for suspicious scheduled tasks created in the last 7 days..."
$cutoff = (Get-Date).AddDays(-7)
$suspiciousTasks = @(Get-ScheduledTask | Where-Object {
    # The Date property is a string (or empty) on MSFT_ScheduledTask; cast before comparing
    $_.Date -and ([datetime]$_.Date) -gt $cutoff -and
    $_.TaskName -notmatch "Microsoft|Windows|Adobe|Google|Update"
})
if ($suspiciousTasks.Count -gt 0) {
    Write-Log "Found $($suspiciousTasks.Count) potentially suspicious scheduled tasks:" "CRITICAL"
    $suspiciousTasks | ForEach-Object {
        Write-Log "Task: $($_.TaskPath)$($_.TaskName), Created: $($_.Date), Author: $($_.Author)" "WARNING"
        if (!$AuditOnly) {
            try {
                # TaskPath is required for tasks registered in subfolders
                Disable-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -ErrorAction Stop | Out-Null
                Write-Log "Disabled task: $($_.TaskName)" "INFO"
            } catch {
                Write-Log "Failed to disable task: $($_.TaskName) - $($_.Exception.Message)" "WARNING"
            }
        }
    }
} else {
    Write-Log "No suspicious scheduled tasks found in the last 7 days." "INFO"
}

# Check for unusual RDP connections
Write-Log "Checking for RDP connections in the last 24 hours..."
$rdpEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    ID        = 21
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue
if ($rdpEvents) {
    Write-Log "Found $(@($rdpEvents).Count) RDP connections in the last 24 hours:" "INFO"
    $rdpEvents | ForEach-Object {
        # Event 21 carries its fields under UserData/EventXML (User, SessionID, Address), not EventData
        $eventXml = [xml]$_.ToXml()
        $user     = $eventXml.Event.UserData.EventXML.User
        $sourceIP = $eventXml.Event.UserData.EventXML.Address
        Write-Log "User: $user, Source IP: $sourceIP, Time: $($_.TimeCreated)" "INFO"
    }
} else {
    Write-Log "No RDP connections found in the last 24 hours." "INFO"
}

# Check that Volume Shadow Copies still exist (ransomware typically deletes them before encrypting)
Write-Log "Listing Volume Shadow Copies for C:..."
$vssChanges = vssadmin list shadows /for=c: 2>$null | Select-String "Shadow Copy Volume"
if ($vssChanges) {
    Write-Log "Volume Shadow Copies found:" "INFO"
    $vssChanges | ForEach-Object { Write-Log $_.Line.Trim() "INFO" }
} else {
    Write-Log "No Volume Shadow Copies found or accessible." "WARNING"
}

# Check for signs of data exfiltration (large compressed files)
Write-Log "Scanning for recently created compressed files..."
$compressedFiles = @(Get-ChildItem -Path "C:\" -Recurse -File -Include "*.zip", "*.rar", "*.7z", "*.tar" -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-3) -and $_.Length -gt 100MB })
if ($compressedFiles.Count -gt 0) {
    Write-Log "Found $($compressedFiles.Count) recently created large compressed files:" "CRITICAL"
    $compressedFiles | ForEach-Object {
        Write-Log "File: $($_.FullName), Size: $([math]::Round($_.Length / 1MB, 2)) MB, Created: $($_.CreationTime)" "WARNING"
    }
} else {
    Write-Log "No suspicious compressed files found." "INFO"
}

# Immediate hardening checks
if (!$AuditOnly) {
    Write-Log "Applying immediate hardening measures..." "INFO"

    # Disable RDP if not required
    $tsKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
    $rdpStatus = (Get-ItemProperty $tsKey).fDenyTSConnections
    if ($rdpStatus -ne 1) {
        Write-Log "Disabling RDP..." "WARNING"
        Set-ItemProperty -Path $tsKey -Name "fDenyTSConnections" -Value 1
        Write-Log "RDP has been disabled." "INFO"
    }

    # Check for SMBv1 (Get-WindowsOptionalFeature works on client and server SKUs; Get-WindowsFeature is server-only)
    $smbv1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($smbv1 -and $smbv1.State -eq 'Enabled') {
        Write-Log "Disabling SMBv1..." "WARNING"
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Log "SMBv1 has been disabled." "INFO"
    }
    Write-Log "Hardening measures applied. System reboot may be required for some changes." "INFO"
}
Write-Log "QILIN detection and hardening check complete." "INFO"
```
Incident Response Priorities
T-minus Detection Checklist:
- Remote Access Anomalies: Review logs for unusual ConnectWise ScreenConnect, RDP, and VPN sessions, especially with multiple failed authentication attempts
- Vulnerability Scanning: Immediately scan for CVE-2024-1708 (ConnectWise), CVE-2023-21529 (Exchange), and CVE-2026-20131 (Cisco FMC)
- Scheduled Task Creations: Investigate any scheduled tasks created in the last 7 days with unusual execution times (minute/hourly frequency)
- Unusual Data Transfer Patterns: Monitor for large outbound data transfers or creation of compressed files in unusual locations
- Account Privilege Escalation: Review Event ID 4672 for accounts assigned new privileged rights in the past week
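The rapid-response script above does not cover the last two checklist items. This added example (not part of the original advisory) reviews the Security log for Event ID 4672 per account and for bursts of Event ID 4625 failed logons from a single source; it must run elevated on the host being reviewed, and the day/threshold values are assumptions to tune per environment.

```powershell
# Added example: review Event ID 4672 (special privileges assigned to new logon) and
# bursts of Event ID 4625 (failed logon) on the local host. Thresholds are assumptions.
param([int]$Days = 7, [int]$FailedLogonThreshold = 20)

# Flatten a Security event's EventData into a hashtable keyed by field name
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($node in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

# Machine accounts and NT AUTHORITY identities log 4672 constantly; the rest deserve review
function Get-PrivilegedLogonSummary {
    param([int]$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Account    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Privileges = $d.PrivilegeList
            Time       = $_.TimeCreated
        }
    } |
    Where-Object { $_.Account -notmatch '\$$|^NT AUTHORITY\\' } |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object @{n = 'Account'; e = { $_.Name }}, Count,
                  @{n = 'FirstSeen'; e = { $_.Group.Time | Sort-Object | Select-Object -First 1 }},
                  @{n = 'Privileges'; e = { ($_.Group.Privileges | Select-Object -Unique) -join '; ' }}
}

# LogonType 10 = RDP (RemoteInteractive), 3 = network (SMB/WinRM); both matter for remote access review
function Get-FailedLogonBursts {
    param([int]$Hours, [int]$Threshold)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{ Source = $d.IpAddress; Target = $d.TargetUserName; LogonType = $d.LogonType }
    } |
    Group-Object Source | Where-Object { $_.Count -ge $Threshold } |
    Select-Object @{n = 'SourceIP'; e = { $_.Name }}, Count,
                  @{n = 'AccountsTried'; e = { ($_.Group.Target | Select-Object -Unique).Count }},
                  @{n = 'LogonTypes'; e = { ($_.Group.LogonType | Select-Object -Unique) -join ',' }}
}

Get-PrivilegedLogonSummary -Days $Days | Format-Table -AutoSize -Wrap
Get-FailedLogonBursts -Hours 24 -Threshold $FailedLogonThreshold | Format-Table -AutoSize
```

A single source trying many distinct accounts (high AccountsTried with LogonType 10 or 3) is the password-spray signature that the "Remote Access Anomalies" item asks for.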
Critical Assets Historically Prioritized for Exfiltration:
- Customer databases and CRM systems
- Financial records and payment information
- Intellectual property and proprietary designs
- Employee personal information (HR records)
- Legal and compliance documents
- Executive email archives
- Business partner and supplier lists
Containment Actions (Ordered by Urgency):
- IMMEDIATE: Isolate systems with evidence of compromise from the network
- URGENT: Rotate credentials for all privileged accounts, especially service accounts with administrative rights
- HIGH PRIORITY: Disable external remote access (VPN, RDP) until vulnerabilities are patched
- HIGH PRIORITY: Suspend or closely monitor accounts with recent unusual access patterns
- MEDIUM PRIORITY: Implement network segmentation to limit lateral movement
- MEDIUM PRIORITY: Temporarily disable non-essential scheduled tasks
- ONGOING: Preserve volatile memory and forensic images of affected systems
Hardening Recommendations
Immediate (24h):
- Patch Critical Vulnerabilities:
  - Apply ConnectWise ScreenConnect security update for CVE-2024-1708
  - Patch Exchange servers for CVE-2023-21529
  - Update Cisco Secure Firewall Management Center for CVE-2026-20131
  - Address SmarterTools SmarterMail vulnerabilities (CVE-2025-52691 and CVE-2026-23760)
- Restrict Remote Access:
  - Enforce MFA on all VPN, RDP, and remote desktop services
  - Implement allow-lists for remote access IPs
  - Remove unnecessary local administrator rights from service accounts
- Implement Network Controls:
  - Block SMB traffic to/from the internet at perimeter firewalls
  - Disable PowerShell remoting on systems where not required
  - Restrict outbound traffic to known destinations using next-gen firewall rules
- Increase Visibility:
  - Deploy enhanced logging on critical systems (PowerShell, Process Creation, Network Connections)
  - Implement EDR on all endpoints if not already in place
  - Set up alerts for unusual account activity (multiple failed logins, login from unusual locations)
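The host-level parts of the "Restrict Remote Access" and "Implement Network Controls" items can be applied with the built-in NetSecurity cmdlets. This is an added example, not the advisory's own script; the admin subnet used for the RDP allow-list and the decision to disable remoting on a given host are assumptions, and it must run elevated (use -WhatIf to preview).

```powershell
# Added example: RDP allow-list, endpoint SMB egress block, optional PowerShell remoting shutdown.
# The 10.10.0.0/24 subnet is an assumed jump-host/PAW range; replace it with your own.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$RdpAllowList = @('10.10.0.0/24'),
    [switch]$DisableRemoting
)

# 1. RDP allow-list: scope the inbound Remote Desktop rules to the admin subnet and require NLA
$rdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue)
if ($rdpRules -and $PSCmdlet.ShouldProcess('Remote Desktop rules', "restrict to $($RdpAllowList -join ',')")) {
    $rdpRules | Set-NetFirewallRule -RemoteAddress $RdpAllowList
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1   # NLA: authenticate before a session exists
}

# 2. Endpoint backstop for the perimeter SMB block: drop SMB leaving the host for Internet addresses.
#    'Internet' is a built-in address keyword understood by the Windows firewall.
$smbRule = 'QILIN-IR: Block outbound SMB to Internet'
if (-not (Get-NetFirewallRule -DisplayName $smbRule -ErrorAction SilentlyContinue) -and
    $PSCmdlet.ShouldProcess($smbRule, 'create')) {
    New-NetFirewallRule -DisplayName $smbRule -Direction Outbound -Action Block -Protocol TCP `
        -RemotePort 445, 139 -RemoteAddress Internet -Profile Any | Out-Null
}

# 3. PowerShell remoting: remove the session endpoints and close the WinRM listener rules where not required
if ($DisableRemoting -and $PSCmdlet.ShouldProcess('WinRM/PowerShell remoting', 'disable')) {
    Disable-PSRemoting -Force
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Set-NetFirewallRule -Enabled False
}

# 4. Report the resulting posture so the change can be verified and recorded in the incident log
function Get-RemoteAccessPosture {
    $rdpAddrs = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
                Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique
    [pscustomobject]@{
        RdpRemoteAddresses = ($rdpAddrs -join ',')
        NlaRequired        = ((Get-ItemProperty -Path $rdpTcp).UserAuthentication -eq 1)
        SmbOutboundBlocked = [bool](Get-NetFirewallRule -DisplayName $smbRule -ErrorAction SilentlyContinue)
        WinRmListening     = [bool](Get-NetTCPConnection -LocalPort 5985, 5986 -State Listen -ErrorAction SilentlyContinue)
    }
}
Get-RemoteAccessPosture | Format-List
```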
Short-term (2 weeks):
- Architecture Improvements:
  - Implement zero-trust network access principles
  - Create privileged access workstations (PAWs) for administrative tasks
  - Establish a secure remote access jump host with enhanced monitoring
- Identity and Access Management:
  - Conduct a comprehensive review of privileged account access
  - Implement just-in-time (JIT) privileged access
  - Enforce regular password rotation for service accounts
- Detection Enhancements:
  - Deploy deception technology (honeypots, canary tokens)
  - Implement user and entity behavior analytics (UEBA)
  - Create detection rules specifically for QILIN's observed TTPs
- Backup and Recovery:
  - Validate immutability of critical backups
  - Test restoration procedures for business-critical systems
  - Implement offline or air-gapped backup copies for most sensitive data