Classification: TLP:CLEAR — Threat Intelligence Bulletin
Source: ransomware.live .onion leak site monitoring, CISA KEV catalog
Publication Date: 2026-06-30
Analyst: Security Arsenal Threat Intelligence Cell
1. Threat Actor Profile — QILIN
Aliases / Alternate Names: Qilin, Agenda (legacy rebrand), Vice Spider (affiliate sub-cluster observed in 2024–2025), "Overwatch" (internal panel naming observed in leaked affiliate builds).
Operational Model: QILIN operates as a Ransomware-as-a-Service (RaaS) program with a tiered affiliate structure. The core dev team maintains the encryptor (originally Go, with a Rust rewrite in circulation since late 2022 for detection evasion and cross-platform coverage of Windows, Linux and ESXi), the Tor leak site, and the affiliate panel. Affiliates receive 70–80% of ransom proceeds; the operator keeps 20–30%. Recruitment is invite-only on Russian-language forums (XSS and RAMP-adjacent channels).
Typical Ransom Demands: Observed demands range $200,000 USD to $5,000,000 USD, scaling with victim revenue and exfiltrated data volume. Median observed demand in 2025–2026 is approximately $850,000. QILIN negotiates but rarely drops below 40% of the opening demand for mid-market victims.
Initial Access Methods (historically confirmed):
- Phishing with macro-laden documents and malicious LNK/ISO attachments (primary 2022–2023 vector)
- Exploited VPN and firewall edge appliances — Fortinet, SonicWall, Palo Alto, and now Check Point Security Gateway (CVE-2026-50751)
- RDP brute force / credential stuffing against exposed RDP/RDGW
- Supply chain compromise — observed via MSP tooling (ConnectWise ScreenConnect CVE-2024-1708, N-Able/N-central)
- Stolen credentials purchased from initial access brokers (IABs) — particularly RDP and VPN credentials harvested from infostealer logs; affiliate overlap with the Conti/BlackBasta lineage
- Exploitation of public-facing applications (Exchange ProxyShell/ProxyNotShell lineage; CVE-2023-21529 in the current campaign). This is T1190, not living-off-the-land; the LOLBin phase begins only after access is gained
Extortion Model: Double extortion. Data is exfiltrated prior to encryption using rclone, Mega.nz, FileZilla, and custom Go-based uploaders to QILIN-controlled infrastructure. Leak site publishes data in staged tranches (10% → 25% → 50% → full) on a 7-10 day cadence to pressure negotiation. QILIN has also been observed directly contacting victim customers/partners via email and phone (triple-extortion adjacent).
Average Dwell Time: QILIN affiliates average 8–14 days from initial access to detonation. Higher-skill affiliates (Vice Spider cluster) have compressed this to 3–5 days. The pre-encryption phase is dominated by reconnaissance (AdFind, BloodHound, SharpHound), credential theft (LSASS dump via comsvcs.dll or Mimikatz), lateral movement via PsExec/WMI, and staging on file servers/backup hosts.
Notable Prior Campaigns: QILIN has historically struck healthcare (multiple US hospital systems in 2023), automotive (Yazaki 2022), and high-profile MSPs. The shift in 2025–2026 toward manufacturing and food production suggests deliberate targeting of OT-adjacent environments where uptime is revenue-critical.
2. Current Campaign Analysis
2.1 Victim Roster (Last 15 Postings — 2026-06-24 to 2026-06-30)
| Victim | Sector | Country | Publish Date |
|---|---|---|---|
| Chamco | Manufacturing | ? | 2026-06-30 |
| Hemmersbach GmbH & Co. KG | Business Services | DE | 2026-06-30 |
| Kunert Fashion | Manufacturing | DE | 2026-06-29 |
| Musashino University | Education | JP | 2026-06-29 |
| KALIACT ANCHETA et Associés | Business Services | FR | 2026-06-29 |
| Metal Sur Famin | Manufacturing | AR | 2026-06-29 |
| Lam Soon | Agriculture & Food Production | TH | 2026-06-29 |
| Bristol Place | Not Found | GB | 2026-06-29 |
| GSMA | Telecommunication | GB | 2026-06-29 |
| Axionlog | Technology | CZ | 2026-06-29 |
| NASCO | Agriculture & Food Production | US | 2026-06-29 |
| 1-800-Dentist | Consumer Services | US | 2026-06-28 |
| Transcore | Transportation/Logistics | US | 2026-06-28 |
| ISOPLUS | Business Services | GR | 2026-06-25 |
| Cash Canada | Financial Services | CA | 2026-06-24 |
2.2 Sector Targeting Distribution
- Manufacturing: 3 victims (Chamco, Kunert, Metal Sur Famin) — 20%
- Business Services: 3 (Hemmersbach, KALIACT, ISOPLUS) — 20%
- Agriculture & Food Production: 2 (Lam Soon, NASCO) — 13%
- Technology / Telecom: 2 (Axionlog, GSMA) — 13%
- Education: 1 (Musashino University) — 7%
- Consumer Services: 1 (1-800-Dentist) — 7%
- Transportation/Logistics: 1 (Transcore) — 7%
- Financial Services: 1 (Cash Canada) — 7%
- Unattributed: 1 (Bristol Place) — 7%
Key Insight: Manufacturing and Business Services jointly account for 40% of postings. Food production (Lam Soon, NASCO) signals continued interest in supply-chain-disruption leverage — these organizations face regulatory pressure and perishable-inventory loss that compresses negotiation timelines.
2.3 Geographic Concentration
- Europe: DE ×2, FR ×1, GR ×1, CZ ×1, GB ×2 — 47%
- North America: US ×3, CA ×1 — 27%
- APAC: JP ×1, TH ×1 — 13%
- LATAM: AR ×1 — 7%
- Unknown: 1 — 7%
The heavy European concentration (Germany especially) aligns with QILIN's pattern of targeting German Mittelstand manufacturers — mid-market, family-owned firms with limited SOC capacity, high data sensitivity (engineering IP, customer PII), and willingness to pay to avoid operational downtime.
2.4 Victim Profile & Revenue Estimates
Victims span mid-market to large enterprise ($50M–$2B USD revenue range). Hemmersbach (IT services for HP/Lenovo warranty ops, ~3,500 employees), Kunert Fashion (legacy hosiery manufacturer), GSMA (global telecom industry association), and Transcore (transportation tolling systems, North America) indicate QILIN is not discriminating by vertical so much as by leverage surface: organizations with regulated data, contractual uptime obligations, or supply-chain chokepoint positions.
2.5 Posting Frequency & Escalation
- 2026-06-30: 2 victims
- 2026-06-29: 9 victims (cluster dump)
- 2026-06-28: 2 victims
- 2026-06-25: 1 victim
- 2026-06-24: 1 victim
The June 29 dump of 9 victims in a single day is highly anomalous and indicates either (a) a coordinated multi-affiliate detonation window, (b) batch release of previously staged victims whose negotiation deadlines expired simultaneously, or (c) a deliberate show-of-force following QILIN's recent affiliate recruitment push. Security teams should treat this as an active, escalating campaign rather than a baseline dribble.
2.6 Initial Access Vector Correlation with Active CVEs
Five CVEs in CISA's KEV catalog carry the known-ransomware-campaign-use flag and map onto QILIN's documented initial access vectors. The per-CVE relevance below is analyst assessment of fit with QILIN's TTPs, not public attribution of a specific CVE to a specific QILIN victim:
| CVE | Product | KEV Added | QILIN Relevance |
|---|---|---|---|
| CVE-2026-50751 | Check Point Security Gateway (IKEv1 improper auth) | 2026-06-08 | HIGH — Edge appliance exploitation is QILIN's preferred 2026 vector. The 22-day window between KEV listing and current victim surge is consistent with affiliate weaponization lag. |
| CVE-2026-48027 | Nx Console (embedded malicious code) | 2026-05-27 | MEDIUM — Supply-chain angle; Nx Console compromise could provide lateral foothold in dev environments, consistent with QILIN's targeting of technology firms (Axionlog). |
| CVE-2024-1708 | ConnectWise ScreenConnect (path traversal; chained with the CVE-2024-1709 authentication bypass) | 2026-04-28 | CRITICAL — ScreenConnect is MSP tooling; QILIN has a documented history of MSP compromise for downstream victim access. On its own CVE-2024-1708 is a privileged path traversal; the companion auth bypass CVE-2024-1709 is what makes the chain unauthenticated RCE, so instances patched for one but not the other still need attention. This chain is a likely initial access vector for the Business Services cluster. |
| CVE-2023-21529 | Microsoft Exchange Server (authenticated RCE) | 2026-04-13 | HIGH — Exchange exploitation remains a staple. The CVE requires a valid mailbox credential (CVSS PR:L), which fits QILIN's sourcing of credentials from IABs and stealer logs. Universities (Musashino) and mid-market manufacturers frequently run unpatched on-prem Exchange. |
| CVE-2026-20131 | Cisco Secure FMC (deserialization) | 2026-03-19 | MEDIUM-HIGH — Firewall management compromise enables traffic manipulation, rule disabling, and blind-spot creation pre-detonation. |
Assessment: The current QILIN surge is multivector. The June 29 cluster likely includes victims compromised via at least three distinct initial access paths: Check Point edge exploitation (CVE-2026-50751), ScreenConnect MSP compromise (CVE-2024-1708), and Exchange deserialization (CVE-2023-21529). Patch coverage for all five CVEs is non-negotiable as an immediate control.
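Worked example (added here; not part of the bulletin or any vendor tooling): matching a KEV feed excerpt against an asset inventory and computing how long each exposure has been public, which is the weaponization-lag clock the Check Point row refers to. The KEV_EXCERPT and INVENTORY lists are constructed; the CVE IDs and dateAdded values are the ones in the table above, while the dueDate values (assumed as dateAdded plus 21 days), hostnames and internet_facing flags are assumptions. Field names follow CISA's known_exploited_vulnerabilities.json feed, so the excerpt can be swapped for the feed's vulnerabilities array.

```python
"""KEV-to-inventory exposure matching with weaponization-lag calculation.

Added example, not bulletin code. KEV carries no version data, so a match means
"this product has a KEV entry you have not marked patched", not a confirmed
vulnerable version; version checks stay with the asset owner.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed excerpt using the real feed's field names. dueDate values are assumed.
KEV_EXCERPT = [
    {"cveID": "CVE-2026-50751", "vendorProject": "Check Point", "product": "Security Gateway",
     "dateAdded": "2026-06-08", "dueDate": "2026-06-29", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise", "product": "ScreenConnect",
     "dateAdded": "2026-04-28", "dueDate": "2026-05-19", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2026-04-13", "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-20131", "vendorProject": "Cisco", "product": "Secure Firewall Management Center",
     "dateAdded": "2026-03-19", "dueDate": "2026-04-09", "knownRansomwareCampaignUse": "Known"},
]


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    product: str
    internet_facing: bool
    patched_cves: frozenset[str] = frozenset()


# Constructed inventory; hostnames and exposure flags are illustrative.
INVENTORY = [
    Asset("vpn-gw-01", "Check Point", "Security Gateway R81", internet_facing=True),
    Asset("sc-01", "ConnectWise", "ScreenConnect", internet_facing=True,
          patched_cves=frozenset({"CVE-2024-1708"})),
    Asset("mail-01", "Microsoft", "Exchange Server 2019", internet_facing=True),
    Asset("fw-mgmt-01", "Cisco", "Secure Firewall Management Center", internet_facing=False),
    Asset("fg-01", "Fortinet", "FortiGate", internet_facing=True),  # no entry in the excerpt
]


@dataclass(frozen=True)
class Exposure:
    hostname: str
    cve: str
    days_in_kev: int      # how long affiliates have had a public signal to weaponize
    overdue: bool         # past CISA's BOD 22-01 remediation due date
    ransomware_use: bool  # knownRansomwareCampaignUse == "Known"
    internet_facing: bool

    @property
    def priority(self) -> int:
        """0 is most urgent: reachable from the internet, ransomware-flagged, and overdue."""
        return (0 if self.internet_facing else 4) + (0 if self.ransomware_use else 2) + (0 if self.overdue else 1)


def _norm(s: str) -> str:
    return " ".join(s.lower().split())


def _names_overlap(a: str, b: str) -> bool:
    """Loose vendor/product match: KEV product strings rarely equal inventory strings exactly."""
    a, b = _norm(a), _norm(b)
    return a in b or b in a


def match_exposures(kev: list[dict], inventory: list[Asset], today: date) -> list[Exposure]:
    exposures = []
    for asset in inventory:
        for entry in kev:
            if not (_names_overlap(asset.vendor, entry["vendorProject"])
                    and _names_overlap(asset.product, entry["product"])):
                continue
            if entry["cveID"] in asset.patched_cves:
                continue
            added = date.fromisoformat(entry["dateAdded"])
            due = date.fromisoformat(entry["dueDate"])
            exposures.append(Exposure(
                hostname=asset.hostname,
                cve=entry["cveID"],
                days_in_kev=(today - added).days,
                overdue=today > due,
                ransomware_use=entry.get("knownRansomwareCampaignUse") == "Known",
                internet_facing=asset.internet_facing,
            ))
    # Most urgent first; within a priority band, the longest-exposed entry first.
    return sorted(exposures, key=lambda e: (e.priority, -e.days_in_kev))


def bulletin_exposures(today: date = date(2026, 6, 30)) -> list[Exposure]:
    """Run the constructed inventory against the excerpt as of the bulletin date."""
    return match_exposures(KEV_EXCERPT, INVENTORY, today)


if __name__ == "__main__":
    for e in bulletin_exposures():
        print(f"P{e.priority} {e.hostname:12} {e.cve:15} in KEV {e.days_in_kev:3d}d overdue={e.overdue}")
```

The vpn-gw-01 row comes back with days_in_kev of 22, the same window the table cites between KEV listing and the victim surge; sc-01 drops out because its patched_cves marks the entry remediated, and fg-01 never matches because the excerpt has no Fortinet entry.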
3. Detection Engineering
The following detection content targets QILIN's confirmed TTPs across the kill chain. The Sigma rules follow the SigmaHQ rule schema (one logsource per rule; count-based logic expressed as a Sigma correlation rule) and carry MITRE ATT&CK technique tags. Windows process-creation rules need command-line logging: Security Event ID 4688 with "Include command line in process creation events" enabled, or Sysmon Event ID 1.
3.1 Sigma Rules — QILIN TTP Coverage
title: QILIN Ransomware Initial Access - Check Point IKEv1 Negotiation Failure
name: qilin_checkpoint_ikev1_failed_negotiation
status: experimental
description: >
    Base rule: one failed IKEv1 negotiation against a Check Point Security
    Gateway. CVE-2026-50751 is an improper-authentication flaw in IKEv1 that
    QILIN affiliates have leveraged for unauthenticated initial access. The
    burst threshold (5 failures from one source within 5 minutes) lives in the
    correlation rule that follows, because a Sigma selection cannot express
    counts or timeframes. Field names (action, tunnel_type, source_ip, user)
    are generic and must be mapped to your Check Point log schema.
author: Security Arsenal Threat Intelligence
date: 2026-06-30
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    - https://ransomware.live/#/group/qilin
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    product: firewall
    service: vpn
detection:
    selection:
        action: failed
        tunnel_type: ikev1
    condition: selection
fields:
    - source_ip
    - user
    - tunnel_type
falsepositives:
    - Site-to-site peers retrying with a wrong pre-shared key
level: low
---
title: QILIN Ransomware Initial Access - IKEv1 Failure Burst From One Source
status: experimental
description: >
    Five or more failed IKEv1 negotiations from a single source address
    within five minutes, consistent with exploitation attempts against
    CVE-2026-50751.
author: Security Arsenal Threat Intelligence
date: 2026-06-30
tags:
    - attack.initial_access
    - attack.t1190
correlation:
    type: event_count
    rules:
        - qilin_checkpoint_ikev1_failed_negotiation
    group-by:
        - source_ip
    timespan: 5m
    condition:
        gte: 5
falsepositives:
    - Load balancer health check misconfiguration
level: high
---
title: QILIN Ransomware Initial Access - Privileged IKEv1 VPN Session From Unexpected Source
status: experimental
description: >
    Successful IKEv1 VPN session for an account that looks privileged
    (admin/root/service) from an address outside the RFC 1918 ranges used by
    internal clients. Replace the filter with your known remote-access egress
    ranges. A failure burst followed by a success from the same source_ip is
    the strongest signal; pair this with the correlation rule above.
author: Security Arsenal Threat Intelligence
date: 2026-06-30
tags:
    - attack.initial_access
    - attack.t1133
logsource:
    product: firewall
    service: vpn
detection:
    selection:
        action: success
        tunnel_type: ikev1
        user|contains:
            - 'admin'
            - 'root'
            - 'service'
    filter_internal_ranges:
        source_ip|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: selection and not filter_internal_ranges
fields:
    - source_ip
    - user
    - bytes_in
    - bytes_out
falsepositives:
    - Legitimate admin VPN from new geographic location
level: high
---
title: QILIN Pre-Encryption Volume Shadow Copy Deletion and Service Tampering
status: experimental
description: >
    Detects Volume Shadow Copy deletion and Windows Defender service tampering
    executed via command-line utilities. This combination is a hallmark of QILIN
    pre-detonation preparation and is observed 30-120 minutes prior to encryptor
    deployment in confirmed QILIN intrusions. Requires process creation events
    with command lines (Security 4688 with command-line auditing, or Sysmon 1).
    The contains|all modifiers are deliberate: plain contains treats a list as
    OR and would also fire on "vssadmin list shadows".
author: Security Arsenal Threat Intelligence
date: 2026-06-30
references:
    - https://attack.mitre.org/techniques/T1490/
    - https://attack.mitre.org/techniques/T1562/001/
tags:
    - attack.impact
    - attack.t1490
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_vssadmin:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains|all:
            - 'delete'
            - 'shadows'
    selection_wmic:
        Image|endswith: '\wmic.exe'
        CommandLine|contains|all:
            - 'shadowcopy'
            - 'delete'
    selection_powershell_vss:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|re: 'Win32_ShadowCopy.*(\.Delete\(\)|Remove-WmiObject|Remove-CimInstance)'
    selection_defender_service_stop:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\sc.exe'
        CommandLine|contains|all:
            - 'WinDefend'
            - 'stop'
    selection_defender_preference:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Set-MpPreference -DisableRealtimeMonitoring $true'
            - 'Set-MpPreference -DisableIOAVProtection $true'
            - 'Add-MpPreference -ExclusionPath'
    selection_bcdedit:
        Image|endswith: '\bcdedit.exe'
        CommandLine|contains|all:
            - 'recoveryenabled'
            - 'no'
    condition: 1 of selection_*
fields:
    - ComputerName
    - User
    - Image
    - CommandLine
    - ParentImage
falsepositives:
    - Legitimate backup software maintenance windows (validate via change ticket)
    - Authorized admin disaster recovery testing
level: critical
---
title: QILIN Lateral Movement - PsExec or RemCom Service Installed
status: experimental
description: >
    Service installation (System log Event ID 7045) for PsExec (PSEXESVC) and
    RemCom (RemComSvc), used by QILIN affiliates for SMB-based deployment of
    tooling and the encryptor. Coverage is one rule per log source, because a
    Sigma rule carries exactly one logsource.
author: Security Arsenal Threat Intelligence
date: 2026-06-30
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7045
        ServiceName|startswith:
            - 'PSEXESVC'
            - 'RemComSvc'
    condition: selection
falsepositives:
    - Legitimate PsExec usage by sysadmin tooling (validate source + ticket)
level: high
---
title: QILIN Lateral Movement - PsExec Service Binary Written to ADMIN$
status: experimental
description: PsExec or RemCom service binary written to a remote host's ADMIN$ share. Requires the "Detailed File Share" audit subcategory (Event ID 5145) on target hosts.
author: Security Arsenal Threat Intelligence
date: 2026-06-30
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName|endswith: '\ADMIN$'
        RelativeTargetName|contains:
            - 'PSEXESVC.exe'
            - 'RemCom_'
    condition: selection
falsepositives:
    - SCCM agent or other deployment tooling pushing binaries over ADMIN$
level: high
---
title: QILIN Lateral Movement - Remote Process Creation via WMI
status: experimental
description: wmic.exe "process call create", which QILIN affiliates favour for quieter lateral execution than PsExec prior to ransomware detonation.
author: Security Arsenal Threat Intelligence
date: 2026-06-30
tags:
    - attack.execution
    - attack.t1047
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\wmic.exe'
        CommandLine|contains|all:
            - 'process'
            - 'call'
            - 'create'
    condition: selection
falsepositives:
    - Legitimate WMI administrative scripts
level: high
---
title: QILIN Persistence - WMI Command-Line Event Consumer Registered
status: experimental
description: >
    WMI event consumer registration (Sysmon Event ID 20; ID 19 is the event
    filter and ID 21 the filter-to-consumer binding) whose destination launches
    a scripting or proxy-execution binary.
author: Security Arsenal Threat Intelligence
date: 2026-06-30
tags:
    - attack.persistence
    - attack.t1546.003
logsource:
    product: windows
    category: wmi_event
detection:
    selection:
        EventID: 20
        Destination|contains:
            - 'cmd'
            - 'powershell'
            - 'rundll32'
            - 'regsvr32'
    condition: selection
level: high
---
title: QILIN Command and Control - Cobalt Strike Named Pipe Patterns
status: experimental
description: >
    Cobalt Strike default named pipes, or short random pipe names, created by
    processes commonly used to host beacons (Sysmon Event ID 17/18). Sysmon logs
    the name without the \\.\pipe\ prefix; the short-random selection is noisy.
author: Security Arsenal Threat Intelligence
date: 2026-06-30
tags:
    - attack.defense_evasion
    - attack.t1055
logsource:
    product: windows
    category: pipe_created
detection:
    selection_image:
        Image|endswith:
            - '\rundll32.exe'
            - '\svchost.exe'
            - '\RuntimeBroker.exe'
    selection_default_pipe:
        PipeName|startswith:
            - '\postex_'
            - '\status_'
            - '\msagent_'
            - '\POPCORN'
            - '\PGPIPE'
    selection_short_random_pipe:
        PipeName|re: '^\\[a-zA-Z0-9]{5,9}$'
    condition: selection_image and (selection_default_pipe or selection_short_random_pipe)
falsepositives:
    - Vendor software hosted in svchost.exe that uses short pipe names
level: high
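Added example, not from the bulletin and not pySigma: a minimal evaluator for the subset of Sigma matching the rules above rely on (endswith, contains, contains|all and re modifiers; AND across the keys of a selection; OR across listed values), run over constructed process-creation events. It shows why the VSS selection needs contains|all rather than contains: with plain contains a value list is OR, so the benign vssadmin list shadows fires the rule. The condition is a Python callable over the set of matched selection names rather than a parse of Sigma's condition grammar, and SAMPLE_EVENTS are constructed.

```python
"""Minimal Sigma-subset evaluator over constructed process_creation events (added example)."""
from __future__ import annotations

import re
from typing import Callable, Union

Event = dict[str, str]
Selection = dict[str, Union[str, list[str]]]


def _as_list(v: Union[str, list[str]]) -> list[str]:
    return v if isinstance(v, list) else [v]


def field_matches(value: str | None, modifiers: list[str], patterns: list[str]) -> bool:
    """Sigma string semantics: case-insensitive; a list of values is OR unless 'all' is present."""
    if value is None:
        return False
    if "re" in modifiers:  # Sigma regex is case-sensitive unless |i is added
        hits = [re.search(p, value) is not None for p in patterns]
    else:
        v = value.lower()

        def one(p: str) -> bool:
            p = p.lower()
            if "contains" in modifiers:
                return p in v
            if "startswith" in modifiers:
                return v.startswith(p)
            if "endswith" in modifiers:
                return v.endswith(p)
            return v == p  # plain equality; Sigma wildcards are not implemented here

        hits = [one(p) for p in patterns]
    return all(hits) if "all" in modifiers else any(hits)


def selection_matches(event: Event, selection: Selection) -> bool:
    """Every key in a selection map must match (AND)."""
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        if not field_matches(event.get(field), mods, _as_list(patterns)):
            return False
    return True


def matched_selections(detection: dict[str, Selection], event: Event) -> set[str]:
    return {name for name, sel in detection.items() if selection_matches(event, sel)}


def run_rule(detection: dict[str, Selection], condition: Callable[[set[str]], bool],
             events: list[Event]) -> list[str]:
    """Command lines of the events the rule fires on, in input order."""
    return [e["CommandLine"] for e in events if condition(matched_selections(detection, e))]


# Detection block mirroring the VSS-deletion / Defender-tampering rule in section 3.1.
VSS_TAMPER_DETECTION: dict[str, Selection] = {
    "selection_vssadmin": {"Image|endswith": "\\vssadmin.exe",
                           "CommandLine|contains|all": ["delete", "shadows"]},
    "selection_wmic": {"Image|endswith": "\\wmic.exe",
                       "CommandLine|contains|all": ["shadowcopy", "delete"]},
    "selection_powershell_vss": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
                                 "CommandLine|re": r"Win32_ShadowCopy.*(\.Delete\(\)|Remove-WmiObject|Remove-CimInstance)"},
    "selection_defender_service_stop": {"Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\sc.exe"],
                                        "CommandLine|contains|all": ["WinDefend", "stop"]},
    "selection_defender_preference": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
                                      "CommandLine|contains": ["Set-MpPreference -DisableRealtimeMonitoring $true",
                                                               "Add-MpPreference -ExclusionPath"]},
    "selection_bcdedit": {"Image|endswith": "\\bcdedit.exe",
                          "CommandLine|contains|all": ["recoveryenabled", "no"]},
}
ONE_OF_SELECTIONS = bool  # Sigma "1 of selection_*": fire if any selection matched

# The vssadmin selection written with plain contains (OR): the common mistake.
VSSADMIN_OR_DETECTION: dict[str, Selection] = {
    "selection_vssadmin": {"Image|endswith": "\\vssadmin.exe", "CommandLine|contains": ["delete", "shadows"]},
}

SYS32 = r"C:\Windows\System32"
# Constructed events: the first five should fire, the last three should not.
SAMPLE_EVENTS: list[Event] = [
    {"Image": SYS32 + r"\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": SYS32 + r"\wbem\wmic.exe", "CommandLine": "wmic.exe shadowcopy delete"},
    {"Image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"Image": SYS32 + r"\sc.exe", "CommandLine": "sc.exe stop WinDefend"},
    {"Image": SYS32 + r"\bcdedit.exe", "CommandLine": "bcdedit.exe /set {default} recoveryenabled no"},
    {"Image": SYS32 + r"\vssadmin.exe", "CommandLine": "vssadmin.exe list shadows"},
    {"Image": SYS32 + r"\cmd.exe", "CommandLine": "cmd.exe /c sc stop Spooler"},
    {"Image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe -c Get-MpPreference"},
]

if __name__ == "__main__":
    for cmd in run_rule(VSS_TAMPER_DETECTION, ONE_OF_SELECTIONS, SAMPLE_EVENTS):
        print("ALERT:", cmd)
    print("OR-bug false positives:",
          [c for c in run_rule(VSSADMIN_OR_DETECTION, ONE_OF_SELECTIONS, SAMPLE_EVENTS) if "list" in c])
```

Run it before shipping a rule change: the five malicious command lines alert, the three benign ones stay quiet, and the OR variant additionally reports vssadmin list shadows, which is exactly the noise a backup operator would generate daily.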
3.2 KQL Hunt Query — Microsoft Sentinel
The following KQL hunts for QILIN-style lateral movement and pre-ransomware staging indicators across the last 14 days. It unions process-creation signals (PsExec, WMI, VSS deletion, scheduled task abuse, Defender tampering, LSASS access, exfil tooling), scores each event, and summarizes per host and account. Network beaconing is not covered here; hunt that separately in DeviceNetworkEvents.
// QILIN Pre-Ransomware Lateral Movement Hunt — 14-day lookback
// Author: Security Arsenal Threat Intelligence
// Pivot on: PsExec, WMI, VSS deletion, scheduled task abuse, Defender tampering, LSASS access, exfil tooling
// Source: DeviceProcessEvents as ingested into Sentinel by the Microsoft Defender XDR connector.
let lookback = 14d;
let qilin_psexec = DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | where ProcessCommandLine has_any ("PSEXESVC", "RemComSvc") or ProcessCommandLine contains @"\ADMIN$\";
let qilin_wmi = DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | where FileName =~ "wmic.exe" and ProcessCommandLine has "process call create";
let qilin_vss = DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | where FileName in~ ("vssadmin.exe", "wmic.exe", "powershell.exe", "pwsh.exe")
        and ProcessCommandLine has_any ("delete shadows", "shadowcopy delete", "Win32_ShadowCopy", "Remove-WmiObject");
let qilin_schtasks = DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | where FileName in~ ("schtasks.exe", "powershell.exe")
        and ProcessCommandLine has_any ("/create", "Register-ScheduledTask")
        and ProcessCommandLine has_any ("rundll32", "regsvr32", "powershell", "cmd.exe", ".bat", ".ps1");
let qilin_defender_tamper = DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | where ProcessCommandLine has_any ("Set-MpPreference -DisableRealtimeMonitoring", "Add-MpPreference -ExclusionPath", "sc stop WinDefend", "bcdedit /set recoveryenabled no");
// comsvcs.dll MiniDump and procdump leave the target on the command line. Handle-based LSASS access with no
// telltale command line is better hunted in DeviceEvents where ActionType == "OpenProcessApiCall" and FileName == "lsass.exe".
let qilin_lsass_access = DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | where ProcessCommandLine has_any ("comsvcs.dll", "MiniDump", "procdump", "lsass.dmp")
        or (FileName in~ ("procdump.exe", "taskmgr.exe") and ProcessCommandLine has "lsass");
let qilin_exfil_tools = DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | where FileName in~ ("rclone.exe", "mega.exe", "FileZilla.exe", "7z.exe", "winrar.exe", "ngrok.exe")
        or ProcessCommandLine has_any ("mega.nz", "mega.io", "anonfiles", "gofile.io", "rclone", "--upload-file");
union qilin_psexec, qilin_wmi, qilin_vss, qilin_schtasks, qilin_defender_tamper, qilin_lsass_access, qilin_exfil_tools
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
// Score each event. case() returns the first matching branch, so the most severe tests come first.
// Every branch of the union scores at least 2, so the >= 3 filter below is a deliberate choice rather than an accident
// of the scoring table (previously schtasks, exclusion-path and most exfil events fell through to 1 and were discarded).
| extend suspicion_score = case(
    ProcessCommandLine has "delete shadows" or ProcessCommandLine has "shadowcopy delete", 5,
    ProcessCommandLine has "DisableRealtimeMonitoring" or ProcessCommandLine has "recoveryenabled no", 5,
    ProcessCommandLine has "comsvcs.dll" or ProcessCommandLine has "MiniDump" or ProcessCommandLine has "lsass", 4,
    ProcessCommandLine has "Add-MpPreference" or ProcessCommandLine has "WinDefend", 4,
    ProcessCommandLine has "rclone" or ProcessCommandLine has "mega.nz" or FileName in~ ("rclone.exe", "mega.exe", "ngrok.exe"), 4,
    ProcessCommandLine has "process call create", 3,
    ProcessCommandLine has_any ("PSEXESVC", "RemComSvc"), 3,
    ProcessCommandLine has_any ("/create", "Register-ScheduledTask"), 3,
    2)  // remaining: generic archivers, Win32_ShadowCopy reads, other exfil-site strings
// Score-2 events (7z/winrar alone, Win32_ShadowCopy enumeration) are too noisy to list individually.
| where suspicion_score >= 3
// Aggregate per host/account; keep the peak score so the summary ranks by severity, not only by volume.
| summarize event_count = count(), max_score = max(suspicion_score),
    first_seen = min(TimeGenerated), last_seen = max(TimeGenerated),
    tools = make_set(FileName), commands = make_set(ProcessCommandLine, 50)
    by DeviceName, AccountName
| extend days_active = datetime_diff('day', last_seen, first_seen)
| sort by max_score desc, event_count desc
3.3 Rapid Response Hardening Script — PowerShell
Run this script (elevated) across endpoints via EDR live response or SCCM to enumerate QILIN-relevant weak postures: exposed RDP, recently created scheduled tasks, VSS status, Defender exclusions, suspicious services, LSASS protection and local admin sprawl. It is read-only and changes nothing on the host.
<#
.SYNOPSIS
    QILIN Rapid Posture & Detection Sweep
.DESCRIPTION
    Enumerates indicators relevant to QILIN pre-ransomware activity:
    - RDP exposure status
    - Scheduled tasks created in last N days
    - Volume Shadow Copy status and recent deletions
    - Windows Defender exclusions and real-time protection state
    - Suspicious services (PsExec, CS beacons, random-named services)
    - LSASS protection configuration
    - Local Administrators group size
    Read-only: the script changes nothing on the host. Run elevated; the Security
    log, Get-MpPreference and Get-LocalGroupMember checks need it.
.NOTES
    Author: Security Arsenal Threat Intelligence
    Date:   2026-06-30
#>
[CmdletBinding()]
param(
    [int]$TaskLookbackDays = 7
)
$ErrorActionPreference = 'SilentlyContinue'

$report = [ordered]@{
    HostName = $env:COMPUTERNAME
    ScanTime = (Get-Date -Format 'yyyy-MM-dd HH:mm:ss zzz')
    Findings = [System.Collections.Generic.List[object]]::new()
}

function Add-Finding {
    param([string]$Category, [string]$Severity, [string]$Detail, [string]$Remediation)
    # $report is resolved from the parent scope; .Add() mutates the list in place.
    $report.Findings.Add([PSCustomObject]@{
        Category    = $Category
        Severity    = $Severity
        Detail      = $Detail
        Remediation = $Remediation
        Timestamp   = (Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
    })
}

# --- 1. RDP exposure ---
$rdpReg      = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
$rdpEnabled  = ($rdpReg.fDenyTSConnections -eq 0)
$rdpTcp      = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort     = $rdpTcp.PortNumber
$nlaRequired = ($rdpTcp.UserAuthentication -eq 1)
$firewallRdp = @(Get-NetFirewallRule -DisplayName '*Remote Desktop*' -Enabled True -Direction Inbound -Action Allow)
if ($rdpEnabled) {
    Add-Finding 'RDP' 'HIGH' "RDP is ENABLED on port $rdpPort with $($firewallRdp.Count) inbound allow rules; NLA required: $nlaRequired" 'Disable RDP where unused; restrict via VPN + MFA; enforce Account Lockout policy; enable NLA'
} else {
    Add-Finding 'RDP' 'INFO' 'RDP is disabled' 'No action required'
}

# --- 2. Scheduled tasks created in last N days (QILIN persistence / detonation timer) ---
$cutoff = (Get-Date).AddDays(-$TaskLookbackDays)
# Task.Date is the <Date> string from the task XML and is often empty; -as returns $null instead of throwing.
$tasks = Get-ScheduledTask | Where-Object {
    $created = $_.Date -as [datetime]
    $_.State -ne 'Disabled' -and $created -and $created -ge $cutoff
}
$suspTasks = @($tasks | Where-Object {
    ($_.Actions.Execute -join ' ')   -match 'rundll32|regsvr32|powershell|cmd|wscript|cscript' -or
    ($_.Actions.Arguments -join ' ') -match 'http|\\\\|base64|DownloadString|Invoke-|FromBase64String'
})
foreach ($t in $suspTasks) {
    Add-Finding 'ScheduledTask' 'HIGH' "Suspicious task '$($t.TaskName)' (path $($t.TaskPath)) created $($t.Date) executing $($t.Actions.Execute -join ' ') $($t.Actions.Arguments -join ' ')" 'Review task author, disable if unauthorized, capture action binary for analysis'
}
if ($suspTasks.Count -eq 0) { Add-Finding 'ScheduledTask' 'INFO' "No suspicious tasks in last $TaskLookbackDays days" 'Continue monitoring' }

# --- 3. Volume Shadow Copy status ---
$vss = @(Get-CimInstance Win32_ShadowCopy)
if ($vss.Count -eq 0) {
    Add-Finding 'VSS' 'WARN' 'No Volume Shadow Copies present — possible prior deletion or never enabled' 'Enable VSS; configure regular snapshots; alert on vssadmin delete shadows'
} else {
    $oldest = ($vss | Sort-Object InstallDate | Select-Object -First 1).InstallDate
    Add-Finding 'VSS' 'INFO' "$($vss.Count) shadow copies present, oldest $oldest" 'Monitor for deletion: Security 4688 / Sysmon 1 for vssadmin or wmic, PowerShell 4104 for Win32_ShadowCopy.Delete'
}
# Deletion evidence in the lookback window: PowerShell script blocks (4104) and process creation (Security 4688,
# which only carries the command line when "Include command line in process creation events" is enabled).
$vssPattern = 'vssadmin.*delete|delete.*shadows|shadowcopy.*delete|Win32_ShadowCopy.*(Delete|Remove)'
$vssEvents  = @()
$vssEvents += Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104; StartTime=$cutoff} |
    Where-Object { $_.Message -match $vssPattern }
$vssEvents += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$cutoff} |
    Where-Object { $_.Message -match $vssPattern }
foreach ($e in $vssEvents) {
    $snippet = $e.Message.Substring(0, [Math]::Min(300, $e.Message.Length))
    Add-Finding 'VSS' 'CRITICAL' "VSS deletion activity at $($e.TimeCreated) (Event $($e.Id)): $snippet" 'Trigger IR playbook immediately — possible ransomware preparation'
}

# --- 4. Defender exclusions and real-time protection ---
$defender = Get-MpPreference
$status   = Get-MpComputerStatus
if (-not $defender) {
    Add-Finding 'Defender' 'WARN' 'Get-MpPreference returned nothing (Defender disabled by a third-party AV, or not installed)' 'Confirm EDR/AV coverage for this host in the EDR console'
} else {
    # DisableRealtimeMonitoring is the configured preference; RealTimeProtectionEnabled is the effective state.
    if ($defender.DisableRealtimeMonitoring -or ($status -and -not $status.RealTimeProtectionEnabled)) {
        Add-Finding 'Defender' 'CRITICAL' 'Real-time protection is DISABLED' 'Re-enable immediately; investigate who/what disabled it; review Defender Operational log Event ID 5001'
    }
    $exclusions = @($defender.ExclusionPath) + @($defender.ExclusionProcess) + @($defender.ExclusionExtension)
    # Flag executable, user-profile, UNC, wildcard and drive-root exclusions; "Add-MpPreference -ExclusionPath C:\" is the QILIN pattern.
    $suspExclusions = $exclusions | Where-Object { $_ -and $_ -match '\.exe$|\.dll$|^C:\\Users|^\\\\|\*|^[A-Z]:\\?$' }
    foreach ($x in $suspExclusions) {
        Add-Finding 'Defender' 'HIGH' "Suspicious Defender exclusion: $x" 'Remove exclusion; scan excluded path; check Defender Operational log Event ID 5007 for who added it'
    }
}

# --- 5. Suspicious services (PsExec remnants, CS beacon services, random-named services) ---
$services = Get-CimInstance Win32_Service
$psexec = $services | Where-Object { $_.Name -match 'PSEXESVC|RemCom' }
foreach ($s in $psexec) {
    Add-Finding 'Service' 'HIGH' "PsExec/RemCom service '$($s.Name)' present, state=$($s.State), path=$($s.PathName)" 'Validate authorized admin use; remove if unexpected; correlate with source host'
}
# Short random alphanumeric service names that launch a LOLBin are typical of Cobalt Strike service-based lateral movement.
$randomServices = $services | Where-Object {
    $_.Name -match '^[a-zA-Z0-9]{6,12}$' -and
    $_.PathName -match 'rundll32|regsvr32|cmd|powershell' -and
    $_.State -eq 'Running'
}
foreach ($s in $randomServices) {
    Add-Finding 'Service' 'CRITICAL' "Random-named service '$($s.Name)' running: $($s.PathName)" 'Stop and disable service; capture binary; submit to sandbox; trigger IR'
}

# --- 6. LSASS protection ---
# RunAsPPL: 1 = enabled with UEFI lock, 2 = enabled without UEFI lock (Windows 11 22H2+). Anything else is unprotected.
$lsassReg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL
if ($lsassReg.RunAsPPL -notin @(1, 2)) {
    Add-Finding 'LSASS' 'HIGH' 'RunAsPPL not enabled — LSASS unprotected from credential dump' 'Enable RunAsPPL via GPO; deploy Windows Defender Credential Guard; monitor for LSASS access'
} else {
    Add-Finding 'LSASS' 'INFO' "RunAsPPL enabled (value $($lsassReg.RunAsPPL))" 'No action required'
}

# --- 7. Local admin enumeration (QILIN re-uses local admin credentials for lateral movement) ---
$localAdmins = @(Get-LocalGroupMember -Group 'Administrators')
if ($localAdmins.Count -gt 5) {
    Add-Finding 'LocalAdmin' 'WARN' "$($localAdmins.Count) local admins on this host: $($localAdmins.Name -join ', ')" 'Reduce local admin sprawl; implement LAPS; rotate credentials'
}

# --- Output ---
# Full JSON report to stdout (collect through the EDR/SCCM script output channel), then a severity summary to the console.
[PSCustomObject]$report | ConvertTo-Json -Depth 5
$severityRank = @{ CRITICAL = 0; HIGH = 1; WARN = 2; INFO = 3 }
$summary = $report.Findings | Group-Object Severity | Sort-Object { $severityRank[$_.Name] }
Write-Host "`n=== QILIN POSTURE SWEEP SUMMARY: $($env:COMPUTERNAME) ===" -ForegroundColor Cyan
$summary | ForEach-Object { Write-Host ("{0,-12}: {1}" -f $_.Name, $_.Count) }
Write-Host "================================" -ForegroundColor Cyan
---
4. Incident Response Priorities — QILIN Playbook Specific
4.1 T-Minus Detection Checklist (Pre-Encryption)
QILIN affiliates spend 8–14 days in the environment before detonation. The following signals appear before encryption fires. Catching them converts an IR engagement from "recover from backup" to "evict before impact."
T-72 to T-24 hours (Reconnaissance & Credential Collection):
- AdFind.exe execution (`adfind -f objectcategory=person`, `adfind -subnets -f`)
- BloodHound/SharpHound collection (`SharpHound.exe -c All`, `Invoke-BloodHound`)
- nltest / netdom / whoami / quser enumeration bursts
- SMB share enumeration via net view / PowerView `Invoke-ShareFinder`
- LSASS access by non-system processes (comsvcs.dll MiniDump, procdump, Mimikatz)
- NTDS.dit copy attempts (ntdsutil, vssadmin create shadow, diskshadow)
T-24 to T-6 hours (Lateral Movement & Staging):
- PsExec service creation (PSEXESVC) on multiple hosts in short window
- WMI `process call create` across hosts
- RDP sessions to backup servers, domain controllers, file servers
- Cobalt Strike beacon traffic (typical affiliate profiles use 30–60s sleep with 10–20% jitter; HTTPS to port 443 with anomalous JA3/JA4)
- Mass file access on file servers (audit Event ID 4663 with `WriteData` or `DELETE` access)
- 7zip/rar archive creation on staging hosts — QILIN uses `7z a -p` with password-protected archives for exfil staging
- rclone.exe or mega.exe execution — primary exfil tooling
T-6 to T-0 hours (Final Preparation):
- vssadmin delete shadows / wmic shadowcopy delete
- bcdedit /set {default} recoveryenabled No
- Set-MpPreference -DisableRealtimeMonitoring $true
- Add-MpPreference -ExclusionPath C:\
- sc stop WinDefend / sc config WinDefend start= disabled
- Scheduled task creation with ransomware binary path
- GPO modification pushing ransomware executable (QILIN has used GPO-based detonation)
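Added example (not part of the bulletin): the T-minus checklist above as a per-host correlation. Each command line is bucketed into a kill-chain phase by a keyword table distilled from the checklist (an assumption, not a vendor signature set); a host whose first sightings of two or more phases fall inside a 72-hour window is raised, and a second check counts how many hosts saw lateral-movement activity inside any 30-minute window, the "PSEXESVC on multiple hosts in short window" signal. The events, hostnames, users and timestamps are constructed.

```python
"""Per-host QILIN kill-chain phase correlation over process-creation events (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

PHASES = ["recon", "credential_theft", "lateral_movement", "staging_exfil", "final_prep"]
# Case-insensitive substrings distilled from the checklist (assumption); first phase with a hit wins.
PHASE_KEYWORDS = {
    "recon": ("adfind", "sharphound", "invoke-bloodhound", "nltest", "net view", "invoke-sharefinder", "quser"),
    "credential_theft": ("comsvcs.dll", "minidump", "procdump", "mimikatz", "ntdsutil", "diskshadow"),
    "lateral_movement": ("psexesvc", "remcomsvc", "process call create"),
    "staging_exfil": ("7z a -p", "rclone", "mega.exe", "megasync"),
    "final_prep": ("delete shadows", "shadowcopy delete", "recoveryenabled no",
                   "disablerealtimemonitoring", "stop windefend", "add-mppreference -exclusionpath"),
}


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    cmdline: str


@dataclass(frozen=True)
class HostAlert:
    host: str
    phases: list[str]     # in kill-chain order
    span_hours: float     # first phase start to last phase start
    first_seen: datetime


def classify(cmdline: str) -> str | None:
    c = cmdline.lower()
    for phase in PHASES:
        if any(k in c for k in PHASE_KEYWORDS[phase]):
            return phase
    return None


def escalation_alerts(events: list[ProcEvent], window: timedelta = timedelta(hours=72),
                      min_phases: int = 2) -> list[HostAlert]:
    """Hosts where at least min_phases distinct phases first appeared within `window`."""
    first_seen: dict[str, dict[str, datetime]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        phase = classify(e.cmdline)
        if phase:
            first_seen.setdefault(e.host, {}).setdefault(phase, e.ts)
    alerts = []
    for host, seen in first_seen.items():
        start, end = min(seen.values()), max(seen.values())
        if len(seen) >= min_phases and end - start <= window:
            alerts.append(HostAlert(host, [p for p in PHASES if p in seen],
                                    (end - start).total_seconds() / 3600, start))
    # Deepest kill-chain progression first, then earliest start.
    return sorted(alerts, key=lambda a: (-len(a.phases), a.first_seen))


def lateral_fanout(events: list[ProcEvent], window: timedelta = timedelta(minutes=30)) -> tuple[int, datetime | None]:
    """Largest number of distinct hosts with lateral-movement activity inside any window of the given size."""
    lat = sorted((e.ts, e.host) for e in events if classify(e.cmdline) == "lateral_movement")
    best, best_start = 0, None
    for i, (t0, _) in enumerate(lat):
        hosts = {h for t, h in lat[i:] if t - t0 <= window}
        if len(hosts) > best:
            best, best_start = len(hosts), t0
    return best, best_start


T = datetime  # shorthand for the constructed timeline below
SAMPLE_EVENTS = [  # constructed; hostnames, users and times are illustrative
    ProcEvent(T(2026, 6, 26, 9, 0), "ADMIN-01", "corp\\it.admin", "nltest /dclist:corp"),
    ProcEvent(T(2026, 6, 27, 8, 15), "WS-042", "corp\\j.doe", "adfind.exe -f objectcategory=person"),
    ProcEvent(T(2026, 6, 27, 9, 2), "WS-042", "corp\\j.doe", "SharpHound.exe -c All"),
    ProcEvent(T(2026, 6, 27, 10, 0), "WS-017", "corp\\a.lee", "vssadmin.exe list shadows"),
    ProcEvent(T(2026, 6, 27, 11, 40), "WS-042", "corp\\j.doe", r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 712 C:\Temp\l.dmp full"),
    ProcEvent(T(2026, 6, 28, 22, 5), "WS-042", "corp\\svc_backup", 'wmic /node:FS01 process call create "cmd /c C:\\Temp\\s.bat"'),
    ProcEvent(T(2026, 6, 28, 22, 6), "FS01", "corp\\svc_backup", r"C:\Windows\PSEXESVC.exe"),
    ProcEvent(T(2026, 6, 28, 22, 7), "DC01", "corp\\svc_backup", r"C:\Windows\PSEXESVC.exe"),
    ProcEvent(T(2026, 6, 28, 22, 8), "BACKUP01", "corp\\svc_backup", r"C:\Windows\PSEXESVC.exe"),
    ProcEvent(T(2026, 6, 28, 22, 30), "BACKUP01", "corp\\svc_backup", 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcEvent(T(2026, 6, 28, 23, 30), "FS01", "corp\\svc_backup", r"7z a -pQ1 -mhe=on D:\stage\fin.7z \\FS01\Finance"),
    ProcEvent(T(2026, 6, 28, 23, 50), "FS01", "corp\\svc_backup", r"rclone.exe copy D:\stage mega:x --transfers 8"),
    ProcEvent(T(2026, 6, 29, 1, 10), "WS-042", "corp\\svc_backup", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(T(2026, 6, 29, 1, 12), "FS01", "corp\\svc_backup", "vssadmin.exe delete shadows /all /quiet"),
]

if __name__ == "__main__":
    for a in escalation_alerts(SAMPLE_EVENTS):
        print(f"{a.host:10} phases={a.phases} span={a.span_hours:.1f}h from {a.first_seen:%Y-%m-%d %H:%M}")
    n, start = lateral_fanout(SAMPLE_EVENTS)
    print(f"lateral fan-out: {n} hosts within 30 min starting {start:%Y-%m-%d %H:%M}")
```

WS-042 surfaces first with four phases spanning about 41 hours, which is the window in which eviction is still cheaper than restoration; DC01 and ADMIN-01 each show a single phase and stay below the alert threshold, and the fan-out check reports four hosts touched by PsExec/WMI within three minutes of 22:05.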
4.2 Critical Assets QILIN Prioritizes for Exfiltration
Based on confirmed QILIN intrusions, affiliates target the following asset classes for data theft (in priority order):
- Domain Controllers — NTDS.dit, LSASS secrets, Group Policy objects (for GPO-based ransomware deployment)
- File Servers & NAS — bulk PII, financial documents, engineering IP, contracts
- Backup Infrastructure — Veeam, Commvault, Backup Exec servers (both to disable recovery and to steal backup catalogs identifying high-value data)
- Database Servers — SQL Server, PostgreSQL, MongoDB; QILIN has used `sqlcmd` and `mysqldump` for targeted extraction
- Hypervisors (ESXi/vCenter) — QILIN's Rust-based encryptor has native ESXi support; affiliates enumerate VMs and snapshots for both destruction and exfil of VMX/VMDK
- Email Servers / Exchange — mailbox export via New-MailboxExportRequest; high leverage for sextortion-style follow-on pressure
- Finance & Executive Workstations — M&A documents, board materials, banking credentials
4.3 Containment Actions (Ordered by Urgency)
IMMEDIATE (0–15 minutes):
1. Isolate affected hosts via EDR network containment — do NOT power off (preserves volatile memory for forensics)
2. Disable compromised accounts — disable in Active Directory and reset the password. `klist purge` only clears the ticket cache on the host where it runs; tickets the attacker already holds stay valid until they expire or KRBTGT is rotated
3. Block C2 IPs/domains at firewall, proxy, and DNS sinkhole — extract from EDR network connections
4. Quarantine ransomware binary samples — submit to sandbox, extract IOCs, push to EDR blocklist
SHORT-TERM (15–60 minutes):
5. Identify patient zero — trace initial access vector (VPN log correlation, Exchange logs, ScreenConnect session logs)
6. Hunt for additional beacons — run the KQL hunt query (Section 3.2) across the entire estate
7. Force password reset for all privileged accounts (Domain Admins, Enterprise Admins, service account admins)
8. Disable lateral movement paths — block SMB (445), RPC/WMI (135 plus the dynamic RPC range 49152–65535) and RDP (3389) between user VLANs and server/DC VLANs
9. Snapshot and isolate hypervisors — QILIN targets ESXi; take snapshots before any remediation
EXTENDED (1–4 hours):
10. Engage IR retainer and notify cyber insurance carrier (within policy notification window)
11. Preserve evidence — full memory capture of patient zero, EDR forensic packages, Windows event logs, firewall/VPN logs
12. Assess data theft scope — identify exfiltration volume and content for regulatory notification analysis
13. Prepare for detonation — if the encryptor is staged but not yet executed, hunt for the scheduled task / GPO trigger and disable it
14. Communicate — internal executive notification; engage legal counsel for privilege; prepare regulator notification timeline
5. Hardening Recommendations
5.1 Immediate (24 Hours)
| Priority | Control | Action |
|---|---|---|
| P0 | Patch Check Point Security Gateway | Apply vendor hotfix for CVE-2026-50751. Disable IKEv1 if not required. Restrict VPN to MFA-enforced identities. Audit VPN logs for anomalous sessions in last 30 days. |
| P0 | Patch ConnectWise ScreenConnect | Upgrade to fixed version for CVE-2024-1708. Audit ScreenConnect session logs for unauthenticated access. Enforce IP allow-listing on ScreenConnect console. |
| P0 | Patch Microsoft Exchange | Apply cumulative update addressing CVE-2023-21529. Audit OWA/autodiscover logs for deserialization exploitation indicators. |
| P0 | Patch Cisco FMC | Upgrade per CVE-2026-20131 advisory. Audit FMC configuration for unauthorized rule changes. |
| P0 | Patch Nx Console | Remove compromised Nx Console versions per CVE-2026-48027. Audit package integrity across dev environments. |
| P1 | EDR Coverage Verification | Confirm EDR agent reporting on all endpoints, including Linux servers. ESXi does not run a conventional EDR agent, so cover hypervisors by forwarding ESXi syslog and vCenter audit events to the SIEM and alerting on SSH enablement and mass VM power-off. QILIN's Rust encryptor runs on ESXi — ensure that coverage exists. |
| P1 | MFA Enforcement | Enforce MFA on ALL VPN, RDP, and remote access. Disable RDP exposure to internet entirely; require VPN + MFA + jump host. |
| P1 | Backup Air-Gap Verification | Confirm at least one offline/immutable backup copy exists. Test restore. QILIN specifically hunts and destroys Veeam/backup servers. |
| P2 | Alert Tuning | Deploy Sigma rules from Section 3.1. Tune for low false-positive rate. Page SOC on CRITICAL alerts immediately. |
| P2 | Privileged Access Lockdown | Enable LAPS on all workstations. Rotate KRBTGT password twice (24h apart). Audit Tier-0 admin group membership. |
5.2 Short-Term (2 Weeks)
Architecture-Level Changes:
- Network Segmentation Refactor — Implement East-West microsegmentation between user, server, and OT/manufacturing zones. QILIN's lateral movement via PsExec/WMI/RDP relies on flat networks. Enforce default-deny between VLANs with explicit allow rules for required service flows.
- Tiered Administration Model — Implement Microsoft Tier-0/1/2 model. Tier-0 (DC, AD CS, hypervisors) accessible only from dedicated PAWs. Block interactive logon to DCs from non-Tier-0 accounts. This breaks QILIN's path from workstation compromise to domain dominance.
- Backup Architecture Hardening — Deploy immutable/object-lock backup storage (AWS S3 Object Lock, Azure Immutable Blob, Wasabi Immutability). Implement 3-2-1-1-0 rule: 3 copies, 2 media, 1 offsite, 1 immutable, 0 errors. Segregate backup management network from production. QILIN affiliates will enumerate jobs and hosts with `Get-VBRJob` and `Get-VBRESXi` on Veeam servers.
- Identity Threat Detection — Deploy Microsoft Defender for Identity or equivalent. Enable LDAP query anomaly detection (QILIN's AdFind/BloodHound activity generates detectable LDAP query patterns). Configure canary objects in AD (honeytokens) that alert on any query.
- Exchange Hybrid Hardening — If on-prem Exchange remains, deploy Exchange Online Protection + Defender for Office 365. Restrict on-prem OWA to intranet only. Consider Exchange hybrid agent to eliminate public-facing on-prem endpoints.
- ESXi Hardening — Enable ESXi Lockdown Mode. Restrict SSH. Use the NSX Distributed Firewall where NSX is deployed, otherwise the ESXi host firewall, to limit management-plane access. ESXi does not run a conventional EDR agent, so forward ESXi syslog and vCenter audit events to the SIEM. Audit for unauthorized VM snapshots (QILIN exfil via snapshot export).
- Supply Chain / MSP Control — Audit all third-party remote access (ScreenConnect, N-Able, Kaseya, Datto). Require MFA for all MSP technician access. Implement just-in-time access (session approval) for MSP tooling. Log and retain all MSP session recordings.
- OT/ICS Segmentation — For manufacturing victims (Chamco, Kunert, Metal Sur Famin), implement Purdue Model segmentation. QILIN's interest in manufacturing means OT networks must be isolated from IT compromise. Deploy unidirectional gateways where feasible.
6. Strategic Assessment
QILIN's June 2026 campaign reflects a maturing RaaS operation with diversified initial access vectors, disciplined affiliate recruitment, and deliberate targeting of organizations with high downtime cost. The June 29 cluster dump of 9 victims is a signal of operational capacity — not a fluke. Security teams should assume QILIN has active access in environments that have not yet detected it.
The convergence of five KEV-listed CVEs in QILIN's attack surface — spanning edge VPN (Check Point), MSP tooling (ScreenConnect), collaboration (Exchange), developer tooling (Nx Console), and firewall management (Cisco FMC) — means that patching any single CVE is insufficient. Defense must be layered: patch coverage + EDR + identity hardening + segmentation + immutable backups.
Bottom Line: Treat QILIN as a Tier-1 active threat for the next 90 days. Prioritize patching the five KEV CVEs, validate backup integrity, and deploy the detection content in Section 3. If you're in manufacturing, business services, food production, or education and you have unpatched Check Point, ScreenConnect, or Exchange — assume compromise and hunt.
Intelligence Cut-Off: 2026-06-30 23:59 UTC Next Update: 2026-07-07 or upon significant campaign shift