QILIN Ransomware Gang: 17 New Victims Posted — Critical Exploitation of Exchange & Firewall Flaws

Threat Actor Profile — QILIN

Aliases: Agenda, Qilin.B Model: RaaS (Ransomware-as-a-Service) Typical Ransom Demands: $200,000 – $2,000,000 USD (negotiable)

QILIN (formerly Agenda) is a Rust-based ransomware operation that functions as a RaaS. They are known for aggressive targeting of critical infrastructure and commercial sectors. Initial access is typically gained via compromised credentials, phishing campaigns delivering malicious macros, or exploitation of public-facing vulnerabilities—specifically targeting edge devices like VPNs, Firewalls, and Email servers.

Tactics:

• Double Extortion: QILIN exfiltrates sensitive data prior to encryption and threatens to release it on their leak site.
• Encryption: Custom Rust binary targeting Windows and Linux environments.
• Dwell Time: Average 3–5 days from initial access to detonation.

Current Campaign Analysis

Recent Activity: Between May 4 and May 7, 2026, QILIN posted 17 new victims to their dark web leak site. This represents a significant acceleration in operations, with a spike on May 6 (9 victims posted).

Targeted Sectors: The current campaign shows a distinct diversification but a heavy focus on operational continuity targets:

• Manufacturing (4 victims): Sylvania (DE), Complastex.com (BR), Lexus (UA).
• Construction (2 victims): Asphalt Specialists (US), Seagate Capital Construction (US).
• Public Sector/Healthcare/Education: Norcal Training Center (US), Le Maire de QUIBERON (FR), Laclinic-Montreux (CH).

Geographic Concentration:

• Primary: United States (6 victims), Germany (1), Italy (1).
• Secondary: Brazil, France, Thailand, Switzerland, Paraguay, Spain, Ukraine.

CVE Linkage: The campaign coincides with the active exploitation of critical edge infrastructure vulnerabilities:

• CVE-2023-21529 (Microsoft Exchange): A deserialization vulnerability allowing authenticated attackers to execute code. High relevance given the Business Services and Education targets.
• CVE-2026-20131 (Cisco Secure Firewall): Deserialization vulnerability. Critical for the Transportation and Logistics sectors targeted.
• SmarterMail Vulnerabilities (CVE-2025-52691, CVE-2026-23760): File upload and auth bypass. Likely entry point for the Business Services victims.

Observed Pattern: QILIN is targeting organizations with exposed management interfaces (Email, Firewalls) to gain initial access, followed rapidly by data exfiltration and encryption.

Detection Engineering

Sigma Rules

title: Suspicious PowerShell Encoded Command - Qilin Context
id: 4a2b3c4d-5e6f-7890-1a2b-3c4d5e6f789a
date: 2026/05/07
status: experimental
description: Detects base64 encoded commands in PowerShell, often used by Qilin initial access droppers.
references:
    - https://securityarsenal.com/threat-intel/qilin
author: Security Arsenal Research
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\powershell.exe'
        CommandLine|contains: '-enc '
    condition: selection
falsepositives:
    - Administrative scripts
level: high
---
title: Lateral Movement via PsExec or WMI - Qilin Context
id: 5b3c4d5e-6f78-901a-2b3c-4d5e6f78901b
date: 2026/05/07
status: experimental
description: Detects the use of PsExec or WMIC for lateral movement, a common Qilin TTP.
references:
    - https://securityarsenal.com/threat-intel/qilin
author: Security Arsenal Research
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith:
            - '\psexec.exe'
            - '\psexec64.exe'
            - '\wmic.exe'
    condition: selection
falsepositives:
    - System administration
level: high
---
title: Volume Shadow Copy Deletion via Vssadmin
id: 6c4d5e6f-7890-1a2b-3c4d5e6f78901c
date: 2026/05/07
status: experimental
description: Detects attempts to delete volume shadow copies, a precursor to ransomware encryption used by Qilin.
references:
    - https://securityarsenal.com/threat-intel/qilin
author: Security Arsenal Research
tags:
    - attack.impact
    - attack.t1490
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    condition: selection
falsepositives:
    - System backup maintenance
level: critical

KQL (Microsoft Sentinel)

// Hunt for Qilin lateral movement and staging activities
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName in~ ("powershell.exe", "psexec.exe", "psexec64.exe", "wmic.exe", "cmd.exe", "cscript.exe")
| where ProcessCommandLine has any ("-enc", "-nop", "-w hidden", "create", "call", "process call create")
| where InitiatingProcessFileName != "powershell.exe" or InitiatingProcessFileName != "cmd.exe"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc

Rapid Response PowerShell Script

# Qilin Ransomware Rapid Response Check
# Usage: Run as Administrator

Write-Host "[+] Checking for recent suspicious Scheduled Tasks..."
$Tasks = Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)}
if ($Tasks) { $Tasks | Select-Object TaskName, Date, Author, Action } else { Write-Host "No tasks created in last 7 days." }

Write-Host "[+] Checking for Shadow Copy Deletion Attempts in Event Logs..."
$VssEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
              Where-Object {$_.Message -like '*vssadmin.exe*' -and $_.Message -like '*delete*'}
if ($VssEvents) { $VssEvents | Select-Object TimeCreated, Message } else { Write-Host "No VSS deletion events found." }

Write-Host "[+] Checking for recent RDP Logins (External IPs)..."
$RDP = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
        Where-Object {$_.Message -like '*Logon Type: 10*' -and $_.Message -notlike '*127.0.0.1*'}
if ($RDP) { $RDP | Select-Object TimeCreated, Message } else { Write-Host "No external RDP logins found." }

Incident Response Priorities

T-minus Detection Checklist (Pre-Encryption):

1. PowerShell Logs: Search for Script Block Logs containing Invoke-Expression or encoded payloads.
2. Network Traffic: Look for large outbound transfers to non-standard ports (Data Exfil).
3. User Accounts: Audit for sudden creation of new local admin accounts or modification of existing privileges.

Critical Assets Prioritized for Exfiltration:

• Customer PII databases (HR, CRM).
• Financial records (Accounting, Tax docs).
• Intellectual Property (CAD drawings for Manufacturing targets).

Containment Actions (Ordered by Urgency):

1. Isolate: Disconnect affected subnets from the core network immediately.
2. Disable: Turn off non-essential RDP and VPN access; enforce MFA for all remaining access.
3. Revoke: Reset credentials for service accounts and privileged users identified in the logs.

Hardening Recommendations

Immediate (24 Hours):

• Patch: Apply updates for CVE-2023-21529 (Exchange) and CVE-2026-20131 (Cisco FMC) immediately.
• Audit: Restrict internet access to SmarterMail interfaces (CVE-2025-52691) if patching is delayed.
• MFA: Enforce phishing-resistant MFA on all email and remote access gateways.

Short-term (2 Weeks):

• Network Segmentation: Move critical backup and manufacturing systems to isolated VLANs.
• EDR Deployment: Ensure EDR sensors are active on all edge servers and workstations, specifically monitoring for PowerShell activity.
• Honeypots: Deploy low-interaction honeypots (e.g., fake RDP/SMB shares) to detect active scanning behavior.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub