Back to Intelligence

QILIN Ransomware Gang: 17 New Victims Posted — Exchange & Cloud Firewall Exploitation Surge

SA
Security Arsenal Team
May 14, 2026
6 min read

Aliases: Agenda (formerly), Qilin.B Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates a highly affiliate-driven model, providing a Rust-based encryptor known for its speed and customization capabilities. Ransom Demands: Typically high-value, ranging from $500,000 to multi-million dollar demands, often calculated based on victim revenue and stolen data volume. Initial Access Methods: The gang has pivoted aggressively from traditional phishing to exploiting unpatched public-facing infrastructure. Recent campaigns heavily leverage vulnerabilities in Microsoft Exchange (CVE-2023-21529) and email gateway software (SmarterMail). They also utilize valid credentials obtained via infostealing malware to access VPNs and remote services (RDP). Extortion Strategy: Strict double extortion. Qilin exfiltrates sensitive data prior to encryption and threatens public release on their .onion site. They are known to pressure victims by contacting their clients and partners directly. Dwell Time: Historically short. Once access is established, Qilin affiliates often move laterally within 2-5 days, utilizing tools like Cobalt Strike and custom PowerShell scripts to escalate privileges and deploy the payload.

Current Campaign Analysis

Sector Targeting: The recent posting wave indicates a diversified but opportunistic targeting strategy. While Business Services remain the most frequent target (40% of recent victims), likely due to access via managed service providers (MSPs) or common SaaS platforms, there is a significant spike in Manufacturing, Healthcare, and Technology sectors.

Geographic Concentration: The campaign is heavily US-centric (approx. 50% of listed victims), but shows clear global reach with significant activity in the UK (GB), Canada (CA), and Australia (AU). This suggests a broad-scoped automated exploitation of internet-facing vulnerabilities rather than manual, region-specific targeting.

Victim Profile: Victims range from small-to-mid-sized enterprises (SMEs) to larger entities (e.g., AppDirect, Bluize). The inclusion of legal and architectural firms suggests the group targets sectors that hold high-value intellectual property (IP) and sensitive client PII, maximizing extortion leverage.

Observed Patterns: Posting frequency has accelerated, with 15 of the 17 recent victims posted within a 48-hour window (May 11-13). This "bulk upload" behavior suggests a significant operational success or a coordinated effort by multiple affiliates using a freshly acquired exploit kit.

CVE Correlation: There is a high-confidence correlation between the surge in victims and the recent addition of specific CVEs to the CISA Known Exploited Vulnerabilities (KEV) list:

  • CVE-2023-21529 (Microsoft Exchange): Used for initial access into corporate email servers, likely facilitating credential harvesting and lateral movement.
  • CVE-2025-52691 / CVE-2026-23760 (SmarterTools SmarterMail): Targeted at technology and business service providers, providing an entry point into hosted email environments.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential Microsoft Exchange Deserialization Exploitation
id: 8a1b2c3d-4e5f-6789-0123-456789abcdef
status: experimental
description: Detects suspicious deserialization activity or web shell creation related to CVE-2023-21529 on Microsoft Exchange Servers.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/05/14
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5140
        ShareName|contains: 'Exchange'
        SubjectUserName|contains: 'IIS APPPOOL'
    condition: selection
falsepositives:
    - Legitimate Exchange administrative maintenance
level: high
---
title: SmarterMail Arbitrary File Upload or Auth Bypass
id: 9b2c3d4e-5f6a-7890-1234-56789abcdef0
status: experimental
description: Detects potential exploitation of SmarterMail vulnerabilities (CVE-2025-52691, CVE-2026-23760) via web logs.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/05/14
logsource:
    product: webserver
detection:
    selection_uri:
        c_uri|contains:
            - '/Migrate/'
            - '/Services/Mail.asmx'
    selection_payload:
        cs_uri_query|contains:
            - '.aspx'
            - 'ViewState'
    condition: all of selection_*
falsepositives:
    - Legitimate API usage by administrators
level: critical
---
title: Suspicious Lateral Movement via PsExec
id: 0c3d4e5f-6a7b-8901-2345-67890abcdef1
status: experimental
description: Detects the use of PsExec, a common tool used by Qilin affiliates for lateral movement and ransomware deployment.
author: Security Arsenal Research
date: 2026/05/14
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\psexec.exe'
            - '\psexec64.exe'
        CommandLine|contains: 'accepteula'
    filter_legit:
        ParentImage|contains: '\System32\'
    condition: selection and not filter_legit
falsepositives:
    - System administrator usage
level: high

KQL Query (Microsoft Sentinel)

Hunts for lateral movement and data staging patterns associated with Qilin operations.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe")
| where ProcessCommandLine has any("node", "create", "shadowcopy", "delete")
| summarize arg_max(Timestamp, *) by DeviceId, AccountName
| project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine, InitiatingProcessFileName
| extend timestamp_format = format_datetime(Timestamp, 'yyyy-MM-dd HH:mm:ss')

PowerShell Hardening Script

Rapid response script to identify potential Qilin persistence mechanisms and suspicious VSS activity.

PowerShell
# Check for Scheduled Tasks created in the last 7 days (Common Persistence)
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | Select-Object TaskName, TaskPath, Date, Author

# Check Volume Shadow Copy Service (VSS) manipulation
Write-Host "Checking recent VSS events (Event ID 8229 - Shadow Copy Deletion)..."
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=8229; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message

# Enumerate unusual network connections (potential C2)
Write-Host "Checking for established connections to non-standard ports..."
Get-NetTCPConnection -State Established | Where-Object {$_.RemotePort -notin 443,80,22,3389} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess

Incident Response Priorities

T-Minus Detection Checklist:

  1. Exchange Server Forensics: Immediately review IIS logs (C:\inetpub\logs\LogFiles) for patterns matching CVE-2023-21529 (e.g., suspicious POST requests to /EWS/Exchange.asmx or /autodiscover with large payloads).
  2. MFA Bypass Audit: Investigate logs for successful authentication events from impossible travel locations or non-corporate devices, specifically targeting IIS APPPOOL accounts or service accounts.
  3. Process Lineage: Hunt for powershell.exe spawning from w3wp.exe (IIS worker process) or svchost.exe—a classic sign of web shell execution.

Critical Assets for Exfiltration: Qilin historically prioritizes:

  • Legal & Financial Documents: Contracts, M&A data, tax returns.
  • Employee PII: HR databases, payroll files.
  • CAD/Engineering Schematics: Intellectual property (highly relevant given Manufacturing victims).
  • Client Databases: CRM exports and customer lists.

Containment Actions:

  1. Isolate Exchange Servers: If compromise is suspected, disconnect the NICs immediately. Do not shut down cleanly if memory forensics are needed for web shell retrieval.
  2. Revoke Privileged Credentials: Force reset of Domain Admin and Service Account credentials known to be used on the affected Exchange/SmarterMail servers.
  3. Block Outbound C2: Implement firewall rules to block access to known Tor nodes and anonymizing proxies used by Qilin affiliates.

Hardening Recommendations

Immediate (24h):

  • Patch Critical CVEs: Immediately apply patches for CVE-2023-21529 (Exchange), CVE-2025-52691, and CVE-2026-23760 (SmarterMail). If patching is delayed, follow vendor guidance for mitigating controls (e.g., disabling vulnerable services).
  • External Access Audit: Ensure OWA/ECP and SmarterMail interfaces are behind a Zero Trust Access solution or strictly enforced VPN with MFA. Block direct internet access where possible.

Short-term (2 weeks):

  • Network Segmentation: Enforce strict segmentation preventing Email servers from communicating with critical backup servers or domain controllers.
  • Enhanced Logging: Deploy EDR agents on all mail gateway servers and enable detailed PowerShell script block logging to catch obfuscated execution chains.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarecisa-kevexchange-serverlateral-movementsmartermail

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action