Threat Actor Profile — QILIN
Known Aliases: Agenda, Twisted Spider
Operating Model: RaaS (Ransomware-as-a-Service) with affiliate network
Typical Ransom Demands: $300K-$5M based on victim revenue, with an average of $800K
Initial Access Methods:
- Exploitation of VPN vulnerabilities (Fortinet, Pulse Secure, Check Point)
- Phishing campaigns with malicious macros
- RDP brute force using compromised credentials
- Supply chain compromises through trusted vendors
Double Extortion Approach: QILIN consistently exfiltrates sensitive data before encryption, typically 200GB-5TB per victim, with threats to publish if ransom isn't paid
Average Dwell Time: 4-12 days before detonation, using this time for lateral movement and identifying critical data
Current Campaign Analysis
Sector Targeting
QILIN's recent activity shows a clear preference for:
- Business Services (6 victims) - Law firms, consultancies, and professional services
- Consumer Services (3 victims) - Retail and jewelry businesses
- Technology (1 victim) - IT services
- Healthcare (1 victim) - Medical services
- Manufacturing (1 victim) - Industrial equipment
- Not Found (3 victims) - Sector classification unclear
Geographic Concentration
- United States: 9 victims (50% of total)
- Germany: 2 victims
- Spain, Mexico, South Korea, Moldova: 1 victim each
Victim Profile
Based on identified sectors, QILIN appears to be targeting:
- Small to mid-sized businesses ($10M-$100M revenue)
- Organizations with high-value intellectual property or sensitive client data
- Businesses with likely limited security resources
Posting Frequency
A significant spike in activity occurred on 2026-06-10 with 13 victims posted, followed by 2 on 2026-06-11 and 1 on 2026-06-12. This pattern suggests either a coordinated multi-affiliate operation or a specific attack tool campaign executed by a single sophisticated affiliate.
CVE Connections
The recent CVEs listed in the CISA KEV catalog likely correlate with QILIN's initial access vectors:
- CVE-2026-50751 (Check Point Security Gateway): Recently added vulnerability that could provide perimeter bypass
- CVE-2024-1708 (ConnectWise ScreenConnect): Known remote access vulnerability frequently exploited by QILIN affiliates
- CVE-2023-21529 (Microsoft Exchange Server): Email system compromise remains a primary vector for initial access
Detection Engineering
SIGMA Rules
YAML
---
title: Potential QILIN Ransomware Initial Access via VPN Exploitation
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects potential QILIN ransomware initial access attempts through VPN exploitation patterns observed in recent campaigns
status: experimental
date: 2026/06/14
author: Security Arsenal Threat Research Team
references:
- https://securityarsenal.com/darkside
tags:
- attack.initial_access
- attack.t1190
- attack.t1133
- qilin
logsource:
category: firewall
detection:
selection:
dst_port:
- 443
- 500
- 4500
protocol:
- udp
- tcp
filter_likely_legit:
src_ip:
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
condition: selection and not filter_likely_legit
falsepositives:
- Legitimate remote access from unknown IPs
level: medium
---
title: Potential QILIN Lateral Movement via PsExec and WMI
id: b2c3d4e5-6789-01ab-cdef-234567890abc
description: Detects potential QILIN ransomware lateral movement patterns using PsExec and WMI, commonly used in their campaigns
status: experimental
date: 2026/06/14
author: Security Arsenal Threat Research Team
references:
- https://securityarsenal.com/darkside
tags:
- attack.lateral_movement
- attack.t1021.002
- attack.t1047
- qilin
logsource:
product: windows
service: security
detection:
selection_psexec:
EventID: 5145
ShareName: 'ADMIN$'
RelativeTargetName|endswith: 'psexesvc.exe'
selection_wmi:
EventID: 4688
NewProcessName|contains:
- 'wmiprvse.exe'
- 'svchost.exe'
CommandLine|contains:
- 'wmic'
- 'Invoke-WmiMethod'
- 'Get-WmiObject'
filter_legit_admin:
SubjectUserName|contains:
- 'admin'
- 'service'
- 'system'
condition: 1 of selection_* and not filter_legit_admin
falsepositives:
- Legitimate administrative activities
- IT management tools
level: high
---
title: Potential QILIN Data Staging Before Encryption
id: c3d4e5f6-7890-12ab-def0-345678901234
description: Detects potential QILIN data staging patterns observed in recent campaigns prior to encryption
status: experimental
date: 2026/06/14
author: Security Arsenal Threat Research Team
references:
- https://securityarsenal.com/darkside
tags:
- attack.exfiltration
- attack.t1074.001
- attack.t1048.003
- qilin
logsource:
product: windows
service: sysmon
detection:
selection_archive:
EventID: 1
Image|endswith:
- '\winrar.exe'
- '\7z.exe'
- '\powershell.exe'
CommandLine|contains:
- '-a'
- 'Compress-Archive'
- 'New-Item -ItemType File'
selection_rclone:
EventID: 1
Image|endswith:
- '\rclone.exe'
CommandLine|contains:
- 'copy'
- 'sync'
- 'config'
selection_file_count:
EventID: 1
Image|endswith:
- '\robocopy.exe'
CommandLine|contains:
- '/E'
- '/COPYALL'
- '/ZB'
filter_legit:
User|contains:
- 'admin'
- 'backup'
- 'system'
condition: 1 of selection_* and not filter_legit
falsepositives:
- Legitimate backup operations
- File archiving activities
level: high
KQL Query for Microsoft Sentinel
KQL — Microsoft Sentinel / Defender
// Hunt for QILIN lateral movement and staging indicators
let TimeFrame = ago(7d);
let SuspiciousProcesses = datatable(ProcessName:string, CommandLinePattern:string)[
'psexec.exe', '-accepteula',
'wmiprvse.exe', 'wmic process call',
'rclone.exe', 'config',
'7z.exe', '-tzip',
'powershell.exe', 'Compress-Archive',
'robocopy.exe', '/COPYALL'
];
DeviceProcessEvents
| where Timestamp >= TimeFrame
| where ProcessName in (SuspiciousProcesses)
| extend Matches = pack_all()
| where CommandLine has CommandLinePattern
| project Timestamp, DeviceName, AccountName, ProcessName, CommandLine, InitiatingProcessFileName
| order by Timestamp desc
PowerShell Response Script
PowerShell
# QILIN Ransomware Rapid Response Hardening Script
# Run with elevated privileges
# Function to check for exposed RDP
function Test-RDPExposure {
Write-Host "Checking for RDP exposure..." -ForegroundColor Yellow
$rdpStatus = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
$rdpNLA = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication
if ($rdpStatus -eq 0) {
Write-Host "[CRITICAL] RDP is enabled on this system!" -ForegroundColor Red
} else {
Write-Host "[INFO] RDP is disabled on this system." -ForegroundColor Green
}
if ($rdpNLA -eq 0) {
Write-Host "[CRITICAL] Network Level Authentication is not configured for RDP!" -ForegroundColor Red
} else {
Write-Host "[INFO] Network Level Authentication is configured for RDP." -ForegroundColor Green
}
}
# Function to enumerate recently scheduled tasks
function Get-RecentScheduledTasks {
Write-Host "Checking for scheduled tasks created in the last 7 days..." -ForegroundColor Yellow
$dateThreshold = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object {
$_.Date -gt $dateThreshold -and $_.Author -notmatch "Microsoft|System"
} | ForEach-Object {
Write-Host "[SUSPICIOUS] Task found: $($_.TaskName), Author: $($_.Author), Created: $($_.Date)" -ForegroundColor Red
Get-ScheduledTaskInfo -TaskName $_.TaskName | Format-List
}
}
# Function to check for recently modified Volume Shadow Copies
function Test-RecentShadowCopies {
Write-Host "Checking for recently modified Volume Shadow Copies..." -ForegroundColor Yellow
$dateThreshold = (Get-Date).AddHours(-24)
Get-CimInstance Win32_ShadowCopy | Where-Object {
$_.InstallDate -gt $dateThreshold
} | ForEach-Object {
Write-Host "[SUSPICIOUS] Recent shadow copy found: $($_.ID), Created: $($_.InstallDate), Volume: $($_.VolumeName)" -ForegroundColor Red
}
}
# Function to check for evidence of data exfiltration tools
function Test-ExfiltrationTools {
Write-Host "Checking for common data exfiltration tools..." -ForegroundColor Yellow
$exfilTools = @('rclone.exe', 'winscp.exe', 'filezilla.exe', 'curl.exe')
foreach ($tool in $exfilTools) {
$paths = @(
"C:\Windows\System32\$tool",
"C:\Windows\SysWOW64\$tool",
"C:\Program Files\$tool",
"C:\Program Files (x86)\$tool",
"$env:USERPROFILE\Downloads\$tool",
"$env:TEMP\$tool"
)
foreach ($path in $paths) {
if (Test-Path $path) {
$fileInfo = Get-Item $path
Write-Host "[SUSPICIOUS] Exfiltration tool found: $path, LastModified: $($fileInfo.LastWriteTime)" -ForegroundColor Red
}
}
}
}
# Main execution
Write-Host "QILIN Ransomware Rapid Response Hardening Script" -ForegroundColor Cyan
Write-Host "=============================================" -ForegroundColor Cyan
Write-Host ""
Test-RDPExposure
Write-Host ""
Get-RecentScheduledTasks
Write-Host ""
Test-RecentShadowCopies
Write-Host ""
Test-ExfiltrationTools
Write-Host ""
Write-Host "Script execution completed." -ForegroundColor Cyan
Incident Response Priorities
T-minus Detection Checklist
- Network Layer: Look for unusual outbound VPN traffic, especially to known QILIN infrastructure IPs
- Authentication: Monitor for multiple failed VPN login attempts followed by success
- File System: Alert on sudden creation of archives (ZIP, RAR) in unusual directories
- Process Activity: Flag suspicious processes like PsExec, WMI execution from non-admin accounts
- Volume Shadow Copies: Monitor for rapid deletion or modification of VSS copies
Critical Assets QILIN Prioritizes for Exfiltration
- Customer databases with PII/PCI data
- Intellectual property and trade secrets
- Financial records and accounting data
- HR files with employee information
- Legal documents and client communications
Containment Actions (by urgency)
- IMMEDIATE: Isolate affected systems from network but maintain power for forensic preservation
- URGENT: Disable VPN access and enforce MFA for all remote access
- URGENT: Change all privileged credentials, especially for domain and service accounts
- HIGH: Block outbound traffic to known QILIN infrastructure and file storage services
- HIGH: Temporarily suspend non-essential remote access protocols
Hardening Recommendations
Immediate (24h)
- Patch all VPN/concentrator devices, especially for CVE-2026-50751 (Check Point) and CVE-2024-1708 (ConnectWise)
- Enforce MFA for all remote access, with FIDO2 preferred
- Disable RDP where possible or restrict to specific IPs with NLA enforced
- Implement network segmentation to limit lateral movement
- Deploy EDR rules to detect QILIN TTPs on endpoints
Short-term (2 weeks)
- Implement zero-trust network access architecture
- Deploy application-level segmentation for critical systems
- Enhance monitoring for data exfiltration attempts
- Conduct security awareness training focused on identifying sophisticated phishing
- Implement backup verification and testing procedures
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebransomware-gangqilinransomwarebusiness-servicesvpn-exploitationlateral-movementdata-exfiltration
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.