
QILIN Ransomware Gang: 18 New Victims Posted — Critical Infrastructure & Tech Sector Targeting

Security Arsenal Team
May 22, 2026

Date: 2026-05-23
Analyst: Principal Security Engineer, Security Arsenal
Source: Ransomware.live (Live Dark Web Telemetry)


Threat Actor Profile — QILIN

Aliases: Agenda, Qilin.Burn (notable rebrand).

Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates on an affiliate-based model, distributing customizable encryptors to partners who handle initial access and negotiations. The core team maintains the leak site and encryption algorithms.

Ransom Demands: Highly variable, typically ranging from $300,000 to $5 million USD, depending on the victim's revenue and the sensitivity of exfiltrated data. Recent activity suggests a willingness to negotiate, but extortion pressure is aggressive.

Initial Access Vectors:
Qilin affiliates are opportunistic but favor high-impact exploits. Currently, they are heavily leveraging:

  • Vulnerability Exploitation: Specifically targeting internet-facing services (VPN, RDP, Firewalls).
  • Phishing: Malicious documents with macros or LNK droppers remain a staple for lower-value targets.
  • Supply Chain: Compromising managed service providers (MSPs) to pivot downstream.

Extortion Strategy: Double extortion. The group steals sensitive data prior to encryption and threatens to publish it on their Tor leak site if the ransom is not paid.

Average Dwell Time: 3 to 10 days. Qilin actors are known for establishing persistence, performing extensive reconnaissance, and exfiltrating large volumes of data before triggering the encryptor.


Current Campaign Analysis

Based on the last 100 postings observed on the Qilin leak site, the following trends have emerged:

Sectors Under Attack

Qilin is displaying a distinct pivot towards the Technology and Construction sectors, alongside a persistent focus on Manufacturing.

  • Technology: High-value targets like Semgrep (US) suggest a hunt for intellectual property and source code.
  • Construction: Significant activity in the US (CJ Architects), Austria (ROTO Immobilien), and Australia (RCR Industrial Flooring).
  • Manufacturing: Continued targeting of production facilities (Snyder Packaging, Buckeye Paper), likely due to low tolerance for downtime.

Geographic Concentration

The campaign is heavily concentrated in North America (US, CA) and Europe (GB, AT, CZ, ES), but shows global reach with hits in Argentina (AR) and Australia (AU). The US remains the primary target.

Victim Profile

Recent victims range from mid-sized businesses to large enterprises. The inclusion of entities like Vernon & Ginsburg and Hamer Childs suggests a "spray and pray" approach alongside targeted hunting for specific high-yield sectors like Tech and Construction.

Posting Frequency & Escalation

Qilin is averaging 1-2 new victim postings per day. The release date is often 3-7 days after the initial breach, aligning with the typical ransom negotiation deadline.

CVE Connection: The Initial Access Gateway

This campaign is being fueled by the exploitation of recently added CISA Known Exploited Vulnerabilities (KEVs). Qilin affiliates are actively scanning for and exploiting:

  • CVE-2024-1708 (ConnectWise ScreenConnect): A critical path traversal flaw used for remote code execution. This is a primary vector for initial access.
  • CVE-2023-21529 (Microsoft Exchange Server): A deserialization flaw allowing authenticated attackers to achieve remote code execution, likely used for lateral movement within compromised environments.
  • CVE-2026-20131 (Cisco Secure Firewall Management Center): A deserialization vulnerability that could provide a foothold into network infrastructure.
  • CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail): Used in tandem, these vulnerabilities (unrestricted file upload and authentication bypass) provide a direct path to compromise mail servers.

Detection Engineering

SIGMA Rules

These rules target the specific Tactics, Techniques, and Procedures (TTPs) observed in recent Qilin intrusions, focusing on the exploitation of CVE-2024-1708 and lateral movement activity.

YAML
title: Potential Exploitation of ConnectWise ScreenConnect CVE-2024-1708
description: Detects potential exploitation of the path traversal vulnerability in ConnectWise ScreenConnect (CVE-2024-1708) by identifying suspicious web requests to the Login.aspx page.
status: experimental
author: Security Arsenal
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1708
date: 2026/05/23
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '..\\'
            - '..%2f'
            - '..%5c'
        cs-uri-stem|endswith: '/Login.aspx'
    condition: selection
fields:
    - cs-uri-query
    - c-ip
    - cs-user-agent
falsepositives:
    - Potential false positives from legitimate but misconfigured scanners.
level: high
---
title: Qilin Lateral Movement via PsExec and WMI
description: Detects potential Qilin ransomware lateral movement activity by identifying the creation of new services using PsExec or the execution of commands via WMI, common techniques for spreading across a network.
status: experimental
author: Security Arsenal
references:
    - https://attack.mitre.org/techniques/T1021/002/
    - https://attack.mitre.org/techniques/T1047/
date: 2026/05/23
tags:
    - attack.lateral_movement
    - attack.t1021.002
    - attack.t1047
logsource:
    category: process_creation
detection:
    selection_psexec:
        Image|endswith:
            - '\\psexec.exe'
            - '\\psexec64.exe'
        CommandLine|contains:
            - 'accepteula'
            - '-d'
    selection_wmi:
        Image|endswith:
            - '\\wmic.exe'
            - '\\powershell.exe'
        CommandLine|contains:
            - 'process call create'
            - 'Invoke-WmiMethod'
    condition: 1 of selection*
fields:
    - Image
    - CommandLine
    - ParentImage
falsepositives:
    - Legitimate administrative activity.
level: medium
---
title: Ransomware Data Staging Activity via Rclone
description: Detects the use of Rclone, a command-line program often used by threat actors for data exfiltration. This rule looks for the execution of rclone.exe with flags typical for transferring data to remote storage.
status: experimental
author: Security Arsenal
references:
    - https://attack.mitre.org/techniques/T1041/
date: 2026/05/23
tags:
    - attack.exfiltration
    - attack.t1041
logsource:
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\\rclone.exe'
        CommandLine|contains:
            - 'copy'
            - 'sync'
            - 'config'
            - 'swift:'
            - 's3:'
            - 'gdrive:'
            - 'onedrive:'
    condition: selection
fields:
    - Image
    - CommandLine
    - User
    - ParentImage
falsepositives:
    - Legitimate use of rclone by system administrators.
level: high
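
As an added example (not the post's own code), the first Sigma selection transcribed into a small Python matcher run over constructed IIS W3C log lines. It also shows a decoded variant that catches uppercase and double-encoded traversal the literal string list misses. The log lines, IPs and user agents are constructed.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not real telemetry); IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(User-Agent)
2026-05-20 08:01:02 10.0.0.5 GET /Login.aspx ReturnUrl=%2f Mozilla/5.0
2026-05-20 08:01:09 203.0.113.7 GET /Login.aspx file=..%2f..%2fweb.config curl/8.0
2026-05-20 08:01:11 203.0.113.7 GET /Login.aspx file=..%2F..%2Fweb.config curl/8.0
2026-05-20 08:01:15 203.0.113.7 GET /Login.aspx file=..%252f..%252fweb.config curl/8.0
2026-05-20 08:02:00 10.0.0.9 GET /Administration/Login.aspx - Mozilla/5.0
"""

# The rule's selection: both keys must match (AND), each value list is OR-ed,
# and Sigma string modifiers compare case-insensitively.
TRAVERSAL_PATTERNS = ('..\\', '..%2f', '..%5c')
STEM_SUFFIX = '/login.aspx'

def parse_iis(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
        elif line and not line.startswith('#') and fields:
            yield dict(zip(fields, line.split()))

def matches_rule(event):
    """Literal transcription of the Sigma selection."""
    query = event.get('cs-uri-query', '').lower()
    stem = event.get('cs-uri-stem', '').lower()
    return stem.endswith(STEM_SUFFIX) and any(p in query for p in TRAVERSAL_PATTERNS)

def matches_rule_decoded(event):
    """Hardened variant: URL-decode twice, then look for a traversal sequence,
    so double-encoded '..%252f' is caught alongside '..%2f' and '..\\'."""
    query = unquote(unquote(event.get('cs-uri-query', '')))
    stem = event.get('cs-uri-stem', '').lower()
    return stem.endswith(STEM_SUFFIX) and re.search(r'\.\.[/\\]', query) is not None

def hits(text, matcher=matches_rule):
    """Return 'client-ip query' for every log line the matcher flags."""
    return [f"{e['c-ip']} {e['cs-uri-query']}" for e in parse_iis(text) if matcher(e)]

if __name__ == '__main__':
    print('literal rule :', hits(SAMPLE_LOG))
    print('decoded check:', hits(SAMPLE_LOG, matches_rule_decoded))
```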

KQL for Microsoft Sentinel

This hunt query is designed to find signs of pre-ransomware staging: it counts executions of archiving tools and file-transfer tools per device per hour and flags devices where that count exceeds a threshold, a pattern that can indicate data being packaged for exfiltration.

KQL — Microsoft Sentinel / Defender
// Hunt for potential Qilin pre-ransomware staging and exfiltration activity
// Counts executions of archiving and transfer tools per device per hour
// Note: DeviceProcessEvents exposes the executable name as FileName (there is no ProcessName column)
let TimeFrame = 1d;
let ArchivingTools = 
    DeviceProcessEvents
    | where Timestamp >= ago(TimeFrame)
    // Detect file archiving tools often used in staging
    | where FileName in~ ("winrar.exe", "rar.exe", "7z.exe", "winzip.exe", "tar.exe")
    | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName;
let ExfilTools = 
    DeviceProcessEvents
    | where Timestamp >= ago(TimeFrame)
    // Detect common exfiltration tools like rclone, winscp, or command-line transfer clients
    | where FileName in~ ("rclone.exe", "winscp.exe", "pscp.exe", "scp.exe", "curl.exe", "wget.exe")
    | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName;
union ArchivingTools, ExfilTools
| summarize Count = count(), Processes = make_set(FileName), CommandLines = make_set(ProcessCommandLine) by DeviceName, bin(Timestamp, 1h)
| where Count > 5 // Threshold for suspicious activity; tune per environment
| order by Count desc
| extend Recommendation = "Investigate device for signs of ransomware staging and exfiltration."
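
The same aggregation as an added Python example (not the post's query), run over constructed process events using the FileName column that DeviceProcessEvents exposes. It also shows why the per-hour count threshold misses a single rclone run and adds a companion check for that case. Events, hostnames, paths and remotes are constructed.

```python
from collections import defaultdict
from datetime import datetime

STAGING_TOOLS = {"winrar.exe", "7z.exe", "winzip.exe", "tar.exe"}
EXFIL_TOOLS = {"rclone.exe", "winscp.exe", "pscp.exe", "scp.exe", "curl.exe", "wget.exe"}
THRESHOLD = 5  # the query's "Count > 5"

def ev(ts, device, name, cmd):
    """Build one constructed DeviceProcessEvents-style record."""
    return {"Timestamp": datetime.fromisoformat(ts), "DeviceName": device,
            "FileName": name, "ProcessCommandLine": cmd}

SAMPLE_EVENTS = [
    # WS01: an archive-then-sync burst inside one hour (constructed)
    *[ev(f"2026-05-20T02:{m:02d}:00", "WS01", "7z.exe", f"7z a stage{m}.7z D:\\share\\{m}")
      for m in (5, 9, 14, 20, 31)],
    ev("2026-05-20T02:40:00", "WS01", "rclone.exe", "rclone sync C:\\stage s3:bucket"),
    # FS02: a single rclone copy with no archiving beforehand
    ev("2026-05-20T03:10:00", "FS02", "rclone.exe", "rclone copy D:\\data gdrive:x"),
    # WS03: one curl run by an admin
    ev("2026-05-20T04:00:00", "WS03", "curl.exe", "curl https://example.invalid/update"),
]

def bucket_hour(ts):
    """Equivalent of KQL bin(Timestamp, 1h)."""
    return ts.replace(minute=0, second=0, microsecond=0)

def hunt(events, threshold=THRESHOLD):
    """Mirror of the KQL: union both tool sets, summarize per device and hour, keep Count > threshold."""
    groups = defaultdict(list)
    for e in events:
        if e["FileName"].lower() in STAGING_TOOLS | EXFIL_TOOLS:
            groups[(e["DeviceName"], bucket_hour(e["Timestamp"]))].append(e)
    results = [{"DeviceName": d, "Hour": h, "Count": len(evs),
                "Processes": sorted({e["FileName"] for e in evs})}
               for (d, h), evs in groups.items() if len(evs) > threshold]
    return sorted(results, key=lambda r: -r["Count"])  # order by Count desc

def exfil_only(events):
    """Low-volume companion check: a single transfer-tool execution never trips the
    count threshold, so surface every one of them for review."""
    return [e for e in events if e["FileName"].lower() in EXFIL_TOOLS]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
    print([(e["DeviceName"], e["ProcessCommandLine"]) for e in exfil_only(SAMPLE_EVENTS)])
```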

PowerShell Response Script

This script is for rapid response on a potentially compromised endpoint. It checks for signs of Qilin activity: recently created scheduled tasks, Volume Shadow Copy manipulation, the presence of known staging and exfiltration tools on disk, and recently created local user accounts.

PowerShell
# Qilin Ransomware Rapid Response Check
# Run on a potentially compromised endpoint from an elevated PowerShell session
# (the Security log queries in checks 2 and 4 need administrator rights).

Write-Host "Starting Qilin Ransomware Rapid Response Checks..." -ForegroundColor Yellow
$DateCutoff = (Get-Date).AddDays(-7)

# Check 1: Enumerate scheduled tasks registered in the last 7 days.
# The task Date property is a string (often empty), so cast it before comparing;
# a failed cast yields $null, which never compares greater than the cutoff.
Write-Host "`n[+] Checking for recently created Scheduled Tasks..." -ForegroundColor Cyan
$NewTasks = @(Get-ScheduledTask | Where-Object { ($_.Date -as [datetime]) -gt $DateCutoff })

if ($NewTasks.Count -gt 0) {
    Write-Host "ALERT: Found $($NewTasks.Count) new scheduled task(s) created since ${DateCutoff}:" -ForegroundColor Red
    $NewTasks | ForEach-Object { Write-Host "    - Task: $($_.TaskPath)$($_.TaskName), Author: $($_.Author), Created: $($_.Date)" }
} else {
    Write-Host "No new scheduled tasks found." -ForegroundColor Green
}

# Check 2: Look for Volume Shadow Copy manipulation.
# System 7036/7040/7041 are Service Control Manager events that name the service by its
# display name ("Volume Shadow Copy"), not "VSS". Security 4688 (process creation) records
# vssadmin/wbadmin launches, which is how shadow copies are typically deleted.
Write-Host "`n[+] Checking for VSS (Volume Shadow Copy) manipulation..." -ForegroundColor Cyan
try {
    $ScmEvents = @(Get-WinEvent -FilterHashtable @{LogName='System'; ID=7036,7040,7041; StartTime=$DateCutoff} -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Volume Shadow Copy*' })
    $ProcEvents = @(Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=$DateCutoff} -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'vssadmin\.exe|wbadmin\.exe' })
    $VssEvents = $ScmEvents + $ProcEvents
    if ($VssEvents.Count -gt 0) {
        Write-Host "ALERT: Found potential VSS manipulation events:" -ForegroundColor Red
        $VssEvents | ForEach-Object {
            $FirstLine = ($_.Message -split "`r?`n")[0]
            Write-Host "    - Time: $($_.TimeCreated), EventID: $($_.Id), Message: $FirstLine"
        }
    } else {
        Write-Host "No suspicious VSS events found." -ForegroundColor Green
    }
} catch {
    Write-Host "Could not query VSS events: $($_.Exception.Message)" -ForegroundColor Gray
}

# Check 3: Scan for known staging, exfiltration and lateral-movement tools.
# One recursive pass per path with -Include, instead of one pass per tool name.
# ${env:ProgramFiles(x86)} needs braces: "$env:ProgramFiles(x86)" expands only $env:ProgramFiles.
Write-Host "`n[+] Scanning for known staging and exfiltration tools in common paths..." -ForegroundColor Cyan
$PathsToScan = @("$env:SystemRoot\System32", $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:USERPROFILE)
$ToolNames = @("rclone.exe", "winscp.exe", "pscp.exe", "7z.exe", "winrar.exe", "psexec.exe", "psexec64.exe")
$FoundTools = @(foreach ($Path in $PathsToScan) {
    if ($Path -and (Test-Path $Path)) {
        Get-ChildItem -Path $Path -Recurse -File -Include $ToolNames -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
    }
})

if ($FoundTools.Count -gt 0) {
    Write-Host "ALERT: Found known staging/exfil tools (verify each against your software inventory):" -ForegroundColor Red
    $FoundTools | ForEach-Object { Write-Host "    - $_" }
} else {
    Write-Host "No known tools found in default paths." -ForegroundColor Green
}

# Check 4: Look for recently created local user accounts.
# Get-LocalUser has no creation timestamp, so use Security event 4720 ("A user account was created").
Write-Host "`n[+] Checking for recently created local user accounts..." -ForegroundColor Cyan
$NewUserEvents = @(Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4720; StartTime=$DateCutoff} -ErrorAction SilentlyContinue)
if ($NewUserEvents.Count -gt 0) {
    Write-Host "ALERT: Found $($NewUserEvents.Count) account creation event(s) since ${DateCutoff}:" -ForegroundColor Red
    $NewUserEvents | ForEach-Object {
        # In 4720, Properties[0] is the new account name and Properties[4] is the account that created it
        Write-Host "    - Time: $($_.TimeCreated), New Account: $($_.Properties[0].Value), Created By: $($_.Properties[4].Value)"
    }
} else {
    Write-Host "No new local user accounts found." -ForegroundColor Green
}

Write-Host "`nRapid Response Checks Complete." -ForegroundColor Yellow
Write-Host "Review any ALERTS above for potential indicators of Qilin activity." -ForegroundColor Yellow


---

Incident Response Priorities

Based on Qilin's known playbook, IR teams should prioritize the following actions in the event of a suspected compromise:

T-minus Detection Checklist

  • Inspect EDR Alerts: Prioritize alerts related to unusual PowerShell execution, credential dumping (e.g., mimikatz), and remote administration tools (PsExec, WMI).
  • Network Traffic Analysis: Hunt for large, anomalous outbound data transfers, especially to unknown cloud storage providers or via non-standard ports.
  • Account Audit: Immediately review Active Directory for new, privileged, or disabled account reactivation.
  • File System Monitoring: Monitor for massive file renames or the creation of encrypted files (.qilin, .agenda, or random extensions).

Critical Assets for Exfiltration

Qilin historically targets:

  • Customer Databases & PII: High leverage for extortion.
  • Financial Records: To assess the victim's ability to pay.
  • Intellectual Property: Source code, blueprints, and proprietary formulas are prime targets, especially in the Tech and Manufacturing sectors.

Containment Actions

  1. ISOLATE INFECTED SYSTEMS: Immediately disconnect compromised hosts from the network to prevent lateral movement.
  2. DISABLE VPN/RDP: If the suspected vector is a VPN or RDP vulnerability, revoke all access and force a password reset for all users.
  3. RESET CREDENTIALS: Force a password reset for all privileged accounts (Domain Admins, Service Accounts) and any other accounts known to be compromised.
  4. SHUTDOWN NON-ESSENTIAL SYSTEMS: As a precautionary measure, power down non-critical servers and workstations to halt encryption spread.

Hardening Recommendations

Immediate (24h)

  • Patch Critical CVEs: Immediately patch CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2023-21529 (Microsoft Exchange Server) if they are present in your environment. Disable ScreenConnect if patching is not possible.
  • Disable Unused VPN Accounts: Conduct a thorough audit of all VPN and remote access accounts. Disable any that are not actively in use.
  • Block Network RDP: Disable RDP access from the internet. Enforce MFA for all remote access solutions.

Short-term (2 weeks)

  • Implement MFA Everywhere: Enforce multi-factor authentication for all users, especially for administrative accounts and remote access.
  • Network Segmentation: Strictly segment critical servers (databases, domain controllers) from user workstations and guest networks.
  • EDR/XDR Deployment: Ensure a modern Endpoint Detection and Response (EDR) solution is deployed on all endpoints and servers, with alerts tuned to detect ransomware behaviors.
  • Least Privilege Model: Enforce the principle of least privilege. Regularly review and audit user permissions to prevent attackers from gaining widespread access if a single account is compromised.
