Threat Actor Profile — QILIN
Aliases: Qilin, Agenda. Model: Ransomware-as-a-Service (RaaS). Qilin operates as a highly adaptable RaaS, allowing affiliates to customize the locker in Rust for cross-platform efficacy. Typical Ransom Demands: Variable, generally ranging from $500k to multi-million dollars depending on victim revenue, frequently negotiated via Tox chat. Initial Access: Known for exploiting vulnerabilities in remote access tools (notably ScreenConnect) and VPN appliances. Also utilizes phishing with macros and valid credentials obtained via initial access brokers. Double Extortion: Strict adherence to double extortion. Data is exfiltrated prior to encryption. If victims do not pay, sensitive data is published on their Tor leak site. Average Dwell Time: 3 to 5 days. Qilin affiliates are known for "hands-on-keyboard" speed, often moving laterally quickly after obtaining initial access to evade detection.
Current Campaign Analysis
Sectors Targeted: The latest batch of 19 victims indicates a distinct pivot towards Business Services (approx. 40-50% of recent postings) and Consumer Services. Victims include legal firms (Miller & Zois, Bekman Marder Hopper), jewelry retail (Maui Divers), and diversified tech (Bitek System).
Geographic Concentration: While global, the campaign heavily targets the United States (US), followed by Germany (DE), Spain (ES), Mexico (MX), South Korea (KR), and Moldova (MD).
Victim Profile: Based on the recent victim list (e.g., Maui Divers Jewelry, Distinet Murcia), Qilin affiliates are targeting mid-to-large market enterprises. Legal and professional services firms are prime targets due to the high sensitivity of client data (PII) and a willingness to pay to avoid reputation damage.
Posting Frequency & Escalation: A spike in activity was observed on 2026-06-10, with 6 victims posted in a single day. The cadence suggests a coordinated affiliate effort or the deployment of an automated toolchain for victim processing.
CVE Connections: Recent victimology correlates strongly with the exploitation of critical perimeter vulnerabilities. The inclusion of the following CISA KEV vulnerabilities is highly relevant to this campaign's access vectors:
- CVE-2026-50751 (Check Point Security Gateway): Critical for initial access into corporate perimeters.
- CVE-2024-1708 (ConnectWise ScreenConnect): A historical favorite for ransomware groups, allowing remote code execution (RCE).
- CVE-2026-20131 (Cisco Secure Firewall FMC): Deserialization flaw allowing bypass of central management controls.
- CVE-2023-21529 (Microsoft Exchange): Persistent exploitation for internal network persistence.
Detection Engineering
SIGMA Rules
---
title: Potential ScreenConnect Authentication Bypass (CVE-2024-1708)
id: 0a3b2c1d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects potential exploitation of the ScreenConnect path traversal vulnerability (CVE-2024-1708) used for initial access by Qilin affiliates.
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/12
logsource:
category: web
product: screenconnect
detection:
selection:
c-uri|contains:
- '/Bin/*'
- 'App_Web/'
- '.aspx?path='
filter:
sc-status: 200
condition: selection and filter
falsepositives:
- Legitimate administrative access (investigate user agent)
level: critical
tags:
- attack.initial_access
- cve.2024.1708
- ransomware.qilin
---
title: Suspicious PsExec Usage for Lateral Movement
id: b1c2d3e4-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the use of PsExec or similar tools for lateral movement, a common tactic in Qilin hands-on-keyboard attacks.
author: Security Arsenal Research
date: 2026/06/12
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\\psexec.exe'
- '\\psexec64.exe'
CommandLine|contains:
- '\\\\*\\'
- '-accepteula'
condition: selection
falsepositives:
- System administration
level: high
tags:
- attack.lateral_movement
- attack.t1021.002
- ransomware.qilin
---
title: Qilin Ransomware File Extension Patterns
id: c2d3e4f5-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects file renaming patterns associated with Qilin ransomware. Qilin often appends random or specific extensions.
author: Security Arsenal Research
date: 2026/06/12
logsource:
category: file_rename
product: windows
detection:
selection:
TargetFilename|contains:
- '.Qilin'
- '.Agenda'
- '.encrypted'
condition: selection
falsepositives:
- Low
level: critical
tags:
- attack.impact
- ransomware.qilin
Microsoft Sentinel KQL (Hunt Query)
// Hunt for Qilin Pre-Encryption Staging and Lateral Movement
// Focuses on PowerShell execution and massive file modifications
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ((ProcessCommandLine contains "powershell" and (ProcessCommandLine contains "IEX" or ProcessCommandLine contains "DownloadString")) or
(FileName =~ "cmd.exe" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "robocopy"))
| extend Account = tostring(SignInId), Host = tostring(DeviceName)
| project Timestamp, Host, Account, ProcessCommandLine, InitiatingProcessFileName
| join kind=inner (
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated" or ActionType == "FileModified"
| summarize Count=count() by DeviceName, Timestamp, bin(Timestamp, 1m)
| where Count > 50 // Threshold for mass staging
) on $left.Host == $right.DeviceName and $left.Timestamp == $right.Timestamp
| project Timestamp, Host, Account, ProcessCommandLine, Count
PowerShell: Rapid Response Script
<#
.SYNOPSIS
Qilin Ransomware Rapid Response Hardening & Detection Script
.DESCRIPTION
Checks for common Qilin TTPs: Open RDP, Suspicious Scheduled Tasks, Recent VSC changes.
#>
Write-Host "Starting Qilin Response Check..." -ForegroundColor Cyan
# 1. Check for Open RDP Sessions (Potential Persistence)
Write-Host "`n[+] Checking for Active RDP Sessions..." -ForegroundColor Yellow
$queryRDP = query user
if ($queryRDP) { $queryRDP } else { Write-Host "No active RDP sessions found." -ForegroundColor Green }
# 2. Enumerate Scheduled Tasks created in last 7 days (Persistence)
Write-Host "`n[+] Checking for Scheduled Tasks created/modified in last 7 days..." -ForegroundColor Yellow
$dateCutoff = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object { $_.Date -gt $dateCutoff } | Select-Object TaskName, TaskPath, Date, Author
# 3. Check Volume Shadow Copy Service (VSS) Manipulation (Pre-Encryption)
Write-Host "`n[+] Checking for recent VSS related events (Event ID 8229 - Shadow Copy Deleted)..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; Id=8229; StartTime=$dateCutoff} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-List
# 4. Check for common Qilin Ransomware Note drops
Write-Host "`n[+] Scanning C:\ for common ransom note names..." -ForegroundColor Yellow
$paths = @("C:\", "C:\Users\Public", "C:\Temp")
$notes = @("README.txt", "RECOVER_FILES.txt", "QILIN-README.txt")
foreach ($p in $paths) {
if (Test-Path $p) {
Get-ChildItem -Path $p -Filter "*.txt" -Recurse -ErrorAction SilentlyContinue | Where-Object { $notes -contains $_.Name } | Select-Object FullName, LastWriteTime
}
}
Write-Host "`nCheck Complete. If any anomalies found, initiate Incident Response Protocol immediately." -ForegroundColor Cyan
Incident Response Priorities
T-minus Detection Checklist:
- Perimeter Logs: Review VPN and Firewall logs immediately for indicators of exploitation for CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC). Look for authentication failures followed by successful IKEv1 or administrative logins.
- ScreenConnect Audit: If ConnectWise ScreenConnect is in the environment, audit web server logs for the path traversal pattern
/Bin/*associated with CVE-2024-1708. - Lateral Movement: Hunt for unusual PsExec or WMI execution patterns originating from non-admin workstations.
Critical Assets for Exfiltration:
- Legal Contracts and Client Files (Business Services sector target).
- Customer PII and Financial Data (Consumer Services target).
- Intellectual Property (Technology/Manufacturing).
Containment Actions (Ordered by Urgency):
- Isolate: Immediately disconnect infected hosts from the network (pull ethernet/disable wifi) to stop spread.
- Revoke Credentials: Reset credentials for service accounts (especially Domain Admin) and VPN users identified in the logs.
- Block IOCs: Block identified malicious IPs and domains associated with the C2 infrastructure on firewalls and proxies.
- Suspend VPN: If VPN exploitation is suspected, suspend the VPN service or enforce MFA with strict conditional access policies immediately.
Hardening Recommendations
Immediate (24 Hours):
- Patch Critical Perimeter: Apply patches for CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC) immediately. These are the likely entry points for the current wave of US and EU victims.
- Disable ScreenConnect: If not strictly business-critical, disable the ConnectWise ScreenConnect web interface until CVE-2024-1708 is verified patched. If required, enforce MFA and restrict access via allow-lists.
- Account Hygiene: Ensure all privileged accounts have MFA enforced and cannot be accessed from untrusted geographic locations (Geo-blocking).
Short-term (2 Weeks):
- Network Segmentation: Implement strict isolation between user workstations and critical server segments. Qilin thrives on flat networks.
- EDR/XDR Deployment: Ensure comprehensive coverage across all endpoints, specifically focusing on PowerShell script block logging.
- RDP Hardening: Disable RDP on internet-facing systems. Enforce Network Level Authentication (NLA) and limit RDP usage to a jump host solution.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.