Threat Actor Profile — QILIN
Known Aliases: Agenda, Qilin
Operational Model: Qilin operates as a sophisticated Ransomware-as-a-Service (RaaS) operation with a highly modular attack framework. The group primarily targets Windows environments and has recently shifted focus to mid-sized enterprises in construction, manufacturing, and business services sectors.
Ransom Demands: Historical data indicates demands ranging from $300,000 to multi-million dollars, typically calculated at 2-5% of victim annual revenue. Recent postings suggest increased targeting of companies with $10-50M in annual revenue.
Initial Access Methods:
- Exploitation of remote access services (VPN, RDP)
- Phishing campaigns with weaponized attachments
- Software supply chain compromises
- Exploitation of public-facing applications (notably ConnectWise ScreenConnect)
Double Extortion Approach: Qilin consistently employs double extortion tactics, exfiltrating sensitive data before encryption and threatening public release if ransom demands aren't met. Data is typically staged for 2-7 days before encryption begins.
Average Dwell Time: 5-12 days between initial compromise and encryption detonation, with most data exfiltration occurring between days 3-7.
Current Campaign Analysis
Targeted Sectors
Based on the 23 recent victims posted to Qilin's leak site:
- Construction: 33% (7 victims) - Primary focus area
- Business Services: 17% (4 victims)
- Manufacturing: 13% (3 victims)
- Consumer Services: 13% (3 victims)
- Agriculture and Food Production: 9% (2 victims)
- Healthcare/Hospitality: 4% (1 victim each)
- Other: 9% (4 victims)
Geographic Concentration
- United States: 30% (7 victims)
- Austria: 13% (3 victims)
- United Kingdom: 13% (3 victims)
- Canada, Spain, Argentina, Australia, Czech Republic: 9-4% (1-2 victims each)
Victim Profile
Recent victims predominantly represent mid-sized enterprises with the following characteristics:
- Revenue range: $10M-$50M annually
- Employee count: 50-300
- Limited dedicated security resources
- Heavy reliance on remote access solutions
Observed Posting Frequency
Qilin has demonstrated consistent posting patterns with 3-5 victims published daily between May 17-21, 2026, suggesting a well-established pipeline of compromised organizations.
CVE Connections as Initial Access Vectors
Recent Qilin activity shows strong correlation with exploitation of:
- CVE-2024-1708 (ConnectWise ScreenConnect): 67% of victims likely using remote management tools
- CVE-2023-21529 (Microsoft Exchange): 33% of business service victims may have been compromised via email infrastructure
- CVE-2026-20131 (Cisco Secure Firewall): Network perimeter compromises evident in manufacturing and construction victims
- CVE-2025-52691 & CVE-2026-23760 (SmarterMail): Email server exploitation for initial access in multiple cases
Detection Engineering
SIGMA Rules
YAML
---
title: Potential Qilin Ransomware Lateral Movement via PsExec
id: 764e075d-5e1f-4d9b-8f7f-1a2b3c4d5e6f
description: Detects potential Qilin ransomware lateral movement using PsExec with suspicious parameters
status: experimental
date: 2026/05/21
author: Security Arsenal Research Team
references:
- https://securityarsenal.com/darkside
tags:
- attack.execution
- attack.lateral_movement
- attack.t1021.002
- qilin
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\psexec.exe'
CommandLine|contains:
- ' -accepteula '
- ' -u '
- ' -p '
filter_legit:
ParentImage|endswith:
- '\mmc.exe'
- '\services.msc'
- '\taskmgr.exe'
condition: selection and not filter_legit
falsepositives:
- Legitimate administrative activity
level: high
---
title: Qilin Ransomware Data Staging via Rclone
id: 785e085d-5e1f-4d9b-8f7f-1a2b3c4d5e6f
description: Detects potential Qilin ransomware data exfiltration using Rclone tool
status: experimental
date: 2026/05/21
author: Security Arsenal Research Team
references:
- https://securityarsenal.com/darkside
tags:
- attack.exfiltration
- attack.t1048
- qilin
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\rclone.exe'
CommandLine|contains:
- 'copy '
- 'sync '
- 'config '
condition: selection
falsepositives:
- Legitimate use of Rclone for backup purposes
level: high
---
title: Qilin Ransomware Preparation - Volume Shadow Copy Deletion
id: 796e095d-5e1f-4d9b-8f7f-1a2b3c4d5e6f
description: Detects potential Qilin ransomware preparation by deleting Volume Shadow Copies
status: experimental
date: 2026/05/21
author: Security Arsenal Research Team
references:
- https://securityarsenal.com/darkside
tags:
- attack.impact
- attack.t1490
- qilin
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\vssadmin.exe'
CommandLine|contains:
- 'delete shadows'
- 'resize shadowstorage'
condition: selection
falsepositives:
- System administration tasks
level: high
KQL Hunt Query for Lateral Movement
KQL — Microsoft Sentinel / Defender
// Hunt for potential Qilin ransomware lateral movement indicators
let timeframe = 7d;
DeviceProcessEvents
| where Timestamp > ago(timeframe)
| where InitiatingProcessFileName in ("psexec.exe", "wmic.exe", "wmiexec.ps1", "powershell.exe", "cmd.exe")
| where ProcessCommandLine has any(
"-accepteula", "process call create", "Invoke-WmiMethod", "New-PSSession",
"Enter-PSSession", "Invoke-Command", "sc.exe", "net use", "net.exe"
)
| where ProcessCommandLine has any(
"\\\\", "C$\", "ADMIN$\", "/user:", "/password:", ":5985", ":5986"
)
| extend MachineName = DeviceName, Account = InitiatingProcessAccountName,
Process = FileName, CommandLine = ProcessCommandLine
| project Timestamp, MachineName, Account, Process, CommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
Rapid-Response Hardening Script
PowerShell
# Qilin Ransomware Hardening Script
# Checks for common indicators and applies immediate protective measures
# Function to check for recent scheduled tasks (potential Qilin persistence)
function Check-ScheduledTasks {
Write-Host "Checking for recently created scheduled tasks..." -ForegroundColor Yellow
$tasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) }
if ($tasks) {
Write-Host "Found recent scheduled tasks:" -ForegroundColor Red
$tasks | Format-Table TaskName, Date, Author, State
} else {
Write-Host "No suspicious recent scheduled tasks found." -ForegroundColor Green
}
}
# Function to check for modified Volume Shadow Copies
function Check-ShadowCopies {
Write-Host "Checking Volume Shadow Copy status..." -ForegroundColor Yellow
try {
$vss = vssadmin list shadows
if ($vss -match "No shadow copies") {
Write-Host "WARNING: No Volume Shadow Copies found - potential deletion." -ForegroundColor Red
} else {
$shadowCount = ($vss | Select-String "Shadow Copy Volume").Count
Write-Host "Found $shadowCount Volume Shadow Copies." -ForegroundColor Green
}
} catch {
Write-Host "Could not check Volume Shadow Copies: $_" -ForegroundColor Red
}
}
# Function to enumerate RDP connections
function Check-RDPConnections {
Write-Host "Checking recent RDP connections..." -ForegroundColor Yellow
$rdpEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddDays(-7)} -ErrorAction SilentlyContinue |
Where-Object {$_.Message -match 'Logon Type: 10'} |
Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}}, @{N='SourceIP';E={$_.Properties[18].Value}}
if ($rdpEvents) {
Write-Host "Recent RDP connections found:" -ForegroundColor Yellow
$rdpEvents | Format-Table -AutoSize
} else {
Write-Host "No recent RDP connections found." -ForegroundColor Green
}
}
# Function to check for exposed RDP
function Check-ExposedRDP {
Write-Host "Checking if RDP is exposed..." -ForegroundColor Yellow
$rdpStatus = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -ErrorAction SilentlyContinue
if ($rdpStatus.fDenyTSConnections -eq 0) {
Write-Host "WARNING: RDP is enabled. Consider disabling or securing with MFA." -ForegroundColor Red
# Check firewall rules
$firewallRules = Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Where-Object {$_.Enabled -eq 'True'}
if ($firewallRules) {
Write-Host "RDP is allowed through firewall. Check scope restrictions." -ForegroundColor Red
}
} else {
Write-Host "RDP is disabled." -ForegroundColor Green
}
}
# Execute all checks
Write-Host "========================================" -ForegroundColor Cyan
Write-Host "QILIN RANSOMWARE SECURITY CHECK" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
Write-Host ""
Check-ScheduledTasks
Write-Host ""
Check-ShadowCopies
Write-Host ""
Check-RDPConnections
Write-Host ""
Check-ExposedRDP
Write-Host ""
Write-Host "========================================" -ForegroundColor Cyan
Write-Host "CHECK COMPLETE" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
Incident Response Priorities
T-minus Detection Checklist
- Monitor for unusual RDP and VPN access patterns from new geographic locations
- Check for new scheduled tasks created with SYSTEM privileges
- Identify suspicious PowerShell execution with encoded commands
- Monitor for large file transfers to unknown destinations (exfiltration >100MB)
- Watch for unexpected service restarts and new services
- Look for VSSAdmin commands to delete shadow copies
- Monitor for process execution patterns consistent with Qilin (e.g., 7z, WinRAR, Rclone)
Critical Assets This Gang Historically Prioritizes for Exfiltration
- Customer databases and PII
- Financial records and accounting data
- Architectural designs and blueprints (construction sector)
- Manufacturing processes and proprietary formulas
- Executive email archives
- Employee data (HR records)
- Contracts and M&A documentation
Containment Actions Ordered by Urgency
- IMMEDIATE: Isolate systems showing signs of compromise from the network
- URGENT: Disable or restrict all VPN accounts with recent suspicious activity
- HIGH PRIORITY: Block known Qilin C2 domains and IP addresses
- HIGH PRIORITY: Reset credentials for all accounts with elevated privileges
- MEDIUM PRIORITY: Disable unnecessary remote access protocols (RDP, WinRM)
- MEDIUM PRIORITY: Implement temporary network segmentation
Hardening Recommendations
Immediate (24h)
- Patch CVE-2024-1708 (ConnectWise ScreenConnect) immediately
- Apply security updates for Microsoft Exchange (CVE-2023-21529)
- Patch Cisco Secure Firewall Management Center (CVE-2026-20131)
- Update SmarterMail installations (CVE-2025-52691, CVE-2026-23760)
- Enforce MFA on all VPN and RDP access points
- Implement strict allow-listing for RDP and VPN access
- Review and restrict privileged access to minimum necessary
- Temporarily block execution of common Qilin tools (Rclone, WinRAR, 7z) on critical systems
Short-term (2 weeks)
- Deploy comprehensive EDR solutions across all endpoints
- Implement application allow-listing policies
- Conduct security awareness training focused on phishing
- Implement robust backup and recovery procedures with offline copies
- Segment network to limit lateral movement opportunities
- Deploy deception technology (honeypots) to detect early reconnaissance
- Conduct a thorough external attack surface assessment
- Review and enhance incident response playbooks specific to ransomware
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebransomware-gangqilinransomwareconstructionmanufacturingdata-exfiltrationremote-access
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.