Aliases: Agenda (formerly).
Operational Model: RaaS (Ransomware-as-a-Service). The Qilin group operates a highly affiliate-driven model, providing a Rust-based encryptor customizable for each operation.
Ransom Demands: Variable, typically ranging from $500,000 to multi-million dollar demands, heavily influenced by the victim's annual revenue and the sensitivity of exfiltrated data.
Initial Access Vectors: Historically reliant on phishing, compromised VPN credentials, and exploiting exposed RDP services. However, recent intelligence indicates a pivot toward exploiting specific unpatched edge services, notably Microsoft Exchange and Cisco firewall management interfaces.
Extortion Strategy: Aggressive double extortion. The gang exfiltrates sensitive data (often using tools like Rclone or WinSCP) prior to encryption and threatens public release on their .onion site if negotiations fail.
Dwell Time: Short and aggressive. Average dwell time observed in recent campaigns is 3–7 days from initial access to detonation.
Current Campaign Analysis
Sectors Targeted: Qilin's recent postings (Victim Count: 32) indicate a diversified but focused attack surface:
- Manufacturing: Heavily targeted (e.g., Denso - JP, Flipo Group - IN, Kolin Turkey - TR, Industrial Carrocera Arbuciense - ES). This sector is being hit for operational disruption leverage.
- Business Services: Frequent target for IP theft and data exfiltration (e.g., Point Four EPoS, Clearview Intelligence).
- Financial Services: High-value targeting (e.g., Manulife Wealth - CA).
- Public Sector & Critical Infrastructure: City of Napoleon (US) and Progressive Propane (US).
Geographic Concentration: Global reach with significant clustering in US, GB, and DE, but notable expansion into the APAC (JP, IN) and LATAM (MX) regions. The targeting of Denso (JP) and Manulife (CA) suggests a shift toward large multinational entities.
Victim Profile: Qilin is not discriminating by size, attacking both massive conglomerates (Denso, ~$40B revenue) and mid-sized municipal entities (City of Napoleon). This suggests a "spray and pray" approach to initial vulnerability scanning followed by manual ransomware deployment.
CVE Connection & Initial Access: There is a high confidence correlation between the recent victims and the exploitation of the following CISA KEVs:
- CVE-2023-21529 (Microsoft Exchange): Likely the primary vector for Business Services and Financial victims. The deserialization flaw allows authenticated code execution, a perfect pivot for ransomware groups.
- CVE-2026-20131 (Cisco Secure Firewall FMC): Exploitation of perimeter management centers provides deep network access, likely used against the Manufacturing and Energy sectors to bypass traditional firewall rules.
- CVE-2026-23760 / CVE-2025-52691 (SmarterMail): These authentication bypass and upload flaws are likely being used to compromise email gateways for initial access in logistics and agri-business sectors.
Detection Engineering
SIGMA Rules
---
title: Potential Exploitation CVE-2023-21529 Microsoft Exchange Deserialization
id: 3e8a5f1c-9d2b-4b5c-8e1d-2f3a4b5c6d7e
description: Detects suspicious deserialization activity indicative of CVE-2023-21529 exploitation on Microsoft Exchange.
status: experimental
author: Security Arsenal
date: 2026/04/25
tags:
- attack.initial_access
- cve.2023.21529
- detection.emerging_threats
logsource:
product: windows
service: msexchange-management
detection:
selection:
EventID: 4 # Management Log event
Level: 'Error'
Message|contains:
- 'System.Runtime.Serialization'
- 'ObjectStateFormatter'
- 'LosFormatter'
condition: selection
falsepositives:
- Rare legitimate deserialization errors in legacy integrations
level: high
---
title: SmarterMail Authentication Bypass and File Upload Exploitation
id: 7f9e0d1a-2c3b-4d5e-8f9a-0b1c2d3e4f5g
description: Detects exploitation attempts for CVE-2026-23760 and CVE-2025-52691 against SmarterMail instances.
status: experimental
author: Security Arsenal
date: 2026/04/25
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
product: webserver
service: iis
detection:
selection_uri:
cs-uri-query|contains:
- '/Services/MailBoxService.asmx'
- '/Runtime/ExecuteScript.aspx'
selection_method:
cs-method: 'POST'
selection_status:
sc-status: 200
condition: all of selection_
falsepositives:
- Unknown
level: critical
---
title: Qilin Ransomware Process Execution Characteristics
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
description: Detects process execution patterns consistent with Qilin Rust-based encryptor and typical lateral movement tools.
status: experimental
author: Security Arsenal
date: 2026/04/25
tags:
- attack.execution
- attack.impact
logsource:
product: windows
category: process_creation
detection:
selection_ransom:
Image|endswith: '.exe'
Company|contains: 'Unknown'
CommandLine|contains:
- '--procmem'
- '--force'
selection_lateral:
- Image|endswith:
- '\psexec.exe'
- '\wmic.exe'
CommandLine|contains: 'node_and_share'
condition: 1 of selection_*
falsepositives:
- Legitimate admin use of PsExec/WMIC
level: high
**KQL Hunt (Microsoft Sentinel)**
kql
// Hunt for lateral movement and staging indicators associated with Qilin
let TimeFrame = 2d;
DeviceProcessEvents
| where Timestamp >= ago(TimeFrame)
// Look for PowerShell download cradles often used in staging
| where ProcessCommandLine has "powershell" and (
ProcessCommandLine has "DownloadString" or
ProcessCommandLine has "IEX" or
ProcessCommandLine has "Invoke-WebRequest"
)
// Filter for suspicious parent processes or lack thereof
| where InitiatingProcessFileName !in ("explorer.exe", "cmd.exe", "powershell.exe")
| join kind=inner (
DeviceNetworkEvents
| where Timestamp >= ago(TimeFrame)
// Hunt for large data egress (Exfil)
| where SentBytes > 10000000
| summarize TotalSentBytes=sum(SentBytes) by DeviceId, RemoteUrl
) on DeviceId
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, RemoteUrl, TotalSentBytes
| order by Timestamp desc
**PowerShell Response Script**
powershell
# Qilin Rapid Response: Persistence and Exposure Check
Write-Host "[+] Initiating Qilin Response Hardening Checks..." -ForegroundColor Cyan
# 1. Check RDP Exposure (Common Initial Access)
$RDPProperty = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -ErrorAction SilentlyContinue
if ($RDPProperty.fDenyTSConnections -eq 0) {
Write-Host "[ALERT] RDP is ENABLED. Qilin frequently brute-forces RDP." -ForegroundColor Red
# Disable RDP (Remediation)
# Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1
} else {
Write-Host "[PASS] RDP is Disabled." -ForegroundColor Green
}
# 2. Check for Suspicious Scheduled Tasks (Persistence)
$Tasks = Get-ScheduledTask | Where-Object { $_.State -eq "Ready" -and $_.Author -notlike "*Microsoft*" -and $_.Author -notlike "*System*" }
Write-Host "[+] Checking for non-standard scheduled tasks..." -ForegroundColor Cyan
foreach ($Task in $Tasks) {
$Action = $Task.Actions.Execute
if ($Action -like "*powershell*" -or $Action -like "*cmd*" -or $Action -like "*.exe") {
Write-Host "[SUSPICIOUS] Task: $($Task.TaskName) | Author: $($Task.Author) | Action: $Action" -ForegroundColor Yellow
}
}
# 3. Check Volume Shadow Copy Status (Pre-Encryption)
$VSSAdmin = vssadmin list shadows 2>&1
if ($VSSAdmin -like "*No shadow copies found*" -or $VSSAdmin -eq $null) {
Write-Host "[WARNING] No Shadow Copies found. Ensure they haven't been deleted." -ForegroundColor DarkYellow
} else {
Write-Host "[PASS] Shadow Copies exist." -ForegroundColor Green
}
---
Incident Response Priorities
T-Minus Detection Checklist (Pre-Encryption):
- Exchange Logs: Search for
Cmdletlogs withSerializedDatastrings orGet-Requestanomalies matching CVE-2023-21529. - Firewall Logs: Check Cisco FMC logs for unexpected management interface access or deserialization errors (CVE-2026-20131).
- Identity: Look for suspicious service account creation or modifications to the
Domain Adminsgroup in the last 48 hours.
Critical Assets for Exfiltration: Qilin aggressively targets:
- Active Directory Database (NTDS.dit): For complete credential dumping.
- Exchange Mailboxes (.EDB/.PST): High-value data for business espionage.
- Financial Systems: ERPs and payroll databases.
Containment Actions (Ordered by Urgency):
- Isolate: Immediately disconnect identified Exchange Servers and Cisco FMC appliances from the network if compromise is suspected.
- Disable Accounts: Suspend service accounts associated with the exploited Exchange/FMC instances.
- Block Egress: Firewall rules to block outbound traffic to known anonymizing nodes (TOR, VPNs) and large data transfers to non-business IP ranges.
Hardening Recommendations
Immediate (24 Hours):
- Patch: Apply patches for CVE-2023-21529 (Exchange) and CVE-2026-20131 (Cisco FMC) immediately. These are confirmed active exploitation vectors.
- External Attack Surface: Conduct a scan for exposed RDP (3389) and SMB (445) ports and close them at the perimeter firewall.
Short-term (2 Weeks):
- Network Segmentation: Ensure management planes (like Cisco FMC and Exchange OWA) are in a dedicated VLAN with strict ingress/egress rules.
- MFA Enforcement: Implement FIDO2 or phishing-resistant MFA for all webmail and VPN access points.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.