Back to Intelligence

QILIN Ransomware Gang: High-Volume Global Campaign Targeting Finance & Manufacturing — CVE Analysis & Detection

SA
Security Arsenal Team
May 11, 2026
7 min read

Aliases: Agenda (formerly), Qilin.

Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate model where developers maintain the encryption payload and affiliates manage initial access and execution. They are known for customizing payloads per victim.

Ransom Demands: Typically high, ranging from $500,000 to several million USD, often calculated based on victim revenue and sensitivity of stolen data.

Initial Access Methods:

  • Phishing: Spear-phishing campaigns delivering malicious macros or HTML smuggling.
  • External Remote Services: Heavy exploitation of exposed VPNs (Cisco vulnerabilities) and RDP.
  • Valid Credentials: Usage of credentials obtained via initial access brokers (IABs) or infostealers like RedLine.

Tactics: Qilin utilizes double extortion. They exfiltrate large volumes of data to their own leak site before encrypting systems. They are known to use PowerShell and Go-based binaries for execution.

Dwell Time: Short to moderate. Recent intelligence suggests an average dwell time of 3–5 days between initial access and encryption detonation.

Current Campaign Analysis

Sectors Under Fire: Qilin's recent postings (May 6–9, 2026) show a diversified but aggressive targeting strategy:

  • Financial Services: High priority (Lindabury, Fogel Capital Management).
  • Manufacturing: Strategic targeting (Exco Technologies, Sylvania).
  • Construction: Unusual spike in victims (CCD Interiors, DL Cohen Construction, Ruiz Barbarin Arquitectos Slp).
  • Professional Services & Logistics: Secondary targets.

Geographic Concentration: The campaign is heavily focused on North America (US, CA, MX) and Europe (GB, ES, DE). Argentina (AR) and Chile (CL) represent expanding operations into LATAM.

Victim Profile: The victims range from mid-market businesses to large enterprises. The inclusion of firms like Exco Technologies (CAD/CAM solutions) and Sylvania suggests a focus on organizations with high intellectual property value or complex supply chains.

Posting Frequency & Escalation: The group posted 14 victims within 72 hours (May 6–9), indicating a highly automated affiliate pipeline or a coordinated "weekend dump" strategy to pressure victims into paying.

CVE & Initial Access Correlation: Based on the provided CISA KEV data, Qilin affiliates are likely actively exploiting:

  1. CVE-2026-20131 (Cisco Secure Firewall FMC): A critical deserialization flaw added to KEV in March 2026. Given the high volume of corporate targets, exploiting perimeter firewalls is a probable entry vector.
  2. CVE-2025-52691 / CVE-2026-23760 (SmarterTools SmarterMail): File upload and auth bypass vulnerabilities. These are prime vectors for the Business Services and Technology victims (e.g., CAD-IT UK) who likely run email collaboration servers.
  3. CVE-2023-21529 (Microsoft Exchange): A lingering but still effective deserialization flaw for legacy on-prem environments.

Detection Engineering

The following detection logic targets Qilin's typical TTPs: PowerShell usage for payload delivery, lateral movement via WMI/WinRM, and data staging prior to exfiltration.

SIGMA Rules

YAML
---
title: Potential Qilin Ransomware PowerShell Execution
description: Detects suspicious PowerShell execution patterns often used by Qilin affiliates for payload staging and execution, including encoded commands and hidden windows.
status: stable
date: 2026/05/11
author: Security Arsenal Research
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      '-EncodedCommand'
      '-w hidden'
      'DownloadString'
      'IEX'
  filter_legit:
    User|contains: 'SYSTEM' # System often runs legit scripts, but userland is riskier for ransomware init
  condition: selection and not filter_legit
falsepositives:
  - Administrative scripts
level: high
tags:
  - attack.execution
  - attack.t1059.001
  - qilin
---
title: SmarterMail Vulnerability Exploitation Attempt (Qilin Vector)
description: Detects potential exploitation of SmarterMail vulnerabilities (CVE-2025-52691, CVE-2026-23760) often used for initial access in recent campaigns.
status: stable
date: 2026/05/11
author: Security Arsenal Research
logsource:
  product: web
  category: application
detection:
  selection_uri:
    cs-uri-query|contains:
      - '/SmarterMail/MRSProxy'
      - '/Services/ScriptService.asmx'
  selection_method:
    cs-method: 'POST'
  selection_status:
    sc-status: 200
  condition: all of selection_*
falsepositives:
  - Legitimate administrative access
level: critical
tags:
  - attack.initial_access
  - attack.t1190
  - cve-2025-52691
---
title: Large Volume Data Staging via Rclone
description: Qilin affiliates often use Rclone for data exfiltration prior to encryption. This rule detects Rclone processes connecting to non-standard cloud storage endpoints.
status: stable
date: 2026/05/11
author: Security Arsenal Research
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\rclone.exe'
  filter:
    CommandLine|contains: 
      - 'config show'
  condition: selection and not filter
falsepositives:
  - Legitimate backup operations using Rclone
level: high
tags:
  - attack.exfiltration
  - attack.t1048
  - qilin

Microsoft Sentinel (KQL)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and staging indicators associated with Qilin
// Looks for WMI usage and large file transfers
let TimeRange = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeRange)
| where (FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\powershell.exe") 
and ProcessCommandLine has "process call create" 
// Hunting for remote process creation via WMI
| summarize RemoteProcessCount = count() by DeviceName, AccountName, InitiatingProcessFileName
| join (
    DeviceNetworkEvents 
    | where Timestamp > ago(TimeRange) 
    | where ActionType in ("ConnectionAccepted", "ConnectionSuccess") 
    | where RemotePort in (445, 139, 5985, 5986) // SMB, WinRM
    | summarize NetworkActivityCount = count(), SentBytes = sum(SentBytes) by DeviceName
) on DeviceName
| where RemoteProcessCount > 5 or SentBytes > 50000000 // > 50MB data transfer
| project DeviceName, AccountName, InitiatingProcessFileName, RemoteProcessCount, SentBytes

Rapid Response Script

PowerShell
# Qilin Incident Response Script
# Checks for suspicious scheduled tasks, recent shadow copy deletions, and unusual PowerShell processes.

Write-Host "[+] Starting Qilin TTP Hunt..." -ForegroundColor Cyan

# 1. Check for Scheduled Tasks created in the last 7 days
Write-Host "[*] Checking for Scheduled Tasks created in last 7 days..." -ForegroundColor Yellow
$DateCutoff = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object { $_.Date -gt $DateCutoff } | ForEach-Object {
    Write-Host "ALERT: Task Created: $($_.TaskName) - Action: $($_.Actions.Execute)" -ForegroundColor Red
}

# 2. Check for Shadow Copy Deletion events (Event ID 253) in System Logs
Write-Host "[*] Checking System Logs for Shadow Copy Deletion..." -ForegroundColor Yellow
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; ID=253; StartTime=$DateCutoff} -ErrorAction SilentlyContinue
if ($Events) {
    Write-Host "ALERT: Found $($Events.Count) instances of VSS Shadow Copy Deletion!" -ForegroundColor Red
} else {
    Write-Host "No Shadow Copy deletions found in recent logs." -ForegroundColor Green
}

# 3. Enumerate recent PowerShell child processes of Word/Excel or Archive tools
Write-Host "[*] Checking for suspicious PowerShell child processes..." -ForegroundColor Yellow
$SuspiciousParents = @("winword.exe", "excel.exe", "powerpnt.exe", "winrar.exe", "7zfm.exe")
Get-WmiObject Win32_Process | Where-Object { 
    $_.Name -eq "powershell.exe" -and 
    $SuspiciousParents -contains $_.ParentProcessName 
} | ForEach-Object {
    Write-Host "ALERT: PowerShell spawned by $($_.ParentProcessName) - PID: $($_.ProcessId) - CMD: $($_.CommandLine)" -ForegroundColor Red
}

Write-Host "[+] Hunt Complete." -ForegroundColor Cyan


---

# Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption)

  • Network Egress: Monitor for large outbound data transfers to non-whitelisted IPs, specifically on ports 443/80 using tools like Rclone or WinSCP.
  • VSS Activity: Immediate alert on Event ID 253 (Shadow Copy Delete) or execution of vssadmin.exe with "Delete Shadows" arguments.
  • Service Stops: Look for mass stopping of services related to databases, backups, or security agents (net stop, Stop-Service).

Critical Assets Targeted for Exfiltration

Qilin prioritizes data with high business leverage:

  • Financial: Client financial records, transaction logs, investor data.
  • Manufacturing: CAD files, proprietary schematics, supply chain databases.
  • Legal/Construction: Contract drafts, blueprints, client personal data (PII).

Containment Actions (Ordered by Urgency)

  1. Isolate affected segments immediately; disconnect VLANs if lateral movement is suspected.
  2. Revoke all domain credentials for accounts found in the logs during the dwell time period (last 5 days).
  3. Power down non-critical systems if encryption is actively propagating via SMB (WannaCry-style spread is less common now but Qilin uses PsExec/WMI).

Hardening Recommendations

Immediate (24 Hours)

  • Patch Critical CVEs: Immediately apply patches for CVE-2026-20131 (Cisco FMC) and SmarterMail (CVE-2025-52691). If patching is impossible, disable internet-facing access to these management interfaces via firewall ACLs.
  • Disable RDP/VPN: Ensure external RDP is blocked. Enforce MFA on all VPN connections and review recent logs for failed authentication attempts.
  • Audit Email Gateways: Scan for indicators of compromise related to HTML smuggling or malicious attachments.

Short-term (2 Weeks)

  • Network Segmentation: Segment critical file servers from user workstations to prevent lateral movement via SMB/WMI.
  • EDR Deployment: Ensure EDR coverage on all servers, specifically monitoring for PowerShell obfuscation and unauthorized software installations (e.g., Rclone, AnyDesk).
  • Application Control: Implement allow-listing policies to prevent the execution of unsigned binaries in temporary directories (C:\Windows\Temp, AppData\Local\Temp).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarefinancial-servicesmanufacturingcve-2026-20131initial-access

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action