Intelligence Briefing Date: 2026-05-23
Source: Ransomware.live Dark Web Leak Site Monitoring
Threat Level: HIGH
Threat Actor Profile — QILIN
Aliases: Agenda, Titan (historical overlap)
Operational Model: RaaS (Ransomware-as-a-Service). Qilin operates as an affiliate-driven model, providing a Rust/Go-based encryptor to partners who handle initial access and negotiation.
Ransom Demands: Variable, typically ranging from $500,000 to $5 million, often calibrated based on victim revenue and exfiltrated data volume.
Initial Access Vectors:
- Exploitation of Public-Facing Applications: Heavy reliance on unpatched VPNs and remote management tools.
- Phishing: Targeted spear-phishing delivering macro-laced documents or ISO files.
- Valid Credentials: Brute-forcing RDP and VPN gateways exposed to the internet.
TTP Overview:
Qilin affiliates are known for rapid lateral movement using Cobalt Strike beacons and custom PowerShell scripts. They employ a double-extortion model, exfiltrating sensitive data (CAD files, source code, customer DBs) via tools like Rclone or Mega prior to encryption. Dwell time is typically short (3–7 days) between initial access and detonation, prioritizing speed over stealth in recent campaigns.
Current Campaign Analysis
Based on the 16 victims posted between 2026-05-17 and 2026-05-22, Qilin has shifted focus significantly toward professional services and infrastructure.
Sector Targeting
- Construction (31%): Significant clustering (ROTO Immobilien, CJ Architects, RCR Industrial Flooring, Air Conditioning Florida & partners). Affiliates likely target this sector for time-sensitive project data and high willingness to pay to avoid delays.
- Technology & Manufacturing: High-value victims like Semgrep (US) indicate a continued interest in intellectual property theft.
- Business Services: Continued targeting of support firms (Porter W Yett, WNS Lowery) for supply chain leverage.
Geographic Concentration
- North America (US/CA): 53% of recent victims. The US remains the primary hunting ground.
- Europe (AT/GB/CZ/ES): 40% of victims. Notable activity in Austria (ROTO) and the UK.
CVE & Exploitation Correlation
The surge in postings correlates directly with the weaponization of recently added CISA KEV vulnerabilities:
- CVE-2024-1708 (ConnectWise ScreenConnect): Added to KEV 2026-04-28. The high velocity of the current campaign (post-early May) strongly suggests affiliates are mass-scanning for unpatched ScreenConnect instances to gain initial access.
- CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail): Authentication bypass and file upload flaws. Likely used against Business Services and Tech victims running email suites.
Detection Engineering
SIGMA Rules
---
title: Potential ScreenConnect Auth Bypass - CVE-2024-1708
description: Detects potential exploitation of ConnectWise ScreenConnect authentication bypass vulnerability targeting /WebRoot/ path traversal.
id: 8a3b2c1d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
author: Security Arsenal Intel
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
date: 2026/05/23
tags:
- attack.initial_access
- cve.2024.1708
- detection.emerging_threats
logsource:
category: web
product: apache
definition: 'Requirements: IIS/Apache access logs'
detection:
selection:
cs-uri-query|contains:
- '/WebRoot/..'
- '../'
cs-uri-stem|contains: 'ScreenConnect'
condition: selection
falsepositives:
- Potential false positives depending on specific legacy URL structures, verify user-agent strings.
level: critical
---
title: SmarterMail Arbitrary File Upload - CVE-2025-52691
description: Detects suspicious file upload patterns to SmarterMail endpoints indicative of CVE-2025-52691 exploitation.
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
author: Security Arsenal Intel
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
date: 2026/05/23
tags:
- attack.initial_access
- cve.2025.52691
- web.attack
logsource:
category: web
product: iis
detection:
selection:
cs-uri-stem|contains:
- '/MRS/'
- '/Services/'
cs-method|contains: 'POST'
cs-uri-query|contains:
- '.aspx'
- '.ashx'
filter:
cs-uri-query|contains: '正常的业务请求' # Adjust based on legitimate traffic baselines
condition: selection and not filter
level: high
---
title: Rclone Data Exfiltration Tool Usage
description: Detects the use of Rclone, a tool frequently used by Qilin affiliates for large-scale data exfiltration prior to encryption.
id: 9f8e7d6c-5b4a-3e2d-1c0b-9a8f7e6d5c4b
status: experimental
author: Security Arsenal Intel
date: 2026/05/23
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\rclone.exe'
CommandLine|contains:
- 'copy'
- 'sync'
- 'mega:'
- 's3:'
condition: selection
falsepositives:
- Legitimate admin use of rclone for backup (rare in enterprise endpoints).
level: high
KQL (Microsoft Sentinel)
kqln
// Hunt for Qilin-related lateral movement and credential dumping
// Focuses on typical TTPs: WMI/PsExec usage and unusual access patterns
let TimeFrame = ago(7d);
DeviceProcessEvents
| where Timestamp >= TimeFrame
| where (ProcessVersionInfoOriginalFileName in ('powershell.exe', 'cmd.exe') or
FileName in ('powershell.exe', 'cmd.exe', 'wmic.exe', 'psexec.exe', 'psexec64.exe'))
| where ProcessCommandLine has 'Invoke-' or
ProcessCommandLine has 'DownloadString' or
ProcessCommandLine has 'FromBase64String' or
ProcessCommandLine contains '-enc ' or
ProcessCommandLine has 'reg save' or
ProcessCommandLine has 'sam save'
// Correlate with network connection to common C2 ports or large outbound data transfers
| join kind=leftouter (
DeviceNetworkEvents
| where Timestamp >= TimeFrame
| where RemotePort in (443, 80, 445, 3389) and Initiative == 'LocalUser'
| summarize TotalBytesSent = sum(SentBytes), MaxLatency = max(LatencyInMillis) by DeviceId, Timestamp
) on DeviceId, Timestamp
| project Timestamp, DeviceName, FileName, ProcessCommandLine, TotalBytesSent, RemoteIP, RemoteUrl
| order by Timestamp desc
PowerShell (Rapid Response)
# Qilin Ransomware - T-Minus Hardening & Hunt Script
# Checks for scheduled task persistence (Qilin favorite) and Shadow Copy status
Write-Host "[+] Starting Qilin T-Minus Diagnostic..." -ForegroundColor Cyan
# 1. Check for Shadow Copy Deletion Attempts (Vssadmin)
Write-Host "\n[*] Checking for recent vssadmin execution (Shadow Copy manipulation)..." -ForegroundColor Yellow
$Events = Get-WinEvent -LogName 'Security' -FilterXPath "*[System[(EventID=4688)]] and *[EventData[Data[@Name='NewProcessName']='C:\\Windows\\System32\\vssadmin.exe']]" -ErrorAction SilentlyContinue
if ($Events) { $Events | Select-Object TimeCreated, Message | Format-List }
else { Write-Host "No direct vssadmin execution logs found in Security Event Log." }
# 2. Hunt for Suspicious Scheduled Tasks created in last 24 hours
Write-Host "\n[*] Hunting for Scheduled Tasks created/modified in last 24h..." -ForegroundColor Yellow
$DateCutoff = (Get-Date).AddDays(-1)
Get-ScheduledTask | Where-Object {
$_.Date -gt $DateCutoff -or
(Get-ScheduledTaskInfo $_).LastRunTime -gt $DateCutoff
} | ForEach-Object {
$TaskInfo = Get-ScheduledTaskInfo $_
[PSCustomObject]@{
TaskName = $_.TaskName
TaskPath = $_.TaskPath
LastRunTime = $TaskInfo.LastRunTime
NextRunTime = $TaskInfo.NextRunTime
Author = $_.Author
Actions = $_.Actions.Execute
}
} | Format-Table -AutoSize
# 3. Audit RDP Sessions
Write-Host "\n[*] Enumerating active RDP sessions..." -ForegroundColor Yellow
query user
Write-Host "\n[+] Diagnostic Complete. Review output for anomalies." -ForegroundColor Green
---
Incident Response Priorities
T-Minus Detection Checklist (Pre-Encryption)
- Log Scanning: Immediate grep of IIS/W3SVC logs for
CVE-2024-1708patterns (/WebRoot/...) against ScreenConnect paths. - Mail Server Audit: Check SmarterMail logs for
\Services\or\MRS\POST anomalies associated withCVE-2025-52691. - Process Anomalies: Hunt for
rclone.exe,mega.exe, orwinscp.exespawning fromsvchost.exeorpowershell.exe.
Critical Assets for Exfiltration
Based on the victim profile (Construction, Tech):
- CAD/Blueprint Repositories: High leverage in Construction (e.g.,
.dwg,.rvtfiles). - Source Code Repositories: Critical for Tech victims (Semgrep).
- Email Archives:
.pstand.ostfiles for Business Services victims.
Containment Actions
- Isolate: Disconnect compromised VPN concentrators and jump servers.
- Revoke Credentials: Force reset for all admin and service accounts used on exposed ConnectWise/Exchange servers.
- Block Outbound: Firewall rules to block known cloud storage endpoints utilized by Rclone (e.g., specific S3 IPs or Mega endpoints) if encryption has not yet started.
Hardening Recommendations
Immediate (24 Hours)
- Patch Management: Apply patches for CVE-2024-1708 (ScreenConnect), CVE-2023-21529 (Exchange), and CVE-2025-52691 (SmarterMail) immediately. These are confirmed active vectors.
- Access Control: Enforce MFA on all remote access solutions (VPN, RDP, ScreenConnect). If hardware tokens are unavailable, use number-matching authenticator apps.
- Network Segmentation: Ensure management interfaces (ScreenConnect/Exchange) are not accessible from the open internet; place behind Zero Trust Network Access (ZTNA) or VPN.
Short-term (2 Weeks)
- EDR Deployment: Extend EDR coverage to file servers and backup repositories to detect
rcloneandpowershellobfuscation. - Identity Hygiene: Audit and reduce the number of Global Admins; implement Just-In-Time (JIT) access for privileged roles.
- Backup Immutability: Enable immutable backups (WORM storage) for CAD repositories and source code to neutralize double-extortion leverage.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.