Aliases: Agenda (historical association), Twisted Spider Operational Model: Ransomware-as-a-Service (RaaS) with an aggressive affiliate network. Ransom Demands: Variable, typically ranging from $500,000 to multi-million dollar demands depending on victim revenue and data sensitivity. Initial Access Vectors: Historically relies on exploiting exposed remote management tools (ConnectWise ScreenConnect, RDP) and valid credentials obtained via phishing. Recently observed leveraging vulnerabilities in email and network perimeter appliances. Double Extortion: Strictly adheres to the model; exfiltrates sensitive data (PII, PHI, IP) prior to encryption and pressures victims via leak site postings. Average Dwell Time: 3–7 days. Qilin affiliates are known for rapid lateral movement once a foothold is established, often minimizing the window for detection before detonation.
Current Campaign Analysis
Targeted Sectors: The recent victim list (2026-05-27 to 2026-05-28) indicates a diverse yet focused targeting strategy:
- Manufacturing: 20% of recent victims (Sinomax USA, Carton Craft Supply, LA Woodworks).
- Healthcare: 20% of recent victims (Mindpath College Health, Providence Medical Group, Dillon Family Medicine).
- Business Services: 26% of recent victims (Gallun Snow Associates, Kennedy, McLaughlin & Associates, Mainstreet Organization of REALTORS).
- Other: Education, Technology, Agriculture, and Consumer Services.
Geographic Concentration: Heavily US-centric (approx. 70% of recent victims), but with significant global reach including Australia (AU), Denmark (DK), Saudi Arabia (SA), Hungary (HU), and Latvia (LA). This suggests a broad, opportunistic scanning posture rather than geo-political targeting.
Victim Profile: The victims range from mid-market entities (e.g., local woodworks, family medicine clinics) to larger organizations (school districts). Revenue estimates suggest a focus on organizations with $10M – $200M annual revenue—entities likely to have cyber insurance but potentially immature security postures regarding legacy RMM tools.
Escalation Patterns: Posting frequency spiked on 2026-05-28 with 10 victims published simultaneously. This "batching" suggests either an automated publication script triggered by a timer or a mass-exploitation event occurring days prior.
CVE Connection: The campaign correlates strongly with the active exploitation of:
- CVE-2024-1708 (ConnectWise ScreenConnect): A staple for Qilin affiliates, allowing remote code execution on managed service endpoints.
- CVE-2025-52691 (SmarterTools SmarterMail): Likely used for initial access in Technology and Business Services sectors to gain a foothold via email servers.
- CVE-2023-21529 (Microsoft Exchange): Used for credential harvesting and persistence within Healthcare and Education sectors.
Detection Engineering
Sigma Rules
---
title: Potential ScreenConnect Path Traversal Exploitation CVE-2024-1708
id: 4e2f3f8c-7a12-45b6-8f1a-2d3c4e5f6a7b
status: experimental
description: Detects potential exploitation of ConnectWise ScreenConnect path traversal vulnerability via suspicious URI patterns.
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/01
tags:
- attack.initial_access
- attack.t1190
- cve.2024.1708
logsource:
category: webserver
detection:
selection:
c-uri|contains: '/Bin/ScreenConnect.ashx'
selection_suspicious:
c-uri|contains:
- '..'
- '%2e%2e'
- 'Windows'
- 'System32'
condition: selection and selection_suspicious
falsepositives:
- Legitimate administrative access (rare with these patterns)
level: critical
---
title: SmarterMail Arbitrary File Upload Exploitation CVE-2025-52691
id: 5a3g4h9i-0j1k-2l3m-4n5o-6p7q8r9s0t1u
status: experimental
description: Detects potential exploitation of SmarterMail file upload vulnerability via suspicious User-Agents and URI paths.
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/01
tags:
- attack.initial_access
- attack.webshell
- cve.2025.52691
logsource:
category: webserver
detection:
selection_uri:
c-uri|contains: '/Services/MailService.asmx'
selection_method:
c-method: 'POST'
selection_suspicious_content:
cs-content-type|contains: 'multipart/form-data'
filter_legit:
sc-status: 200
condition: selection_uri and selection_method and selection_suspicious_content and filter_legit
falsepositives:
- Legitimate email client attachments (inspect user-agent)
level: high
---
title: Suspicious Lateral Movement via PsExec or WMI
id: 6b4c5d0e-1f2a-3b4c-5d6e-7f8g9h0i1j2k
status: experimental
description: Detects usage of PsExec or WMI for lateral movement, common in Qilin playbook.
author: Security Arsenal Research
date: 2026/06/01
tags:
- attack.lateral_movement
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection_psexec:
Image|endswith: '\psexec.exe'
CommandLine|contains:
- '-accepteula'
- '-u '
- '-p '
selection_wmi:
Image|endswith: '\wmic.exe'
CommandLine|contains: 'process call create'
condition: 1 of selection_*
falsepositives:
- System administration
level: high
KQL (Microsoft Sentinel)
// Hunt for Qilin Staging and Lateral Movement Indicators
// Focuses on PowerShell, SMB, and Common Admin Tools
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where InitiatingProcessAccountName != "SYSTEM" // Focus on user-driven
| where
// Common Qilin tools
FileName in~ ("powershell.exe", "cmd.exe", "psexec.exe", "wmic.exe", "procdump.exe", "rar.exe", "7z.exe") or
// Base64 encoded commands (often used for obfuscation)
CommandLine contains "-enc " or
CommandLine contains "FromBase64String" or
CommandLine contains "DownloadString"
| extend HostName = DeviceName
| summarize count(), make_set(CommandLine) by FileName, HostName, InitiatingProcessAccountName
| where count_ > 5 // Threshold for suspicious activity
PowerShell Response Script
<#
.SYNOPSIS
Qilin Ransomware Rapid Response Check
.DESCRIPTION
Checks for signs of Qilin activity: Shadow Copy deletion, unusual scheduled tasks,
and suspicious processes (PsExec, Rclone).
#>
Write-Host "[+] Starting Qilin Response Check..." -ForegroundColor Cyan
# 1. Check for Shadow Copy Deletion Attempts (vssadmin)
$VssEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match 'vssadmin.*delete.*shadows' -or $_.Message -match 'wmic.*shadowcopy.*delete' }
if ($VssEvents) {
Write-Host "[!!!] CRITICAL: Shadow copy deletion commands detected in Security Logs!" -ForegroundColor Red
$VssEvents | Select-Object TimeCreated, Message | Format-List
} else {
Write-Host "[OK] No immediate shadow copy deletion commands found in recent logs." -ForegroundColor Green
}
# 2. Check for Suspicious Scheduled Tasks (Last 7 Days)
$StartDate = (Get-Date).AddDays(-7)
$SuspiciousTasks = Get-ScheduledTask | Where-Object {
$_.Date -gt $StartDate -and
($_.TaskName -match 'Update' -or $_.TaskName -match 'Driver' -or $_.TaskName -match 'System') -and
$_.Author -notmatch 'Microsoft' -and $_.Author -notmatch 'Author'
}
if ($SuspiciousTasks) {
Write-Host "[!!!] WARNING: Recently created scheduled tasks with suspicious naming/author found." -ForegroundColor Yellow
$SuspiciousTasks | Select-Object TaskName, Date, Author, Action | Format-List
} else {
Write-Host "[OK] No suspicious recently created tasks." -ForegroundColor Green
}
# 3. Check for Qilin Associated Processes
$SuspiciousProcs = @("psexec", "procdump", "rclone", "mimikatz", "anydesk", "supremo")
$RunningProcs = Get-Process | Where-Object { $SuspiciousProcs -contains $_.ProcessName }
if ($RunningProcs) {
Write-Host "[!!!] ALERT: Suspicious process running!" -ForegroundColor Red
$RunningProcs | Select-Object ProcessName, Id, Path
} else {
Write-Host "[OK] No known Qilin/Lateral Movement tools currently running." -ForegroundColor Green
}
Write-Host "[+] Check Complete. If alerts are triggered, isolate host immediately." -ForegroundColor Cyan
# Incident Response Priorities
**T-Minus Detection Checklist:**
1. **User Account Audit:** Check for newly created local admins (often named `support`, `helpdesk`, or `backup`) in the last 48 hours.
2. **RMM Logs:** Correlate ConnectWise ScreenConnect logs with the `CVE-2024-1708` signature. Look for logins from unusual ASN/IPs.
3. **Volume Shadow Copies:** Query `vssadmin list shadows` to ensure they exist. A sudden drop to zero is a pre-encryption TTP.
**Critical Assets Prioritized for Exfiltration:**
* **Healthcare:** Patient PHI (SSNs, medical records), insurance payer data.
* **Manufacturing:** CAD drawings, proprietary formulas, supply chain vendor lists.
* **Business Services:** Client financial databases, tax documents, legal contracts.
**Containment Actions:**
1. **Isolate:** Disconnect infected VLANs immediately; Qilin spreads via SMB.
2. **Revoke Credentials:** Force-reset all domain admin and service account credentials; assume MFA bypass if session hijacking occurred.
3. **Block Outbound:** Block traffic to known Tor exit nodes and file-sharing sites (Mega, WeTransfer) at the perimeter.
# Hardening Recommendations
**Immediate (24h):**
* **Patch CVE-2024-1708:** Update ConnectWise ScreenConnect to the latest patched version immediately. If patching is not possible, disable external access to the Web Client interface.
* **Disable RDP:** Ensure RDP is not exposed to the internet. Enforce Network Level Authentication (NLA) if internal use is required.
* **MFA Enforcement:** Enable FIDO2 or phishing-resistant MFA for all VPN, OWA (Exchange), and RMM portal access.
**Short-term (2 weeks):**
* **Network Segmentation:** Segment critical backup servers and domain controllers from user workstations.
* **RMM Hygiene:** Conduct a audit of all remote management tools. Implement "Just-in-Time" access policies rather than standing administrative access.
* **Immutable Backups:** Ensure offline or immutable backups are tested and reachable.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.