Date: 2026-06-19
Source: Security Arsenal Dark Web Intelligence / Ransomware.live
Threat Actor Profile — QILIN
- Aliases: Agenda. Previously known as Agenda before rebranding to Qilin.
- Operational Model: Ransomware-as-a-Service (RaaS). The group operates an affiliate model, recruiting attackers who gain access and receive a cut of the ransom payments.
- Ransom Demands: Typically ranges from $500,000 to $10 million USD, depending on victim revenue and sensitivity of exfiltrated data.
- Initial Access Vectors: Qilin affiliates are opportunistic but technically proficient. Current primary vectors include exploitation of internet-facing vulnerabilities (VPN appliances, remote management tools like ConnectWise ScreenConnect), and valid credentials obtained via phishing or initial access brokers (IABs).
- Extortion Strategy: Aggressive double extortion. Exfiltrated data is published on their .onion leak site if negotiations fail or deadlines are missed. They specifically target ESXi environments for encryption to maximize operational impact.
- Dwell Time: Short. Average dwell time observed in recent campaigns is 3–5 days between initial access and encryption detonation.
Current Campaign Analysis
Based on the last 100 postings and the live data from 2026-06-19, Qilin is executing a highly aggressive, geographically disperse campaign.
Sector Targeting
Qilin is casting a wide net, but recent data shows a distinct concentration in Construction and Healthcare, alongside high-value Manufacturing targets.
- Construction: 20% of recent victims (e.g., PJ Daly Contracting, Homes By J Anthony, Makel Companies Group).
- Healthcare: 20% of recent victims (e.g., Golfview Developmental Center, Misericórdia de Santo Tirso, Can Healthcare Group). This suggests a willingness to target critical infrastructure despite higher scrutiny.
- Manufacturing/Logistics: Heavy hitters like Roth Industries (DE) and Skupina Don Don - GRUPO BIMBO (SI) indicate a focus on supply chain disruption.
Geographic Concentration
The campaign is truly global, with no single region dominating.
- North America: High activity in the US (Sparkle Pools, Homes By J Anthony) and Mexico (Grupo Indi).
- Europe: Significant presence in Germany, Ireland, France, Portugal, and Slovenia.
- Asia/South America: Targets in Malaysia, Chile, Turkey, and Vietnam confirm the affiliate model is global.
Victim Profile
- Size: Mixed. The portfolio ranges from SMB construction firms to massive multinational corporations (Grupo Bimbo).
- Revenue: Estimated revenue range is $10M - $5B+.
CVE Correlation & Exploitation
The timing of these postings correlates strongly with recent additions to the CISA Known Exploited Vulnerabilities (KEV) catalog. Intelligence suggests Qilin affiliates are actively weaponizing:
- CVE-2024-1708 (ConnectWise ScreenConnect): Likely used for initial access in Business Services and MSP-related victims (e.g., ATCOM Outsourcing).
- CVE-2026-50751 (Check Point Security Gateway): A probable vector for the Telecommunication (Q Link Wireless) and large enterprise sectors requiring robust VPN perimeter security.
- CVE-2026-20131 (Cisco Secure Firewall FMC): Exploitation of management interfaces allows for deep network pivoting, consistent with the rapid lateral movement seen in these victims.
Detection Engineering
The following detection logic is tailored to the TTPs observed in the Qilin campaign, specifically targeting the exploitation of remote access tools and the Cobalt Strike beacons often used for lateral movement.
SIGMA Rules
YAML
title: Potential ConnectWise ScreenConnect Authentication Bypass (CVE-2024-1708)
id: 6a89e384-8855-4b3e-9e01-000000000001
description: Detects potential exploitation of CVE-2024-1708 involving suspicious paths or parameters in ScreenConnect web requests.
status: experimental
date: 2026/06/19
author: Security Arsenal Research
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
tags:
- attack.initial_access
- cve.2024.1708
- detection.emerging_threats
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- 'App_Extensions'
- 'Shell'
- 'Handler'
cs-uri-query|contains|all:
- '.aspx'
- '..'
condition: selection
falsepositives:
- Legitimate administrative debugging (rare)
level: critical
---
title: Cobalt Strike Beacon Process Injection Pattern
id: 7b91f495-9966-4c2a-8f12-000000000002
description: Detects typical process injection patterns used by Cobalt Strike beacons often employed by Qilin affiliates.
status: experimental
date: 2026/06/19
author: Security Arsenal Research
tags:
- attack.privilege_escalation
- attack.t1055
logsource:
category: process_creation
detection:
selection:
ParentImage|endswith:
- '\\powershell.exe'
- '\\cmd.exe'
- '\
undll32.exe'
Image|endswith:
- '\
undll32.exe'
- '\
egsvr32.exe'
CommandLine|contains:
- 'javascript:'
- 'mshtml,RunHTMLApplication'
condition: selection
falsepositives:
- Unknown
level: high
---
title: Qilin Ransomware Pre-Encryption Shadow Copy Deletion
id: 8c02g606-0077-5d3b-9g23-000000000003
description: Detects commands used to delete Volume Shadow Copies to prevent recovery, common in Qilin playbook.
status: experimental
date: 2026/06/19
author: Security Arsenal Research
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
detection:
selection_img:
Image|endswith:
- '\\vssadmin.exe'
- '\\wmic.exe'
- '\\powershell.exe'
selection_cli:
CommandLine|contains:
- 'delete shadows'
- 'shadowcopy delete'
- 'Remove-Item'
condition: all of selection_*
falsepositives:
- System administration tasks (verify user)
level: critical
Microsoft Sentinel (KQL)
KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and suspicious service installs associated with Qilin (PsExec/WMI)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName in~ (\"psexec.exe\", \"psexec64.exe\", \"psexecsvc.exe\") or
(ProcessCommandLine contains \"Create\" and ProcessCommandLine contains \"remote\" and FileName =~ \"sc.exe\"))
| where InitiatingProcessAccountName != \"SYSTEM\"
| summarize count(), make_set(ProcessCommandLine), make_set(InitiatingProcessFileName) by DeviceName, Timestamp
| extend AlertDetails = strcat(\"Potential Lateral Movement detected on \", DeviceName)
PowerShell Response Script
PowerShell
<#
.SYNOPSIS
Rapid Response Audit for Qilin Indicators of Compromise.
.DESCRIPTION
Checks for recent scheduled tasks (persistence) and Volume Shadow Copy manipulation.
#>
function Invoke-QilinAudit {
Write-Host \"[*] Checking for Scheduled Tasks created/modified in the last 7 days...\" -ForegroundColor Cyan
$DateCutoff = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object {
$_.Date -ge $DateCutoff -or $_.LastRunTime -ge $DateCutoff
} | Select-Object TaskName, TaskPath, Date, LastRunTime, Author | Format-Table -AutoSize
Write-Host \"[*] Checking Volume Shadow Copy Storage status...\" -ForegroundColor Cyan
try {
vssadmin list shadows | Select-String \"Shadow Copy Volume\"
}
catch {
Write-Host \"[!] Error querying VSS. Check permissions.\" -ForegroundColor Red
}
Write-Host \"[*] Checking for suspicious RDP logins (Event ID 4624) in last 24h...\" -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match 'Logon Type:\\s*10' -and $_.Message -notmatch 'Source Network Address:\\s*-' } |
Select-Object TimeCreated, @{n='User';e={$_.Properties[5].Value}}, @{n='IP';e={$_.Properties[19].Value}} | Format-Table -AutoSize
}
Invoke-QilinAudit
---
Incident Response Priorities
Based on Qilin's rapid operational tempo, containment must be immediate upon detection.
T-Minus Detection Checklist
- Network: Identify lateral movement via SMB (TCP 445) and RDP (TCP 3389) to non-standard hosts.
- Process: Hunt for
powershell.exespawning fromsvchost.exeor unexpected parent processes. - Auth: Review VPN logs (Check Point/Cisco) for successful authentications followed immediately by mass SMB enumeration.
Critical Assets at Risk
Qilin historically exfiltrates:
- Financial Data: Accounting ledgers, tax returns, and banking details.
- PII/PHI: Employee records and patient data (especially given the Healthcare targets).
- Intellectual Property: CAD drawings and proprietary formulas (Manufacturing sector targets).
Containment Actions
- Isolate: Disconnect infected segments from the core network immediately; do not shutdown systems yet if memory capture is needed for analysis.
- Disable: Suspend domain accounts used in the suspected lateral movement path immediately.
- Reset: Force password resets for all privileged accounts (Domain Admins) and force MFA re-enrollment.
Hardening Recommendations
Immediate (24 Hours)
- Patch Critical CVEs: Emergency patching of Check Point Security Gateway (CVE-2026-50751) and Cisco FMC (CVE-2026-20131) is mandatory. If patching is impossible, disable VPN access or enforce strict allow-listing for source IPs.
- ScreenConnect Hygiene: If ConnectWise ScreenConnect is in use, ensure it is updated to the latest build and block internet access to the management interface from untrusted IPs.
- MFA Enforcement: Ensure phishing-resistant MFA (FIDO2) is enforced on all VPN and remote access gateways.
Short-Term (2 Weeks)
- Network Segmentation: Enforce strict segmentation between ICS/SCADA/OT environments (Manufacturing targets) and IT networks.
- Backup Immutability: Verify that backups are offline or immutable. Qilin actively targets backup agents to prevent recovery.
- EDR Coverage: Roll out EDR coverage to all servers, specifically prioritizing ESXi hypervisors and backup servers.
Related Resources
Security Arsenal Incident Response
Managed SOC & MDR Services
AlertMonitor Threat Detection
From The Dark Side Intel Hub
darkwebransomware-gangqilinransomwaremanufacturinghealthcarecve-2024-1708check-point
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.