Back to Intelligence

QILIN Ransomware: Global Surge Exploiting Exchange & Cisco Firewall Flaws — 16 New Victims

SA
Security Arsenal Team
May 7, 2026
7 min read

QILIN (aka Agenda) has accelerated its RaaS operations, posting 16 new victims between May 4–6, 2026. The group is actively leveraging critical vulnerabilities in Microsoft Exchange (CVE-2023-21529) and Cisco Secure Firewall Management Center (CVE-2026-20131) for initial access. The victimology shows a distinct pivot toward Professional Services (Law Firms), Manufacturing, and critical infrastructure (Healthcare/Finance) across the US, EU, and South America. Intelligence suggests affiliates are prioritizing double extortion, with a dwell time of less than 48 hours from access to encryption in recent cases.

Threat Actor Profile — QILIN

  • Aliases: Agenda (former branding), Qilin.Breach.
  • Operational Model: Ransomware-as-a-Service (RaaS). High-aggressiveness affiliate model with revenue-sharing incentives.
  • Ransom Demands: Variable, typically ranging from $300k to $5M USD depending on victim revenue.
  • Initial Access: Primarily external-facing remote services. Recent campaigns heavily feature exploitation of unpatched Exchange servers and Firewall management consoles (Cisco FMC). Historical access also includes compromised VPN credentials and phishing.
  • TTPs: Double extortion is standard. Qilin utilizes Rust-based payloads for cross-platform encryption (Windows/Linux). Known to use Cobalt Strike and Sliver for C2 prior to payload deployment.
  • Dwell Time: decreasing. Recent observations indicate a "smash-and-grab" approach of 1–3 days once foothold is established via CVE exploitation.

Current Campaign Analysis

Targeted Sectors Qilin is displaying indiscriminate but opportunistic targeting:

  1. Business Services: Heavy focus on legal firms (e.g., Law Office of Steven R Smith, Rizzuto Law Firm) holding sensitive client data.
  2. Manufacturing & Construction: Targeting supply chain entities (e.g., Complastex, Asphalt Specialists).
  3. Critical Infrastructure: Healthcare (Laclinic-Montreux) and Public Sector (Le Maire de QUIBERON) remain high-value targets.

Geographic Spread The campaign is globally dispersed but concentrated in Western ally nations:

  • Americas: US, Brazil (BR), Paraguay (PY).
  • Europe: Italy (IT), France (FR), Spain (ES).
  • Asia-Pacific: Thailand (TH).

CVE Utilization & Attack Vector There is a direct correlation between the listed CISA Known Exploited Vulnerabilities (KEV) and Qilin's access:

  • CVE-2023-21529 (Exchange): Primary vector for Business Services victims. Unauthenticated deserialization leads to web shell deployment.
  • CVE-2026-20131 (Cisco FMC): Used to breach network perimeters, allowing affiliates to bypass firewall rules and pivot internally.
  • SmarterMail Vulnerabilities (CVE-2025-52691 / CVE-2026-23760): Specific targeting of hosting/email providers to gain tenant-wide access.

Detection Engineering

SIGMA Rules

YAML
title: Potential Exchange Server Deserialization Exploit CVE-2023-21529
description: Detects potential exploitation of Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability via w3wp.exe suspicious process creation.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/05/07
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\w3wp.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\whoami.exe'
    condition: selection
falsepositives:
    - Legitimate Exchange management scripts
level: high

tags:
    - attack.initial_access
    - attack.t1190
    - cve.2023.21529
---
title: SmarterMail Web Shell or Suspicious Activity
description: Detects suspicious process execution patterns associated with SmarterMail exploitation or web shell activity.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/05/07
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        ParentImage|contains: 'MailService'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\net.exe'
    selection_cmd:
        CommandLine|contains:
            - 'whoami'
            - 'net user'
            - 'net localgroup administrators'
    condition: 1 of selection*
falsepositives:
    - Administrative troubleshooting
level: critical

tags:
    - attack.web_shell
    - attack.t1505.003
    - cve.2025.52691
---
title: Ransomware Qilin Typical Lateral Movement Pattern
description: Detects patterns often used by Qilin affiliates for lateral movement and data staging prior to encryption.
author: Security Arsenal Research
date: 2026/05/07
logsource:
    category: process_creation
    product: windows
detection:
    selection_psexec:
        Image|endswith: '\psexec.exe'
        CommandLine|contains: '-accepteula'
    selection_wmi:
        Image|endswith: '\wmic.exe'
        CommandLine|contains: 'process call create'
    selection_rclone:
        Image|endswith: '\rclone.exe'
    condition: 1 of selection_
falsepositives:
    - Administrative remote management
level: high

tags:
    - attack.lateral_movement
    - attack.t1021.002
    - attack.exfiltration

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Qilin Affiliate Activity: Web Shell + Lateral Movement + Data Staging
let Processes = materialize (
    DeviceProcessEvents 
    | where Timestamp > ago(7d)
);
// 1. Identify Potential Web Shell Access (Exchange/SmarterMail)
let WebShellActivity = Processes
| where InitiatingProcessFileName in ("w3wp.exe", "MailService.exe", "WebConfig.exe")
| where ProcessFileName in ("powershell.exe", "cmd.exe", "csc.exe")
| project DeviceId, Timestamp, AccountName, ProcessCommandLine, FolderPath, InitiatingProcessFileName;
// 2. Identify Lateral Movement (PsExec/WMI/SMB)
let LateralMovement = Processes
| where ProcessFileName in ("psexec.exe", "wmic.exe", "powershell.exe")
| where ProcessCommandLine has "invoke-command" or ProcessCommandLine has "new-psession" or ProcessCommandLine contains "\\\"
| project DeviceId, Timestamp, AccountName, ProcessCommandLine, ProcessFileName;
// 3. Identify Data Staging/Exfil Tools (Rclone, WinRAR)
let ExfilTools = Processes
| where ProcessFileName in ("rclone.exe", "winrar.exe", "7z.exe")
| project DeviceId, Timestamp, AccountName, ProcessCommandLine, ProcessFileName;
// Correlate activities
union WebShellActivity, LateralMovement, ExfilTools
| summarize ActivityCount=count(), make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1h)
| where ActivityCount > 2
| order by ActivityCount desc

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    Qilin Ransomware Triage Script
.DESCRIPTION
    Checks for indicators of compromise (IOCs) associated with Qilin operations: 
    Scheduled Tasks, Shadow Copy manipulation, and recent process execution.
#>

Write-Host "[+] Starting Qilin Ransomware Triage Check..." -ForegroundColor Cyan

# 1. Check for recently created Scheduled Tasks (Common persistence)
Write-Host "\n[!] Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Yellow
$schTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) }
if ($schTasks) {
    $schTasks | Format-List TaskName, Author, Date, Action, State
} else {
    Write-Host "No suspicious recent tasks found." -ForegroundColor Green
}

# 2. Check Volume Shadow Copies (Qilin deletes these)
Write-Host "\n[!] Checking Volume Shadow Copy Status..." -ForegroundColor Yellow
try {
    $vss = vssadmin list shadows
    if ($vss -match "No shadow copies") {
        Write-Host "WARNING: No Shadow Copies found. Potential deletion event." -ForegroundColor Red
    } else {
        Write-Host "Shadow Copies exist." -ForegroundColor Green
    }
} catch {
    Write-Host "Error checking VSS: $_" -ForegroundColor DarkGray
}

# 3. Check for Rclone or uncommon archiving processes in last 24h
Write-Host "\n[!] Checking for Data Exfil Tools (Rclone/WinRAR) in Event Logs..." -ForegroundColor Yellow
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
$suspiciousProcs = @("rclone", "winrar", "7z", "procdump")
foreach ($proc in $suspiciousProcs) {
    $found = $events | Where-Object { $_.Message -like "*$proc*" }
    if ($found) {
        Write-Host "ALERT: Found $proc execution:" -ForegroundColor Red
        $found | Select-Object TimeCreated, Message | Format-List
    }
}

Write-Host "\n[+] Triage Complete." -ForegroundColor Cyan


# Incident Response Priorities

1.  **T-Minus Detection Checklist:**
    *   **IIS/Exchange Logs:** Scan `C:\inetpub\logs\LogFiles\` for POST requests containing anomalous serialization data or long base64 strings (indicators of CVE-2023-21529).
    *   **Web Shells:** Hunt for `.aspx`, `.jsp`, or `.php` files in web roots with recent modification timestamps.
    *   **Firewall Telemetry:** Immediately review Cisco FMC logs for administrative logins or configuration changes originating from unexpected IPs (CVE-2026-20131).

2.  **Critical Assets at Risk:**
    *   **Active Directory:** Domain Controllers are primary targets for credential dumping (DCSync).
    *   **Backups:** Qilin aggressively deletes Volume Shadow Copies (`vssadmin delete shadows`). Disconnect backup appliances immediately.
    *   **File Servers:** High-value data repositories for legal and manufacturing clients.

3.  **Containment Actions:**
    *   Isolate affected Exchange servers and Cisco FMC appliances from the network.
    *   Revoke all privileged session tokens (Kerberos) for admins logged into exposed systems.
    *   Enforce MFA reset for all accounts that accessed the exploited VPN/Firewall interfaces.

# Hardening Recommendations

**Immediate (24 Hours):**
*   **Patch Management:** Apply patches for CVE-2023-21529 (Exchange), CVE-2026-20131 (Cisco FMC), and SmarterMail CVEs immediately. If patching is impossible, disable external access to these management interfaces via firewall ACLs.
*   **Account Security:** Force password resets for all service accounts associated with Exchange and Firewall management.
*   **Ingress Filtering:** Block internet access to TCP/443 and TCP/80 for management interfaces (FMC/SmarterMail) from untrusted IP ranges.

**Short-Term (2 Weeks):**
*   **Network Segmentation:** Move management planes (Firewall managers, Exchange Admin Centers) to a dedicated, strictly controlled Admin VLAN with no direct internet access.
*   **EDR Deployment:** Ensure EDR sensors are installed and reporting on Edge/Email servers, a common blind spot.
*   **Phishing Resilience:** Implement strict DMARC/SPF/DKIM policies to prevent email-based initial access vectors which remain a secondary path for this group.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomware-as-a-servicecve-2023-21529financial-servicesinitial-accesshealthcare

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action