Back to Intelligence

QILIN Ransomware: Global Surge Exploiting Exchange & SmarterMail Vulnerabilities

SA
Security Arsenal Team
April 26, 2026
6 min read

Threat Actor Profile — QILIN

Aliases: Agenda, Agenda Ransomware

Model: Ransomware-as-a-Service (RaaS). Qilin operates as an affiliate-heavy operation, offering a custom Rust-based encryptor to partners. They are distinct for their aggressive "double extortion" tactics, often threatening to leak data within 24-48 hours if contact is not established.

Typical Ransom Demands: Highly variable, generally ranging from $500,000 to multi-million dollars depending on victim revenue.

Initial Access Vectors: Historically reliant on valid credentials obtained via phishing or initial access brokers (IABs). However, recent intelligence indicates a shift toward exploiting critical internet-facing infrastructure, specifically vulnerabilities in Email servers (Microsoft Exchange, SmarterMail) and Firewall management consoles.

Dwell Time: Qilin affiliates typically maintain access for 3 to 10 days before detonating encryption, using this time for extensive data staging and lateral movement.

Current Campaign Analysis

Sector Targeting: Data from the last 100 postings indicates a broad scope, but the most recent wave (April 24-25, 2026) shows a distinct pivot toward Manufacturing (Buckley Powder, Leistritz, Denso) and Financial Services (KEMBA Indianapolis FCU, First County FCU). Agriculture (SanCor, Cahbo) and Healthcare remain secondary targets.

Geographic Concentration: The campaign is globally dispersed, with significant hits in North America (US, CA) and Europe (DE, GB, SE). The targeting of Denso (JP) and victims in Argentina/Philippines suggests an opportunistic but technically sophisticated affiliate network scanning for specific vulnerable assets worldwide rather than geo-political targeting.

Victim Profile:

  • Manufacturing: High-value targets (e.g., Denso) with complex OT/IT environments and low tolerance for downtime.
  • Financial: Regional Credit Unions, which often operate on thinner margins and may rely on legacy on-premise mail solutions like Exchange or SmarterMail.

Observed Frequency: High-volume posting. The group published 15 victims across 48 hours (April 24-25), indicating a successful automated exploitation tool or a highly active affiliate group.

CVE Connection: The recent victims strongly correlate with the actively exploited CVEs listed in CISA KEV:

  • CVE-2023-21529 (Microsoft Exchange): Likely the vector for the Financial and Business Services victims.
  • CVE-2025-52691 / CVE-2026-23760 (SmarterMail): Critical vector for smaller enterprises and MSPs hosting mail.
  • CVE-2026-20131 (Cisco FMC): A potential vector for lateral movement or perimeter bypass in larger manufacturing environments.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential Microsoft Exchange Deserialization Exploitation CVE-2023-21529
id: 4c2f3b1d-8a9e-4b2c-9f1d-3a4b5c6d7e8f
description: Detects suspicious command line arguments or process execution patterns associated with deserialization attacks on Microsoft Exchange Server.
status: experimental
date: 2026/04/27
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: \\w3wp.exe
        CommandLine|contains:
            - 'Microsoft.Exchange.Management'
            - 'System.Management.Automation.Serialization'
            - 'BinaryFormatter'
    condition: selection
falsepositives:
    - Legitimate Exchange management scripts
level: high
tags:
    - attack.initial_access
    - attack.t1190
    - cve-2023-21529
---
title: SmarterMail Unrestricted File Upload or Auth Bypass Attempt
id: 5d3e4c2a-9b0f-5c3d-0e2f-4b5c6d7e8f9a
description: Detects suspicious file creation or web access patterns indicative of SmarterMail exploitation (CVE-2025-52691, CVE-2026-23760).
status: experimental
date: 2026/04/27
author: Security Arsenal Research
logsource:
    product: web
    service: iis
detection:
    selection_uri:
        cs-uri-query|contains:
            - 'fileupload'
            - 'saveattachment'
            - 'resetpassword'
    selection_method:
        cs-method: 'POST'
    selection_status:
        sc-status: 200
    filter:
        cs-uri-stem|contains: '/MailService/'
    condition: all of selection_* and filter
falsepositives:
    - Legitimate administrative file uploads
level: critical
tags:
    - attack.initial_access
    - attack.t1190
    - cve-2025-52691
---
title: Ransomware Lateral Movement via PsExec and WMI
id: 6e4f5d3b-0c1g-6d4e-1f3g-5c6d7e8f9a0b
description: Detects the use of PsExec or WMI for lateral movement, commonly used by Qilin affiliates to spread across a network before encryption.
status: experimental
date: 2026/04/27
author: Security Arsenal Research
logsource:
    product: windows
    service: security
detection:
    selection_psexec:
        EventID: 4688
        NewProcessName|contains: '\\PsExec.exe'
        CommandLine|contains: '\\'
    selection_wmi:
        EventID: 4688
        NewProcessName|endswith: \\wmiprvse.exe
        ParentProcessName|endswith: \\svchost.exe
    condition: 1 of selection*
falsepositives:
    - System administration tasks
level: high
tags:
    - attack.lateral_movement
    - attack.t1021.002

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious lateral movement and data staging prior to encryption
let TimeFrame = 1d;
let ProcessList = dynamic(["psexec.exe", "wmic.exe", "powershell.exe", "cmd.exe", "csc.exe", "rundll32.exe"]);
DeviceProcessEvents
| where Timestamp >= ago(TimeFrame)
| where FileName in~ ProcessList
| where InitiatingProcessFileName !in~ ("explorer.exe", "services.exe")
| where ProcessCommandLine contains "-enc" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "IEX"
| summarize count(), arg_min(Timestamp, *) by DeviceId, AccountName, FileName, ProcessCommandLine
| project Timestamp, DeviceId, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc

PowerShell Response Script

PowerShell
# Qilin Ransomware Triage Script
# Checks for recent suspicious scheduled tasks and Shadow Copy manipulation

Write-Host "[+] Checking for Shadow Copy deletion events (Event ID 403)..." -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{LogName='System'; ID=403; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-List

Write-Host "[+] Enumerating Scheduled Tasks created in the last 7 days..." -ForegroundColor Cyan
$schTasks = Get-ScheduledTask
foreach ($task in $schTasks) {
    $taskInfo = $task | Get-ScheduledTaskInfo
    if ($taskInfo.LastRunTime -gt (Get-Date).AddDays(-7)) {
        $action = $task.Actions.Execute
        Write-Host "Task: $($task.TaskName) | Action: $action | Last Run: $($taskInfo.LastRunTime)" -ForegroundColor Yellow
    }
}

Write-Host "[+] Checking for recently modified System32/Drivers binaries..." -ForegroundColor Cyan
Get-ChildItem "C:\Windows\System32\drivers" -Filter "*.sys" | Where-Object {$_.LastWriteTime -gt (Get-Date).AddHours(-24)} | Select-Object Name, LastWriteTime


---

Incident Response Priorities

  1. T-minus Detection Checklist:

    • Mail Server Logs: Immediate grep of IIS/SMTP logs for POST requests to /MailService/ containing saveattachment or similar parameters (SmarterMail).
    • Exchange Backend: Review MSExchange Management logs for unexpected deserialization errors or webshell creation in /aspnet_client/.
    • Firewall Logs: Check outbound traffic on non-standard ports (often used for exfiltration) and connections to known IP addresses associated with Qilin C2.

  2. Critical Assets Prioritized for Exfiltration:

    • Financial: Customer PII, loan databases, ACH/wire transfer logs.
    • Manufacturing: Proprietary CAD drawings, IP, ERP databases (SAP/Oracle).
    • Healthcare: Patient PHI (HIPAA data).

  3. Containment Actions:

    • Immediate: Isolate identified mail servers (Exchange/SmarterMail) from the network. Do not power off; snapshot memory for forensic analysis.
    • Urgent: Revoke credentials for service accounts found in recent logs (specifically those used for Exchange/SQL services).
    • Network: Segment VLANs to prevent lateral movement from the IT network into OT (Manufacturing) environments.

Hardening Recommendations

Immediate (24h):

  • Patch Management: Apply patches for CVE-2023-21529 (Exchange), CVE-2025-52691 (SmarterMail), and CVE-2026-20131 (Cisco FMC) immediately. These are confirmed active exploitation vectors.
  • Access Control: Disable internet-facing management interfaces for Cisco Firewalls and restrict Exchange ECP/OWA access to internal VPN only or strict IP whitelists.
  • MFA Enforcement: Ensure all mail admin and VPN accounts have FIDO2/Phishing-resistant MFA enabled.

Short-term (2 weeks):

  • Architecture: Implement a Secure Web Gateway (SWG) to inspect outbound traffic and block command-and-control (C2) callbacks.
  • Segregation: Move critical backup repositories to an immutable storage tier (object lock) that is logically air-gapped from the production network.
  • Monitoring: Deploy a deception campaign (canary tokens/honeypots) around file shares and mail servers to detect lateral movement attempts early.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwaremanufacturingfinancial-servicescve-2023-21529smartermail

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action