* **Aliases:** Agenda (the name commonly used before the rebranding).
* **Model:** Ransomware-as-a-Service (RaaS) with an aggressive affiliate network.
* **Ransom Demands:** Variable, typically ranging from $300k to several million USD; victims are often asked to pay twice, once for the decryption key and once for deletion of the stolen data.
* **Initial Access:** Heavily reliant on exploiting exposed remote management tools (ConnectWise ScreenConnect) and on valid credentials obtained from initial access brokers (IABs). Phishing remains a secondary vector for lower-value targets.
* **Double Extortion:** Strictly adheres to the double extortion model; exfiltration of sensitive data precedes encryption in 100% of observed cases. Victims are pressured via leak site postings.
* **Dwell Time:** Short-to-medium (3–10 days). Affiliates move to lateral movement and credential dumping immediately after gaining a foothold.
# Current Campaign Analysis
Sectors Targeted: Recent intelligence (2026-06-02 to 2026-06-05) indicates a diversified but focused targeting strategy. The Healthcare sector is the primary victim (20% of recent victims), including specific targets like Central Florida Cosmetic & Family Dentistry and Nova Medical Products. Energy and Business Services follow closely, suggesting a pivot toward critical infrastructure and professional services holding high-value PII or IP.
Geographic Concentration: The campaign is globally dispersed but heavily concentrated in North America (US: 4, CA: 2) and Europe (DE: 1, AT: 1, SI: 1, PT: 1). Notable outliers include SKUPINA Don Don (SI), JNP ENG (KR), and Clinica Maitenes (CL), indicating a globally distributed affiliate network.
Victim Profile: Targets range from small-to-medium enterprises (SMEs) like Swim-Mor Pools to larger entities in the Energy sector (Trican). This suggests Qilin affiliates are opportunistic regarding size but specific regarding industry data value.
Escalation & CVE Correlation: The posting frequency (15 victims in ~5 days) indicates high-velocity automation. This correlates strongly with the active exploitation of CVE-2024-1708 (ConnectWise ScreenConnect) and the emerging CVE-2026-48027 (Nx Console). These vulnerabilities allow immediate RCE and remove the need for complex phishing campaigns, which explains the rapid escalation.
# Detection Engineering
## SIGMA Rules
The following rules target the TTPs observed in this Qilin campaign, in particular the exploitation of ConnectWise ScreenConnect and lateral movement via SMB and beacons.
```yaml
title: Potential ConnectWise ScreenConnect Authentication Bypass
description: Detects potential exploitation of CVE-2024-1708 involving abnormal authentication paths or path traversal in ConnectWise ScreenConnect logs.
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/07
tags:
  - attack.initial_access
  - cve.2024.1708
  - detection.emerging_threats
logsource:
  category: web
  product: connectwise_screenconnect
detection:
  selection_query:
    cs-uri-query|contains:
      - 'Authorization='
      - '../'
      - '%2e%2e'
  # traversal sequences also appear in the request path, not only in the query string
  selection_stem:
    cs-uri-stem|contains:
      - '../'
      - '%2e%2e'
  condition: 1 of selection_*
falsepositives:
  - Misconfigured legacy integrations
level: critical
```
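As an added example (not part of the original report or of the Sigma project), the rule's contains-list above applied in Python to constructed W3C-style web log lines, with a percent-decoding normalization step that also catches double-encoded and backslash traversal variants the literal list misses. The log lines and the `stem`/`query` field layout are assumptions for the demonstration.

```python
from urllib.parse import unquote

# Indicator strings from the Sigma rule above; Sigma 'contains' is case-insensitive in most backends
INDICATORS = ('authorization=', '../', '%2e%2e')

# Constructed W3C-style lines (date time cs-method cs-uri-stem cs-uri-query sc-status); not real telemetry
SAMPLE_LOG = """\
2026-06-03 08:12:01 GET /Host/Page.aspx - 200
2026-06-03 08:12:07 GET /App/Resource.ashx file=../../sample.txt 200
2026-06-03 08:12:09 GET /App/Resource.ashx file=%2E%2E%2F%2E%2E%2Fsample.txt 200
2026-06-03 08:12:11 GET /App/Resource.ashx file=%252e%252e%252fsample.txt 200
2026-06-03 08:12:13 GET /App/Resource.ashx file=..%5c..%5csample.txt 200
2026-06-03 08:12:20 GET /Services/Login.ashx Authorization=placeholder 401
2026-06-03 08:13:00 GET /Images/logo.png v=3 200
"""

def parse_line(line):
    """Split one W3C-style line into (stem, query); '-' marks an empty query."""
    _date, _time, _method, stem, query, _status = line.split()
    return stem, '' if query == '-' else query

def normalize(value, max_rounds=3):
    """Percent-decode until the string stops changing (catches double encoding), then fold '\\' to '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')

def hits(text):
    """The rule's contains-list, evaluated case-insensitively like a Sigma backend."""
    return any(ind in text.lower() for ind in INDICATORS)

def scan(log_text):
    """Return (raw_hits, normalized_hits): 1-based line numbers flagged by the literal
    contains-list versus the same list applied after decoding."""
    raw, norm = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        stem, query = parse_line(line)
        if hits(stem + ' ' + query):
            raw.append(n)
        if hits(normalize(stem) + ' ' + normalize(query)):
            norm.append(n)
    return raw, norm

if __name__ == '__main__':
    print(scan(SAMPLE_LOG))  # ([2, 3, 6], [2, 3, 4, 5, 6])
```

Lines 4 and 5 (double-encoded and backslash variants) are only caught after normalization, so a backend that cannot decode should carry the encoded forms as extra list entries.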
```yaml
title: Ransomware Data Staging via Large File Copy
description: Detects rapid copying of large volumes of data to a single destination, indicative of data staging prior to exfiltration by Qilin affiliates.
author: Security Arsenal Research
date: 2026/06/07
tags:
  - attack.collection
  - attack.exfiltration
logsource:
  category: file_access
  product: windows
detection:
  selection:
    EventID: 4663
    ObjectType: 'File'
  filter:
    AccessMask|contains: 'SYNCHRONIZE'
  timeframe: 5m
  # count per account so the threshold applies to one actor, not to all file access on the host
  condition: selection and not filter | count() by SubjectUserName > 50
falsepositives:
  - Legitimate backup operations
level: high
```
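As an added example (not part of the original report), the aggregation in the data-staging rule above implemented over constructed 4663 events: a sliding 5-minute window per `SubjectUserName` after the SYNCHRONIZE filter, so a busy backup account spread over half an hour does not fire while a burst from one user does. The event layout and account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 50                     # condition: count() > 50
TIMEFRAME = timedelta(minutes=5)   # timeframe: 5m

def make_event(ts, user, access):
    return {'EventID': 4663, 'ObjectType': 'File', 'SubjectUserName': user,
            'AccessList': access, 'TimeCreated': ts}

def constructed_events():
    """Constructed sample 4663 events (not real telemetry)."""
    t0 = datetime(2026, 6, 4, 2, 0, 0)
    ev = []
    # one user touches 70 files in about 3.5 minutes: the staging pattern the rule is after
    ev += [make_event(t0 + timedelta(seconds=3 * i), 'jdoe', 'ReadData') for i in range(70)]
    # backup service account: 120 files spread evenly over 30 minutes (about 20 per 5 minutes)
    ev += [make_event(t0 + timedelta(seconds=15 * i), 'svc_backup', 'ReadData') for i in range(120)]
    # admin: 55 accesses in under 3 minutes, 40 of which carry SYNCHRONIZE and are dropped by the filter
    ev += [make_event(t0 + timedelta(seconds=3 * i), 'admin',
                      'ReadData SYNCHRONIZE' if i < 40 else 'ReadData') for i in range(55)]
    return ev

def selected(e):
    """selection and not filter"""
    return e['EventID'] == 4663 and e['ObjectType'] == 'File' and 'SYNCHRONIZE' not in e['AccessList']

def max_window_counts(events, key='SubjectUserName'):
    """For each key, the largest number of selected events inside any TIMEFRAME-wide sliding window."""
    times = defaultdict(list)
    for e in events:
        if selected(e):
            times[e[key]].append(e['TimeCreated'])
    result = {}
    for k, ts in times.items():
        ts.sort()
        best, start = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > TIMEFRAME:   # advance the window start until it spans at most 5 minutes
                start += 1
            best = max(best, end - start + 1)
        result[k] = best
    return result

def alerts(events):
    """Accounts whose peak 5-minute count exceeds the rule threshold."""
    return sorted(k for k, n in max_window_counts(events).items() if n > THRESHOLD)

if __name__ == '__main__':
    print(max_window_counts(constructed_events()), alerts(constructed_events()))
```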
```yaml
title: Suspicious PowerShell Base64 Encoded Command
description: Detects PowerShell execution with encoded commands, often used by Qilin for running malicious payloads in memory.
author: Security Arsenal Research
date: 2026/06/07
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    # a list under one field key is OR-ed; repeating the key is invalid YAML
    CommandLine|contains:
      - ' -e '
      - ' -EncodedCommand '
  condition: selection
falsepositives:
  - System administration scripts
level: medium
```
## KQL (Microsoft Sentinel)
Use this query to hunt for lateral movement indicators associated with Qilin's use of Cobalt Strike and PsExec.
```kql
// DeviceProcessEvents exposes the process image as FileName and its arguments as ProcessCommandLine
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ('psexec.exe', 'psexec64.exe', 'wmic.exe')
    or (FileName =~ 'powershell.exe' and ProcessCommandLine contains 'New-Object')
    or (FileName =~ 'cmd.exe' and ProcessCommandLine contains @'\\192.168.' and ProcessCommandLine contains 'IPC$')
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
```
## Rapid Response Script
This PowerShell script checks for suspicious scheduled tasks (persistence) and recent modifications to Shadow Copies (common precursor to encryption).
```powershell
# Check for Scheduled Tasks registered in the last 48 hours (Date is a string and is empty for some built-in tasks)
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt (Get-Date).AddDays(-2) } |
    Select-Object TaskName, Date, Author, Actions

# Check for recent shadow copy deletion (vssadmin / wmic shadowcopy) in process creation events.
# Event ID 4688 requires process creation auditing with command-line logging enabled.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
    Where-Object { ($_.Message -like '*vssadmin*' -or $_.Message -like '*shadowcopy*') -and $_.Message -like '*delete*' } |
    Select-Object TimeCreated, Id, Message
```
# Incident Response Priorities
1. **T-minus Detection Checklist:**
* **Logs:** Immediately review ConnectWise ScreenConnect logs for `Authorization` bypass attempts or abnormal path traversal strings from 2026-06-01 to the present.
* **Processes:** Hunt for `powershell.exe` spawning from `cmd.exe` with encoded arguments.
* **Network:** Identify outbound SMB connections (ports 445, 139) to non-corporate IP addresses.
2. **Critical Assets (Exfiltration Targets):**
* **Healthcare:** Patient PHI, insurance billing data (Ransom demands are inflated based on HIPAA compliance costs).
* **Energy:** Operational schematics, SCADA interface data, personnel PII.
* **Business Services:** Client financial records, legal contracts, proprietary databases.
3. **Containment Actions (Order of Urgency):**
* **Isolate:** Disconnect infected hosts from the network immediately; do not shut down (preserve memory).
* **Disable:** Revoke all VPN credentials and RDP sessions for affected users.
* **Patch:** Apply the patch for CVE-2024-1708 and CVE-2026-48027 across the enterprise immediately.
# Hardening Recommendations
**Immediate (24h):**
* **Patch Management:** Emergency patch cycle for ConnectWise ScreenConnect (CVE-2024-1708) and Nx Console (CVE-2026-48027).
* **Access Control:** Enforce MFA on all remote access gateways. If MFA is not available, implement IP allow-listing.
* **Network Segmentation:** Ensure management planes (like RMM tools) are on isolated VLANs, not reachable from the open internet.
**Short-term (2 weeks):**
* **EDR Deployment:** Ensure coverage on 100% of endpoints, specifically focusing on servers hosting ConnectWise or similar RMM tools.
* **Account Hygiene:** Audit and rotate service account credentials used by IT management tools.
* **Reduced Privilege:** Remove local administrator rights from standard user accounts to impede lateral movement.