Aliases: Agenda (historical), Qilin. Ransomware-as-a-Service (RaaS) Model: Qilin operates an aggressive RaaS model, recruiting affiliates with advanced networking skills to conduct initial access and lateral movement, while the core team develops the sophisticated Go-based encryption payload. Typical Ransom Demands: $300,000 – $5,000,000 USD, calibrated based on victim revenue and exfiltrated data volume. Initial Access Methods: Heavily reliant on external remote services. Recent intelligence confirms the exploitation of ConnectWise ScreenConnect (CVE-2024-1708) and Microsoft Exchange (CVE-2023-21529). Phishing with malicious macros remains a secondary vector. Double Extortion: Strictly adheres to the double-extortion playbook. Exfiltration occurs 1–48 hours prior to encryption. Non-payment results in data being published to their dedicated .onion site. Average Dwell Time: 3–10 days. Qilin affiliates are known to move laterally quickly once valid credentials are obtained via webshell or service exploitation.
Current Campaign Analysis
Sector Targeting: The current campaign exhibits a distinct pivot towards Healthcare and Manufacturing, alongside continued pressure on Financial Services.
- Healthcare: 4 of 15 recent victims (Clinica Avellaneda, Generation Life, B.Care Medical Center, Spirit Medical Transport).
- Manufacturing: 4 of 15 recent victims (Common Part Groupings, NR Engineering, Schulte-Lindhorst, Fab-Masters).
Geographic Concentration: A broad global footprint is observed, with significant clusters in:
- North America (US): Construction, Manufacturing, Healthcare.
- Oceania (AU): Education, Healthcare, Logistics.
- Southeast Asia (MY, TH, PH): Financial Services, Manufacturing, Healthcare.
- South America (CL, AR): Agriculture, Healthcare.
Victim Profile: Targets range from mid-market enterprises (50–500 employees) to larger logistics and education entities. Recent victims like Menzies Group (Logistics) and Australian College of Business Intelligence suggest a willingness to target complex, data-rich environments.
Observed Posting Frequency / Escalation: Posting volume has spiked to 2–3 victims per day (May 13–17). The rapid-fire posting suggests a "dumping" phase where negotiations failed or deadlines were met simultaneously, indicating coordinated operations by multiple affiliates.
CVE Connection: The correlation between the latest CISA KEV list and Qilin victims is high.
- CVE-2024-1708 (ScreenConnect): Highly likely used for initial access against the Turner Supply and Common Part Groupings incidents, given the prevalence of RMM tools in the construction and manufacturing sectors.
- CVE-2023-21529 (Exchange): Suspected vector for the PNSB Insurance Brokers and Australian College of Business Intelligence compromises.
Detection Engineering
---
title: Potential ConnectWise ScreenConnect Authentication Bypass / Path Traversal
id: 8f7e2b1c-9a3d-4f5c-b2a1-8d4e5f6a7b8c
description: Detects potential path traversal or authentication bypass attempts on ConnectWise ScreenConnect web panel related to CVE-2024-1708 and similar vulnerabilities.
author: Security Arsenal Research
date: 2026/05/17
status: experimental
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- '.*\.*'
- '%2f'
- '%5c'
- 'App_Extensions'
filter:
cs-uri-query|contains: 'Host'
condition: selection and not filter
falsepositives:
- Legitimate scanning
level: high
tags:
- attack.initial_access
- cve.2024.1708
- ransomware.qilin
---
title: Suspicious Exchange Server PowerShell Deserialization
id: 9d8f3e2a-1b4c-5d6e-9f0a-2b3c4d5e6f7a
description: Detects suspicious PowerShell command execution patterns often associated with deserialization exploits or webshell interaction on Exchange servers.
author: Security Arsenal Research
date: 2026/05/17
status: experimental
logsource:
product: windows
service: security
detection:
selection:
EventID: 4688
NewProcessName|endswith: \powershell.exe
CommandLine|contains:
- 'System.Management.Automation.AmsiUtils'
- 'System.Reflection.Assembly'
- 'DownloadString'
parent_process:
ParentProcessName|endswith:
- \w3wp.exe
- \umworkerprocess.exe
condition: selection and parent_process
falsepositives:
- Exchange Management Shell administration
level: critical
tags:
- attack.execution
- cve.2023.21529
- ransomware.qilin
---
title: Potential Ransomware Data Staging via High Volume SMB Write
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects potential data staging activity characteristic of Qilin preparations prior to exfiltration, involving high-volume writes to network shares.
author: Security Arsenal Research
date: 2026/05/17
status: experimental
logsource:
product: windows
service: security
detection:
selection:
EventID: 5140
RelativeTargetName|contains:
- 'admin$'
- 'c$'
- 'data'
- 'backup'
AccessMask: '0x3'
timeframe: 5m
condition: selection | count() > 50
falsepositives:
- Legitimate backup operations
- Data migration tasks
level: medium
tags:
- attack.collection
- attack.exfiltration
- ransomware.qilin
kql
// Hunt for lateral movement and staging signs associated with Qilin tooling
// Looks for unusual process spawns from system binaries and high-volume file access
SecurityEvent
| where EventID in (4688, 5140, 5145)
| extend ProcessName = tostring(NewProcessName), Account = tostring(TargetUserName)
| where ProcessName contains "powershell.exe" or ProcessName contains "cmd.exe" or ProcessName contains "wmi.exe"
| where CommandLine contains "copy" or CommandLine contains "move" or CommandLine contains "robocopy" or CommandLine contains "7z" or CommandLine contains "rar"
| summarize count(), arg_max(TimeGenerated, *) by Computer, Account, ProcessName
| where count_ > 5
| order by count_ desc
powershell
# Qilin Rapid Response Hardening & Detection Script
# Checks for suspicious Scheduled Tasks and VSS modifications often used by Qilin for persistence/anti-recovery
Write-Host "[+] Checking for recently created suspicious Scheduled Tasks (Last 7 Days)..." -ForegroundColor Cyan
$dateThreshold = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object {$_.Date -gt $dateThreshold} | ForEach-Object {
$taskInfo = $_ | Get-ScheduledTaskInfo
$action = $_.Actions.Execute
$author = $_.Author
if ($author -eq $null -or $author -match "S-1-5" -or $action -match "powershell" -or $action -match "cmd") {
Write-Host "[!] Suspicious Task Found: $($_.TaskName)" -ForegroundColor Red
Write-Host " Author: $author" -ForegroundColor DarkGray
Write-Host " Action: $action" -ForegroundColor DarkGray
}
}
Write-Host "[+] Checking for Shadow Copy Deletion Attempts..." -ForegroundColor Cyan
$events = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=12343} -ErrorAction SilentlyContinue -MaxEvents 10
if ($events) {
Write-Host "[!] WARNING: Recent Volume Shadow Copy Deletion events detected!" -ForegroundColor Red
$events | Select-Object TimeCreated, Message | Format-List
} else {
Write-Host " No VSS deletion events found recently." -ForegroundColor Green
}
Write-Host "[+] Checking for Qilin-specific service names..." -ForegroundColor Cyan
Get-Service | Where-Object {$_.DisplayName -like "*Qilin*" -or $_.ServiceName -like "*Qilin*"} | ForEach-Object {
Write-Host "[!] CRITICAL: Qilin Service Detected: $($_.DisplayName)" -ForegroundColor Red
}
# Incident Response Priorities
* **T-Minus Detection Checklist:**
1. **Webshell Scanning:** Immediately scan public-facing IIS and ScreenConnect servers for `web.config` modifications or suspicious `.aspx`/`.ashx` files created in the last 48 hours.
2. **Exchange Logs:** Review IIS logs on Exchange CAS servers for POST requests to `/OAB/` or `/EWS/` containing serialized data patterns (large base64 strings).
3. **MFA Audit:** Verify that all VPN, RDP, and email accounts have MFA enforced. Qilin affiliates frequently bypass legacy MFA via token manipulation or session hijacking.
* **Critical Assets (Prioritize for Isolation):**
* **EMR/EHR Systems** (Active Directory connections for these services are prime targets).
* **File Servers** containing intellectual property (Manufacturing) or financial records (Insurance).
* **Backup Repositories:** Qilin specifically seeks out and deletes or encrypts shadow copies and backup agents.
* **Containment Actions (Ordered by Urgency):**
1. **Disconnect Internet-Facing RMM:** If ScreenConnect is in use, disconnect the server from the internet immediately pending patch verification.
2. **Reset Service Account Credentials:** Specifically for Exchange and IIS application pool identities.
3. **Isolate Hyper-V Hosts:** Qilin often encrypts .vhdx files to maximize impact.
# Hardening Recommendations
**Immediate (24h):**
* **Patch Critical CVEs:** Apply patches for **CVE-2024-1708 (ScreenConnect)**, **CVE-2023-21529 (Exchange)**, and the **SmarterMail** CVEs immediately. These are confirmed active exploitation paths.
* **Block RDP from Internet:** Implement a strict VPN requirement or Zero Trust Network Access (ZTNA) for all RDP and SMB traffic.
* **Disable Exchange Powershell Remoting:** Restrict `New-ManagementRoleAssignment` and cmdlet access to specific admin IPs if possible.
**Short-term (2 weeks):**
* **Network Segmentation:** Ensure healthcare and manufacturing OT/IoT networks are logically segmented from the IT domain to prevent lateral movement.
* **Implement MFA for All Services:** Move beyond email/RDP to enforce MFA on management consoles (ScreenConnect, vCenter, ESXi).
* **EDR Deployment:** Ensure comprehensive EDR coverage on all servers, particularly legacy systems that might be vulnerable to the SmarterMail exploits.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.