- Aliases: Agenda (Rust-based variant)
- Operational Model: Ransomware-as-a-Service (RaaS)
- Ransom Demands: Highly variable, typically ranging from $500k to $5M depending on revenue, with aggressive negotiation tactics.
- Initial Access Vectors: Qilin operators aggressively exploit exposed edge infrastructure (VPN appliances, firewalls) and remote management tools (ScreenConnect). They leverage valid credentials obtained via initial access brokers (IABs) or by brute-forcing RDP.
- Extortion Strategy: Double extortion. The gang exfiltrates sensitive data (HR, financials, client databases) prior to encryption and threatens to leak it on its .onion site if demands are not met.
- Dwell Time: Short. Recent campaigns indicate an average dwell time of 3–5 days between initial access and encryption.
Current Campaign Analysis
Based on live data harvested from Qilin's dark web leak site on 2026-07-01, the group has accelerated its posting cadence, listing 15+ victims within a 72-hour window.
Sector Targeting:
- Business Services (33%): Law firms (Laughlin Nunnally Hood & Crum), integration firms (Rossum Integration), and staffing (Hemmersbach).
- Manufacturing (26%): Heavily targeted, including metal processing (Mattatuck, Metal Sur Famin) and textile (Kunert Fashion).
- Geographic Spread: Highly globalized, with heavy saturation in the US and UK, but significant expansion into Asia-Pacific (SK, JP, TH) and South America (AR).
Victim Profile: Targets range from mid-market entities (revenue $50M–$200M) to large educational institutions such as Musashino University. The targeting of GSMA (telecommunications) suggests a pivot toward critical infrastructure supply chains.
CVE Correlation & TTPs: The campaign correlates strongly with the recent addition of CVE-2026-50751 (Check Point Security Gateway) and CVE-2026-20131 (Cisco FMC) to the CISA KEV list. Several victims in the Business Services sector operate Check Point perimeter firewalls. The gang is likely leveraging these improper authentication vulnerabilities to bypass MFA and establish persistent VPN tunnels for lateral movement.
Detection Engineering
Sigma Rules (Integrated)
```yaml
---
title: Potential Check Point Security Gateway IKEv1 Exploitation
id: 9e8b7c12-3d45-4a6b-9c8d-1e2f3a4b5c6d
description: Detects potential exploitation of CVE-2026-50751 involving abnormal IKEv1 key exchange patterns or authentication bypass attempts on Check Point gateways.
status: experimental
author: Security Arsenal Research
date: 2026-07-01
tags:
    - attack.initial_access
    - cve.2026-50751
logsource:
    product: firewall
    service: check_point
detection:
    selection:
        action|contains: 'accept'
        service: 'ike'
        ike_version: 'v1'
        vpn_community|startswith: 'No_M'
    condition: selection
falsepositives:
    - Legacy VPN configurations for specific vendors
level: high
---
title: Suspicious Rclone Execution for Exfiltration
id: f1a2b3c4-d5e6-7890-1234-56789abcdef0
description: Detects the execution of rclone, a tool frequently used by Qilin affiliates for data staging and exfiltration to cloud storage prior to encryption.
status: experimental
author: Security Arsenal Research
date: 2026-07-01
tags:
    - attack.exfiltration
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\rclone.exe'
            - '\rc.exe'
    condition: selection
falsepositives:
    - Legitimate administrator backup tasks
level: high
---
title: ConnectWise ScreenConnect Path Traversal Exploit
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
description: Detects exploitation of CVE-2024-1708 targeting ConnectWise ScreenConnect via suspicious URI patterns.
status: experimental
author: Security Arsenal Research
date: 2026-07-01
tags:
    - attack.initial_access
    - cve.2024-1708
logsource:
    # W3C-style access logs of the ScreenConnect web server (the cs-uri-query field below is an IIS/W3C field)
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '..\'
            - '%2e%2e%5c'
            - 'UploadFileHandler.ashx'
    condition: selection
falsepositives:
    - Unknown
level: critical
```
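The ScreenConnect rule above matches two literal encodings of the traversal sequence; a log-side check should decode first so that upper-case and double-encoded variants are not missed. The following scanner is an added example, not code from the original report; the log lines are constructed and the column layout (IIS W3C order) is assumed.

```python
"""Added example, not code from the original report: percent-decode W3C-style web
server log lines before matching, so encoded variants of the ScreenConnect path
traversal that the literal Sigma patterns above miss are still surfaced."""
import re
from urllib.parse import unquote
# Constructed sample lines (IIS W3C layout: date time cs-method cs-uri-stem cs-uri-query sc-status)
SAMPLE_LOG = """\
2026-07-01 09:12:01 GET /Bin/ConnectWise.Control.Client.exe h=relay.example 200
2026-07-01 09:12:05 POST /Login.aspx - 302
2026-07-01 09:12:09 POST /UploadFileHandler.ashx path=..%5c..%5cApp_Extensions 200
2026-07-01 09:12:12 GET /Services/PageService.ashx f=%252E%252E%5Cweb.config 200
2026-07-01 09:12:20 GET /Images/logo.png v=2 200
"""

# After decoding, a dot-dot followed by either separator (ScreenConnect runs on Windows).
TRAVERSAL = re.compile(r"\.\.[\\/]")

def normalise(value: str, rounds: int = 3) -> str:
    """Bounded repeated percent-decoding: %2e%2e%5c, %252e%252e%5c and mixed case all collapse."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()

def is_suspicious(uri_stem: str, uri_query: str) -> bool:
    """True for requests to the upload handler or with a traversal in stem or query."""
    stem, query = normalise(uri_stem), normalise(uri_query)
    if "uploadfilehandler.ashx" in stem:
        return True
    return bool(TRAVERSAL.search(stem) or TRAVERSAL.search(query))

def scan_log(text: str) -> list[dict]:
    """Return one dict per suspicious line with the fields an analyst needs for triage."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or line.startswith("#"):
            continue  # skip W3C directive/comment lines and malformed entries
        date, time, method, stem, query, status = parts[:6]
        if is_suspicious(stem, query):
            hits.append({"time": f"{date} {time}", "method": method,
                         "stem": stem, "query": query, "status": status})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The double-encoded `%252E%252E%5C` line is flagged only because decoding is repeated; a single-pass decode would leave it as `%2E%2E\` and miss it.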
**KQL (Microsoft Sentinel)**

```kql
// Hunt for lateral movement indicators common in Qilin campaigns
// Looks for PsExec, WMIC remote process creation, and encoded PowerShell commands
DeviceProcessEvents
| where Timestamp > ago(7d)
// DeviceProcessEvents exposes the image as FileName (there is no ProcessName column); in~ is case-insensitive
| where FileName in~ ("psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe")
| where ProcessCommandLine has_any ("-accepteula", "process call create", "EncodedCommand")
| extend HostName = DeviceName
| project Timestamp, HostName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
```
**PowerShell Response Script**

```powershell
<#
.SYNOPSIS
Rapid Response: Identify recent scheduled tasks and suspicious shadow copy activity often associated with Qilin staging.
#>
Write-Host "Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Cyan
# The Date property is a string taken from the task XML and may be empty; cast it before comparing
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt (Get-Date).AddDays(-7) } |
    Select-Object TaskName, TaskPath, Date, Author

Write-Host "Checking for recent Volume Shadow Copy deletions (Security Event ID 4663 object-access audit, last 24h)..." -ForegroundColor Cyan
# 4663 events only exist when object access (File System) auditing is enabled on the host
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*DELETE*' -and ($_.Message -like '*Shadow Copy*' -or $_.Message -like '*ShadowCopy*') } |
    Select-Object TimeCreated, Id, Message | Format-List
```
---
Incident Response Priorities
T-minus Detection Checklist:
- Check Point & Cisco FMC Logs: Immediately hunt for authentication logs around IKEv1 or management interface access anomalies (CVE-2026-50751 / CVE-2026-20131).
- ScreenConnect Sessions: Audit ConnectWise ScreenConnect logs for anonymous logins or path traversal attempts (CVE-2024-1708).
- Process Anomalies: Hunt for `rclone.exe`, `powershell.exe` spawning from `svchost.exe`, or unexpected `PsExec` usage.
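The process anomalies in the checklist above, applied to constructed process-creation events, as an added example (not code from the original report). The command-line heuristic for a renamed rclone binary is an assumption of this example, not a detection the report describes.

```python
"""Added example, not code from the original report: triage constructed process-creation
events for the three checklist anomalies above (rclone by name or, as an assumed
heuristic, by command-line shape; powershell.exe under svchost.exe; PsExec usage)."""
import re
from pathlib import PureWindowsPath
# Constructed sample events mirroring Sysmon EID 1 fields (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA"},
    {"Image": r"C:\Temp\rclone.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rclone.exe sync D:\Finance mega:backup --transfers 16"},
    {"Image": r"C:\ProgramData\svc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"svc.exe copy \\FS01\HR remote:staging --config C:\ProgramData\r.conf -P"},
    {"Image": r"C:\Tools\PsExec64.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"PsExec64.exe \\WS-042 -accepteula -s cmd.exe"},
]

RCLONE_NAMES = {"rclone.exe", "rc.exe"}
# rclone verb + source + "remote:path" (2+ chars, so a drive letter does not match), or rclone-only long flags
RCLONE_CMDLINE = re.compile(r"\b(copy|sync|move)\b\s+\S+\s+[A-Za-z0-9_-]{2,}:|--(transfers|config)\b")
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe"}

def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def classify(event: dict) -> list[str]:
    """Return the checklist findings that apply to one event (empty list = nothing)."""
    findings = []
    image, parent = image_name(event["Image"]), image_name(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    if image in RCLONE_NAMES:
        findings.append("rclone execution")
    elif RCLONE_CMDLINE.search(cmd):
        findings.append("possible renamed rclone (command-line shape)")
    if image == "powershell.exe" and parent == "svchost.exe":
        findings.append("powershell.exe spawned from svchost.exe")
    if image in PSEXEC_NAMES or "-accepteula" in cmd.lower():
        findings.append("PsExec usage")
    return findings

def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Keep only flagged events, paired with their findings."""
    return [(e["Image"], f) for e in events if (f := classify(e))]

if __name__ == "__main__":
    for image, findings in triage(EVENTS):
        print(image, "->", "; ".join(findings))
```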
Critical Assets for Exfiltration:
- Intellectual Property (CAD files, formulas) – Priority for Manufacturing victims.
- Client Databases & PII – Priority for Business Services/Legal victims.
- Financial Records & HR Data.
Containment Actions:
- Isolate: Disconnect infected segments from the core network immediately; do not power off endpoints if memory forensics are needed.
- Revoke Credentials: Force reset of all local admin and domain admin credentials used on the identified segment.
- Block IOCs: Block known C2 IPs and the public IPs of the attackers' VPN endpoints identified in firewall logs.
Hardening Recommendations
Immediate (24 Hours):
- Patch Critical CVEs: Immediately apply patches for CVE-2026-50751 (Check Point), CVE-2026-20131 (Cisco FMC), and CVE-2024-1708 (ConnectWise). If patching is delayed, disable affected services (e.g., block IKEv1 or restrict ScreenConnect to internal VPN only).
- Disable RDP/VPN for Non-Essential Staff: Enforce MFA for all remote access and audit active RDP sessions.
Short-term (2 Weeks):
- Network Segmentation: Move Business Services and Manufacturing OT/IoT networks into isolated VLANs with strict firewall rules.
- EDR Deployment: Ensure coverage on all management servers and jump hosts.
- Asset Inventory: Complete a sweep of all internet-facing assets to identify shadow IT or forgotten VPN appliances.