Aliases: Agenda (historical), Qilin.
Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate-heavy model, allowing diverse initial access vectors while maintaining a consistent custom encryption payload written in Rust or Go for cross-platform capabilities.
Typical Operations:
- Ransom Demands: Variable, typically ranging from $500k to $5M depending on victim revenue.
- Initial Access: Historically relies on phishing with macro-laced documents, but recent intelligence indicates a shift toward exploiting external-facing services (VPNs, Firewalls, Email Gateways) as seen in the CVE list below.
- Double Extortion: Aggressive data exfiltration prior to encryption. Leaks are published on their .onion site if negotiations fail or stall.
- Dwell Time: Short. Qilin affiliates typically move laterally within 2–4 days of initial access before detonating the payload.
Current Campaign Analysis
Campaign Overview: Based on data harvested from the Qilin leak site on 2026-04-21, the group has posted a significant volume of victims (15 in the last 48 hours), indicating a high-velocity campaign.
Sector Targeting:
- Manufacturing (High Risk): 40% of recent victims (e.g., Industrial Carrocera Arbuciense, Heartland Steel, Kolin Turkey). This sector remains the primary target due to low tolerance for downtime.
- Business Services (Elevated Risk): 20% of recent victims (e.g., PTS Office Systems, GUEGUEN Avocats). Targeted for sensitive client data access.
- Other: Logistics, Healthcare, Construction, and Public Sector entities were also hit.
Geographic Concentration:
- North America: US and Canada are heavily targeted.
- Europe: Spain (ES), France (FR), and Germany (DE) are secondary hot zones.
Victim Profile: Recent targets range from mid-market logistics firms (e.g., Sea Air International Forwarders) to municipal entities (Roman Catholic Archdiocese of St John). The broad spread suggests a spray-and-pray approach using exploits for common enterprise software rather than highly tailored spear-phishing.
CVE Correlation: The recent victimology, particularly Business Services and Healthcare (STERIMED), strongly correlates with the exploitation of:
- CVE-2023-21529 (Microsoft Exchange): Allows authenticated code execution—likely used to pivot from compromised user accounts.
- CVE-2025-52691 / CVE-2026-23760 (SmarterMail): Critical file upload and auth bypass flaws. These are likely the primary access vectors for the email/tech-service providers hit.
Detection Engineering
The following detection rules and hunt queries are designed to identify the specific TTPs observed in Qilin's recent campaigns, focusing on the CVEs listed above and their standard lateral movement.
YAML
title: Potential SmarterMail Exploitation CVE-2025-52691
description: Detects potential exploitation of SmarterMail unrestricted file upload vulnerability via web access patterns and subsequent process execution.
status: experimental
date: 2026/04/23
author: Security Arsenal Research
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
product: webserver
service: iis
definition: 'Requirements: IIS Log fields date, time, c-ip, cs-uri-stem, sc-status'
detection:
selection:
cs-uri-stem|contains:
- '/Mail/Default.aspx'
- '/Services/Mail.asmx'
filter_status:
sc-status: 200
filter_method:
cs-method: 'POST'
condition: selection and filter_status and filter_method | count(cs-uri-stem) by src_ip > 10
falsepositives:
- Legitimate high-volume API usage by email clients
level: high
---
title: Microsoft Exchange Deserialization Exploit Attempt CVE-2023-21529
description: Detects patterns associated with deserialization attacks on Microsoft Exchange Server, specifically looking for suspicious serialization formats in Exchange backend logs.
status: experimental
date: 2026/04/23
author: Security Arsenal Research
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
product: exchange
service: frontend
detection:
selection:
EventID:
- 4103 # PowerShell Module Logging
- 4104 # Script Block Logging
selection_payload:
ScriptBlockText|contains:
- 'BinaryFormatter'
- 'LosFormatter'
- 'ObjectStateFormatter'
selection_context:
ScriptBlockText|contains:
- 'Microsoft.Exchange.Management'
condition: all of selection*
falsepositives:
- Legitimate Exchange Management Scripts
level: critical
---
title: Qilin Ransomware Lateral Movement Indicators
description: Detects typical lateral movement patterns used by Qilin affiliates, including PsExec usage and WMI command line execution often seen prior to encryption.
status: experimental
date: 2026/04/23
author: Security Arsenal Research
logsource:
product: windows
service: security
detection:
selection_psexec:
EventID: 5145
ShareName|contains: 'ADMIN$'
RelativeTargetName|contains: 'PSEXESVC.exe'
selection_wmi:
EventID: 4688
NewProcessName|contains: 'WMIC.exe'
CommandLine|contains: 'process call create'
selection_suspicious_parent:
EventID: 4688
ParentProcessName|contains:
- '\\System32\\cmd.exe'
- '\\System32\\powershell.exe'
NewProcessName|contains:
- '\\Temp\\'
- '\\Public\\'
condition: 1 of selection_
falsepositives:
- Legitimate administrative IT maintenance
level: high
KQL Hunt Query (Microsoft Sentinel)
Hunts for signs of data staging or remote process execution associated with Qilin preparations.
KQL — Microsoft Sentinel / Defender
let TimeFrame = 1d;
SecurityEvent
| where TimeGenerated > ago(TimeFrame)
// Hunting for PsExec and WMI lateral movement
| where EventID in (5145, 4688)
| extend ProcessName = iff(EventID == 4688, NewProcessName, "")
| extend CommandLine = iff(EventID == 4688, CommandLine, "")
| extend ShareName = iff(EventID == 5145, ShareName, "")
| where ProcessName contains "psexec"
or CommandLine contains "wmic"
or ShareName contains "ADMIN$"
// Filter for potential staging activity - copying to temp or public folders
| or (
SubjectUserName contains "admin",
CommandLine contains ".exe" and CommandLine contains "\\"
)
| summarize count(), TimeGenerated = max(TimeGenerated) by Computer, SubjectUserName, ProcessName, CommandLine
| order by count_ desc
PowerShell Rapid Response Script
Checks for active network connections to known C2 ports and recent scheduled tasks often used for persistence.
PowerShell
# Qilin Persistence Check
Write-Host "Checking for Qilin Persistence Indicators..." -ForegroundColor Yellow
# 1. Check for unusual scheduled tasks created in last 24 hours
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddHours(-24) }
if ($suspiciousTasks) {
Write-Host "[ALERT] Recently Created Scheduled Tasks:" -ForegroundColor Red
$suspiciousTasks | Select-Object TaskName, Date, Author, Actions | Format-List
} else {
Write-Host "[INFO] No suspicious recent scheduled tasks found." -ForegroundColor Green
}
# 2. Check for Active Network Connections on non-standard ports (Potential C2)
$connections = Get-NetTCPConnection -State Established |
Where-Object { $_.LocalPort -notin (80,443,135,139,445,3389,5985,5986) -and $_.RemoteAddress -ne "0.0.0.0" -and $_.RemoteAddress -notlike "127.*" }
if ($connections) {
Write-Host "[WARNING] Active connections on non-standard ports found:" -ForegroundColor Orange
$connections | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess | Format-Table
}
# 3. Check for Shadow Copy manipulation attempts (Event ID 1 from Sysmon)
Write-Host "Checking Sysmon for vssadmin deletion attempts..."
$wevtutil = wevtutil qe sysmon /c:10 /rd:true /f:text | Select-String "vssadmin"
if ($wevtutil) {
Write-Host $wevtutil
}
---
# Incident Response Priorities
**T-Minus Detection Checklist (Pre-Encryption):**
1. **Email Gateway Logs:** Audit SmarterMail and Exchange logs immediately for failed logins followed by successful POST requests on the dates 2026-04-20 through 2026-04-23.
2. **Firewall Logs:** Review outbound connections on non-standard ports; Qilin affiliates often use `rclone` or custom tools for exfiltration over ports 443 or 80.
3. **User Account Behavior:** Look for service accounts (e.g., `SQL`, `IUSR`) performing interactive logins or creating new processes.
**Critical Assets for Exfiltration:**
Qilin prioritizes exfiltrating high-value intellectual property before encryption:
- Manufacturing: CAD drawings, client databases, supply chain manifests.
- Healthcare: PII/PHI databases.
- Business Services: Client financial records and legal contracts.
**Containment Actions:**
1. **Isolate:** Immediately disconnect Exchange and Mail gateway servers from the network if compromise is suspected.
2. **Revoke Credentials:** Force reset of privileged credentials (Domain Admins) for any user with a mailbox on the affected servers.
3. **Block IP:** Block IP ranges associated with unusual access patterns in firewall logs.
---
# Hardening Recommendations
**Immediate (24 Hours):**
- **Patch Exchange:** Apply the patch for **CVE-2023-21529** immediately.
- **Patch SmarterMail:** Apply the security updates for **CVE-2025-52691** and **CVE-2026-23760**. Disable the `Mail.aspx` endpoint or restrict access to trusted internal IP subnets if patching is delayed.
- **MFA Enforcement:** Enforce Conditional Access/MFA for all OWA, VPN, and Email administration portals.
**Short-term (2 Weeks):**
- **Network Segmentation:** Ensure Email servers and Management interfaces (Cisco FMC) reside in a hardened management VLAN, not reachable directly from the internet without a VPN jump host.
- **Disable Legacy Protocols:** Ensure PowerShell Remoting (WinRM) is disabled on internet-facing systems unless strictly necessary.
---
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebransomware-gangqilinransomwaremanufacturingexchange-serversmartermaillateral-movement
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.