QILIN Ransomware: Surge in Manufacturing & Financial Services Attacks — Detection Rules for CVE-2023-21529 & SmarterMail Exploits

Threat Actor Profile — QILIN

Aliases: Agenda, Agenda Ransomware (formerly known as Qilin).

Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate program, offering a customizable encryptor written in Rust and Go for cross-platform capabilities and evasion. Recent shifts suggest a move towards aggressive "big game hunting" with affiliates focused on high-revenue sectors.

Ransom Demands: Variable, typically ranging from $500,000 to $5 million USD depending on victim revenue. They are known to negotiate aggressively and strictly enforce deadlines for data leaks.

Initial Access Vectors:

• Phishing: Initial access frequently via spear-phishing campaigns delivering malicious macros or ISO files.
• Vulnerability Exploitation: Historically exploited VPN vulnerabilities (e.g., Fortinet, Pulse Secure). Current intelligence indicates a pivot towards exploiting public-facing email services (Microsoft Exchange, SmarterMail) and firewall management interfaces (Cisco FMC).
• Valid Credentials: Purchased credentials or brute-forcing RDP and VPN endpoints.

Double Extortion: Standard playbook. Exfiltration occurs via tools like Rclone or MegaSync prior to encryption. Pressure is applied via leak site postings and direct emails to executives/partners.

Dwell Time: Short to moderate (3–10 days). Qilin affiliates move quickly from initial access to lateral movement to encryption, minimizing blue team response windows.

Current Campaign Analysis

Campaign Date: 2026-04-25

Targeted Sectors: The latest postings indicate a diversified but focused campaign against:

1. Manufacturing (30%): Buckley Powder (CA), Leistritz Turbine Technology (DE), Denso (JP), Progressive Propane (US).
2. Financial Services (20%): KEMBA Indianapolis Credit Union (US), First County FCU (US).
3. Agriculture & Food Production: Cahbo Produkter (SE), SanCor (AR).
4. Healthcare: Mid Florida Dermatology & Plastic Surgery (US).
5. Business Services/Hospitality: Woodfields Consultants (PH), Travel Expert (HK).

Geographic Concentration: Significant spread across North America (US, CA) and Europe (DE, SE, GB), with specific expansion into APAC (PH, HK, JP). The US remains the primary target due to the high value of data and willingness to pay.

Victim Profile: Mid-to-large enterprises. Victims include critical manufacturing suppliers and regional financial institutions (Credit Unions). These organizations likely have complex supply chains and legacy infrastructure (e.g., older Exchange versions or exposed firewalls).

Observed Frequency & Escalation: Qilin has posted 15 victims within the last 48 hours. This high velocity suggests an automated or highly efficient affiliate operation, likely exploiting a specific set of unpatched vulnerabilities at scale.

CVE Connection — Initial Access: There is a strong correlation between the recent victims (Finance, Healthcare, Business Services) and the CISA Known Exploited Vulnerabilities (KEVs) listed:

• CVE-2023-21529 (Microsoft Exchange): Financial and healthcare victims (KEMBA, Mid Florida Dermatology) are heavy Exchange users.
• CVE-2025-52691 / CVE-2026-23760 (SmarterTools SmarterMail): These vulnerabilities provide unauthenticated file upload and auth bypass. Victims in business and professional services sectors likely rely on this mail server.
• CVE-2026-20131 (Cisco FMC): Exploitation of firewall management centers provides network-level pivoting capabilities, crucial for accessing segmented manufacturing environments.

Detection Engineering

The following detection logic targets Qilin's specific TTPs observed in this campaign, focusing on the exploitation of email services and lateral movement.

SIGMA Rules

title: Potential SmarterMail Webshell Upload CVE-2025-52691
id: 6a1b2c3d-4e5f-6789-0abc-1def23456789
status: experimental
description: Detects potential webshell upload activity related to SmarterMail Unrestricted Upload of File vulnerability (CVE-2025-52691).
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/04/25
tags:
    - attack.initial_access
    - attack.web_shell
    - cve.2025.52691
logsource:
    product: windows
    service: file
detection:
    selection:
        TargetFilename|contains:
            - 'C\\\Program Files (x86)\\\SmarterTools\\\SmarterMail\\\MRS\\'
            - 'C\\\Program Files\\\SmarterTools\\\SmarterMail\\\MRS\\'
        TargetFilename|endswith:
            - '.aspx'
            - '.ashx'
            - '.asp'
    condition: selection
falsepositives:
    - Legitimate administrative file uploads
level: high
---
title: Microsoft Exchange Deserialization Anomaly CVE-2023-21529
id: 7b2c3d4e-5f6a-7890-1bcd-2ef34567890a
status: experimental
description: Detects exploitation attempts for Microsoft Exchange Server Deserialization of Untrusted Data (CVE-2023-21529).
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/04/25
tags:
    - attack.initial_access
    - attack.execution
    - cve.2023.21529
logsource:
    product: windows
    service: msexchange-management
detection:
    selection:
        EventID: 6 # Generic Exchange error/log ID, adjust based on specific environment logs for deserialization failures
        Message|contains:
            - 'deserialization'
            - 'BinaryFormatter'
            - 'LosFormatter'
    condition: selection
falsepositives:
    - Known application errors
level: critical
---
title: Qilin Ransomware Lateral Movement Patterns
id: 8c3d4e5f-6a7b-8901-2cde-3f45678901ab
status: experimental
description: Detects typical Qilin lateral movement via PsExec and WMI often used after initial access.
references:
    - https://attack.mitre.org/techniques/T1021/002/
author: Security Arsenal Research
date: 2026/04/25
tags:
    - attack.lateral_movement
    - attack.execution
logsource:
    product: windows
    service: security
detection:
    selection_psexec:
        EventID: 5145
        ShareName|contains: 'IPC$'
        RelativeTargetName: 'PSEXESVC'
    selection_wmi:
        EventID: 4688
        NewProcessName|endswith:
            - '\\\wmiprvse.exe'
            - '\\\powershell.exe'
        CommandLine|contains:
            - 'Invoke-Command'
            - 'New-CimInstance'
    condition: 1 of selection_*
falsepositives:
    - Administrative IT tasks
level: high

KQL (Microsoft Sentinel)

// Hunt for SmarterMail exploitation and potential Qilin staging
let TimeRange = 1d;
let SmarterMailPaths = dynamic([\"C:\\\Program Files\\\SmarterTools\\\SmarterMail\", \"C:\\\Program Files (x86)\\\SmarterTools\\\SmarterMail\"]);
let FileExtensions = dynamic([\".aspx\", \".ashx\", \".config\"]);
DeviceFileEvents
| where Timestamp > ago(TimeRange)
| where FolderPath has_any (SmarterMailPaths)
| where FileName has_any (FileExtensions)
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, SHA256
| join kind=leftanti (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where ProcessVersionInfoOriginalFileName in ~(\"services.exe\", \"w3wp.exe\") // Noise reduction
) on DeviceName
| distinct Timestamp, DeviceName, FileName, InitiatingProcessAccountName, SHA256

PowerShell Hardening Script

<#
.SYNOPSIS
    Qilin Ransomware Hardening and Hunt Script
.DESCRIPTION
    Checks for exposed RDP, recent VSS shadow copy modifications (ransomware precursor), and enumerates scheduled tasks.
#>

Write-Host \"[+] Initiating Qilin Threat Hunt...\" -ForegroundColor Cyan

# 1. Check for Shadow Copy Deletion (Common in Qilin playbook)
Write-Host \"\
[*] Checking for recent VSS Shadow Copy deletions or alterations...\"
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($vssEvents) {
    Write-Host \"[!] Found recent VSS events - Investigate manually:\" -ForegroundColor Yellow
    $vssEvents | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Host \"[-] No recent suspicious VSS events found.\" -ForegroundColor Green
}

# 2. Enumerate Scheduled Tasks created in last 7 days (Persistence)
Write-Host \"\
[*] Checking for Scheduled Tasks created/modified in last 7 days...\"
$scheduleService = New-Object -ComObject Schedule.Service
$scheduleService.Connect()
$rootFolder = $scheduleService.GetFolder(\"\")
$tasks = $rootFolder.GetTasks(0)
$now = Get-Date
foreach ($task in $tasks) {
    $xml = $task.Xml
    $dateNode = [xml]$xml
    $regDate = $dateNode.Task.RegistrationInfo.Date
    if ($regDate -gt $now.AddDays(-7)) {
        Write-Host \"[!] Suspicious recent task: $($task.Name) - Registered: $regDate\" -ForegroundColor Red
    }
}

# 3. Check for RDP Exposure (Port 3389)
Write-Host \"\
[*] Checking for active RDP listeners...\"
$rdpListeners = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
if ($rdpListeners) {
    Write-Host \"[!] RDP is listening on the following addresses:\" -ForegroundColor Yellow
    $rdpListeners | Select-Object LocalAddress, OwningProcess
} else {
    Write-Host \"[-] RDP not listening.\" -ForegroundColor Green
}

Write-Host \"\
[+] Hunt Complete. Please review highlighted items.\" -ForegroundColor Cyan


---

Incident Response Priorities

Based on Qilin's operational tempo and the CVEs currently in play:

T-minus Detection Checklist:

1. Exchange & Mail Logs: Immediate review of IIS logs for SmarterMail ( /MRS/ endpoints) and Exchange Ecp or Owa directories for POST anomalies.
2. Process Anomalies: Hunt for powershell.exe spawning from w3wp.exe (web server process) or svchost.exe.
3. Credential Dumping: Look for procdump or rundll32.exe accessing lsass.exe.

Critical Assets for Exfiltration:

• Financial: ACH routing files, customer PII databases (SSN/TaxID).
• Manufacturing: Intellectual Property (CAD designs, proprietary formulas), Supply Chain ERP data (SAP/Oracle).
• Healthcare: Patient PHI records (EMR exports).

Containment Actions (Ordered by Urgency):

1. Isolate: Disconnect infected segments from the core network; specifically isolate Exchange and Mail server subnets immediately.
2. Block: Block inbound internet access to ports 443/80 on mail servers from untrusted IPs at the perimeter firewall.
3. Reset: Force password resets for all service accounts and privileged users (Domain Admins) if compromise is confirmed.

Hardening Recommendations

Immediate (24 Hours):

• Patch: Apply updates for CVE-2023-21529 (Exchange) and CVE-2025-52691 (SmarterMail). Disable the specific vulnerable endpoints if patching is delayed.
• External Attack Surface: Identify and block internet access to Cisco FMC and SmarterMail management interfaces from the public internet. Enforce VPN-only access.
• MFA: Enforce strict MFA (phishing-resistant FIDO2) on all OWA, VPN, and Remote Desktop gateways.

Short-term (2 Weeks):

• Network Segmentation: Implement strict Zero Trust controls between manufacturing OT networks and IT corporate networks.
• EDR Deployment: Ensure full EDR coverage on all Mail Servers and Domain Controllers; review alert tuning for deserialization anomalies.
• Application Control: Implement allow-listing for scripts executing on mail servers (powershell.exe, cmd.exe, cscript.exe should be blocked for IIS worker processes).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub