Qilin
Qilin, also known as Agenda, is a ransomware-as-a-service (RaaS) operation first observed in 2022. The operation surfaced under the Agenda name in mid-2022 and was later rebranded to Qilin. It uses double extortion: affiliates steal data from victim environments and then deploy ransomware to encrypt systems, threatening to leak stolen data via a dedicated leak site if payment is not made. Qilin has been described as one of the most active ransomware groups in 2025 and has claimed large numbers of victims on its leak site.
The malware family supports cross-platform targeting. Reporting in the provided content describes Windows, Linux, and VMware ESXi-focused variants, including a Linux ELF64 encryptor and later Rust-based variants such as Qilin.B. The Linux/ESXi encryptor is highly configurable, with embedded configuration and command-line options controlling encryption behavior, file and directory targeting, process termination, file renaming, VM exclusion, snapshot deletion, and VM termination. On ESXi, Qilin enumerates virtual machines, force-stops them, removes snapshots, and encrypts virtualization-related files, then drops ransom notes named with the configured extension plus "_RECOVER.txt" containing Tor negotiation links and victim-specific credentials. The malware can target documents, archives, databases, source code, media, and virtualization files including vmdk, vhdx, qcow2, ova, ovf, vmem, and vswp.
The content also describes Windows-focused tradecraft and evolving variants. Qilin has been delivered through malicious email attachments, including spearphishing emails. In one reported intrusion, attackers used compromised credentials, remote access, and a customized bring-your-own-vulnerable-driver (BYOVD) technique to disable endpoint defenses before ransomware deployment. That case involved a sideloading chain using the Carbon Black Cloud Sensor binary upd.exe, a malicious avupdate.dll, and an XOR-encoded payload web.dat that decoded into a customized EDRSandblast variant. The tool loaded the signed Toshiba driver TPwSav.sys and abused it to gain kernel-level memory access and disable EDR-related kernel callbacks and event tracing. Other observed activity includes use of SSH reverse proxy tooling, RDP and remote management tools, and scheduled tasks pushed via GPO. Sophos-reported activity also included modification of domain policy to deploy logon-based scripts harvesting Chrome credentials.
Qilin’s affiliate model allows customization of skipped directories and files, killed processes, encryption mode, and virtual machines that should not be shut down. Reported encryption modes include skip-step, percent, and fast modes. The content states that affiliates were advertised on Russian-language cybercriminal forums including RAMP and XSS, and that affiliates were instructed not to target Commonwealth of Independent States countries. Qilin has been linked in reporting to Russian cybercriminal ecosystems, and multiple sources in the content note partnerships or use by Scattered Spider/Octo Tempest affiliates beginning in 2024.
Victimology in the provided content spans multiple sectors and geographies. Qilin is described as targeting organizations across sectors, with repeated mention of healthcare, emergency services, manufacturing, construction and engineering, professional services, and financial organizations. Healthcare targeting is specifically highlighted, including use of Linux- and ESXi-based malware against databases storing electronic health records and disruption linked by reporting to the Synnovis incident affecting NHS hospitals in London. Named victim claims in the content include Yanfeng Automotive Interiors, Hikari Seiko Co. Ltd., Die Linke, and a U.S. financial advisory firm. The content also notes victim postings across countries including Australia, Brazil, Canada, Colombia, France, the Netherlands, Serbia, the United Kingdom, Japan, and the United States.
Known indicators and artifacts directly mentioned in the content include the ransom note pattern "[extension]_RECOVER.txt"; the email/Jabber contact qilin@exploit[.]im; the machine name WIN-8OA3CCQAE4D as a reported compromise marker in one source; infrastructure and IPs observed in one intrusion including 31.192.107[.]144 and 216.120.203[.]26; and filenames upd.exe, avupdate.dll, web.dat, main.exe, and the vulnerable driver TPwSav.sys. The content also notes that Qilin maintains a proprietary leak site with unique company IDs and leaked account details, and that ransom demands observed by reporting ranged from $25,000 to millions of dollars.
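As an added, defender-side example (not code from this page or from any vendor cited on it), the following Python script triages a file listing for the host artifacts described above: ransom notes matching the "[extension]_RECOVER.txt" pattern (from which it recovers the extension the encryptor appended), renamed files whose original extension is one of the virtualization formats listed above, and the file names from the reported BYOVD sideloading chain (upd.exe, avupdate.dll, web.dat, main.exe, TPwSav.sys). The sample paths, the appended extension "kj3x9", and the directory names are constructed for illustration and are not indicators from the page.

```python
import re
import posixpath
from dataclasses import dataclass, field

# Values taken from the page: the ransom-note naming pattern, the
# virtualization file types the encryptor targets, and the file names
# from the reported BYOVD sideloading chain.
RANSOM_NOTE_RE = re.compile(r"^(?P<ext>[A-Za-z0-9]+)_RECOVER\.txt$", re.IGNORECASE)
VM_EXTENSIONS = {"vmdk", "vhdx", "qcow2", "ova", "ovf", "vmem", "vswp"}
BYOVD_ARTIFACTS = {"upd.exe", "avupdate.dll", "web.dat", "main.exe", "tpwsav.sys"}
# The sideload chain pairs the legitimate updater with a planted DLL beside it.
SIDELOAD_PAIR = ("upd.exe", "avupdate.dll")


@dataclass
class TriageReport:
    ransom_notes: list = field(default_factory=list)
    appended_extensions: set = field(default_factory=set)
    encrypted_vm_files: list = field(default_factory=list)
    encrypted_other_files: list = field(default_factory=list)
    byovd_artifacts: list = field(default_factory=list)
    sideload_dirs: list = field(default_factory=list)


def _split(path):
    """Return (directory, basename); Windows and POSIX paths are both accepted."""
    norm = path.replace("\\", "/")
    return posixpath.dirname(norm), posixpath.basename(norm)


def triage(paths):
    """Classify a list of file paths (e.g. from a datastore or host inventory)."""
    report = TriageReport()
    names_by_dir = {}

    # Pass 1: ransom notes reveal which extension was appended to encrypted
    # files; BYOVD artifact names are matched case-insensitively on basename.
    for p in paths:
        d, name = _split(p)
        names_by_dir.setdefault(d, set()).add(name.lower())
        m = RANSOM_NOTE_RE.match(name)
        if m:
            report.ransom_notes.append(p)
            report.appended_extensions.add(m.group("ext").lower())
        if name.lower() in BYOVD_ARTIFACTS:
            report.byovd_artifacts.append(p)

    # Pass 2: with the appended extension known, find renamed files and
    # separate virtualization files from everything else. A file that had
    # no original extension still counts as encrypted, just not as a VM file.
    for p in paths:
        _, name = _split(p)
        parts = name.lower().split(".")
        if len(parts) >= 2 and parts[-1] in report.appended_extensions:
            if len(parts) >= 3 and parts[-2] in VM_EXTENSIONS:
                report.encrypted_vm_files.append(p)
            else:
                report.encrypted_other_files.append(p)

    # Directories holding both halves of the sideload pair deserve a look.
    for d, names in names_by_dir.items():
        if all(n in names for n in SIDELOAD_PAIR):
            report.sideload_dirs.append(d)
    return report


# Constructed sample inventory: an ESXi datastore plus a Windows host.
SAMPLE_PATHS = [
    "/vmfs/volumes/datastore1/app01/app01.vmdk.kj3x9",
    "/vmfs/volumes/datastore1/app01/app01.vmx",
    "/vmfs/volumes/datastore1/app01/kj3x9_RECOVER.txt",
    "/vmfs/volumes/datastore1/db02/db02-flat.vmdk.kj3x9",
    "/vmfs/volumes/datastore1/db02/db02.vswp.kj3x9",
    "/vmfs/volumes/datastore1/db02/kj3x9_RECOVER.txt",
    "/vmfs/volumes/datastore1/iso/ubuntu.iso",
    r"C:\ProgramData\CBUpdate\upd.exe",
    r"C:\ProgramData\CBUpdate\avupdate.dll",
    r"C:\ProgramData\CBUpdate\web.dat",
    r"C:\Windows\System32\drivers\TPwSav.sys",
    r"C:\Users\alice\Documents\report.docx.kj3x9",
]

if __name__ == "__main__":
    r = triage(SAMPLE_PATHS)
    print("appended extension(s):", sorted(r.appended_extensions))
    print("ransom notes:", len(r.ransom_notes))
    print("encrypted VM files:", len(r.encrypted_vm_files))
    print("encrypted other files:", len(r.encrypted_other_files))
    print("BYOVD artifacts:", r.byovd_artifacts)
    print("sideload directories:", r.sideload_dirs)
```

The script deliberately derives the appended extension from the ransom notes rather than hard-coding one, since affiliates configure it per victim; if no note is present the encrypted-file lists stay empty, so an inventory with renamed files but no note should still be reviewed by hand. Matching on the bare file names upd.exe and avupdate.dll will also hit legitimate Carbon Black installations, which is why the co-location check and the presence of web.dat are reported separately for an analyst to weigh.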
Vulnerabilities exploited
5 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."
Known Exploited Vulnerabilities: CVE-2024-55591 — Authentication Bypass Vulnerability — Fortinet FortiOS — CVSS 9.8
Known Exploited Vulnerabilities: CVE-2023-27532 — Missing Authentication for Critical Function Vulnerability — Veeam Backup & Replication Cloud Connect — CVSS 7.5
Known Exploited Vulnerabilities: CVE-2024-21762 — Out-of-Bound Write Vulnerability — Fortinet FortiOS — CVSS 9.8
“ThrottleStop.sys is a legitimate, signed driver… The ThrottleStop vulnerability (CVE-2025-7771) comes from the way the driver handles memory access. Attackers can exploit this to gain control, ultimately leading to disabling security tools.”
Groups observed using it
13 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Talos IR observed Qilin and Medusa ransomware for the first time, while also responding to previously seen Chaos ransomware. We responded to a Qilin ransomware incident for the first time this quarter, identifying tools and TTPs that have not been previously publicly reported.
By June 2022, DEV-0237 was still primarily deploying Hive and sometimes Nokoyawa but was seen experimenting with other ransomware payloads, including Agenda and Mindware.
The Qilin ransomware operation that Scattered Spider just joined surfaced in August 2022 under the "Agenda" name but was rebranded as Qilin just one month later.
Qilin maintained its position as the most prominent ransomware operation for the third consecutive quarter, posting 338 victims.
Researchers last year tied MuddyWater to the Qilin ransomware ecosystem after the strain was used to attack an Israeli organization.
Qilin is a Russian-speaking ransomware-as-a-service (RaaS) operation first observed in July 2022 under the "Agenda" name and rebranded as Qilin in September 2022.
Cornerstone Staffing ransomware attack leaks 120,000 resumes, claims Qilin gang.
“DragonForce operators posted… launching a partnership between themselves, LockBit, and Qilin operations.”
“Qilin (AKA Agenda) ransomware was first observed in July 2022 and operates with the double extortion method, where victims’ data is stolen and leaked via a data leak site if the ransom demand is not paid.”
Last year, Bitdefender revealed that another North Korean threat actor tracked as Moonstone Sleet, which previously dropped a custom ransomware family called FakePenny, had likely targeted several South Korean financial firms with Qilin ransomware.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Further analysis revealed that Fox Tempest expanded its offerings earlier this year by providing customers with pre-configured virtual machines hosted through Cloudzy infrastructure. Users could upload malware to these systems and receive digitally signed binaries generated through certificates controlled by the group.
Initial Access
4 techniques
The threat actors likely leveraged stolen valid credentials to gain initial access...
used a combination of commercial remote monitoring and management (RMM) solutions to facilitate lateral movement and data staging, including TeamViewer, VNC, AnyDesk, Chrome Remote Desktop, Distant Desktop, QuickAssist, and ToDesk.
Qilin affiliates have been observed gaining initial access via social engineering attacks like phishing emails with malicious attachments, and valid credentials that have been leaked and/or purchased.
The content repeatedly describes threat actors and malware being delivered through phishing or spearphishing emails containing malicious attachments such as Microsoft Office documents, PDFs, RAR/ZIP archives, CHM, ISO, IMG, HTA, LNK, and executable files disguised as documents.
Execution
5 techniques
the actors created an AutoRun entry in the Software registry Hive on each infected system to trigger the ransomware execution each time the system was rebooted and a scheduled task to silently relaunch Qilin at every new logon.
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions. | APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. Blue Mockingbird has used batch script files to automate execution and deployment of payloads. During HomeLand Justice, threat actors used Windows batch files for persistence and execution.
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
Examples include: "Sandworm Team leveraged Microsoft Office attachments which contained malicious macros..."; "Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs"; "Lumma Stealer has gained initial execution through victims opening malicious executable files embedded in zip archives, and MSI files within RAR files."
Persistence
6 techniques
the actors created an AutoRun entry in the Software registry Hive on each infected system to trigger the ransomware execution each time the system was rebooted and a scheduled task to silently relaunch Qilin at every new logon.
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The threat actors likely leveraged stolen valid credentials to gain initial access...
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
used a combination of commercial remote monitoring and management (RMM) solutions to facilitate lateral movement and data staging, including TeamViewer, VNC, AnyDesk, Chrome Remote Desktop, Distant Desktop, QuickAssist, and ToDesk.
AppleSeed has the ability to create the Registry key name EstsoftAutoUpdate at HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce to establish persistence. AvosLocker has been executed via the RunOnce Registry key to run itself on safe mode. Raspberry Robin will use a Registry key to achieve persistence through reboot, setting a RunOnce key... | The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation
5 techniques
the actors created an AutoRun entry in the Software registry Hive on each infected system to trigger the ransomware execution each time the system was rebooted and a scheduled task to silently relaunch Qilin at every new logon.
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The threat actors likely leveraged stolen valid credentials to gain initial access...
Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
AppleSeed has the ability to create the Registry key name EstsoftAutoUpdate at HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce to establish persistence. AvosLocker has been executed via the RunOnce Registry key to run itself on safe mode. Raspberry Robin will use a Registry key to achieve persistence through reboot, setting a RunOnce key... | The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Stealth
5 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
the service enabled cybercriminals to disguise malware as trusted software, improving the likelihood that malicious files would bypass security controls and be executed by victims.
Many entries explicitly describe deleting artifacts 'to cover tracks,' 'evade detection,' 'remove evidence,' 'reduce their footprint,' or as part of 'post-intrusion cleanup process.' Examples include APT28 deleting files to cover tracks, FIN5 using SDelete to clean up the environment, and Dragonfly deleting operational files as part of cleanup.
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
Defense Impairment
3 techniques
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Microsoft has announced the disruption of a large-scale malware-signing-as-a-service (MSaaS) operation that exploited its Azure Artifact Signing platform to generate fraudulent code-signing certificates... The group allegedly abused Microsoft's Artifact Signing service to create short-lived digital certificates that allowed malware to appear legitimate to both users and operating systems.
Discovery
1 technique
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Lateral Movement
3 techniques
The attacker proceeded to connect to internal machines using remote desktop protocol (RDP) and remote management tools.
During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Qilin has run cmd /C [PsExec] ... to execute its encryptor to target multiple network shares.
Command and Control
2 techniques
When we look at Qilin's dark web portal hosted on TOR, it has some links that pertain to an email address connected to a jabber account “qilin@exploit[.]im”
CTU researchers investigated the potential scale of malicious use of these devices and identified multiple internet-exposed systems associated with cybercriminal activity, including ransomware operations and commodity malware delivery.
Exfiltration
1 technique
According to the threat actors, which announced the data breach on the gang’s leak website, 502.5 GB of the organization’s data was exfiltrated during the attack.
Impact
3 techniques
Inotiv had its operations interrupted following a ransomware attack earlier this month, which was discovered to have led to the encryption of some of its systems.
Apostle retrieves a list of all running processes on a victim host, and stops all services containing the string "sql," likely to propagate ransomware activity to database files. LockBit 3.0 can identify and terminate specific services. RansomHub can stop processes associated with files currently in use to maximize the impact of encryption.
Published on the Qilin ransomware group's data-leak site with sample documents and a stated file count and size. Listings of this type typically follow a failed or refused ransom.
IOCs tracked for this family
143 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named ransomware family mentioned only as an external association for a workstation observed in the second incident.
A ransomware family whose affiliates were tied to Fox Tempest infrastructure and services.
A ransomware family linked by Microsoft’s investigation to Fox Tempest’s code-signing service.
A ransomware family linked through Fox Tempest-associated affiliates.