qilin
Group profile
Qilin ransomware was first observed in July 2022. The ransomware is written in Go and supports multiple encryption modes, all of which are selected by the operator. Qilin actors practice double extortion, demanding payment both for a decryptor and for the non-release of stolen data.
MITRE ATT&CK TTPs
Initial Access
T1078 Valid Accounts
Compromised credentials used to authenticate via VPN and RDP. Qilin notably steals credentials from Chrome browsers on compromised endpoints before encryption.
T1190 Exploit Public-Facing Application
Exploitation of vulnerabilities in VPN appliances and remote management tools to gain initial access.
T1566 Phishing
T1566.003 Phishing: Spearphishing via Service
Qilin affiliates spear-phished MSP administrators via ScreenConnect to gain access to downstream customers. Phishing campaigns have also used credential-harvesting pages that target VPN and SSO portals.
Execution
T1059.001 Command and Scripting Interpreter: PowerShell
PowerShell scripts used for payload execution, lateral movement, and post-exploitation tasks.
T1059.004 Command and Scripting Interpreter: Unix Shell
Shell scripts used to execute the Linux/ESXi variant of the Qilin ransomware payload.
T1569 System Services
T1569.002 System Services: Service Execution
Persistence
T1037 Boot or Logon Initialization Scripts
T1053 Scheduled Task/Job
T1053.005 Scheduled Task/Job: Scheduled Task
Scheduled tasks created to maintain persistence and execute post-exploitation scripts.
T1098.004 Account Manipulation: SSH Authorized Keys
T1136 Create Account
T1547 Boot or Logon Autostart Execution
Privilege Escalation
T1068 Exploitation for Privilege Escalation
Defense Evasion
T1027 Obfuscated Files or Information
Qilin.B variant (October 2024) introduced enhanced obfuscation and anti-analysis techniques compared to earlier versions.
T1036.001 Masquerading: Invalid Code Signature
T1134.004 Access Token Manipulation: Parent PID Spoofing
T1211 Exploitation for Defense Evasion
T1480 Execution Guardrails
T1497.001 Virtualization/Sandbox Evasion: System Checks
T1553.002 Subvert Trust Controls: Code Signing
T1562.001 Impair Defenses: Disable or Modify Tools
Security tools and EDR solutions disabled via batch scripts and Group Policy modifications.
T1562.004 Impair Defenses: Disable or Modify System Firewall
T1564 Hidden Artifacts
T1564.003 Hidden Artifacts: Hidden Window
Credential Access
T1003.001 OS Credential Dumping: LSASS Memory
LSASS memory dumped to harvest credentials for lateral movement and privilege escalation.
T1040 Network Sniffing
T1110.002 Brute Force: Password Cracking
T1555.003 Credentials from Web Browsers
Qilin notably deployed a custom script to steal credentials stored in Google Chrome browsers on all domain-joined machines via Group Policy, a distinctive TTP first observed in the Synnovis NHS attack (June 2024).
Discovery
Lateral Movement
Collection
Exfiltration
T1011 Exfiltration Over Other Network Medium
T1011.001 Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
T1048.003 Exfiltration Over Alternative Protocol: Unencrypted Non-C2 Protocol
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
Data exfiltrated to cloud storage and actor-controlled servers for double extortion via the Qilin leak site.
Command and Control
Impact
T1486 Data Encrypted for Impact
Qilin (formerly Agenda) uses ChaCha20 for file encryption with RSA-4096 for key protection. Originally written in Go, later rewritten in Rust (Qilin.B). Targets Windows, Linux, and VMware ESXi. Notable attack: Synnovis NHS pathology services (June 2024), causing 10,000+ NHS appointment cancellations. Active RaaS with high affiliate revenue share.
T1490 Inhibit System Recovery
Shadow copies deleted; ESXi snapshots removed to prevent VM recovery.
T1561 Disk Wipe
T1561.001 Disk Wipe: Disk Content Wipe
Resource Development
T1587.001 Develop Capabilities: Malware
Reconnaissance
T1590.004 Gather Victim Network Information: Network Topology
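The recovery-inhibition step (T1490) is one of the few points in a Qilin intrusion where the activity is loud in process-creation telemetry: shadow copies on Windows and snapshots on ESXi are removed shortly before encryption, and the Group Policy delivery this group favours makes the same command appear on many hosts within minutes. The following is an added detection example, not code from the profile or from any vendor; it scans constructed process-creation records (JSON lines whose field names ts, host, image, command_line and parent_image are assumptions modelled on Sysmon Event ID 1 and an ESXi shell-log forwarder), flags the common shadow-copy and snapshot deletion command lines, and escalates when the finding repeats across several hosts in a short window.

```python
"""Added example: detect T1490 (Inhibit System Recovery) in process-creation
logs and escalate the fan-out pattern of a Group-Policy-pushed script.

Field names (ts, host, image, command_line, parent_image) are assumptions
modelled on Sysmon Event ID 1; the sample log below is constructed.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Rule name -> regex over the full command line. Case-insensitive and tolerant
# of .exe suffixes and extra flags. Listing or creating shadow copies, which
# administrators do legitimately, does not match any rule.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "ps_win32_shadowcopy_delete": re.compile(r"Win32_ShadowCopy\b.*(?:\.Delete\(\)|Remove-CimInstance|Remove-WmiObject)", re.I),
    "esxi_snapshot_removeall": re.compile(r"\bvim-cmd\b.*\bvmsvc/snapshot\.removeall\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    ts: datetime
    command_line: str
    parent_image: str


def parse_record(line):
    """Parse one JSON record; return None for blank or malformed lines so a
    single bad line does not abort the scan."""
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
        return {
            "ts": datetime.fromisoformat(rec["ts"]),
            "host": rec["host"],
            "command_line": rec.get("command_line", ""),
            "parent_image": rec.get("parent_image", ""),
        }
    except (ValueError, KeyError, TypeError):
        return None


def scan(lines):
    """Return one Finding per record whose command line matches a rule."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        for name, pattern in RULES.items():
            if pattern.search(rec["command_line"]):
                findings.append(Finding(name, rec["host"], rec["ts"],
                                        rec["command_line"], rec["parent_image"]))
    return findings


def escalate(findings, min_hosts=3, window=timedelta(minutes=10)):
    """All rules map to T1490, so findings are pooled. One host deleting
    shadows may be an administrator; min_hosts distinct hosts inside `window`
    is what a pushed script looks like. Returns the sorted host list or []."""
    ordered = sorted(findings, key=lambda f: f.ts)
    for i, first in enumerate(ordered):
        hosts = {f.host for f in ordered[i:] if f.ts - first.ts <= window}
        if len(hosts) >= min_hosts:
            return sorted(hosts)
    return []


# Constructed sample telemetry: four workstations hit by the same pushed
# script, one ESXi host, two benign lines and one malformed line.
SAMPLE_LOG = r"""
{"ts": "2025-01-15T01:12:04", "host": "WS-017", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin.exe Delete Shadows /All /Quiet", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2025-01-15T01:12:09", "host": "WS-022", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "command_line": "wmic shadowcopy delete", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2025-01-15T01:12:15", "host": "WS-031", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin delete shadows /all /quiet", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2025-01-15T01:12:20", "host": "WS-044", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\"", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2025-01-15T01:15:40", "host": "ESX-01", "image": "/bin/vim-cmd", "command_line": "vim-cmd vmsvc/snapshot.removeall 12", "parent_image": "/bin/sh"}
{"ts": "2025-01-15T01:20:00", "host": "WS-005", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin list shadows", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"ts": "2025-01-15T01:21:00", "host": "WS-040", "image": "C:\\Windows\\System32\\svchost.exe", "command_line": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "parent_image": "C:\\Windows\\System32\\services.exe"}
this line is not json and must be skipped
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.ts.isoformat()} {h.host:7} {h.rule:28} parent={h.parent_image}")
    fanout = escalate(hits)
    if fanout:
        print("ESCALATE: T1490 on", len(fanout), "hosts within 10 min:", ", ".join(fanout))
```

Two design choices matter in practice. The rules match on the full command line rather than the image name, because the same deletion can be issued from cmd.exe, PowerShell or a renamed binary, and the parent image is carried into each finding so an analyst can separate a scheduled administrative job from a script spawned by the Group Policy client. The escalation pools every rule under T1490: the individual hosts may use different commands, and it is the count of distinct hosts inside the window, not any single command, that distinguishes a pushed deployment from routine maintenance.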
Recent victims
Showing 50 of 1,946

| Date | Website / victim | Sector | Country |
|---|---|---|---|
| 2026-06-24 | Cash Canada (www.cashcanada.com) | Financial Services | CA |
| 2026-06-23 | Lee International (www.leeinternational.com) | Not Found | KR |
| 2026-06-22 | Schumacher Homes (www.schumacherhomes.com) | Construction | US |
| 2026-06-22 | Central Bank of Libya (www.cbl.gov.ly) | Financial Services | LY |
| 2026-06-21 | Taiwan Sintong Machinery Co., Ltd (www.twsinto.com.tw) | Manufacturing | TW |
| 2026-06-21 | Sivatel Bangkok (www.sivatelbangkok.com) | Telecommunication | TH |
| 2026-06-21 | Tri-tec (www.tri-tec.com) | Not Found | US |
| 2026-06-21 | Florida Engineering Services (www.florida-engineering-services.com) | Construction | US |
| 2026-06-20 | Pacific Lamp & Supply (www.pacificlamp.com) | Manufacturing | US |
| 2026-06-19 | Roth Industries (www.roth-industries.com) | Manufacturing | DE |
| 2026-06-19 | Sparkle Pools (www.sparklepoolsinc.com) | Consumer Services | US |
| 2026-06-19 | PJ Daly Contracting (www.pjdalycontracting.com) | Construction | IE |
| 2026-06-19 | Commune d'Eyguires (www.eyguieres.org) | Public Sector | FR |
| 2026-06-18 | T THL PROJECT MANAGEMENT SDN. BHD. | Business Services | MY |
| 2026-06-18 | Homes By J Anthony (www.homesbyjanthony.com) | Construction | US |
| 2026-06-18 | ATCOM Outsourcing (www.atcom.cl) | Business Services | CL |
| 2026-06-18 | Skupina Don Don - GRUPO BIMBO (www.dondon.si) | Agriculture and Food Production | SI |
| 2026-06-18 | Makel Companies Group (www.makel.com.tr) | Construction | TR |
| 2026-06-16 | Golfview Developmental Center (www.golfview.org) | Healthcare | US |
| 2026-06-16 | Misericórdia de Santo Tirso (www.iscmst.pt) | Healthcare | PT |
| 2026-06-16 | Q Link Wireless (www.qlinkwireless.com) | Telecommunication | US |
| 2026-06-15 | Cng Ty Cp T Vn Xd Tng Hp (www.nagecco.com) | Not Found | VN |
| 2026-06-15 | Grupo Indi (www.grupoindi.mx) | Business Services | MX |
| 2026-06-15 | Can Healthcare Group (www.izmircanhastanesi.com) | Healthcare | TR |
| 2026-06-12 | DISTINET MURCIA SL (www.distinetmurcia.es) | Business Services | ES |
| 2026-06-11 | Maui Divers Jewelry (www.mauidivers.com) | Consumer Services | US |
| 2026-06-11 | Bitek System (www.bitek.co.kr) | Technology | KR |
| 2026-06-10 | AltaVista Strategic Partners (www.altavistasp.com) | Business Services | MX |
| 2026-06-10 | Plaxen & Adler (www.plaxenadler.com) | Not Found | DE |
| 2026-06-10 | Miller & Zois (www.millerandzois.com) | Business Services | US |
| 2026-06-10 | Iliff (www.ilimer.com) | Not Found | US |
| 2026-06-10 | Efficient Home (www.efficienthomellc.com) | Consumer Services | US |
| 2026-06-10 | Bekman Marder Hopper Malarkey & Perlin (www.mdtrialfirm.com) | Business Services | MD |
| 2026-06-10 | Dulany Leahy Curtis & Brophy (www.dulany.com) | Business Services | US |
| 2026-06-10 | dbHMS (www.dbhms.com) | Healthcare | DE |
| 2026-06-10 | Teserra Outdoors (www.teserraoutdoors.com) | Consumer Services | US |
| 2026-06-10 | Wright Constable & Skeen (www.wcslaw.com) | Business Services | US |
| 2026-06-10 | Milstein Siegel (www.milsteinsiegel.com) | Financial Services | US |
| 2026-06-10 | JV Equipment (www.jvequipment.com) | Manufacturing | US |
| 2026-06-10 | SAMES (www.samesincweb.com) | Not Found | US |
| 2026-06-10 | C.C. Creations (www.cccreationsusa.com) | Consumer Services | US |
| 2026-06-10 | TagleRock Technologies (www.taglerock.com) | Technology | |
| 2026-06-10 | Metro Electric (www.metroelectric-rgv.com) | Energy | US |
| 2026-06-08 | The Banyans Health and Wellness (www.thebanyans.com.au) | Healthcare | AU |
| 2026-06-08 | Kinetic Education (www.kineticeducation.com.au) | Education | AU |
| 2026-06-08 | SatCom CX (www.satcommarketing.com) | Telecommunication | US |
| 2026-06-08 | Isuzu Motors (www.isuzu-motors.co.th) | Manufacturing | TH |
| 2026-06-08 | Opera Comique (www.opera-comique.com) | Hospitality and Tourism | FR |
| 2026-06-08 | Shipping Association of NY and NJ (www.sanynj.org) | Transportation/Logistics | US |
| 2026-06-05 | Central Florida Cosmetic & Family Dentistry (www.kissimmeesmile.com) | Healthcare | US |

