In the latter half of 2025, the Qilin ransomware group has emerged as a formidable cyber threat, disclosing over 40 victims monthly on its public leak site. Initially known as Agenda before rebranding in July 2022, Qilin operates as a ransomware-as-a-service (RaaS) platform, impacting organizations across various continents and industries.
Dual-Extortion Tactics and Targeted Sectors
Qilin employs a dual-extortion strategy, combining file encryption with data theft and public disclosure to pressure victims into meeting ransom demands. The manufacturing sector has been particularly affected, accounting for 23% of attacks, followed by professional services at 18%. The United States has experienced the highest concentration of these attacks.
Sophisticated Attack Infrastructure
The group’s attack infrastructure is comprehensive, encompassing initial access, data exfiltration, encryption, and persistence mechanisms. Cisco Talos analysts have observed that Qilin operators typically gain network entry through compromised VPN credentials obtained from dark web leaks, often exploiting the absence of multi-factor authentication.
Reconnaissance Using Legitimate Windows Utilities
Once inside a network, Qilin conducts extensive reconnaissance using legitimate Windows utilities such as `nltest.exe` and `net.exe` to map domain infrastructure and identify high-value targets. This approach allows the attackers to navigate the network effectively and locate critical assets.
Innovative Use of MSPaint and Notepad
A particularly ingenious technique employed by Qilin involves the use of built-in Windows applications like MSPaint and Notepad during the reconnaissance phase. Artifact logs consistently show executions of `mspaint.exe` and `notepad.exe` to manually inspect and view sensitive information across network storage systems. This manual inspection enables attackers to verify data quality before compression and exfiltration, allowing them to prioritize valuable intellectual property, financial records, and confidential documents while avoiding detection by automated data discovery tools.
Dual-Encryptor Deployment Strategy
Qilin’s operational sophistication is further demonstrated through its dual-encryptor deployment strategy:
1. First Variant (`encryptor_1.exe`): This variant spreads laterally using PsExec across compromised hosts with administrator privileges and internal passwords hardcoded into the binary.
2. Second Variant (`encryptor_2.exe`): Operating from a single system, this variant encrypts multiple network shares simultaneously, maximizing coverage and impact across distributed infrastructure.
Before initiating encryption, Qilin establishes persistence through scheduled tasks named `TVInstallRestore` and registry modifications under Run keys, ensuring the ransomware survives system reboots. The malware specifically targets critical infrastructure, including Cluster Shared Volumes hosting Hyper-V virtual machines and databases, while deliberately excluding the system files required for boot functionality. This calculated approach ensures victims cannot easily recover simply by reinstalling the operating system.
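As an added example (not code from the article or from Cisco Talos), the following Python detector turns the observables from the reconnaissance and persistence sections above into rules and runs them over constructed process-creation events: MSPaint or Notepad opening a file on a UNC path, creation of a scheduled task named `TVInstallRestore`, additions under a Run key, and `nltest.exe`/`net.exe` domain queries. The pipe-delimited log format, host names and file paths are invented for the sample.

```python
from __future__ import annotations
import re

# Constructed process-creation events in a simplified "image|command line|parent" form
# (Sysmon Event ID 1 style). Invented samples, not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\mspaint.exe|mspaint.exe \\FILESRV01\Finance\Q3_forecast.xlsx|explorer.exe",
    r"C:\Windows\System32\notepad.exe|notepad.exe \\FILESRV01\Legal\nda_list.txt|cmd.exe",
    r"C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt|explorer.exe",
    r"C:\Windows\System32\schtasks.exe|schtasks /create /tn TVInstallRestore /tr C:\ProgramData\svc.exe /sc onlogon|cmd.exe",
    r"C:\Windows\System32\reg.exe|reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\ProgramData\svc.exe|cmd.exe",
    r"C:\Windows\System32\nltest.exe|nltest /dclist:corp|cmd.exe",
]

UNC_PATH = re.compile(r"\\\\[\w.-]+\\\S+")          # a \\server\share\... argument
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)
VIEWERS = {"mspaint.exe", "notepad.exe"}           # viewers named in the report
RECON = {"nltest.exe": ("/dclist", "/domain_trusts"), "net.exe": ("/domain",)}
PERSIST_TASK = "tvinstallrestore"                  # scheduled task name named in the report

def parse(line: str) -> tuple[str, str, str]:
    """Split one sample line into (image, command line, parent)."""
    image, cmdline, parent = (p.strip() for p in line.split("|", 2))
    return image, cmdline, parent

def classify(image: str, cmdline: str) -> list[str]:
    """Return the detection labels an event triggers (empty list if nothing matches)."""
    name = image.rsplit("\\", 1)[-1].lower()
    low = cmdline.lower()
    hits = []
    if name in VIEWERS and UNC_PATH.search(cmdline):        # manual viewing of share contents
        hits.append("viewer_opened_file_on_network_share")
    if name == "schtasks.exe" and "/create" in low and PERSIST_TASK in low:
        hits.append("scheduled_task_tvinstallrestore")
    if name == "reg.exe" and low.startswith("reg add") and RUN_KEY.search(cmdline):
        hits.append("run_key_persistence")
    if name in RECON and any(tok in low for tok in RECON[name]):
        hits.append("domain_recon_utility")
    return hits

def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged event's command line to its labels; unflagged events are dropped."""
    results = {}
    for line in lines:
        image, cmdline, _parent = parse(line)
        if hits := classify(image, cmdline):
            results[cmdline] = hits
    return results
```

The local-path Notepad event is deliberately left unflagged: the signal is the viewer reaching onto a network share, not the viewer itself.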
Data Exfiltration Techniques
For data exfiltration, Qilin operators use Cyberduck, an open-source file transfer utility, to blend malicious activity into legitimate cloud service traffic directed toward Backblaze servers. Before exfiltration, the operators run WinRAR with specialized parameters to create optimized archives, excluding base folders and disabling recursive subdirectory processing.
Implications for Cybersecurity
The combination of manual file inspection using standard Windows applications, sophisticated deployment tactics, and cloud-based exfiltration underscores the maturity of Qilin’s operations. This multifaceted approach demands comprehensive detection and response capabilities from organizations worldwide.