Skip to content
Ransomware group EsxiLinuxWindows

Qilin

Qilin, also known as Agenda, is a financially motivated ransomware-as-a-service operation that emerged in 2022 and later rebranded under the Qilin name.

Profile source: Mallory opens in a new tab

Qilin

Family profile

Qilin, also known as Agenda, is a financially motivated ransomware-as-a-service operation that emerged in 2022 and later rebranded under the Qilin name. It is widely associated with Russian-speaking cybercriminal activity and reportedly enforces rules against targeting organizations in Russia and other CIS countries. The operation uses an affiliate model in which core operators provide ransomware infrastructure, payload customization, negotiation support, and leak-site operations in exchange for a share of extortion proceeds.

Qilin has become one of the most active ransomware threats globally and has targeted organizations across a broad range of sectors, including manufacturing, healthcare, education, financial services, government, legal services, retail, technology, and critical infrastructure. Public reporting has also highlighted significant impact on industrial and operationally sensitive environments, where disruption of adjacent IT systems can halt business operations even without ICS-specific malware.

The malware has evolved from earlier Go-based implementations to more advanced Rust-based variants, including Qilin.B, improving portability and support for Windows, Linux, and VMware ESXi environments. Qilin supports extensive affiliate customization, including configurable ransom notes, encrypted-file extensions, process and service kill lists, and propagation options. Its encryption workflow has been described as using strong modern cryptography, and the malware is capable of deleting logs, removing shadow copies, disabling backup and recovery mechanisms, terminating security tools, and rebooting systems after encryption. Some reporting also describes Safe Mode abuse and anti-analysis features such as packing, string encryption, sandbox checks, and obfuscation.

Qilin intrusions commonly begin through phishing or spearphishing, exploitation of exposed remote services such as RDP and VPNs, use of stolen credentials, and exploitation of public-facing vulnerabilities. Reported activity has linked Qilin to exploitation of enterprise infrastructure weaknesses including Veeam, SAP NetWeaver, Fortinet, and other edge-facing technologies. After access is obtained, operators and affiliates have been observed using tools such as Mimikatz, PowerShell, PsExec, and credential-harvesting utilities to escalate privileges, steal credentials, move laterally, and prepare for ransomware deployment. Reporting also notes credential theft from Chrome browsers and use of PsExec and vCenter-assisted propagation to spread across Windows domains and ESXi estates.

Qilin is a double-extortion operation: it exfiltrates victim data before encryption and threatens public release if ransom demands are not met. The group maintains leak infrastructure for publishing stolen data and has introduced pressure tactics intended to professionalize negotiations, including legal-themed coercion services and media-style victim shaming. Public reporting has linked Qilin deployments to multiple notable incidents and to activity by other threat actors and affiliates, including Scattered Spider and Moonstone Sleet in some cases. Overall, Qilin is regarded as a mature, adaptable, and high-volume ransomware ecosystem with strong affiliate enablement, cross-platform capability, and significant enterprise impact.

Capabilities

  • Byovd
  • Credential Theft
  • Defense Evasion
  • Exfiltration
  • Extortion
  • Lateral Movement
  • Persistence
  • Privilege Escalation
  • Scanning

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • Mimikatz

Defense Evasion

  • EDRSandBlast
  • PCHunter
  • PowerTool
  • Toshiba power management driver (BYOVD)
  • Updater for Carbon Black’s Cloud Sensor AV (upd.exe)
  • YDArk
  • Zemana Anti-Rootkit driver

Discovery Enum

  • Nmap
  • Nping

Exfiltration

  • EasyUpload.io
  • MEGA

LOLBAS

  • PowerShell
  • PsExec
  • WinRM
  • fsutil

Networking

  • Proxychains

Offsec

  • Cobalt Strike
  • Evilginx
  • Kali Linux
  • NetExec
  • SystemBC
  • Tofsee

RMM Tools

  • NetSupport
  • ScreenConnect

Ransomware.live

Published indicators

Full source record ↗

Md5

54 total
  • d6e7547ad7dfd1fbc62e8282aebcc391
  • f588802958c35fe18eb87bc36651a3d1
  • 2bb209ccfc5103eccab523c875050cfa
  • a7e7d00d531cb7ca27d0f3bee448573f
  • 964c13b68dc6b6b918b66a9a10469d2a
  • 3b10127e65fa3e215d21e0a2e7fd32be
  • d1c331c17ddd4abe0d53755461c1ec9a
  • 417ad60624345ef85e648038e18902ab
  • b04e8ee43aba85fa5c585b9335c953c2
  • 59d756280b06cf113ca43abc0050edd5

Ip

5 total
  • 176.113.115.97
  • 176.113.115.209
  • 85.209.11.49
  • 31.41.244.100
  • 188.119.66.189

Ftp

2 total
  • ftp://176.113.115.97/
  • ftp://176.113.115.209/

Ransomware.live

Recent claims

All published claims ↗

Reported operators

Threat actors

18 named in public reporting
Spikey Scorpius

Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS, which Unit 42 tracks as Spikey Scorpius.

Scattered Spider

Qilin is a financially-motivated cybercriminal group first observed in the beginning of July 2022 as Agenda ransomware. The group rebranded as Qilin in September of the same year and have operated as a Ransomware-as-a-service (‘RaaS’) since February 2023.

Moonstone Sleet

Qilin is a financially-motivated cybercriminal group first observed in the beginning of July 2022 as Agenda ransomware. The group rebranded as Qilin in September of the same year and have operated as a Ransomware-as-a-service (‘RaaS’) since February 2023.

DragonForce

According to VX-Underground, DragonForce proposed establishing communication channels with the LockBit and the Qilin group.

KongTuke

Our Threat Hunter Team has separately observed ModeloRAT used in attacks that deployed Qilin ransomware, linking this tool to ransomware deployment.

Woodgnat

Our Threat Hunter Team has separately observed ModeloRAT used in attacks that deployed Qilin ransomware, linking this tool to ransomware deployment.

Qilin

During a recent investigation of a Qilin ransomware breach, the Sophos X-Ops team identified attacker activity leading to en masse theft of credentials stored in Google Chrome browsers on a subset of the network’s endpoints.

STAC4365

Qilin is a Ransomware-as-a-Service program that has been in operation since 2022, previously operating under the name “Agenda.”

phantom_mantis

The financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis).

ArmCorp

The Gentlemen - не стартап с нуля. Ядро группы работало как ArmCorp - affiliate-команда внутри Qilin RaaS.

WIZARD SPIDER

By June 2022, DEV-0237 was still primarily deploying Hive and sometimes Nokoyawa but was seen experimenting with other ransomware payloads, including Agenda and Mindware.

Hastalamuerte

Qilin maintained its position as the most prominent ransomware operation for the third consecutive quarter, posting 338 victims.

MuddyWater

Researchers last year tied MuddyWater to the Qilin ransomware ecosystem after the strain was used to attack an Israeli organization.

Devman

Qilin is a Russian-speaking ransomware-as-a-service (RaaS) operation first observed in July 2022 under the "Agenda" name and rebranded as Qilin in September 2022.

Arkana

Qilin is a Russian-speaking ransomware-as-a-service (RaaS) operation first observed in July 2022 under the "Agenda" name and rebranded as Qilin in September 2022.

WikiLeaksV2

“Qilin (AKA Agenda) ransomware was first observed in July 2022 and operates it the double extortion method, where victims’ data is stolen and leaked via a data leak site if the ransom demand is not paid.”

Lazarus

Last year, Bitdefender revealed that another North Korean threat actor tracked as Moonstone Sleet, which previously dropped a custom ransomware family called FakePenny, had likely targeted several South Korean financial firms with Qilin ransomware.

Exploited software

Vulnerabilities linked to Qilin

8 CVEs

MITRE ATT&CK

Qilin in ATT&CK

122 distinct techniques

Techniques

122 techniques
T1486 Data Encrypted for Impact T1078 Valid Accounts T1190 Exploit Public-Facing Application T1059.001 PowerShell T1134 Access Token Manipulation T1027 Obfuscated Files or Information T1497 Virtualization/Sandbox Evasion T1016 System Network Configuration Discovery T1562.009 Safe Mode Boot T1566.001 Spearphishing Attachment T1570 Lateral Tool Transfer T1003 OS Credential Dumping T1569.002 Service Execution T1555 Credentials from Password Stores T1498 Network Denial of Service T1046 Network Service Discovery T1087 Account Discovery T1070.001 Clear Windows Event Logs T1566 Phishing T1562.001 Disable or Modify Tools T1562 Impair Defenses T1566.002 Spearphishing Link T1021.001 Remote Desktop Protocol T1490 Inhibit System Recovery T1021 Remote Services T1529 System Shutdown/Reboot T1588.002 Tool T1562.002 Disable Windows Event Logging T1210 Exploitation of Remote Services T1480.002 Mutual Exclusion T1491.001 Internal Defacement T1547.001 Registry Run Keys / Startup Folder T1027.002 Software Packing T1098 Account Manipulation T1070.004 File Deletion T1021.002 SMB/Windows Admin Shares T1055.002 Portable Executable Injection T1497.001 System Checks T1021.004 SSH T1041 Exfiltration Over C2 Channel T1567 Exfiltration Over Web Service T1219 Remote Access Tools T1112 Modify Registry T1537 Transfer Data to Cloud Account T1489 Service Stop T1105 Ingress Tool Transfer T1133 External Remote Services T1657 Financial Theft T1090.003 Multi-hop Proxy T1071 Application Layer Protocol T1053 Scheduled Task/Job T1587.001 Malware T1553.002 Code Signing T1036 Masquerading T1059.003 Windows Command Shell T1057 Process Discovery T1484.001 Group Policy Modification T1053.005 Scheduled Task T1070 Indicator Removal T1204.002 Malicious File T1204 User Execution T1018 Remote System Discovery T1580 Cloud Infrastructure Discovery T1531 Account Access Removal T1074 Data Staged T1048 Exfiltration Over Alternative Protocol T1218 System Binary Proxy Execution T1020 Automated Exfiltration T1548.002 Bypass User Account Control T1213 Data from Information Repositories T1480 Execution Guardrails T1567.002 Exfiltration to Cloud Storage T1135 Network Share Discovery T1012 Query Registry T1083 File and Directory Discovery T1007 System Service Discovery T1055.001 Dynamic-link Library Injection T1087.001 Local Account T1204.001 Malicious Link T1003.001 LSASS Memory T1106 Native API T1573.002 Asymmetric Cryptography T1222 File and Directory Permissions Modification T1027.013 Encrypted/Encoded File T1547.004 Winlogon Helper DLL T1614.001 System Language Discovery T1656 Impersonation T1518.002 Backup Software Discovery T1679 Selective Exclusion T1680 Local Storage Discovery T1673 Virtual Machine Discovery T1566.003 Phishing: Spearphishing via Service T1059.004 Command and Scripting Interpreter: Unix Shell T1569 System Services T1037 Boot or Logon Initialization Scripts T1098.004 Account Manipulation: SSH Authorized Keys T1136 Create Account T1547 Boot or Logon Autostart Execution T1068 Exploitation for Privilege Escalation T1036.001 Masquerading: Invalid Code Signature T1134.004 Access Token Manipulation: Parent PID Spoofing T1211 Exploitation for Defense Evasion T1562.004 Impair Defenses: Disable or Modify System Firewall T1564 Hidden Artifacts T1564.003 Hidden Artifacts: Hidden Window T1040 Network Sniffing T1110.002 Brute Force: Password Cracking T1555.003 Credentials from Web Browsers T1082 System Information Discovery T1614 System Location Discovery T1560.001 Archive Collected Data: Archive via Utility T1602.002 Network Device Configuration Dump T1011 Exfiltration Over Other Network Medium T1011.001 Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth T1048.003 Exfiltration Over Alternative Protocol: Unencrypted Non-C2 Protocol T1001 Data Obfuscation T1001.001 Data Obfuscation: Junk Data T1071.001 Application Layer Protocol: Web Protocols T1572 Protocol Tunneling T1561 Disk Wipe T1561.001 Disk Wipe: Disk Content Wipe T1590.004 Gather Victim Network Information: Network Topology

Reporting

Research mentioning Qilin

Jul 14
Gurucul Threat Research

ClickFix: Exploiting Compromised WordPress Sites with a Polygon-Based C2 Infrastructure | Community Portal | Gurucul

Qilin6

Jul 13
Itsecurityguru

UK Cyber Attacks Climb 34% as Ransomware Leadership Shifts, Check Point Research Reveals - IT Security Guru

The Gentlemen, a ransomware-as-a-service operation founded in mid-2025, overtook Qilin to become the most active ransomware group, responsible for 17% of published attacks compared with Qilin’s 11%.

Jul 10
Palo Alto Networks Unit 42

No Manners Here: The Ruthless Rise of The Gentlemen Ransomware

Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS, which Unit 42 tracks as Spikey Scorpius.

Jul 10
Threataft

Ransomware Gangs Use PsExec + NirSoft to Own Your Network Before You Notice | ThreatAft

Qilin ransomware groups publish over 40 victim listings per month using similar tactics, including PsExec lateral movement and NirSoft credential harvesting.

Jul 8
Hisolutions Research

Die Perimeter-Schmelze | HiSolutions Research

Die Ausnutzung begann bereits am 7. Mai, verstärkte sich Anfang Juni, und Check Point bewertet mit mittlerer Konfidenz, dass der Akteur finanziell motiviert ist und Qilin-Ransomware einsetzt.

Jul 1
Huntress

How the RaaS Business Model Actually Works | Huntress

Figure 2: An example of the Qilin RaaS model.

Jun 30
Bleeping Computer

Insurance giant Aflac discloses data breach after subsidiary hack

They've also previously partnered with other ransomware operations, such as Qilin, RansomHub, and DragonForce...

Jun 28
Codeby

ICS ransomware атаки на промышленные системы в 2026

Qilin держит первое место с марта 2025... RaaS с двойным вымогательством: шифрование + публикация украденных данных.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.