Credential Theft
- Mimikatz
Qilin, also known as Agenda, is a financially motivated ransomware-as-a-service operation that emerged in 2022 and later rebranded under the Qilin name.
Profile source: Mallory opens in a new tabQilin
Qilin, also known as Agenda, is a financially motivated ransomware-as-a-service operation that emerged in 2022 and later rebranded under the Qilin name. It is widely associated with Russian-speaking cybercriminal activity and reportedly enforces rules against targeting organizations in Russia and other CIS countries. The operation uses an affiliate model in which core operators provide ransomware infrastructure, payload customization, negotiation support, and leak-site operations in exchange for a share of extortion proceeds.
Qilin has become one of the most active ransomware threats globally and has targeted organizations across a broad range of sectors, including manufacturing, healthcare, education, financial services, government, legal services, retail, technology, and critical infrastructure. Public reporting has also highlighted significant impact on industrial and operationally sensitive environments, where disruption of adjacent IT systems can halt business operations even without ICS-specific malware.
The malware has evolved from earlier Go-based implementations to more advanced Rust-based variants, including Qilin.B, improving portability and support for Windows, Linux, and VMware ESXi environments. Qilin supports extensive affiliate customization, including configurable ransom notes, encrypted-file extensions, process and service kill lists, and propagation options. Its encryption workflow has been described as using strong modern cryptography, and the malware is capable of deleting logs, removing shadow copies, disabling backup and recovery mechanisms, terminating security tools, and rebooting systems after encryption. Some reporting also describes Safe Mode abuse and anti-analysis features such as packing, string encryption, sandbox checks, and obfuscation.
Qilin intrusions commonly begin through phishing or spearphishing, exploitation of exposed remote services such as RDP and VPNs, use of stolen credentials, and exploitation of public-facing vulnerabilities. Reported activity has linked Qilin to exploitation of enterprise infrastructure weaknesses including Veeam, SAP NetWeaver, Fortinet, and other edge-facing technologies. After access is obtained, operators and affiliates have been observed using tools such as Mimikatz, PowerShell, PsExec, and credential-harvesting utilities to escalate privileges, steal credentials, move laterally, and prepare for ransomware deployment. Reporting also notes credential theft from Chrome browsers and use of PsExec and vCenter-assisted propagation to spread across Windows domains and ESXi estates.
Qilin is a double-extortion operation: it exfiltrates victim data before encryption and threatens public release if ransom demands are not met. The group maintains leak infrastructure for publishing stolen data and has introduced pressure tactics intended to professionalize negotiations, including legal-themed coercion services and media-style victim shaming. Public reporting has linked Qilin deployments to multiple notable incidents and to activity by other threat actors and affiliates, including Scattered Spider and Moonstone Sleet in some cases. Overall, Qilin is regarded as a mature, adaptable, and high-volume ransomware ecosystem with strong affiliate enablement, cross-platform capability, and significant enterprise impact.
Ransomware.live
Ransomware.live
d6e7547ad7dfd1fbc62e8282aebcc391f588802958c35fe18eb87bc36651a3d12bb209ccfc5103eccab523c875050cfaa7e7d00d531cb7ca27d0f3bee448573f964c13b68dc6b6b918b66a9a10469d2a3b10127e65fa3e215d21e0a2e7fd32bed1c331c17ddd4abe0d53755461c1ec9a417ad60624345ef85e648038e18902abb04e8ee43aba85fa5c585b9335c953c259d756280b06cf113ca43abc0050edd5176.113.115.97176.113.115.20985.209.11.4931.41.244.100188.119.66.189ftp://176.113.115.97/ftp://176.113.115.209/Ransomware.live
Reported operators
Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS, which Unit 42 tracks as Spikey Scorpius.
Qilin is a financially-motivated cybercriminal group first observed in the beginning of July 2022 as Agenda ransomware. The group rebranded as Qilin in September of the same year and have operated as a Ransomware-as-a-service (‘RaaS’) since February 2023.
Qilin is a financially-motivated cybercriminal group first observed in the beginning of July 2022 as Agenda ransomware. The group rebranded as Qilin in September of the same year and have operated as a Ransomware-as-a-service (‘RaaS’) since February 2023.
According to VX-Underground, DragonForce proposed establishing communication channels with the LockBit and the Qilin group.
Our Threat Hunter Team has separately observed ModeloRAT used in attacks that deployed Qilin ransomware, linking this tool to ransomware deployment.
Our Threat Hunter Team has separately observed ModeloRAT used in attacks that deployed Qilin ransomware, linking this tool to ransomware deployment.
During a recent investigation of a Qilin ransomware breach, the Sophos X-Ops team identified attacker activity leading to en masse theft of credentials stored in Google Chrome browsers on a subset of the network’s endpoints.
Qilin is a Ransomware-as-a-Service program that has been in operation since 2022, previously operating under the name “Agenda.”
The financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis).
The Gentlemen - не стартап с нуля. Ядро группы работало как ArmCorp - affiliate-команда внутри Qilin RaaS.
By June 2022, DEV-0237 was still primarily deploying Hive and sometimes Nokoyawa but was seen experimenting with other ransomware payloads, including Agenda and Mindware.
Qilin maintained its position as the most prominent ransomware operation for the third consecutive quarter, posting 338 victims.
Researchers last year tied MuddyWater to the Qilin ransomware ecosystem after the strain was used to attack an Israeli organization.
Qilin is a Russian-speaking ransomware-as-a-service (RaaS) operation first observed in July 2022 under the "Agenda" name and rebranded as Qilin in September 2022.
Qilin is a Russian-speaking ransomware-as-a-service (RaaS) operation first observed in July 2022 under the "Agenda" name and rebranded as Qilin in September 2022.
“Qilin (AKA Agenda) ransomware was first observed in July 2022 and operates it the double extortion method, where victims’ data is stolen and leaked via a data leak site if the ransom demand is not paid.”
Last year, Bitdefender revealed that another North Korean threat actor tracked as Moonstone Sleet, which previously dropped a custom ransomware family called FakePenny, had likely targeted several South Korean financial firms with Qilin ransomware.
"... led to the deployment of Qilin ransomware"
Exploited software
MITRE ATT&CK
Reporting
Qilin6
The Gentlemen, a ransomware-as-a-service operation founded in mid-2025, overtook Qilin to become the most active ransomware group, responsible for 17% of published attacks compared with Qilin’s 11%.
Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS, which Unit 42 tracks as Spikey Scorpius.
Qilin ransomware groups publish over 40 victim listings per month using similar tactics, including PsExec lateral movement and NirSoft credential harvesting.
Die Ausnutzung begann bereits am 7. Mai, verstärkte sich Anfang Juni, und Check Point bewertet mit mittlerer Konfidenz, dass der Akteur finanziell motiviert ist und Qilin-Ransomware einsetzt.
Figure 2: An example of the Qilin RaaS model.
They've also previously partnered with other ransomware operations, such as Qilin, RansomHub, and DragonForce...
Qilin держит первое место с марта 2025... RaaS с двойным вымогательством: шифрование + публикация украденных данных.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.