Qilin Ransomware Group
Qilin (also tracked as Agenda, Gold Feather, and Water Galura) has evolved into one of the most prolific Ransomware‑as‑a‑Service (RaaS) operations active today. Since the start of 2025 the group has been posting more than 40 victims per month (January was the lone exception), peaking at roughly 100 leak-site entries in June and recording 84 victims in each of August and September 2025. Active since about July 2022, Qilin’s pace and tactics make it a high‑risk actor for enterprises worldwide.
Who Was Hit - Geography And Industries
Analysis of incident telemetry shows Qilin’s victims are concentrated in North America and Western Europe, with the United States, Canada, the United Kingdom, France, and Germany among the most affected countries. The group favors certain verticals: manufacturing accounts for about 23% of observed targets, professional and scientific services about 18%, and wholesale trade roughly 10%.
Initial Access And Early Foothold
Investigators believe many Qilin affiliate intrusions begin with leaked administrative credentials obtained from dark‑web repositories. Adversaries use those credentials to log in via a VPN interface and then perform RDP connections to domain controllers and other compromised endpoints. From there, they move into environment mapping and deeper reconnaissance.
Credential Harvesting And Tooling
Qilin campaigns make extensive use of credential‑harvesting tools and techniques. Operators and affiliates run Mimikatz along with utilities such as WebBrowserPassView.exe, BypassCredGuard.exe, and SharpDecryptPwd to pull secrets from browsers, system stores, and other applications. Harvested credentials are exfiltrated to external SMTP servers using Visual Basic scripts. Mimikatz usage observed in the wild included actions to:
- clear Windows event logs and otherwise erase traces;
- enable SeDebugPrivilege;
- extract saved Chrome passwords from SQLite databases;
- recover credentials from previous logons; and
- harvest configuration and credentials for RDP, SSH, and Citrix.
Living‑off‑the‑land And Legitimate Tools Abused
The threat actors mix obvious malware with legitimate system utilities and well‑known admin tools to blend in. They have been seen opening files with mspaint.exe, notepad.exe, and iexplore.exe to manually inspect content for sensitive information, and using the bona fide Cyberduck client to transfer chosen files to remote servers while hiding malicious intent.
How Stolen Credentials Are Leveraged
Once credentials are in hand, Qilin actors escalate privileges and spread laterally. Elevated access has been used to install a variety of remote monitoring and management (RMM) and remote‑access products — AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, QuickAssist, and ScreenConnect — although researchers (Talos) could not always determine whether each product was used primarily for lateral movement or for persistent remote control.
Evasion, Persistence, and Post‑exploitation
To evade detection the attackers execute PowerShell sequences that disable AMSI, turn off TLS certificate validation, and enable Restricted Admin mode. They also deploy kill‑switch style utilities such as dark‑kill and HRSword to terminate security products. For persistence and covert command‑and‑control they use Cobalt Strike and SystemBC.
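The three evasion actions in this paragraph are all visible in PowerShell script-block logging (Event ID 4104) if it is enabled, so a defender can alert on them without any signature for the malware itself. The following is an added example, not code from the original report or from any vendor; the indicator strings are assumptions about how these actions typically appear in script text, and the sample events are constructed.

```python
"""Triage PowerShell script-block log events (Event ID 4104) for the three
defense-evasion actions described above: AMSI tampering, TLS certificate
validation being switched off, and Restricted Admin mode being enabled.

Added example, not code from the original report. The indicator strings are
assumptions about how these actions typically appear in script text; the
sample events are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ScriptBlockEvent:
    event_id: int      # 4104 = "Creating Scriptblock text"
    host: str
    user: str
    script_text: str   # the logged script block (possibly one fragment of many)


# (rule name, compiled pattern over the script text)
RULES = [
    ("amsi_tamper",
     re.compile(r"AmsiUtils|AmsiScanBuffer|amsi\.dll", re.IGNORECASE)),
    ("tls_validation_disabled",
     re.compile(r"ServerCertificateValidationCallback|-SkipCertificateCheck",
                re.IGNORECASE)),
    ("restricted_admin_enabled",
     # DisableRestrictedAdmin = 0 turns Restricted Admin mode ON
     re.compile(r"DisableRestrictedAdmin\b.*?\b0\b", re.IGNORECASE)),
]
FULL_SEQUENCE = {name for name, _ in RULES}


def triage(events):
    """Return (host, user, rule_name) for every 4104 event matching a rule."""
    hits = []
    for ev in events:
        if ev.event_id != 4104:
            continue
        for name, pattern in RULES:
            if pattern.search(ev.script_text):
                hits.append((ev.host, ev.user, name))
    return hits


def hosts_with_full_sequence(hits):
    """Hosts on which all three evasion steps were observed: treat as
    high-confidence hands-on-keyboard activity, not one noisy admin script."""
    seen = {}
    for host, _user, name in hits:
        seen.setdefault(host, set()).add(name)
    return {host for host, names in seen.items() if names >= FULL_SEQUENCE}


# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    ScriptBlockEvent(4104, "WS-042", "CORP\\jdoe",
                     "Get-ChildItem C:\\Reports | Measure-Object"),
    ScriptBlockEvent(4104, "DC-01", "CORP\\svc_backup",
                     "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                     "  # remainder of block elided"),
    ScriptBlockEvent(4104, "DC-01", "CORP\\svc_backup",
                     "[System.Net.ServicePointManager]::ServerCertificateValidationCallback"
                     " = { $true }"),
    ScriptBlockEvent(4104, "DC-01", "CORP\\svc_backup",
                     "Set-ItemProperty -Path 'HKLM:\\System\\CurrentControlSet\\Control\\Lsa'"
                     " -Name DisableRestrictedAdmin -Value 0"),
    # Wrong event ID (4103 = module logging): ignored by design.
    ScriptBlockEvent(4103, "WS-042", "CORP\\jdoe", "AmsiUtils"),
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for hit in hits:
        print("ALERT", *hit)
    print("full evasion sequence on:", sorted(hosts_with_full_sequence(hits)))
```

Any one rule on its own will fire on legitimate administration (the TLS callback trick is common in internal scripts), which is why the example escalates only when all three appear on the same host; in a real deployment the user and host fields would also be compared against the account's normal activity.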
Ransomware Deployment And Cleanup
The final stage is the deployment of Qilin ransomware: files are encrypted, ransom notes are dropped in encrypted folders, Windows event logs are wiped, and all shadow copies created by the Volume Shadow Copy Service (VSS) are deleted to frustrate recovery efforts.
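Shadow copy deletion and event log clearing both leave telemetry that is independent of the ransomware binary: the commands themselves appear in process-creation logs, and Windows writes its own audit record when a log is cleared. The example below, added here and not taken from the original report, correlates those signals per host; the event layout is a simplification of Sysmon and Security log fields, and the records are constructed.

```python
"""Detect the pre-encryption cleanup described above: deletion of VSS shadow
copies and clearing of Windows event logs, seen both as process command lines
and as the audit events Windows writes when a log is cleared.

Added example, not code from the original report; the event records below are
constructed and the field layout is a simplification of Sysmon/Security log data.
"""
import re
from dataclasses import dataclass


@dataclass
class TelemetryEvent:
    source: str            # "process" (process creation) or "eventlog"
    host: str
    image: str = ""        # process creation only
    cmdline: str = ""      # process creation only
    channel: str = ""      # eventlog only: "Security", "System", ...
    event_id: int = 0      # eventlog only


# Command-line patterns for shadow copy destruction (T1490 Inhibit System Recovery).
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*(Remove-WmiObject|Remove-CimInstance|\.Delete\(\))", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
# Command-line patterns for log clearing (T1070.001 Clear Windows Event Logs).
LOG_CLEAR_PATTERNS = [
    re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    re.compile(r"\bClear-EventLog\b", re.I),
]
# Audit records written by Windows itself when a log is cleared:
# Security 1102 ("The audit log was cleared"), System 104 (a log file was cleared).
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}


def classify(ev):
    """Return the technique labels one event triggers (empty list if none)."""
    labels = []
    if ev.source == "process":
        text = f"{ev.image} {ev.cmdline}"
        if any(p.search(text) for p in SHADOW_COPY_PATTERNS):
            labels.append("inhibit_recovery:shadow_copy_deletion")
        if any(p.search(text) for p in LOG_CLEAR_PATTERNS):
            labels.append("indicator_removal:log_clear_command")
    elif ev.source == "eventlog" and (ev.channel, ev.event_id) in LOG_CLEARED_EVENTS:
        labels.append("indicator_removal:log_cleared_audit_event")
    return labels


def correlate(events):
    """Per-host verdict. Shadow copy deletion plus log clearing on the same host
    is the cleanup pattern that precedes encryption, so it is rated 'critical';
    either alone is 'suspicious'."""
    per_host = {}
    for ev in events:
        for label in classify(ev):
            per_host.setdefault(ev.host, set()).add(label)
    verdicts = {}
    for host, labels in per_host.items():
        tactics = {label.split(":")[0] for label in labels}
        both = {"inhibit_recovery", "indicator_removal"} <= tactics
        verdicts[host] = "critical" if both else "suspicious"
    return verdicts


SAMPLE_EVENTS = [  # constructed
    TelemetryEvent("process", "FS-07", image=r"C:\Windows\System32\vssadmin.exe",
                   cmdline="vssadmin delete shadows /all /quiet"),
    TelemetryEvent("process", "FS-07", image=r"C:\Windows\System32\wevtutil.exe",
                   cmdline="wevtutil cl Security"),
    TelemetryEvent("eventlog", "FS-07", channel="Security", event_id=1102),
    TelemetryEvent("process", "WS-03", image=r"C:\Windows\System32\wevtutil.exe",
                   cmdline="wevtutil qe Application /c:5"),        # a query, not a clear
    TelemetryEvent("eventlog", "WS-03", channel="System", event_id=104),
    TelemetryEvent("process", "WS-11", image=r"C:\Windows\System32\vssadmin.exe",
                   cmdline="vssadmin list shadows"),               # benign inventory
]

if __name__ == "__main__":
    for host, verdict in sorted(correlate(SAMPLE_EVENTS).items()):
        print(host, verdict)
```

Because the audit event 1102 is written to the very log being cleared, it survives only if logs are forwarded off the host before the attacker acts; central log collection is what makes this detection reliable rather than a script.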
Advanced Hybrid Attack Chains (Linux Binary On Windows + BYOVD)
Some sophisticated Qilin incidents have combined several advanced techniques. Operators have deployed a Linux‑compiled ransomware binary but executed it on Windows hosts, paired that payload with a 'bring your own vulnerable driver' (BYOVD) technique to disable defenses, and used legitimate IT management tooling to move through the environment and execute payloads. In these attacks the eskle.sys driver was observed as the vulnerable driver component used to disable security controls, kill processes, and evade detection.
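A BYOVD driver is, by definition, a legitimately signed driver, so signature validity alone will not flag it; what a defender can check in driver-load telemetry (Sysmon Event ID 6) is a blocklist of known abused drivers and the location the driver was loaded from. This is an added example and not the report's or any vendor's code: eskle.sys is the file name the report gives, every hash in the block is a labelled placeholder, and the sample events are constructed.

```python
"""Assess Sysmon driver-load events (Event ID 6) for the BYOVD pattern above.
A vulnerable driver usually carries a VALID vendor signature, so signature
checks alone do not catch it; the useful signals are a blocklist of known
abused drivers (by file name and hash) and loads from locations a properly
installed driver never uses.

Added example, not code from the original report. eskle.sys is the driver named
in the report; the hash below is a PLACEHOLDER, and the sample events are
constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class DriverLoad:
    host: str
    image_loaded: str       # Sysmon "ImageLoaded": path of the .sys file
    sha256: str             # from Sysmon "Hashes"
    signed: bool            # Sysmon "Signed"
    signature: str          # Sysmon "Signature": signer name ("" if unsigned)
    signature_status: str   # Sysmon "SignatureStatus": "Valid", "Expired", ...


BLOCKED_NAMES = {"eskle.sys"}          # from the report
# Populate from Microsoft's vulnerable driver blocklist or your own intel (lowercase).
BLOCKED_SHA256 = {"placeholder_sha256_of_known_vulnerable_driver"}
USER_WRITABLE_DIR = re.compile(
    r"^[a-z]:\\(users|programdata|temp|windows\\temp|perflogs)\\", re.I)
EXPECTED_DIR = re.compile(
    r"^[a-z]:\\windows\\system32\\(drivers|driverstore)\\", re.I)


def assess(load):
    """Return the list of reasons a driver load is suspicious (empty if none)."""
    reasons = []
    file_name = load.image_loaded.rsplit("\\", 1)[-1].lower()
    if file_name in BLOCKED_NAMES:
        reasons.append("blocklisted_name")
    if load.sha256.lower() in BLOCKED_SHA256:
        reasons.append("blocklisted_hash")
    if not load.signed or load.signature_status.lower() != "valid":
        reasons.append("unsigned_or_invalid_signature")
    if USER_WRITABLE_DIR.search(load.image_loaded):
        reasons.append("user_writable_path")
    elif not EXPECTED_DIR.search(load.image_loaded):
        # Weaker signal: some vendors legitimately install drivers elsewhere.
        reasons.append("non_standard_path")
    return reasons


def severity(reasons):
    """Known abused driver: isolate the host and check whether AV/EDR was stopped."""
    if {"blocklisted_name", "blocklisted_hash"} & set(reasons):
        return "high"
    if reasons:
        return "medium"
    return "none"


SAMPLE_LOADS = [  # constructed; hashes are filler, not real values
    DriverLoad("SRV-02", r"C:\Windows\System32\drivers\tcpip.sys", "a1" * 32,
               True, "Microsoft Windows", "Valid"),
    DriverLoad("SRV-02", r"C:\Users\Public\eskle.sys", "b2" * 32,
               True, "<vendor name placeholder>", "Valid"),
    DriverLoad("WS-09", r"C:\ProgramData\tmp\helper.sys", "c3" * 32,
               False, "", ""),
]

if __name__ == "__main__":
    for load in SAMPLE_LOADS:
        reasons = assess(load)
        print(load.host, load.image_loaded, severity(reasons), reasons)
```

The second sample shows why the hash and name lists matter: the driver is validly signed and would pass a signature-only check, yet it is loaded from a user-writable directory under a name the report associates with defense tampering. Enforcing Microsoft's vulnerable driver blocklist through WDAC or HVCI prevents the load in the first place; this check is the detective control for hosts where that enforcement is not yet on.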
Backup Targeting And Tailored Credential Theft
Qilin has specifically targeted Veeam backup infrastructure. Attackers used specialized credential extraction tools against backup databases to harvest credentials, systematically compromising organizations’ disaster‑recovery platforms before dropping ransomware, significantly raising the stakes for affected victims.
Phishing And Fake CAPTCHA Delivery Mechanisms
Beyond valid account abuse, certain intrusions began with spear‑phishing or with ClickFix‑style fake CAPTCHA pages hosted on Cloudflare R2. Those pages appear to deliver information‑stealer payloads that harvest credentials, which are then reused to gain initial network access.
Key techniques and infrastructure observed include:
- Deploying a SOCKS proxy DLL to enable remote access and command execution.
- Abusing ScreenConnect to run discovery commands and network scanning tools to locate lateral movement targets.
- Targeting Veeam backup systems to extract backup credentials from multiple databases.
- Using the eskle.sys driver in BYOVD attacks to neutralize security software and terminate defensive processes.
- Deploying PuTTY SSH clients to move laterally into Linux hosts.
- Running SOCKS proxy instances across different directories to obfuscate C2 traffic via the COROXY backdoor.
- Using WinSCP to move the Linux ransomware binary onto Windows systems.
- Leveraging Splashtop Remote’s SRManager.exe to execute the Linux ransomware binary directly on Windows machines.
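Most of the tooling named across this report (the credential-harvesting utilities in the "Credential Harvesting And Tooling" section, the RMM products in "How Stolen Credentials Are Leveraged", Cyberduck, and the PuTTY, WinSCP and SRManager.exe items in the list above) shows up as ordinary process-creation events, so one triage routine over that telemetry covers all of those passages. The block below is an added example, not code from the report or from any of the vendors mentioned: tool file names come from the report where it names them (the .exe extension on SharpDecryptPwd is assumed), the approved-RMM set and the name tokens used to recognize RMM binaries are assumptions to tune per environment, the Splashtop install path is a placeholder, and the sample events are constructed.

```python
"""Triage process-creation telemetry (Sysmon Event ID 1 style) for the tooling
pattern this report describes: credential-harvesting utilities, remote
monitoring/management (RMM) products the organization did not approve,
SSH/file-transfer clients used for lateral movement, and payloads launched
through an RMM agent such as Splashtop's SRManager.exe.

Added example, not code from the original report. Tool names come from the
report where it names them; the approved-RMM set and the RMM name tokens are
assumptions to tune per environment, and the sample events are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    cmdline: str = ""


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


# Named in the report (file extension assumed for SharpDecryptPwd).
CREDENTIAL_TOOLS = {"mimikatz.exe", "webbrowserpassview.exe",
                    "bypasscredguard.exe", "sharpdecryptpwd.exe"}
# Substrings of RMM product binary names (assumption; extend from your inventory).
RMM_TOKENS = ("anydesk", "screenconnect", "quickassist", "remoting_host",
              "srmanager", "gotodesk", "distant")
APPROVED_RMM = {"screenconnect"}   # assumption: the one product IT actually uses
TRANSFER_OR_SSH = {"putty.exe", "plink.exe", "winscp.exe", "cyberduck.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|temp|windows\\temp)\\", re.I)


def classify(ev):
    """Return the findings one process-creation event triggers (empty if none)."""
    findings = []
    name, parent = basename(ev.image), basename(ev.parent_image)
    if name in CREDENTIAL_TOOLS or "mimikatz" in ev.cmdline.lower():
        findings.append("credential_tool")
    token = next((t for t in RMM_TOKENS if t in name), None)
    if token and token not in APPROVED_RMM:
        findings.append(f"unapproved_rmm:{token}")
    if name in TRANSFER_OR_SSH:
        findings.append("ssh_or_transfer_client")
    # An RMM agent spawning a program from a user-writable directory is the
    # "execute payload via legitimate tooling" step in the report.
    if "srmanager" in parent and USER_WRITABLE.search(ev.image):
        findings.append("rmm_spawned_payload")
    return findings


SEVERITY = {"credential_tool": 3, "rmm_spawned_payload": 3,
            "unapproved_rmm": 2, "ssh_or_transfer_client": 1}


def summarize(events):
    """Per-host verdict taken from the highest-severity finding on that host."""
    report = {}
    for ev in events:
        for finding in classify(ev):
            report.setdefault(ev.host, set()).add(finding)
    verdicts = {}
    for host, findings in report.items():
        score = max(SEVERITY[f.split(":")[0]] for f in findings)
        verdicts[host] = {3: "high", 2: "medium", 1: "low"}[score]
    return verdicts


SAMPLE_EVENTS = [  # constructed
    ProcessEvent("WS-01", "CORP\\jdoe", r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("DC-01", "CORP\\admin_k", r"C:\Users\admin_k\Downloads\mimikatz.exe",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("DC-01", "CORP\\admin_k", r"C:\ProgramData\WebBrowserPassView.exe",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("FS-03", "CORP\\svc_it", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
                 r"C:\Windows\System32\msiexec.exe"),
    ProcessEvent("FS-03", "CORP\\svc_it", r"C:\Users\svc_it\Desktop\putty.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("FS-03", "CORP\\svc_it", r"C:\Users\svc_it\Desktop\WinSCP.exe",
                 r"C:\Windows\explorer.exe"),
    # Install directory below is a placeholder, not Splashtop's real path.
    ProcessEvent("SRV-09", "NT AUTHORITY\\SYSTEM", r"C:\Users\Public\agent",
                 r"C:\Program Files (x86)\splashtop_placeholder\SRManager.exe"),
]

if __name__ == "__main__":
    for host, verdict in sorted(summarize(SAMPLE_EVENTS).items()):
        print(host, verdict)
```

The value of this check is in the allowlist: an RMM product is only "suspicious" relative to what the help desk actually deploys, which is why the report's observation that Talos could not tell lateral movement from remote control apart matters less to a defender than whether the product should be on the host at all. Renamed binaries defeat the name match, so in production the credential-tool set should be backed by file hashes or signer checks.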
Cross‑platform Impact And Virtualization Targeting
The Linux binary provides cross‑platform capability: a single payload can affect both Linux and Windows systems in an environment. More recently, Qilin samples were updated to detect Nutanix AHV environments, demonstrating that the group is expanding targeting beyond traditional VMware deployments into modern hyperconverged infrastructures.
Summary
Qilin’s operation combines credential stealing, misuse of legitimate admin tooling, BYOVD techniques, targeted attacks on backup systems, and cross‑platform ransomware to maximize impact and avoid detection. Defenders should prioritize credential hygiene, multifactor authentication on remote access interfaces, segmentation of backup systems, rigorous monitoring for anomalous use of legitimate remote‑management tools, and controls to detect driver‑based BYOVD activity. These measures reduce the likelihood that harvested credentials or a single point of compromise will lead to full‑scale ransomware deployment.