Threat Actor Profile
Critical
Cybercriminal
Description
Qilin ransomware was first observed in July 2022. The Qilin payload is written in Golang and supports multiple encryption modes, all of which are chosen by the operator. Qilin actors practice double extortion: they demand payment both for a decryptor and for withholding publication of the data stolen before encryption.
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
AI Threat Intelligence Report
April 29, 2026 14:33
Threat Intelligence Report: qilin
Automated AI-generated threat intelligence report for qilin.
Indicators of Compromise
STIX Data
{
  "added_date": null,
  "client": "2003264@sit.singaporetech.edu.sg",
  "description": "Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data.",
  "firstseen": "2022-10-08T05:43:10.034028+00:00",
  "group": "qilin",
  "has_negotiations": true,
  "has_ransomnote": true,
  "lastseen": "2026-04-28T18:55:39.480241+00:00",
  "locations": [
    {
      "available": true,
      "fqdn": "ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion",
      "slug": "http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion",
      "title": "Qilin blog",
      "type": "DLS"
    },
    {
      "available": false,
      "fqdn": "ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion",
      "slug": "http://ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion",
      "title": "Qilin",
      "type": "DLS"
    },
    {
      "available": false,
      "fqdn": "kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion",
      "slug": "http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion",
      "title": "DDOS Protection",
      "type": "DLS"
    },
    {
      "available": false,
      "fqdn": "ji57fr53anp7wb44tbbnp72qcgbhqywy4jmbncawdcrejj5amuvh3zqd.onion",
      "slug": "http://ji57fr53anp7wb44tbbnp72qcgbhqywy4jmbncawdcrejj5amuvh3zqd.onion/site/login",
      "title": "Sign In",
      "type": "Admin"
    }
  ],
  "negotiation_count": 2,
  "ransomnotes_count": 3,
  "tiaras_metadata": {
    "has_negotiations": true,
    "has_ransomnote": true,
    "locations": [
      {
        "available": true,
        "fqdn": "ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion",
        "slug": "http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion",
        "title": "Qilin blog",
        "type": "DLS"
      },
      {
        "available": false,
        "fqdn": "ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion",
        "slug": "http://ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion",
        "title": "Qilin",
        "type": "DLS"
      },
      {
        "available": false,
        "fqdn": "kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion",
        "slug": "http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion",
        "title": "DDOS Protection",
        "type": "DLS"
      },
      {
        "available": false,
        "fqdn": "ji57fr53anp7wb44tbbnp72qcgbhqywy4jmbncawdcrejj5amuvh3zqd.onion",
        "slug": "http://ji57fr53anp7wb44tbbnp72qcgbhqywy4jmbncawdcrejj5amuvh3zqd.onion/site/login",
        "title": "Sign In",
        "type": "Admin"
      }
    ],
    "negotiation_count": 2,
    "ransomnotes_count": 3,
    "ransomware_live_group": "qilin",
    "tools": {
      "CredentialTheft": ["Mimikatz"],
      "DefenseEvasion": [
        "EDRSandBlast",
        "PCHunter",
        "PowerTool",
        "Toshiba power management driver (BYOVD)",
        "Updater for Carbon Black’s Cloud Sensor AV (upd.exe)",
        "YDArk",
        "Zemana Anti-Rootkit driver"
      ],
      "DiscoveryEnum": ["Nmap", "Nping"],
      "Exfiltration": ["EasyUpload.io", "MEGA"],
      "LOLBAS": ["fsutil", "PsExec", "WinRM", "PowerShell"],
      "Networking": ["Proxychains"],
      "Offsec": ["Cobalt Strike", "Evilginx", "NetExec", "Kali Linux", "SystemBC", "Tofsee"],
      "RMM-Tools": ["NetSupport", "ScreenConnect"]
    },
    "url": "https://www.ransomware.live/group/qilin",
    "victims": 1754,
    "vulnerabilities": []
  },
  "tiaras_source": "ransomware.live",
  "tools": {
    "CredentialTheft": ["Mimikatz"],
    "DefenseEvasion": [
      "EDRSandBlast",
      "PCHunter",
      "PowerTool",
      "Toshiba power management driver (BYOVD)",
      "Updater for Carbon Black’s Cloud Sensor AV (upd.exe)",
      "YDArk",
      "Zemana Anti-Rootkit driver"
    ],
    "DiscoveryEnum": ["Nmap", "Nping"],
    "Exfiltration": ["EasyUpload.io", "MEGA"],
    "LOLBAS": ["fsutil", "PsExec", "WinRM", "PowerShell"],
    "Networking": ["Proxychains"],
    "Offsec": ["Cobalt Strike", "Evilginx", "NetExec", "Kali Linux", "SystemBC", "Tofsee"],
    "RMM-Tools": ["NetSupport", "ScreenConnect"]
  },
  "ttps": [],
  "url": "https://www.ransomware.live/group/qilin",
  "victims": 1754,
  "vulnerabilities": []
}
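The locations list in the record above carries the group's .onion hostnames (the leak site, a mirror, a "DDOS Protection" front and an affiliate login panel). A v3 onion address is not an opaque string: it is base32 of the service's 32-byte ed25519 public key, a 2-byte SHA3-256 checksum and a version byte, so a CTI pipeline can reject mistyped or truncated addresses before they land on a watchlist. The block below is an added example, not code from this profile or from ransomware.live. It implements the rend-spec-v3 encoding and checksum, validates a bare hostname or a full URL such as the "slug" field, and runs over the four FQDNs copied from the record (PROFILE_LOCATIONS); the key used in the stand-alone run is a constructed value, not a real hidden-service key.

```python
import base64
import binascii
import hashlib
from urllib.parse import urlsplit

# Tor rend-spec-v3:
#   onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
#   PUBKEY   = 32-byte ed25519 public key
#   CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
#   VERSION  = 0x03
ONION_V3_VERSION = b"\x03"
ONION_V3_LABEL_LEN = 56  # 35 bytes * 8 bits / 5 bits per base32 char

# (fqdn, title, type) copied from the profile record above.
PROFILE_LOCATIONS = [
    ("ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion", "Qilin blog", "DLS"),
    ("ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion", "Qilin", "DLS"),
    ("kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion", "DDOS Protection", "DLS"),
    ("ji57fr53anp7wb44tbbnp72qcgbhqywy4jmbncawdcrejj5amuvh3zqd.onion", "Sign In", "Admin"),
]


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256 over the fixed prefix, key and version byte."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Derive the .onion hostname for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def hostname_of(value: str) -> str:
    """Accept a bare hostname or a full URL (like the record's 'slug') and return the host."""
    value = value.strip()
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.split("/", 1)[0].lower()


def validate_onion_v3(value: str) -> tuple:
    """Return (ok, reason). Purely structural: no Tor or network access is made."""
    host = hostname_of(value)
    if not host.endswith(".onion"):
        return False, "not a .onion hostname"
    label = host[: -len(".onion")]
    if len(label) != ONION_V3_LABEL_LEN:
        return False, f"label length {len(label)}, expected {ONION_V3_LABEL_LEN} (16-char v2 addresses are retired)"
    try:
        raw = base64.b32decode(label.upper())  # 56 chars decode to exactly 35 bytes, no padding needed
    except binascii.Error:
        return False, "label is not valid base32"
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        return False, f"version byte {version.hex()} != 03"
    if checksum != onion_v3_checksum(pubkey):
        return False, "checksum mismatch (likely a transcription error)"
    return True, "ok"


def check_locations(locations):
    """Map each fqdn in a locations list to its (ok, reason) result."""
    return {fqdn: validate_onion_v3(fqdn) for fqdn, _title, _type in locations}


if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed key, not a real hidden-service key
    print("derived:", encode_onion_v3(sample_key))
    for fqdn, (ok, reason) in check_locations(PROFILE_LOCATIONS).items():
        print("OK " if ok else "BAD", fqdn, reason)
```

Because the last base32 character encodes the low bits of the version byte, every valid v3 address ends in "d"; an address that does not is rejected by the version check before the checksum is even computed, which makes this a cheap first filter for scraped leak-site lists.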
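The tools block in the record is a flat inventory, but for detection engineering its value lies in the stages it spans: discovery (Nmap, Nping), credential theft (Mimikatz), defense evasion (EDRSandBlast, PCHunter, PowerTool, YDArk), lateral movement (PsExec, WinRM), remote access (NetSupport, ScreenConnect) and exfiltration (MEGA, EasyUpload.io). Any one of these names on a host is weak evidence; several of them on the same host inside a day is the pattern a Qilin intrusion leaves. The block below is an added example, not code from this profile or from ransomware.live: it maps the record's tool names to stages, runs over constructed process-creation records (SAMPLE_EVENTS is made up for this example, and the field names ts/host/user/image/cmdline and the image names psexesvc, megasync and megacmd are assumptions, not values from the record) and alerts when at least three distinct stages occur on one host within 24 hours.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tool names from the profile, grouped by the intrusion stage each serves.
# Matching is prefix-based on lowercase tokens of image path + command line,
# so "psexec" also catches psexec64.exe. The LOLBAS entries (PowerShell, fsutil)
# are deliberately excluded: they run on every Windows host and would fire alone.
# psexesvc, megasync and megacmd are image names assumed here, not in the record.
STAGE_SIGNATURES = {
    "discovery": ("nmap", "nping"),
    "credential_theft": ("mimikatz",),
    "defense_evasion": ("edrsandblast", "pchunter", "powertool", "ydark"),
    "lateral_movement": ("psexec", "psexesvc", "winrm"),
    "remote_access": ("netsupport", "screenconnect"),
    "exfiltration": ("megasync", "megacmd", "easyupload"),
}
MIN_STAGES = 3               # distinct stages on one host before alerting
WINDOW = timedelta(hours=24)  # correlation window
_TOKEN = re.compile(r"[a-z0-9]+")

# Constructed process-creation records for this example (not real telemetry).
SAMPLE_EVENTS = [
    # WS01: four stages in 18 hours, the pattern that should alert
    {"ts": "2026-04-20T08:00:00", "host": "WS01", "user": "j.doe",
     "image": r"C:\Tools\nmap.exe", "cmdline": "nmap -sS -p 445,3389 10.0.0.0/24"},
    {"ts": "2026-04-20T09:30:00", "host": "WS01", "user": "j.doe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"ts": "2026-04-20T10:15:00", "host": "WS01", "user": "j.doe",
     "image": r"C:\Temp\mimikatz.exe", "cmdline": '"privilege::debug" "sekurlsa::logonpasswords"'},
    {"ts": "2026-04-20T11:00:00", "host": "WS01", "user": "j.doe",
     "image": r"C:\Temp\psexec64.exe", "cmdline": r"psexec64 \\SRV01 -s -d cmd.exe"},
    {"ts": "2026-04-21T02:10:00", "host": "WS01", "user": "j.doe",
     "image": r"C:\Users\j.doe\AppData\Local\MEGAsync\MEGAsync.exe", "cmdline": "MEGAsync.exe"},
    # WS02: LOLBAS noise only, must not alert
    {"ts": "2026-04-20T08:05:00", "host": "WS02", "user": "svc_backup",
     "image": r"C:\Windows\System32\fsutil.exe", "cmdline": "fsutil usn queryjournal C:"},
    {"ts": "2026-04-20T08:06:00", "host": "WS02", "user": "svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File backup.ps1"},
    # WS03: two stages, nine days apart: below threshold and outside the window
    {"ts": "2026-04-01T12:00:00", "host": "WS03", "user": "admin",
     "image": r"C:\Tools\nmap.exe", "cmdline": "nmap -sn 10.0.1.0/24"},
    {"ts": "2026-04-10T12:00:00", "host": "WS03", "user": "admin",
     "image": r"C:\Tools\PsExec.exe", "cmdline": r"psexec \\SRV02 ipconfig"},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


def classify(image: str, cmdline: str) -> set:
    """Return the set of stages whose tool names appear in the image path or command line."""
    tokens = _TOKEN.findall(f"{image} {cmdline}".lower())
    return {stage for stage, names in STAGE_SIGNATURES.items()
            if any(tok.startswith(name) for tok in tokens for name in names)}


def correlate(lines, min_stages=MIN_STAGES, window=WINDOW):
    """Group classified events per host; alert on the first window holding >= min_stages stages."""
    per_host = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        stages = classify(rec["image"], rec.get("cmdline", ""))
        if stages:
            per_host[rec["host"]].append((datetime.fromisoformat(rec["ts"]), stages, rec))
    alerts = []
    for host, events in per_host.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _, _) in enumerate(events):
            seen, hits = set(), []
            for ts, stages, rec in events[i:]:
                if ts - start > window:
                    break
                seen |= stages
                hits.append(rec)
            if len(seen) >= min_stages:
                alerts.append({"host": host, "stages": sorted(seen),
                               "first_seen": hits[0]["ts"], "last_seen": hits[-1]["ts"],
                               "events": hits})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG_LINES):
        print(alert["host"], alert["first_seen"], "->", alert["last_seen"], alert["stages"])
        for ev in alert["events"]:
            print("   ", ev["ts"], ev["user"], ev["image"], ev["cmdline"])
```

The same stage table translates directly into a Sentinel or EDR hunting query; the point of keeping the per-stage grouping rather than a single name list is that the alert threshold counts stages, not hits, so ten Nmap runs on one host still score as one stage. The BYOVD entries (the Toshiba and Zemana drivers, the Carbon Black updater) are missing on purpose: they are best caught on driver-load telemetry by hash and signer, not by process name.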