Threat Intelligence Report
Executive Summary

Automated AI-generated threat intelligence report for Qilin.

Report Content

Threat Actor Profile: Qilin (Ransomware Group)

Overview and Origin

Qilin is a financially motivated ransomware group first observed in July 2022; its early samples were tracked by vendors under the name Agenda. It runs a ransomware-as-a-service (RaaS) model: the core group supplies the encryptor, leak site and negotiation infrastructure, while affiliates carry out the intrusions. The encryptor was originally written in Go (a Rust rewrite has also been reported). The group's country of origin and regional affiliation remain unconfirmed in open-source intelligence, but its operational patterns, tooling and victimology align with the broader ecosystem of Russian-speaking ransomware groups. Qilin is assessed as a non-state-sponsored actor driven purely by financial gain through extortion. It maintains a public data leak site (DLS) on the Tor network, at the time of this report reachable at `ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion`, where it publishes data stolen from victims who refuse to pay. Onion addresses of this kind rotate, so the address should be re-verified before it is used in blocking or monitoring rules.

Victimology and Impact

As of late April 2026, Qilin had claimed 1,754 victims on its leak site, indicating a high-volume, indiscriminate targeting strategy. The group does not focus on a specific sector or region; it has listed organizations in healthcare, manufacturing, technology, finance and government. This breadth suggests that affiliates select targets on the basis of obtainable network access and ability to pay rather than ideological or geopolitical considerations. The double extortion model (payment demanded both for a decryptor and for non-publication of the stolen data) puts particular pressure on victims in regulated sectors, where a confirmed breach carries compliance and reputational consequences that backups alone cannot remove.

Tactics, Techniques, and Procedures (TTPs)

Qilin affiliates run a multi-stage attack chain that combines living-off-the-land binaries and scripts (LOLBAS), commercial penetration-testing tooling and custom malware. Initial access is typically gained through phishing, exploitation of public-facing applications or the use of stolen credentials. Once inside the network, the affiliates deploy a range of tools for discovery, lateral movement and persistence.

For discovery and enumeration, Qilin actors use Nmap and Nping to map network topology and identify live hosts and services. Lateral movement relies on legitimate Windows administration channels such as PsExec, WinRM and PowerShell, so that attacker activity blends with routine administration. Cobalt Strike provides command-and-control (C2) and post-exploitation capability, and NetExec is used for remote execution and credential testing.

Defense evasion is a critical component of Qilin's operations. The group uses a variety of tools to disable or bypass endpoint detection and response (EDR) solutions, including EDRSandBlast, PCHunter, PowerTool, YDArk, and Zemana Anti-Rootkit driver. Notably, Qilin leverages a bring-your-own-vulnerable-driver (BYOVD) technique using the Toshiba power management driver to terminate security processes at the kernel level. Additionally, the group abuses the legitimate Carbon Black Cloud Sensor AV updater (`upd.exe`) to disable antivirus protections, further demonstrating its deep understanding of security product internals.

For credential theft, Qilin relies on Mimikatz to extract plaintext passwords, hashes and Kerberos tickets from compromised systems. Stolen data is exfiltrated to cloud file-sharing services such as EasyUpload.io and MEGA, which offer anonymity and high transfer speeds and are often already permitted by egress policy. The group also uses proxy chains and tools such as SystemBC and Tofsee to anonymize C2 traffic and evade network-based detection.
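The tooling in the four preceding paragraphs translates directly into host telemetry. The following script is an added example written for this page (it is not tooling from the report, from Qilin or from any vendor): it sweeps Sysmon-style events for the tool names and services the report lists and then correlates per host, because a single hit on a dual-use tool such as PsExec is noise while discovery, lateral movement, EDR tampering and exfiltration on one host is an intrusion chain. The Sysmon event IDs (1 process create, 6 driver load, 22 DNS query) and field names are real; the substring indicators, the driver signer strings, the confidence labels and the sample events are assumptions constructed for the example.

```python
"""Added detection example for the Qilin TTPs listed in this report.

Illustrative code written for this page, not tooling from the report or any
vendor. Sysmon event IDs used: 1 process create, 6 driver load, 22 DNS query.
The substring indicators and driver signer strings are assumptions about how
these tools appear in logs; tune them to your own telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int
    host: str
    fields: dict


@dataclass
class Alert:
    host: str
    tactic: str
    indicator: str
    confidence: str
    detail: str


# (tactic, substring, confidence): matched case-insensitively against the
# process image basename and the full command line. Dual-use admin tools get
# "low"; tools with no business use on a workstation get "high".
PROCESS_INDICATORS = [
    ("discovery", "nmap", "medium"),
    ("discovery", "nping", "medium"),
    ("lateral_movement", "psexec", "low"),
    ("lateral_movement", "psexesvc", "low"),      # PsExec's remote service binary
    ("lateral_movement", "netexec", "high"),
    ("defense_evasion", "edrsandblast", "high"),
    ("defense_evasion", "pchunter", "high"),
    ("defense_evasion", "powertool", "high"),
    ("defense_evasion", "ydark", "high"),
    ("credential_access", "mimikatz", "high"),
    ("credential_access", "sekurlsa::", "high"),  # Mimikatz module, catches renamed binaries
    ("command_and_control", "systembc", "high"),
]

# Signers of the BYOVD drivers the report names. Both vendors ship legitimate
# software, so a load is only "low" on its own; the per-host correlation below
# is what turns it into something worth paging on.
DRIVER_SIGNER_INDICATORS = [
    ("defense_evasion", "zemana", "low"),
    ("defense_evasion", "toshiba", "low"),
]

# Exfiltration services named in the report (domain or any subdomain).
EXFIL_DOMAINS = ["mega.nz", "easyupload.io"]


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return one Alert per indicator hit, in event order."""
    alerts = []
    for ev in events:
        f = ev.fields
        if ev.event_id == 1:
            image = basename(f.get("Image", ""))
            cmd = f.get("CommandLine", "").lower()
            for tactic, needle, conf in PROCESS_INDICATORS:
                if needle in image or needle in cmd:
                    alerts.append(Alert(ev.host, tactic, needle, conf, image))
        elif ev.event_id == 6:
            signer = f.get("Signature", "").lower()
            for tactic, needle, conf in DRIVER_SIGNER_INDICATORS:
                if needle in signer:
                    alerts.append(Alert(ev.host, tactic, "driver signed by " + needle,
                                        conf, basename(f.get("ImageLoaded", ""))))
        elif ev.event_id == 22:
            q = f.get("QueryName", "").lower().rstrip(".")
            for d in EXFIL_DOMAINS:
                if q == d or q.endswith("." + d):
                    alerts.append(Alert(ev.host, "exfiltration", d, "medium", q))
    return alerts


def intrusion_chains(alerts, min_tactics=3):
    """Hosts whose alerts span at least min_tactics distinct tactics, with the tactics seen."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a.host].add(a.tactic)
    return {h: sorted(t) for h, t in by_host.items() if len(t) >= min_tactics}


# Constructed sample telemetry (not real logs): ws-17 shows a full chain,
# srv-db has a single exfil hit, laptop-03 merely loads a vendor driver.
SAMPLE_EVENTS = [
    Event(1, "ws-17", {"Image": r"C:\Temp\nmap.exe", "CommandLine": "nmap.exe -sn 10.10.0.0/24"}),
    Event(1, "ws-17", {"Image": r"C:\Windows\PSEXESVC.exe", "CommandLine": "C:\\Windows\\PSEXESVC.exe"}),
    Event(6, "ws-17", {"ImageLoaded": r"C:\Windows\Temp\antirootkit.sys", "Signature": "Zemana Ltd."}),
    Event(1, "ws-17", {"Image": r"C:\Temp\m.exe", "CommandLine": "m.exe privilege::debug sekurlsa::logonpasswords"}),
    Event(22, "ws-17", {"QueryName": "upload.easyupload.io"}),
    Event(22, "srv-db", {"QueryName": "mega.nz"}),
    Event(1, "srv-db", {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"}),
    Event(6, "laptop-03", {"ImageLoaded": r"C:\Windows\System32\drivers\pwrmgmt.sys", "Signature": "TOSHIBA CORPORATION"}),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host:10} {a.tactic:20} {a.confidence:6} {a.indicator:25} {a.detail}")
    print("chains:", intrusion_chains(found))
```

On the sample data only ws-17 is reported as a chain: it spans five tactics, while srv-db (one DNS hit) and laptop-03 (a Toshiba-signed driver, which is expected on Toshiba hardware) stay below the threshold. The renamed Mimikatz binary is still caught because the `sekurlsa::` module name appears on the command line, which is why command-line logging matters more than image-name blocklists for this actor.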

Ransomware Deployment and Encryption

The Qilin encryptor supports multiple encryption modes selected by the operator at deployment time, which lets affiliates trade speed for thoroughness depending on the target environment. It is typically deployed only after data exfiltration is complete, so that the group keeps its leverage even when the victim can restore from backups. Ransom notes are dropped on encrypted systems and point victims to a negotiation portal; at least two negotiation instances and three distinct ransom note variants have been recorded.

Notable Capabilities and Campaigns

Qilin's operational maturity is reflected in its toolset, which includes remote monitoring and management (RMM) software such as NetSupport and ScreenConnect for persistent access, and Evilginx for credential harvesting through reverse-proxy phishing. Kali Linux has also been observed in use for post-exploitation. Although Qilin has not been linked to a single high-profile campaign, its sustained activity over nearly four years and its victim count of more than 1,700 organizations indicate a highly active and successful operation. Its ability to run multiple DLS infrastructure nodes, including a dedicated admin panel, points to a well-organized and well-resourced group.

Conclusion

Qilin is a significant and persistent threat to organizations worldwide. Its combination of double extortion, kernel-level EDR tampering and a mixed arsenal of legitimate and malicious tools makes it a capable adversary. Defenders should prioritize the controls that map to the TTPs above: block known vulnerable drivers (for example through Microsoft's vulnerable driver blocklist) to blunt the BYOVD technique, enable LSA protection and limit credential exposure to reduce what Mimikatz can recover, restrict PsExec, WinRM and remote PowerShell to designated administrative hosts, apply egress filtering for file-sharing services such as MEGA and EasyUpload.io, segment the network, and regularly test backups for restoration. Monitoring for the specific tools and techniques listed in this report supports early detection and response.

Source

AI Generated (DeepSeek)

Created

April 29, 2026 14:33

Last Updated

April 29, 2026 14:33
