In the latter half of 2025, the Qilin ransomware group has solidified its standing as a formidable threat, continuing to post details of more than 40 victims per month on its public leak site.
This rapid, relentless campaign—primarily impacting manufacturing, professional and scientific services, and wholesale trade—has placed Qilin among the world’s most impactful ransomware gangs.
Qilin (formerly Agenda) emerged in July 2022, employing a double-extortion strategy: combining file encryption with the threat of public data exposure.
Evidence from the Talos threat intelligence team highlights a consistent operational tempo, with a pronounced focus on manufacturing—constituting roughly 23% of all cases.

Professional and scientific services follow at 18%, with wholesale trade comprising another 10%. Critical sectors like healthcare, construction, retail, education, and finance each make up about 5% of incidents, while primary industries and general services remain under 2%.
The United States leads in victim count, trailed by Canada, the UK, France, and Germany. Qilin’s consistent monthly case volume, which exceeded 100 postings at its summer 2025 peak, underscores the persistent and global threat the group poses.


Their leak site—a central piece of Qilin’s extortion methodology—serves both as evidence of compromise and as a high-pressure tactic pushing victims toward ransom payment.
Recent incident analysis uncovered a distinctive twist in Qilin’s toolkit: leveraging legitimate Windows applications—mspaint.exe and notepad.exe—to comb through files containing sensitive data.
This technique, seldom seen at scale, likely aids attackers in reviewing confidential content quickly and evading security platforms tuned to block or flag only non-native or typical “hacker” tools.
Logs from victim environments reveal not only the opening of sensitive files with Notepad and Paint, but also the use of open-source utilities such as Cyberduck for exfiltrating stolen data to cloud destinations, often masking the activity within normal business traffic.
Artifacts tie attacker scripts to potential operators from Eastern Europe or Russian-speaking regions, with character encodings (windows-1251/Cyrillic) surfacing notably in credential theft scripts. Still, analysts caution that this could be a deliberate false flag.
The Qilin attack chain mirrors many contemporary human-operated ransomware campaigns with added nuances.
Notably, the VPN implicated in this case had no multi-factor authentication (MFA) configured, so anyone holding valid credentials gained unfettered access.


Initial access often traces back to VPN logins using credentials leaked or sold on dark web forums. Some cases involved group policy tweaks to enable RDP and facilitate lateral movement across Windows environments.
Qilin attackers methodically perform reconnaissance, collecting user lists, domain controllers, and privilege information, using built-in tools like nltest, net, whoami, and tasklist.
Credential access is a multi-stage process—leveraging a toolkit including Mimikatz, NirSoft utilities, and custom batch files to harvest passwords and escalate privileges.


These credentials often allow the attackers to propagate across the network, alter firewall or RDP settings, and create broad-access shares for unrestricted lateral movement.
Dual encryptor deployment sets Qilin apart: encryptor_1.exe spreads laterally via PsExec, infecting multiple hosts, while encryptor_2.exe centrally encrypts network shares from a single vantage point.
Ransomware execution is preceded by defense evasion tactics—obfuscating PowerShell commands, disabling EDR and AMSI, and using both open-source and commercial remote access tools, including AnyDesk and ScreenConnect.
Obfuscation, Exfiltration, and Lasting Impact
For exfiltration, Qilin actors wrap up loot with tools like WinRAR, followed by upload using Cyberduck to cloud storage, often Backblaze.
They comb through files, using mspaint.exe and notepad.exe, to spot valuable data—an indicator that manual operator review remains a critical part of high-value extortion.
After deploying ransomware, Qilin leaves behind ransom notes offering data recovery in exchange for payment, often with sector- and victim-specific configuration, including targeted file, process, and service whitelists and blacklists.
Persistence mechanisms further ensure continued extortion pressure by establishing scheduled tasks and registry modifications.
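As an added, defender-side illustration (not code from the Talos analysis or from this article), the following Python runs three simple detections over a handful of constructed process-creation records shaped like Sysmon Event ID 1 / Windows Security 4688 entries: Notepad or Paint opening data-bearing files straight from a network share (the technique described above), a short burst of the discovery commands named earlier (nltest, net, whoami, tasklist) from one account, and an archiver run followed by Cyberduck on the same host. The sliding-window recon check generalizes the page's list into a count of distinct tools per window. Host names, users, paths, timestamps, and every tool name beyond those the article mentions (rclone, FileZilla, 7-Zip, systeminfo and the like) are assumptions made for this example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry in the shape of Sysmon Event ID 1 / Security 4688
# process-creation records, flattened to "time|host|user|image path|command line".
# Hosts, users, paths and timestamps are invented for this example, not real IoCs.
SAMPLE_EVENTS = r"""
2025-09-14T02:11:03|WS-FIN-07|svc_backup|C:\Windows\System32\whoami.exe|whoami /all
2025-09-14T02:11:09|WS-FIN-07|svc_backup|C:\Windows\System32\nltest.exe|nltest /dclist:corp
2025-09-14T02:11:15|WS-FIN-07|svc_backup|C:\Windows\System32\net.exe|net group "Domain Admins" /domain
2025-09-14T02:11:21|WS-FIN-07|svc_backup|C:\Windows\System32\tasklist.exe|tasklist /v
2025-09-14T02:40:55|WS-FIN-07|svc_backup|C:\Windows\System32\notepad.exe|notepad.exe \\FS01\Finance\payroll_2025.xlsx
2025-09-14T02:42:10|WS-FIN-07|svc_backup|C:\Windows\System32\mspaint.exe|mspaint.exe \\FS01\HR\passports\scan_0417.pdf
2025-09-14T03:05:00|WS-FIN-07|svc_backup|C:\Program Files\WinRAR\WinRAR.exe|WinRAR.exe a -r C:\Temp\f.rar \\FS01\Finance
2025-09-14T03:20:31|WS-FIN-07|svc_backup|C:\Program Files\Cyberduck\Cyberduck.exe|Cyberduck.exe
2025-09-14T09:15:02|WS-HR-02|alice|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\Desktop\todo.txt
2025-09-14T09:30:00|WS-HR-02|alice|C:\Windows\System32\whoami.exe|whoami
""".strip()


@dataclass(frozen=True)
class ProcEvent:
    time: datetime
    host: str
    user: str
    image: str    # full path of the executable that started
    cmdline: str  # command line as recorded by the sensor

    @property
    def exe(self) -> str:
        return PureWindowsPath(self.image).name.lower()


def parse_events(text: str) -> list[ProcEvent]:
    """Parse the flattened records (a real deployment would read Sysmon/4688 JSON instead)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(datetime.fromisoformat(ts), host, user, image, cmdline))
    return sorted(events, key=lambda e: e.time)


VIEWER_EXES = {"notepad.exe", "mspaint.exe"}
SENSITIVE_EXTS = {".xlsx", ".xls", ".docx", ".doc", ".pdf", ".csv", ".sql", ".kdbx", ".pst", ".bak"}


def opened_path(e: ProcEvent) -> str | None:
    """Everything after the program name is treated as the file it was asked to open."""
    parts = e.cmdline.split(None, 1)
    return parts[1].strip().strip('"') if len(parts) == 2 else None


def viewer_hits(events: list[ProcEvent]) -> list[tuple[str, str, str, str]]:
    """Notepad/Paint opening a file from a UNC share or with a data-bearing extension."""
    hits = []
    for e in events:
        if e.exe not in VIEWER_EXES:
            continue
        target = opened_path(e)
        if not target:
            continue
        on_share = target.startswith("\\\\")  # UNC path: read straight off a file server
        if on_share or PureWindowsPath(target).suffix.lower() in SENSITIVE_EXTS:
            hits.append((e.host, e.user, e.exe, target))
    return hits


# Discovery commands named in the write-up plus a few common companions (assumed).
RECON_EXES = {"whoami.exe", "nltest.exe", "net.exe", "net1.exe", "tasklist.exe",
              "systeminfo.exe", "quser.exe", "ipconfig.exe", "nslookup.exe"}


def recon_bursts(events, window=timedelta(minutes=10), min_distinct=3):
    """Flag a host/user pair that runs >= min_distinct different recon tools inside one window."""
    by_actor = defaultdict(list)
    for e in events:
        if e.exe in RECON_EXES:
            by_actor[(e.host, e.user)].append(e)
    flagged = {}
    for actor, evs in by_actor.items():
        for i, start in enumerate(evs):  # evs is time-ordered; slide the window forward
            tools = {x.exe for x in evs[i:] if x.time - start.time <= window}
            if len(tools) >= min_distinct:
                flagged[actor] = sorted(tools)
                break
    return flagged


ARCHIVERS = {"winrar.exe", "rar.exe", "7z.exe", "7za.exe"}
EXFIL_TOOLS = {"cyberduck.exe", "rclone.exe", "filezilla.exe"}  # Cyberduck per the write-up; others assumed


def staging_then_exfil(events, window=timedelta(hours=2)):
    """Archive creation followed on the same host by a cloud/FTP client within the window."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    findings = []
    for host, evs in by_host.items():
        archives = [e for e in evs if e.exe in ARCHIVERS]
        uploads = [e for e in evs if e.exe in EXFIL_TOOLS]
        for a in archives:
            for u in uploads:
                if timedelta(0) <= u.time - a.time <= window:
                    findings.append((host, a.exe, u.exe))
    return findings


EVENTS = parse_events(SAMPLE_EVENTS)

if __name__ == "__main__":
    for hit in viewer_hits(EVENTS):
        print("viewer-on-sensitive-file:", hit)
    for actor, tools in recon_bursts(EVENTS).items():
        print("recon-burst:", actor, tools)
    for finding in staging_then_exfil(EVENTS):
        print("stage-then-upload:", finding)
```

On the sample, only the svc_backup session on WS-FIN-07 trips all three checks; alice opening her own todo.txt and running a lone whoami does not, which is the point of keying the viewer rule on share paths and data extensions rather than on the binaries alone.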
Qilin’s ongoing activity—rooted in well-coordinated affiliates, agile tactics, and innovative abuse of mundane Windows tools—shows that defenders must adapt quickly.
Asset inventory, privilege segmentation, and continuous monitoring of both common and uncommon application behaviors remain non-negotiable for organizations aiming to thwart one of 2025’s most industrious ransomware adversaries.