Qilin ransomware has emerged as one of the most active ransomware operations of the second half of 2025, posting more than 40 victim disclosures per month on its public leak site.
Originally tracked under the name Agenda before rebranding to Qilin around July 2022, this ransomware-as-a-service platform has evolved into a global menace affecting organizations across multiple continents and industrial sectors.
The group’s dual-extortion model combines file encryption with data theft and public disclosure, creating compounded pressure on victims to pay extortion demands.
Manufacturing represents the hardest-hit sector at 23% of all cases, trailed by professional services at 18%, while the United States faces the highest concentration of attacks.
The intrusion chain Cisco Talos documented runs from initial access through reconnaissance and data exfiltration to persistence and, finally, encryption.
Talos analysts found that attackers typically gain network entry with compromised VPN credentials obtained from dark web leaks, used against accounts that had no multi-factor authentication.
Once inside victim networks, operators perform extensive reconnaissance using legitimate Windows utilities like nltest.exe and net.exe to map domain infrastructure and identify high-value targets.
The investigation found that Qilin operators harvest data methodically before deploying any encryption payload, identifying and exfiltrating the most sensitive company information first and only then triggering system-wide encryption.
A notable technique Talos identified is the use of built-in Windows applications to locate and inspect sensitive files during this phase.
Forensic artifacts consistently show mspaint.exe and notepad.exe being executed to open and view high-sensitivity files on network storage.
Rather than relying solely on automated file discovery scripts, operators use these seemingly innocuous applications to open and review files, perhaps to verify data quality before compression and exfiltration.
This manual inspection lets attackers prioritize the most valuable intellectual property, financial records and confidential documents, and it leaves none of the signatures that automated data discovery tools would trigger.
Dual-Encryptor Deployment Strategy
The dual-encryptor deployment strategy further demonstrates operational sophistication within the Qilin ecosystem.
The first variant, encryptor_1.exe, is pushed across compromised hosts with PsExec using administrator privileges, with the internal password it requires hardcoded into the binary.
The second variant, encryptor_2.exe, operates from a single system to encrypt multiple network shares simultaneously, maximizing coverage and impact across distributed infrastructure.
Before encryption starts, operators establish persistence through a scheduled task named TVInstallRestore and entries under the registry Run keys, so the ransomware survives reboots.
The malware specifically targets Cluster Shared Volumes hosting Hyper-V virtual machines and databases, while excluding the files the operating system needs to boot: the host still starts and displays the ransom note, but reinstalling the operating system does nothing to recover the encrypted data on those volumes.
For data exfiltration, Qilin operators employ Cyberduck, an open-source file transfer utility that obscures malicious activity within legitimate cloud service traffic directed toward Backblaze servers.
Before the data leaves the network, operators stage it with WinRAR using parameters that exclude the base folder from archived paths and disable recursion into subdirectories, so each archive holds one directory level without its parent path.
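The behaviours described in the reconnaissance, manual-inspection, dual-encryptor, persistence and exfiltration passages above translate directly into process-creation detection rules. The following Python script is an added example, not Cisco Talos or CSN code: it runs those rules over constructed events in the shape of Sysmon Event ID 1 / Security 4688 records and summarises which stage of the intrusion each host shows. Host names, user names, paths and command lines are all invented; the WinRAR switches -ep1 and -r- are an assumption for the "exclude base folder" and "no recursion" parameters the write-up mentions, and the PsExec -c copy switch is the standard Sysinternals option, not something the article states.

```python
"""Rule-based triage of Windows process-creation events for the Qilin tradecraft
described above. Added example, not Cisco Talos or CSN code; every event in
SAMPLE is constructed, not a real log."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    cmdline: str


def _name(path: str) -> str:
    """Lower-cased basename of an image path, so rules compare names not paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


UNC_SHARE = re.compile(r"\\\\[\w.$-]+\\[\w.$-]+")   # \\server\share...
PSEXEC_TARGET = re.compile(r"\\\\[\w.-]+")          # \\host on a PsExec command line


def lolbin_viewer_on_share(e):
    # mspaint.exe / notepad.exe opening a file over SMB: a human reviewing loot,
    # as Talos saw in the artifact logs. Local use is deliberately left alone.
    m = UNC_SHARE.search(e.cmdline)
    if _name(e.image) in {"mspaint.exe", "notepad.exe"} and m:
        return f"{_name(e.image)} opened a file on {m.group(0)}"
    return None


def ad_recon(e):
    # nltest.exe / net.exe domain enumeration (the mapping phase).
    n, c = _name(e.image), e.cmdline.lower()
    if n == "nltest.exe" and any(k in c for k in ("/dclist", "/domain_trusts", "/dsgetdc")):
        return "nltest domain enumeration"
    if n in {"net.exe", "net1.exe"} and "/domain" in c and any(k in c for k in (" group ", " user ")):
        return "net.exe domain group/user enumeration"
    return None


def psexec_spread(e):
    # encryptor_1.exe style spread: PsExec copying a binary to a remote host (-c is
    # the Sysinternals copy switch), or a process on the target parented by PSEXESVC.
    n, c = _name(e.image), e.cmdline.lower()
    t = PSEXEC_TARGET.search(c)
    if n.startswith("psexec") and "-c" in c.split() and t:
        return f"PsExec copying an executable to {t.group(0)}"
    if _name(e.parent_image) == "psexesvc.exe":
        return f"{n} launched by the PsExec service"
    return None


def persistence(e):
    # Scheduled-task creation (TVInstallRestore is the name Talos reported) and
    # Run-key writes through reg.exe.
    n, c = _name(e.image), e.cmdline.lower()
    if n == "schtasks.exe" and "/create" in c:
        m = re.search(r'/tn\s+"?([^\s"]+)', c)
        task = m.group(1) if m else "?"
        tag = " (known Qilin task name)" if task == "tvinstallrestore" else ""
        return f"scheduled task created: {task}{tag}"
    if n == "reg.exe" and " add " in c and "\\currentversion\\run" in c:
        return "Run key entry added via reg.exe"
    return None


def archive_staging(e):
    # Assumption: the "exclude base folder" / "no recursion" parameters in the
    # write-up are WinRAR's -ep1 and -r- switches.
    n, toks = _name(e.image), e.cmdline.lower().split()
    if n in {"winrar.exe", "rar.exe"} and "a" in toks and "-ep1" in toks and "-r-" in toks:
        return "WinRAR archive built with -ep1 -r- (one directory level, no parent path)"
    return None


def exfil_tool(e):
    # Cyberduck is the Backblaze upload client Talos observed; it has no business on a file server.
    return "Cyberduck started" if _name(e.image) == "cyberduck.exe" else None


RULES = {"ad_recon": ad_recon, "lolbin_viewer_on_share": lolbin_viewer_on_share,
         "psexec_spread": psexec_spread, "persistence": persistence,
         "archive_staging": archive_staging, "exfil_tool": exfil_tool}


def triage(events):
    """Every (rule, host, user, detail) hit, in event order."""
    return [(rule, e.host, e.user, d) for e in events
            for rule, fn in RULES.items() if (d := fn(e))]


def stage_summary(events):
    """Rules seen per host: recon + share viewing + staging on one host means the
    data-harvesting phase is under way before any encryptor has run."""
    per_host = defaultdict(set)
    for rule, host, _, _ in triage(events):
        per_host[host].add(rule)
    return {h: sorted(r) for h, r in per_host.items()}


# Constructed events modelling the chain in the article; hosts, users and paths are invented.
SAMPLE = [
    ProcEvent("FS01", r"CORP\jdoe", r"C:\Windows\System32\nltest.exe", r"C:\Windows\System32\cmd.exe", "nltest /dclist:corp.local"),
    ProcEvent("FS01", r"CORP\jdoe", r"C:\Windows\System32\net.exe", r"C:\Windows\System32\cmd.exe", 'net group "Domain Admins" /domain'),
    ProcEvent("FS01", r"CORP\jdoe", r"C:\Windows\System32\mspaint.exe", r"C:\Windows\explorer.exe", r'"C:\Windows\System32\mspaint.exe" "\\FS01\Finance\Q3\board-deck.png"'),
    ProcEvent("FS01", r"CORP\jdoe", r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\cmd.exe", r"notepad.exe \\FS01\HR\payroll\export.csv"),
    ProcEvent("FS01", r"CORP\jdoe", r"C:\Program Files\WinRAR\WinRAR.exe", r"C:\Windows\System32\cmd.exe", r"WinRAR.exe a -ep1 -r- C:\Temp\hr.rar \\FS01\HR\payroll\*"),
    ProcEvent("FS01", r"CORP\jdoe", r"C:\Program Files\Cyberduck\Cyberduck.exe", r"C:\Windows\explorer.exe", r'"C:\Program Files\Cyberduck\Cyberduck.exe"'),
    ProcEvent("FS01", r"CORP\jdoe", r"C:\Temp\PsExec.exe", r"C:\Windows\System32\cmd.exe", r"PsExec.exe \\WS-042 -u CORP\svc_backup -p ******** -c -f C:\Temp\encryptor_1.exe"),
    ProcEvent("WS-042", r"NT AUTHORITY\SYSTEM", r"C:\Windows\encryptor_1.exe", r"C:\Windows\PSEXESVC.exe", r"C:\Windows\encryptor_1.exe"),
    ProcEvent("WS-042", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\schtasks.exe", r"C:\Windows\encryptor_1.exe", r"schtasks /create /tn TVInstallRestore /tr C:\Windows\encryptor_1.exe /sc onstart /ru SYSTEM"),
    ProcEvent("WS-007", r"CORP\asmith", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", r'"C:\Windows\System32\notepad.exe" C:\Users\asmith\notes.txt'),  # benign local use
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
    print(stage_summary(SAMPLE))
```

Run against the constructed sample, FS01 lights up for recon, share viewing with mspaint.exe and notepad.exe, WinRAR staging, Cyberduck and the PsExec push, while WS-042 shows only the encryptor arriving under PSEXESVC.exe and the TVInstallRestore task; the benign local notepad.exe on WS-007 produces nothing. The viewer rule keys on a UNC path rather than on the application alone, which is what keeps it usable on a fleet where notepad.exe runs thousands of times a day.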
The combination of manual file inspection using standard Windows applications, sophisticated deployment tactics, and cloud-based exfiltration represents a mature threat operation demanding comprehensive detection and response capabilities from organizations worldwide.