Hybrid Attack: Qilin Ransomware’s Linux Payload and BYOVD Exploit

The cybercriminal group Qilin, also known as Agenda, Gold Feather, and Water Galura, has been responsible for over 40 attacks per month since the beginning of 2025, excluding January. The number of incidents posted on their data leak site peaked at 100 cases in June.

Qilin has become one of the most active ransomware groups, with 84 victims each in August and September 2025. The group has been operational since around July 2022.

According to data from Cisco Talos, countries such as the U.S., Canada, the U.K., France, and Germany have been heavily impacted by Qilin. The attacks have predominantly targeted industries like manufacturing (23%), professional and scientific services (18%), and wholesale trade (10%).

Qilin affiliates have been using leaked administrative credentials from the dark web to gain initial access, utilizing VPN interfaces and RDP connections to breach endpoints and domain controllers.

The attackers have conducted system reconnaissance and network discovery to map out the infrastructure. They have used tools like Mimikatz, WebBrowserPassView.exe, BypassCredGuard.exe, and SharpDecryptPwd to harvest credentials and exfiltrate data to an external SMTP server using a Visual Basic Script.

Mimikatz commands targeted sensitive data and system functions, including clearing Windows event logs, extracting passwords from Chrome’s database, recovering credentials, and harvesting configuration data related to RDP, SSH, and Citrix.

Additionally, the threat actors have used mspaint.exe, notepad.exe, and iexplore.exe to analyze files for sensitive information, as well as Cyberduck for transferring files to a remote server while masking their malicious activities.

The stolen credentials have allowed for privilege escalation and lateral movement within networks, with the installation of remote monitoring tools like AnyDesk, Chrome Remote Desktop, and ScreenConnect.

To evade detection, the attackers use PowerShell commands to disable security features, terminate processes, and enable Restricted Admin mode. They also use tools like dark-kill and HRSword to bypass security software. Cobalt Strike and SystemBC are deployed for persistent remote access.

The attack culminates in the deployment of the Qilin ransomware, which encrypts files and leaves a ransom note in each encrypted folder. Before encryption, the attackers wipe event logs and delete shadow copies maintained by the Windows Volume Shadow Copy Service.

Recent discoveries have revealed a sophisticated Qilin attack that involved deploying their Linux ransomware variant on Windows systems, using the bring-your-own-vulnerable-driver (BYOVD) technique and legitimate IT tools to evade security measures.

Qilin attackers have targeted Veeam backup infrastructure, extracting credentials to compromise disaster recovery capabilities before deploying the ransomware payload.

Some attacks have utilized spear-phishing and fake CAPTCHA pages to deliver malicious payloads and harvest credentials for initial access.

Key steps taken by the attackers include deploying a SOCKS proxy DLL for remote access, using ScreenConnect for network scanning and lateral movement, targeting the Veeam backup infrastructure, and employing various techniques to evade detection.

  • Using the “eskle.sys” driver in a BYOVD attack to disable security solutions
  • Deploying PuTTY SSH clients for lateral movement to Linux systems
  • Utilizing SOCKS proxy instances for obfuscating command-and-control traffic
  • Transferring the Linux ransomware binary to Windows systems using WinSCP
  • Executing the Linux ransomware binary on Windows systems using Splashtop Remote’s management service

The Linux ransomware binary used by the attackers has cross-platform capability, enabling them to target both Windows and Linux systems with a single payload. The threat actors have adapted to modern virtualization environments beyond traditional platforms like VMware.
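As an added defender-side example (not code from the article or from the vendors it cites), the following Python triages constructed sample telemetry for the chain described above: the eskle.sys driver load, the file-transfer and remote-management tooling, a non-PE file launched under a remote-management service, and a cleared Security log. Host names, file paths and the Splashtop service path are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample telemetry (not from the article): one dict per event,
# loosely shaped like EDR process-create, driver-load and log-clear records.
# Paths are assumed for illustration; only "eskle.sys" comes from the reporting.
SAMPLE_EVENTS = [
    {"type": "driver_load", "host": "WS01", "image": r"C:\Users\Public\eskle.sys"},
    {"type": "process", "host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe"},
    {"type": "process", "host": "WS01",
     "parent": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe",  # assumed path
     "image": r"C:\ProgramData\upd\locker"},        # no Windows executable extension
    {"type": "log_cleared", "host": "WS01", "channel": "Security"},
    {"type": "process", "host": "WS02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe"},  # benign control event
]

# Name fragments for the remote-management and file-transfer tools named in the reporting.
RMM_TOKENS = ("anydesk", "screenconnect", "splashtop")
TRANSFER_TOKENS = ("winscp", "putty", "cyberduck")
DRIVER_DIR = r"c:\windows\system32\drivers"
PE_EXTENSIONS = (".exe", ".com", ".dll", ".scr", ".sys")

def _has(path, tokens):
    low = path.lower()
    return any(t in low for t in tokens)

def triage(events):
    """Return (rule, host, detail) findings for the Qilin-style chain."""
    findings = []
    for e in events:
        image = e.get("image", "")
        if e["type"] == "driver_load":
            # BYOVD: the named driver, or any driver loading from outside the drivers directory.
            if image.lower().endswith("eskle.sys") or not image.lower().startswith(DRIVER_DIR):
                findings.append(("byovd_driver_load", e["host"], image))
        elif e["type"] == "process":
            if _has(image, RMM_TOKENS + TRANSFER_TOKENS):
                findings.append(("rmm_or_transfer_tool", e["host"], image))
            # A file without a Windows executable extension (e.g. an ELF locker)
            # launched by a remote-management service.
            if not image.lower().endswith(PE_EXTENSIONS) and _has(e.get("parent", ""), RMM_TOKENS):
                findings.append(("non_pe_child_of_rmm", e["host"], image))
        elif e["type"] == "log_cleared" and e.get("channel") == "Security":
            # Corresponds to Windows Security event 1102 (the audit log was cleared).
            findings.append(("security_log_cleared", e["host"], "1102"))
    return findings

def summarize(findings):
    """Count hits per host; several distinct rules on one host is the escalation signal."""
    return Counter(host for _, host, _ in findings)

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print(summarize(hits))
```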