Financially motivated | 3 malware families | Exploits CVEs in the wild

Qilin

Also known as: agenda, GOLD FEATHER, qilin, qilin_gang, qilin_ransomware, qilin_ransomware_gang, qilin_ransomware_group, qirin, Water Galura

Qilin is a financially motivated ransomware-as-a-service (RaaS) operation active since at least March 2022. Aliases used across reporting include Agenda, Gold Feather, Qilin, Qilin Gang, Qilin Ransomware, Qilin Ransomware Gang, Qilin Ransomware Group, Qirin, and Water Galura. Reporting describes the operation as highly scalable, with several personas, including @Haise, promoting Qilin on the RAMP forum.

Qilin sits inside a wider ecosystem of affiliates, initial access brokers, and cooperating or overlapping crews. Symantec, Carbon Black, and related reporting link the initial access broker Woodgnat (also tracked as KongTuke) to attacks involving Qilin; Woodgnat has been observed using ModeloRAT and Mistic to obtain access and sell it to ransomware operators including Qilin, and ModeloRAT was separately observed in intrusions that deployed Qilin ransomware. DragonForce attempted public cooperation with Qilin and LockBit, and VX-Underground reported that DragonForce, LockBit, and Qilin attempted to establish communication channels. Group-IB reported that the Gentlemen group was founded by hastalamuerte, described as a former Qilin affiliate.

Qilin's victim reach is broad. Black Kite's 2026 European Cyber Risk Report states that Qilin operated in 26 of the 31 European countries analyzed, the widest geographic reach of any ransomware group the report covers. S2W ranked Qilin among the five highest-risk ransomware groups in H1 2025 and reported that it carried out the most attacks against government agencies in that period, with 12 cases. Qilin is also highly active against healthcare: it remained one of the most active ransomware groups affecting the healthcare sector in June 2026.

The best-known incident attributed to Qilin is the June 2024 attack on Synnovis, a pathology services provider. The group compromised Synnovis's internal network and exfiltrated about 394.1 GB of sensitive patient data that several NHS foundation trusts had shared with Synnovis for pathology testing. Reporting states that more than 90,000 NHS patients' records were affected and that the disruption hit pathology, blood testing, and diagnostic services across multiple NHS organizations.

In summary, Qilin is a major ransomware operation with wide geographic reach, active affiliate and ecosystem relationships, and documented links to initial access brokers and to tooling used to stage ransomware deployment.


MITRE ATT&CK

Tradecraft

53 distinct techniques observed across reporting, grouped by tactic. 13 of 15 tactics are represented, with 68 technique entries in total: a technique that serves several tactics (for example T1078 Valid Accounts) is listed under each. ×N marks the number of intelligence reports citing that technique.
TA0001 Initial Access (6 techniques)
  T1078 Valid Accounts ×6
  T1133 External Remote Services ×5
  T1189 Drive-by Compromise
  T1190 Exploit Public-Facing Application ×6
  T1566 Phishing ×2
  T1659 Content Injection

TA0002 Execution (2 techniques)
  T1053 Scheduled Task/Job
    T1053.005 Scheduled Task
  T1059 Command and Scripting Interpreter
    T1059.001 PowerShell ×2
    T1059.003 Windows Command Shell

TA0003 Persistence (6 techniques)
  T1053 Scheduled Task/Job
    T1053.005 Scheduled Task
  T1078 Valid Accounts ×6
  T1098 Account Manipulation
  T1112 Modify Registry
  T1133 External Remote Services ×5
  T1136 Create Account

TA0004 Privilege Escalation (5 techniques)
  T1053 Scheduled Task/Job
    T1053.005 Scheduled Task
  T1068 Exploitation for Privilege Escalation
  T1078 Valid Accounts ×6
  T1098 Account Manipulation
  T1484 Domain or Tenant Policy Modification
    T1484.001 Group Policy Modification

TA0005 Stealth (6 techniques)
  T1014 Rootkit
  T1027 Obfuscated Files or Information ×2
    T1027.002 Software Packing
  T1070 Indicator Removal ×2
    T1070.001 Clear Windows Event Logs ×2
    T1070.004 File Deletion
  T1078 Valid Accounts ×6
  T1211 Exploitation for Stealth
  T1218 System Binary Proxy Execution
    T1218.011 Rundll32

TA0112 Defense Impairment (2 techniques)
  T1112 Modify Registry
  T1484 Domain or Tenant Policy Modification
    T1484.001 Group Policy Modification

TA0006 Credential Access (4 techniques)
  T1212 Exploitation for Credential Access
  T1539 Steal Web Session Cookie
  T1555 Credentials from Password Stores ×2
    T1555.003 Credentials from Web Browsers
  T1649 Steal or Forge Authentication Certificates

TA0007 Discovery (4 techniques)
  T1016 System Network Configuration Discovery
  T1033 System Owner/User Discovery ×2
  T1046 Network Service Discovery ×2
  T1069 Permission Groups Discovery
    T1069.002 Domain Groups

TA0008 Lateral Movement (3 techniques)
  T1021 Remote Services ×2
    T1021.001 Remote Desktop Protocol
  T1210 Exploitation of Remote Services
  T1550 Use Alternate Authentication Material

TA0009 Collection (2 techniques)
  T1074 Data Staged
  T1560 Archive Collected Data

TA0011 Command and Control (5 techniques)
  T1071 Application Layer Protocol ×2
  T1090 Proxy
    T1090.002 External Proxy
  T1105 Ingress Tool Transfer ×3
  T1219 Remote Access Tools
  T1659 Content Injection

TA0010 Exfiltration (4 techniques)
  T1041 Exfiltration Over C2 Channel ×2
  T1048 Exfiltration Over Alternative Protocol
  T1537 Transfer Data to Cloud Account ×2
  T1567 Exfiltration Over Web Service ×2
    T1567.002 Exfiltration to Cloud Storage

TA0040 Impact (3 techniques)
  T1486 Data Encrypted for Impact ×15
  T1490 Inhibit System Recovery
  T1657 Financial Theft ×3
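The table above names techniques and citation counts but, like the rest of this page, gives no Qilin-specific commands or artifacts. The following is an added example, not code from the Mallory page or from any Qilin tooling: a small detection pass over constructed Windows event records for four of the most-cited entries (T1078 via RDP from outside the network, which also covers T1133 and T1021.001; T1070.001; T1490; T1486). The Windows Security event IDs (4624, 1102, 4688) and Sysmon event ID (11) are real; the JSON field names, the INTERNAL_NETS ranges, the thresholds, the T1490 command patterns (MITRE's generic procedure examples, not something this page attributes to Qilin), and every host, user, IP, path and timestamp are assumptions made for the demonstration.

```python
"""Added detection example over constructed Windows event records; not from the
Mallory page or any Qilin tooling. Field names, ranges and thresholds are
assumptions; event IDs are the real Windows Security / Sysmon IDs."""
import ipaddress
import json
import ntpath
import re
from collections import Counter

# Constructed JSON-lines export in the shape a SIEM forwarder might produce.
SAMPLE_EVENTS = r"""
{"host":"FS01","id":4624,"user":"svc_backup","logon_type":10,"src_ip":"203.0.113.10","ts":"2026-06-01T03:12:05Z"}
{"host":"FS01","id":4624,"user":"alice","logon_type":10,"src_ip":"10.1.4.22","ts":"2026-06-01T09:01:00Z"}
{"host":"FS01","id":1102,"user":"svc_backup","ts":"2026-06-01T03:40:10Z"}
{"host":"FS01","id":4688,"user":"svc_backup","cmdline":"vssadmin.exe delete shadows /all /quiet","ts":"2026-06-01T03:41:00Z"}
{"host":"FS01","id":4688,"user":"svc_backup","cmdline":"bcdedit /set {default} recoveryenabled no","ts":"2026-06-01T03:41:02Z"}
{"host":"FS01","id":4688,"user":"alice","cmdline":"vssadmin.exe list shadows","ts":"2026-06-01T09:05:00Z"}
{"host":"FS01","id":11,"user":"svc_backup","path":"D:\\shares\\q1.docx.enc","ts":"2026-06-01T03:42:00Z"}
{"host":"FS01","id":11,"user":"svc_backup","path":"D:\\shares\\q2.xlsx.enc","ts":"2026-06-01T03:42:01Z"}
{"host":"FS01","id":11,"user":"svc_backup","path":"D:\\shares\\q3.pdf.enc","ts":"2026-06-01T03:42:01Z"}
{"host":"FS01","id":11,"user":"svc_backup","path":"D:\\shares\\README.txt","ts":"2026-06-01T03:42:02Z"}
{"host":"FS01","id":11,"user":"alice","path":"D:\\shares\\notes.txt","ts":"2026-06-01T09:10:00Z"}
"""

# Assumed corporate ranges; in production load the real ones, VPN pools included.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Generic recovery-inhibiting commands from MITRE's T1490 procedure examples.
RECOVERY_INHIBIT = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(?:\.exe)?\s.*recoveryenabled\s+no"
    r"|wbadmin(?:\.exe)?\s+delete\s+catalog",
    re.IGNORECASE,
)
LOGON_TYPE_REMOTE_INTERACTIVE = 10   # Windows logon type for RDP / Terminal Services
ENCRYPT_MIN_FILES = 3                # new files sharing one unfamiliar extension per host+user
BENIGN_EXT = {".txt", ".docx", ".xlsx", ".pdf", ".log", ".tmp", ".lnk"}


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _finding(technique: str, e: dict, reason: str) -> dict:
    return {"technique": technique, "host": e.get("host"), "user": e.get("user"),
            "ts": e.get("ts"), "reason": reason}


def detect(events: list[dict]) -> list[dict]:
    """Map each matching record to the ATT&CK technique it evidences."""
    findings = []
    new_ext = Counter()   # (host, user, extension) -> count of newly created files
    for e in events:
        eid = e.get("id")
        if eid == 4624 and e.get("logon_type") == LOGON_TYPE_REMOTE_INTERACTIVE:
            src = e.get("src_ip")
            if src and is_external(src):
                findings.append(_finding("T1078", e, f"RDP logon from external address {src} (see also T1133, T1021.001)"))
        elif eid == 1102:   # Security log cleared
            findings.append(_finding("T1070.001", e, "Security event log cleared"))
        elif eid == 4688 and RECOVERY_INHIBIT.search(e.get("cmdline", "")):
            findings.append(_finding("T1490", e, f"recovery-inhibiting command: {e['cmdline']}"))
        elif eid == 11 and e.get("path"):   # Sysmon FileCreate
            ext = ntpath.splitext(e["path"])[1].lower()   # ntpath handles Windows separators on any host
            if ext and ext not in BENIGN_EXT:
                new_ext[(e.get("host"), e.get("user"), ext)] += 1
    for (host, user, ext), n in new_ext.items():
        if n >= ENCRYPT_MIN_FILES:
            findings.append({"technique": "T1486", "host": host, "user": user, "ts": None,
                             "reason": f"{n} new files with unfamiliar extension {ext}"})
    return findings


def techniques_hit(findings: list[dict]) -> list[str]:
    return sorted({f["technique"] for f in findings})


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{f['technique']:<10} {f['host']} {f['user']}: {f['reason']}")
```

The internal-user activity (an RDP logon from 10.1.4.22, a `vssadmin list shadows`, a plain .txt) produces no findings; the four alerts all land on `svc_backup`, which is the kind of overlap across tactics that is worth an automatic escalation. The T1486 heuristic is deliberately conservative: it keys on an extension not in the allowlist rather than on any named ransomware extension, because the page does not document one for this actor.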
WEAPONIZED

Associated vulnerabilities

5 CVEs this actor has used in observed campaigns; all 5 are exploited in the wild.

CVE-2026-50751: Check Point IKEv1 Remote Access VPN Authentication Bypass (in the wild; evidence: 6)

CVE-2026-50751 is a critical vulnerability (CVSS 9.3) in Check Point Remote Access VPN, Mobile Access, and Spark Firewall products that still use the deprecated IKEv1 key exchange protocol. The flaw is a logic error in certificate validation during the IKEv1 handshake that lets an unauthenticated attacker bypass user authentication entirely and establish a VPN connection.
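Because the flaw lives in the IKEv1 handshake, the first question for a defender is which gateways still answer IKEv1 at all. The following is an added example, not code from the Mallory page or from Check Point: a parser for the fixed 28-byte IKE header (RFC 2408 for IKEv1, RFC 7296 for IKEv2) that classifies a gateway's UDP/500 or UDP/4500 reply by protocol version and exchange type, so replies captured from a scan or a pcap can be sorted into "still negotiates IKEv1" and "IKEv2 only". The datagrams, SPI values, gateway addresses and the make_datagram helper are constructed for the demonstration; the script does no network I/O and says nothing about how the certificate-validation bug itself is triggered.

```python
"""Added IKE header parser for IKEv1 exposure triage; not from the Mallory page
or Check Point. Header layout follows RFC 2408 / RFC 7296; sample data is
constructed (RFC 5737 documentation addresses, arbitrary SPIs)."""
import struct
from dataclasses import dataclass

IKE_HEADER = struct.Struct("!8s8sBBBBII")   # ISAKMP/IKE fixed header, 28 bytes
NON_ESP_MARKER = b"\x00\x00\x00\x00"         # prefix on UDP/4500 (NAT-T) IKE packets
IKEV2_FLAG_RESPONSE = 0x20                   # RFC 7296 section 3.1, the 'R' bit

# Exchange types keyed by (major version, exchange type).
EXCHANGE_NAMES = {
    (1, 2): "IKEv1 Main Mode (Identity Protection)",
    (1, 4): "IKEv1 Aggressive Mode",
    (1, 5): "IKEv1 Informational",
    (2, 34): "IKEv2 IKE_SA_INIT",
    (2, 35): "IKEv2 IKE_AUTH",
    (2, 37): "IKEv2 INFORMATIONAL",
}


@dataclass(frozen=True)
class IkeHeader:
    initiator_spi: bytes
    responder_spi: bytes
    major: int
    minor: int
    exchange_type: int
    flags: int
    message_id: int
    length: int
    nat_t: bool

    @property
    def is_ikev1(self) -> bool:
        return self.major == 1

    @property
    def exchange_name(self) -> str:
        return EXCHANGE_NAMES.get((self.major, self.exchange_type),
                                  f"unknown exchange type {self.exchange_type}")

    @property
    def is_reply(self) -> bool:
        # IKEv2 carries an explicit response bit; IKEv1 does not, so a reply is
        # recognised by the responder having filled in its SPI (cookie).
        if self.major == 2:
            return bool(self.flags & IKEV2_FLAG_RESPONSE)
        return any(self.responder_spi)


def parse_ike_header(datagram: bytes) -> IkeHeader:
    """Decode the fixed header, stripping the NAT-T non-ESP marker if present."""
    nat_t = datagram.startswith(NON_ESP_MARKER)
    body = datagram[len(NON_ESP_MARKER):] if nat_t else datagram
    if len(body) < IKE_HEADER.size:
        raise ValueError(f"datagram too short for an IKE header: {len(body)} bytes")
    ispi, rspi, _next_payload, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(body)
    if length != len(body):
        raise ValueError(f"header length {length} does not match datagram length {len(body)}")
    return IkeHeader(ispi, rspi, version >> 4, version & 0x0F, exch, flags, msg_id, length, nat_t)


def ikev1_responders(replies: dict[str, bytes]) -> list[str]:
    """Addresses whose reply is a well-formed IKEv1 message with a responder SPI set."""
    found = []
    for addr, data in replies.items():
        try:
            hdr = parse_ike_header(data)
        except ValueError:
            continue   # truncated or non-IKE bytes: not evidence of anything
        if hdr.is_ikev1 and hdr.is_reply:
            found.append(addr)
    return sorted(found)


def make_datagram(major: int, exchange_type: int, responder_spi: bytes,
                  flags: int = 0, nat_t: bool = False) -> bytes:
    """Build a header-only test datagram (constructed data, no payloads)."""
    hdr = IKE_HEADER.pack(b"\x11" * 8, responder_spi, 0, (major << 4) | 0,
                          exchange_type, flags, 0, IKE_HEADER.size)
    return (NON_ESP_MARKER + hdr) if nat_t else hdr


# Constructed replies keyed by gateway address.
SAMPLE_REPLIES = {
    "192.0.2.1": make_datagram(1, 2, b"\x22" * 8),                # IKEv1 Main Mode reply
    "192.0.2.2": make_datagram(2, 34, b"\x33" * 8, flags=0x20),   # IKEv2 IKE_SA_INIT reply
    "192.0.2.3": make_datagram(1, 4, b"\x44" * 8, nat_t=True),    # IKEv1 Aggressive Mode over NAT-T
    "192.0.2.4": make_datagram(1, 2, b"\x00" * 8),                # IKEv1 request, no responder SPI
    "192.0.2.5": b"\x00" * 10,                                    # truncated junk
}

if __name__ == "__main__":
    for addr, data in SAMPLE_REPLIES.items():
        try:
            h = parse_ike_header(data)
            print(addr, h.exchange_name, "reply" if h.is_reply else "request", "nat-t" if h.nat_t else "")
        except ValueError as exc:
            print(addr, "unparseable:", exc)
    print("IKEv1 responders:", ikev1_responders(SAMPLE_REPLIES))
```

Only gateways that answered with a nonzero responder SPI count as IKEv1-capable; a request seen on the wire proves nothing about the responder. Run the same classifier over Zeek or firewall captures of your own VPN concentrators and treat every IKEv1 responder as in scope for the vendor fix and for disabling the deprecated protocol.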

CVE-2023-27532: Unauthenticated credential extraction in Veeam Backup & Replication Cloud Connect (in the wild; evidence: 1)

Known Exploited Vulnerabilities entry: CVE-2023-27532, Missing Authentication for Critical Function, Veeam Backup & Replication Cloud Connect, CVSS 7.5.

CVE-2024-21762: Fortinet FortiOS/FortiProxy SSL-VPN Out-of-Bounds Write RCE (in the wild; evidence: 1)

Known Exploited Vulnerabilities entry: CVE-2024-21762, Out-of-Bound Write, Fortinet FortiOS, CVSS 9.8.

CVE-2024-55591: Authentication Bypass in the FortiOS and FortiProxy Node.js WebSocket Module (in the wild; evidence: 1)

Known Exploited Vulnerabilities entry: CVE-2024-55591, Authentication Bypass, Fortinet FortiOS, CVSS 9.8.

CVE-2026-1731: Pre-auth OS Command Injection RCE in BeyondTrust Remote Support and Privileged Remote Access (in the wild; evidence: 1)

On 13 February 2026, CISA gave organizations three days to remediate CVE-2026-1731, a pre-authentication RCE in BeyondTrust Remote Support with CVSS 9.9. Three days. Exploitation was already underway in active ransomware campaigns before most teams had even downloaded the patch...

IOCS

Observables

30 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. The indicator values themselves are not published on this page.
