Qilin
Qilin is a ransomware-as-a-service (RaaS) operation active since 2022 and previously operated under the name Agenda. It is associated with double-extortion activity, using data theft alongside file encryption and operating a Tor-hosted leak site; reporting also notes use of the public-facing WikiLeaksV2 leak site launched in May 2024. Qilin has been described as a scalable RaaS with multiple personas, including @Haise, recruiting on Russian-language cybercrime forums. Reporting also links affiliate disputes to the group, including allegations involving hastalamuerte, a former Qilin affiliate later tied to The Gentlemen.
Technically, Agenda/Qilin is written in Go. Agenda was first spotted in August 2022 and was reported as primarily targeting healthcare and education organizations in Africa and Asia. Reporting on Agenda describes configurable intermittent/partial encryption modes including skip-step, percent, and fast. Qilin is also referenced as having Linux ransomware capability, consistent with the broader trend of ransomware groups adding Linux encryptors.
Observed Qilin intrusions used valid compromised credentials for initial access, including VPN access where MFA was absent, and in at least one 2026 case a Qilin affiliate was tied to exploitation of Check Point VPN authentication-bypass vulnerability CVE-2026-50751. Sophos documented a January 2025 campaign in which a Qilin affiliate tracked as STAC4365 used adversary-in-the-middle phishing against a managed service provider’s ScreenConnect administrator, leveraging spoofed ScreenConnect domains and evilginx to steal credentials and intercept MFA, then deploying a malicious ScreenConnect instance across multiple customer environments. Cisco Talos reported Qilin operators using valid compromised credentials, a victim-customized encryptor, and CyberDuck for data exfiltration.
Post-compromise behavior associated with Qilin includes lateral movement, credential theft, backup targeting, exfiltration, and defense evasion. Sophos X-Ops reported a July 2024 Qilin incident in which attackers modified default domain policy to deploy a malicious logon GPO containing IPScanner.ps1 and logon.bat to harvest credentials stored in Google Chrome from multiple endpoints, writing collected data into SYSVOL directories organized by hostname. In that case, the attackers later deleted harvested files, cleared event logs, and again used GPO to create a scheduled task that downloaded and executed Qilin ransomware. In MSP-focused intrusions, attackers used tools including PsExec, NetExec, WinRM, ScreenConnect, WinRAR, and veeam.exe associated with exploitation of CVE-2023-27532 to obtain Veeam credentials, then exfiltrated archives to easyupload.io using Chrome Incognito mode and modified systems to boot into Safe Mode with networking before ransomware deployment.
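As an added illustration (not code from any of the cited reports), the following Python sketches command-line detection logic for the stages described above, run over constructed sample process-creation events. The rule patterns assume the GPO scripts launch from the domain's SYSVOL share and that the Safe Mode change, shadow-copy deletion and log clearing use the built-in bcdedit, vssadmin and wevtutil utilities; the reporting names those outcomes, not the tools.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon event 1 / Security 4688 style);
# hosts, paths and command lines are invented for this example, not from the report.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": r"cmd.exe /c \\corp.example\SYSVOL\corp.example\scripts\logon.bat"},
    {"host": "WS01", "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File \\corp.example\SYSVOL\corp.example\scripts\IPScanner.ps1"},
    {"host": "SRV02", "cmdline": "bcdedit.exe /set {default} safeboot network"},
    {"host": "SRV02", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "SRV02", "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS03", "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]

# One rule per stage of the reported chain. Assumption: the scripts run from SYSVOL,
# and Safe Mode, shadow-copy and log-clearing changes use the built-in Windows tools
# (bcdedit, vssadmin, wevtutil); the report describes the outcomes, not the tools.
RULES = [
    ("gpo_logon_script_sysvol", re.compile(r"\\SYSVOL\\.*\b(logon\.bat|IPScanner\.ps1)\b", re.I)),
    ("safe_mode_boot_change", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
]

def match_rules(events):
    """Return (host, rule_name) for every event whose command line hits a rule."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], name))
    return hits

def stages_by_host(hits):
    """Distinct rule names that fired per host, so one noisy rule cannot dominate."""
    stages = defaultdict(set)
    for host, name in hits:
        stages[host].add(name)
    return {host: sorted(names) for host, names in stages.items()}

def hosts_with_chain(hits, minimum=2):
    """Hosts where at least `minimum` distinct stages fired: escalate these first,
    since the reported intrusions combined several stages before encryption."""
    return sorted(h for h, names in stages_by_host(hits).items() if len(names) >= minimum)

if __name__ == "__main__":
    hits = match_rules(SAMPLE_EVENTS)
    print(stages_by_host(hits))
    print("escalate:", hosts_with_chain(hits))
```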
Qilin has also been linked to broader criminal tooling ecosystems. Symantec and Carbon Black reported ModeloRAT observed in attacks that deployed Qilin ransomware, and assessed related access-broker activity as likely supporting ransomware affiliates. Sophos and other reporting linked Qilin incidents to EDR-killer tooling delivered via HeartCrypt- or Shanya-packed loaders; recurring sequences included EDR killer deployment followed by Qilin ransomware. Qilin has also been named among ransomware programs associated with Muddled Libra/Scattered Spider partnerships.
Targeting in the provided reporting spans healthcare, education, government, public administration, and MSP/customer environments, with one notable public case being the June 2024 attack on Synnovis affecting UK healthcare services. S2W ranked Qilin among the highest-risk ransomware groups in H1 2025 and reported it carried out the most attacks against government agencies in that period. Additional reporting states Qilin recorded 338 victims in Q1 2026 and remained the most prominent ransomware operation for the third consecutive quarter.
High-confidence indicators and artifacts directly mentioned in the content include the aliases Agenda and Qilin Ransomware; persona @Haise; the malicious scripts IPScanner.ps1 and logon.bat used in a Qilin intrusion; Sophos detections Troj/Qilin-B, Impact_6a, Lateral_8a, and Troj/Ransom-HDV; the phishing domain cloud.screenconnect[.]com.ms resolving to 186.2.163[.]10 in a Qilin affiliate campaign; use of awstrack[.]me redirects; exfiltration to easyupload.io; and observed association with exploitation of CVE-2026-50751 and CVE-2023-27532 in separate campaigns.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
7 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2026-50751 is a critical vulnerability (CVSS 9.3) in Check Point Remote Access VPN, Mobile Access, and Spark Firewall products using the deprecated IKEv1 key exchange protocol. The flaw is due to a logic error in certificate validation during the IKEv1 handshake that enables unauthenticated attackers to bypass user authentication entirely and initiate VPN connections.
Additionally, the actors downloaded a file named “veeam.exe,” an executable coded to exploit CVE-2023-27532, a vulnerability in the Veeam Cloud Backup service which allows an unauthenticated user to request unencrypted credentials from the local Veeam configuration database.
On June 8th 2026, Check Point Research identified two CVEs (CVE-2026-50751, CVE-2026-50752) which can be abused to bypass Checkpoint VPN Authentication services, allowing threat actors to access network devices and traffic behind the VPN.
Check Point Research has medium confidence that the attacker is affiliated with Qilin as they use the Qilin ransomware toolkit.
"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."
Known Exploited Vulnerabilities: CVE-2024-55591 — Authentication Bypass Vulnerability — Fortinet FortiOS — CVSS 9.8
Known Exploited Vulnerabilities: CVE-2024-21762 — Out-of-Bound Write Vulnerability — Fortinet FortiOS — CVSS 9.8
“ThrottleStop.sys is a legitimate, signed driver… The ThrottleStop vulnerability (CVE-2025-7771) comes from the way the driver handles memory access. Attackers can exploit this to gain control, ultimately leading to disabling security tools.”
Groups observed using it
19 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
According to VX-Underground, DragonForce proposed establishing communication channels with the LockBit and the Qilin group.
Our Threat Hunter Team has separately observed ModeloRAT used in attacks that deployed Qilin ransomware, linking this tool to ransomware deployment.
These RaaS programs include: Akira (Howling Scorpius), ALPHV (Ambitious Scorpius), DragonForce (Slippery Scorpius), Play (Fiddling Scorpius), Qilin (Spikey Scorpius), RansomHub (Spoiled Scorpius)
During a recent investigation of a Qilin ransomware breach, the Sophos X-Ops team identified attacker activity leading to en masse theft of credentials stored in Google Chrome browsers on a subset of the network’s endpoints.
Qilin is a Ransomware-as-a-Service program that has been in operation since 2022, previously operating under the name “Agenda.”
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Further analysis revealed that Fox Tempest expanded its offerings earlier this year by providing customers with pre-configured virtual machines hosted through Cloudzy infrastructure. Users could upload malware to these systems and receive digitally signed binaries generated through certificates controlled by the group.
Initial Access
4 techniques
After intercepting the MFA inputs, the attacker successfully authenticated to the legitimate ScreenConnect Cloud portal using the administrator’s super administrator account.
CVE-2026-50751 allows attackers to establish a Check Point VPN session without valid credentials under certain configurations, effectively giving them a path through the organization’s front door.
Execution
1 technique
Persistence
4 techniques
The actors created an AutoRun entry in the Software registry hive on each infected system to trigger the ransomware execution each time the system was rebooted, and a scheduled task to silently relaunch Qilin at every new logon.
After intercepting the MFA inputs, the attacker successfully authenticated to the legitimate ScreenConnect Cloud portal using the administrator’s super administrator account.
Privilege Escalation
2 techniques
Stealth
3 techniques
... the developers of The Gentlemen systematically reverse-engineer samples of Babuk, Qilin, LockBit 5.0 and Medusa, extracting ... obfuscation techniques (T1027) ...
Defense Impairment
2 techniques
Additionally, they modified various boot options to ensure that the targeted devices would boot into Safe Mode with networking.
Microsoft has announced the disruption of a large-scale malware-signing-as-a-service (MSaaS) operation that exploited its Azure Artifact Signing platform to generate fraudulent code-signing certificates... The group allegedly abused Microsoft's Artifact Signing service to create short-lived digital certificates that allowed malware to appear legitimate to both users and operating systems.
Lateral Movement
1 technique
Command and Control
4 techniques
Check Point Research reported the use of TOX Protocol for communications. They also found that the actor was using a dedicated VPS to orchestrate the attacks...
Shortly after successfully authenticating into the ScreenConnect environment as the super administrator account, the attacker pushed out a new ScreenConnect instance using a file named ‘ru.msi,’ which installed an attacker-managed ScreenConnect instance across several of the MSP’s managed customers.
Exfiltration
3 techniques
...the Qilin ransomware group targeted Synnovis’ internal network and exfiltrated about 394.1 GB of sensitive patient data...
Impact
4 techniques
The ransomware attack took place in June 2024 when the Qilin ransomware group targeted Synnovis’ internal network and exfiltrated about 394.1 GB of sensitive patient data...
Agenda ransomware has some customization options, which include changing the filename extensions of encrypted files and the list of processes and services to terminate.
Using the malicious ScreenConnect instance, the attacker made sure to identify and target backups at multiple customer locations to prevent restoration of services ... SophosLabs analyzed the ransomware binary ... Stop and disable Volume Shadow Copy Service (VSS) service ... Delete shadow copies
IOCs tracked for this family
193 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A ransomware family deployed in attacks where ModeloRAT was observed as part of the intrusion chain.
A ransomware family explicitly linked in the content to attacks where ModeloRAT was used for deployment.
An established ransomware-as-a-service operation cited as the primary lineage for The Gentlemen and part of Hyflock’s claimed operator background. The content states Qilin led Q1 2026 with 338 victims.
A ransomware-as-a-service operation previously used by the affiliate group; later mentioned in connection with a payment dispute and allegations of scamming affiliates.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.