✅ Report Title: Quick Overview of Qilin Ransomware
✅ Executive Summary:
- Qilin ransomware has been active since at least May 2022. Its name originates from the Chinese mythical creature “Qilin (麒麟),” but the group communicates in Russian on cybercrime forums, suggesting a likely origin in Russia.
- Qilin operates under a Ransomware-as-a-Service (RaaS) model, providing tooling to affiliates who conduct intrusions while the core group handles ransom negotiations.
- The group is known to specifically target healthcare services, prompting the U.S. Department of Health and Human Services (HHS) to publish a profiling report.
- It drew significant attention after attacks on major National Health Service (NHS) hospitals in London, United Kingdom.
- In August and September 2025, attacks against South Korean organizations noticeably increased.
📌 Key Characteristics of Qilin Ransomware
(Darkweb Profile)
- The user @Haise has been active on the RAMP forum since May 2022 and promoted Qilin’s RaaS program in February 2023.
- Since January 2023, a user under the alias @XORacle has appeared on forums including XSS, CryptBB, and Exploit.
- From March 2025, the user @QilinRansom has been active on BreachForums.
(Affiliates)
- Security researcher Bushidotoken noted overlaps between Qilin’s leak-site victims and those of BlackCat and Conti.
- Pistachio Tempest (DEV-0237/FIN12), an affiliate known to use Conti and BlackCat, experimented with Agenda ransomware in June 2022—suggesting a possible affiliate relationship with Qilin.
- Additional links have been proposed with BlackMatter, REvil, BlackBasta, BlackCat, and Akira.
- Microsoft reported that the North Korea–backed threat group Moonstone Sleet deployed Qilin ransomware.
- Sophos tracks a group dubbed STAC4365 distributing Qilin via phishing emails spoofing ScreenConnect authentication alerts.
(Cooperation)
- Security research group VX-Underground mentioned an alliance among LockBit, Qilin, and DragonForce.
📌 Malware, Tools, Vulnerabilities, and TTPs Used in Qilin Campaigns
- Malware: Qilin Ransomware, SmokeLoader, NETXLOADER
- Tools: Evilginx2, PsExec, NetExec, WinRM, ScreenConnect, WinRAR
- Vulnerabilities: CVE-2023-27532, CVE-2024-21762, CVE-2024-55591
- TTPs: T1566.002 (Phishing: Spearphishing Link), T1133 (External Remote Services), T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1204.002 (User Execution: Malicious File), among others
📌 Recent Qilin-Related Activity
| Date | Details |
|---|---|
| 2025-09-18 | Three records involving South Korean financial firms uploaded to Qilin's leak site |
| 2025-09-15 | Ten records involving South Korean financial firms uploaded to the leak site |
| 2025-08-21 | A record involving South Korean construction company DAOR E&C uploaded to the leak site |
| 2025-08-18 | A record involving South Korean Financial Group added to Qilin's leak site |
| 2025-06-06 | Prodaft disclosed a case in which Qilin exploited a FortiGate vulnerability |
| 2025-05-07 | Trend Micro published details of a Qilin campaign using SmokeLoader and NETXLOADER |
| 2025-04-11 | A post involving South Korean S* Group appeared on Qilin's leak site |
| 2025-04-01 | Sophos revealed a phishing campaign disguised as ScreenConnect alerts, attributed to group STAC4365, used to distribute Qilin ransomware |
| 2025-03-07 | Microsoft reported that Moonstone Sleet, a threat group backed by North Korea, had used Qilin ransomware |
| 2024-10-24 | Halcyon identified a new variant named Qilin.B |
| 2024-08-22 | Sophos published a report on Qilin’s use of scripts for stealing Chrome credentials |
| 2024-06-18 | HHS released a profiling report on Qilin |
| 2023-12-03 | Linux variant of Qilin ransomware discovered |
| 2023-06-26 | Qilin announced changes to its affiliate payment system |
| 2023-05-15 | Group-IB revealed technical details about Qilin’s affiliate panel |
| 2023-02-13 | Qilin RaaS program promoted on the RAMP forum |
| 2022-05-29 | The user @Haise registered on the RAMP forum |
🧑‍💻 Report Author: S2W TALON
👉 Contact us: https://s2w.inc/en/contact
*The full report is available upon request and for QUAXAR subscribers.