MOXFIVE Threat Actor Spotlight - Qilin

Every month, we take a look at a current ransomware threat actor.

April 1, 2025

Qilin

Qilin, also known as Agenda, is a Ransomware-as-a-Service (RaaS) group that first emerged in 2022 and remains active through early 2025. Qilin is notable for offering customizable payloads that adapt to both Windows and Linux environments, enabling affiliates to tailor encryption methods to the victim’s infrastructure for maximum impact. Threat actors deploying Qilin ransomware use a double extortion model, both exfiltrating sensitive data and encrypting systems to pressure victims into payment.

The group maintains a TOR-based data leak site, where victims are listed alongside samples of exfiltrated data. Accessing the site requires navigating a queue and completing a CAPTCHA challenge, after which visitors can browse published victim data and preview leaked documents. The screenshot below captures a redacted view of the Qilin leak site interface.

Figure 1: Qilin data leak site.

Key Highlights

Targeted Industries: In Q1 2025, threat actors deploying Qilin ransomware impacted organizations across most industries. In the United States, attacks were particularly concentrated in Manufacturing & Production, Professional Services, Technology, and Healthcare.

Global Insights: Campaigns involving Qilin ransomware have been observed across the globe, with most reported attacks occurring in the United States. Additional activity spans Canada, Japan, Denmark, Spain, and several other countries where only a limited number of incidents have been reported.

Initial Access: MOXFIVE has primarily observed threat actors deploying Qilin ransomware gaining initial access through compromised VPN (remote access) credentials, particularly in environments lacking multi-factor authentication (MFA). Qilin has also been delivered through phishing campaigns, typically using malicious attachments or embedded links to initiate malware execution.

Notable Leveraged Exploits: Threat actors leveraging Qilin ransomware have exploited known vulnerabilities to support initial access, lateral movement, and privilege escalation:

Tooling and Execution: Qilin-affiliated threat actors have been observed using a variety of tools and techniques during intrusions:

These tools are typically introduced post-access to facilitate network traversal, data collection, and ransomware deployment.

Ransomware Payment Demands: MOXFIVE has observed Qilin ransomware demands ranging from $300,000 to $2 million, depending on the profile and size of the targeted organization. The highest known ransom demand recorded in a Qilin case was $50 million, demonstrating the capacity for aggressive extortion when targeting high-impact environments.

If you would like to know more or need assistance with incident response efforts, please contact us at 833-568-6695 or email our team at incident@moxfive.com.