Qilin is a mature RaaS group that disrupts organizations by leveraging cross-platform ransomware, credential theft, and the abuse of legitimate remote management tools, making it a critical and persistent threat to manufacturing, technology, financial, and healthcare sectors worldwide. Their advanced tactics, including dual-encryptors and strategic targeting, have led to major breaches and operational shutdowns across several global industries.
Overview
Qilin, also known as Agenda, is a Ransomware-as-a-Service (RaaS) operation that has evolved into one of the most disruptive ransomware families in active circulation. The group’s affiliates employ cross-platform techniques that enable Linux ransomware binaries to execute on Windows hosts through legitimate remote management and file-transfer tools such as Splashtop, ScreenConnect, and ATERA. This approach bypasses endpoint protection that monitors only native Windows binaries, enabling stealthy propagation across hybrid environments. Qilin operators frequently deploy dual encryptors to accelerate network-wide encryption and abuse Bring-Your-Own-Vulnerable-Driver (BYOVD) attacks to disable endpoint defenses. They also target backup infrastructure, particularly Veeam systems, to extract credentials, delete recovery snapshots, and prevent restoration. By combining credential theft, data destruction, and hybrid-platform compromise into a single attack chain, these capabilities make Qilin a critical threat to enterprise resilience. Real-world incidents, including the confirmed breach of Nissan’s Creative Box design studio, demonstrate that Qilin’s operations are mature, opportunistic, and financially motivated, with a persistent focus on manufacturing, technology, financial, and healthcare sectors worldwide.
Key Findings:
Qilin affiliates deploy Linux ransomware binaries on Windows systems via legitimate tools such as Splashtop, ScreenConnect, and ATERA, bypassing traditional endpoint defenses and spreading across hybrid infrastructures.
The group steals credentials from memory, browsers, and Veeam databases using tools such as mimikatz.exe and SharpDecryptPwd.exe, enabling domain-wide compromise and deletion of recovery snapshots.
Affiliates use Bring-Your-Own-Vulnerable-Driver techniques with drivers such as eskle[.]sys to disable antivirus and EDR tools, achieving kernel-level privileges before executing dual encryptors.
Targeting has consistently focused on the industrial, manufacturing, and technology sectors, with confirmed incidents at Nissan Creative Box and Asahi Group Holdings involving large-scale data theft and operational disruption.
Immediate Action: Enforce multifactor authentication on remote services, isolate and secure backup infrastructure, restrict use of administrative tools, and monitor for unsigned driver loads or PowerShell-based credential harvesting.
1.0 Threat Overview
1.1 Historical Context
Qilin, originally known as Agenda, emerged in mid-2022 as a Ransomware-as-a-Service (RaaS) platform designed for affiliate-driven operations. Early versions were written in Go and targeted Windows environments, using customized payloads with configurable encryption routines and victim-specific extensions. By late 2023, the group expanded to include Linux variants capable of encrypting VMware ESXi hosts, signaling a shift toward enterprise virtualization targets. In 2024, researchers identified a major update, Qilin.B, developed in Rust with improved encryption strength, better evasion of security tools, and more aggressive disruption of recovery mechanisms. Throughout 2025, Qilin’s affiliates demonstrated increased operational maturity, maintaining a pace of more than forty disclosed victims per month across the United States, Canada, France, Germany, and the United Kingdom. Recent campaigns have showcased advanced tactics such as cross-platform execution of Linux binaries on Windows systems, abuse of legitimate IT management tools for deployment, and targeted credential theft from backup and virtualization infrastructure.
1.2 Threat Actor Profile
Qilin Ransomware Threat Profile
Emergence
Mid-2022. Qilin, also known as Agenda, first appeared as a Go-based ransomware targeting Windows systems, later expanding into cross-platform operations.
Attribution
Moderate confidence in Russian-speaking operators. Evidence includes Cyrillic encodings, Windows-1251 character sets, and behavioral overlaps with other Eastern European RaaS ecosystems.
Associated Malware
Qilin (Agenda) ransomware variants: Agenda (Go), Qilin.B (Rust), and Linux encryptors for ESXi and Nutanix AHV. Supporting tools include mimikatz[.]exe, SharpDecryptPwd[.]exe, PsExec[.]exe, WinRAR[.]exe, Cyberduck[.]exe, and socks64[.]dll.
Target Sectors
Manufacturing, technology, financial services, scientific research, and healthcare sectors across the United States, Canada, Western Europe, and Japan.
Common Tactics
Credential theft, brute-force intrusion, and exploitation of remote services (VPN/RDP). Use of BYOVD with eskle[.]sys for privilege escalation and data exfiltration via Cyberduck. Dual encryptors (encryptor_1[.]exe, encryptor_2[.]exe) for lateral encryption, and execution of Linux binaries on Windows through Splashtop and WSL.
Notable Incident
In October 2025, Qilin claimed responsibility for the ransomware attack against Asahi Group Holdings, Japan's largest brewery. The attack disrupted production at six facilities and reportedly caused losses exceeding $35 million, with 27 GB of exfiltrated data later leaked online.
1.3 Operational Tactics and Capabilities
Qilin’s operational maturity is reflected in the repeatable structure of its campaigns. The group relies on affiliate participation and modular tooling that supports initial access, privilege escalation, data theft, and encryption at scale. Its methods are optimized for speed, persistence, and stealth rather than zero-day exploitation. Each phase of the attack chain is supported by legitimate software and native OS utilities that blend into administrative workflows. These operations reveal Qilin’s focus on flexibility and reliability. Affiliates adapt the tooling to different enterprise environments but preserve a consistent emphasis on hybrid execution, recovery inhibition, and credential-driven expansion.
2.0 Attack Methodology
Qilin Ransomware Attack Lifecycle
Initial Access
Phase 1
Most Qilin intrusions begin with compromised or brute-forced credentials against remote services. Affiliates routinely acquire leaked VPN or RDP credentials from underground marketplaces or reuse data obtained from prior breaches. Once inside the environment, they establish persistence through exposed VPN appliances or by enabling Remote Desktop Protocol on administrative systems that lack multifactor authentication.
Key Techniques
Compromised VPN and RDP credentials from underground markets
Fake CAPTCHA phishing pages on Cloudflare R2 infrastructure
Credential stuffing against remote access services
Privilege Escalation
Phase 2
After achieving entry, Qilin operators elevate privileges through Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques, most notably by loading eskle[.]sys, a repurposed driver originally developed for gaming software. This driver is leveraged to disable endpoint defenses, terminate antivirus processes, and gain kernel-level control.
Key Techniques
BYOVD exploitation using eskle[.]sys driver
Creation of administrative accounts (e.g., "Supportt")
Registry modification for command execution on reboot
Credential Access
Phase 3
Credential theft plays a central role in Qilin's lateral movement strategy. Affiliates execute PowerShell commands to modify the WDigest registry setting, forcing Windows to store plaintext passwords in memory. In more advanced operations, attackers directly query Veeam backup SQL databases to retrieve stored administrative credentials.
Key Techniques
WDigest registry modification for plaintext password storage
Direct queries against Veeam backup SQL databases for stored administrative credentials
Lateral Movement
Phase 4
With administrative credentials in hand, Qilin operators expand laterally using legitimate remote access software. Commonly observed tools include Splashtop Remote, ScreenConnect, AnyDesk, and ATERA, which provide attackers with persistent GUI or command-line access to multiple systems under the guise of routine maintenance.
Key Techniques
Deployment of RMM tools: Splashtop, ScreenConnect, AnyDesk, ATERA
PsExec[.]exe for remote binary execution
Symbolic link manipulation via fsutil[.]exe
Exploitation of Windows built-in utilities
Data Exfiltration
Phase 5
Before encrypting any files, Qilin affiliates exfiltrate sensitive information to strengthen their position in extortion. Data is compressed using WinRAR[.]exe with specific command-line flags to exclude system directories and minimize noise. The resulting archives are uploaded via Cyberduck[.]exe to legitimate cloud storage services, most commonly Backblaze or Dropbox.
Key Techniques
WinRAR[.]exe compression with optimized flags
Cyberduck[.]exe uploads to Backblaze or Dropbox
Multipart uploads for large datasets
Targeting financial docs, credentials, IP, and contracts
Encryption and Impact
Phase 6
Once exfiltration is complete, the group initiates the encryption phase using dual payloads—encryptor_1[.]exe and encryptor_2[.]exe. Prior to encryption, the malware stops critical services including backup, SQL, and EDR processes, and deletes Volume Shadow Copies to prevent recovery. Encryption is accompanied by operational disruptions to production systems.
The Asahi attack (October 2025) demonstrated Qilin’s ability to disrupt large-scale production environments. The group exfiltrated roughly 27 GB of data across 9,300 files, including financial statements, employee IDs, and contract documents. Asahi confirmed production halts at six breweries, reporting potential losses exceeding $335 million. The Nissan Creative Box breach (August 2025) similarly focused on intellectual property, resulting in the theft of 4 TB of design assets, internal financial records, and 3D vehicle models, which were later showcased as proof-of-compromise on Qilin’s leak site.
These incidents show that Qilin’s affiliates deliberately target industrial organizations with high restoration costs and brand sensitivity, thereby exerting maximum leverage during ransom negotiations.
Qilin Ransomware Geographic Targeting
Qilin maintains a truly global footprint, but several regions exhibit particularly high activity:
North America
United States, Canada
The United States remains Qilin's most heavily targeted country, followed by Canada. Affiliates focus on critical infrastructure, construction, and healthcare entities.
Primary Targets
Critical infrastructure operators
Construction and engineering firms
Healthcare providers and hospital systems
Manufacturing and industrial facilities
Europe
United Kingdom, France, Germany
The United Kingdom, France, and Germany collectively account for a significant portion of reported victims. Campaigns in this region often emphasize professional and scientific service firms with large data repositories.
Primary Targets
Professional services firms with extensive client data
Scientific research institutions and laboratories
Organizations with large intellectual property repositories
Technology and engineering consultancies
Asia-Pacific
Japan (Strategic Expansion in 2025)
2025 marked a strategic expansion into Japan, highlighted by attacks on Nissan Creative Box Inc. and Asahi Group Holdings, both emblematic of industrial and manufacturing precision targets.
Primary Targets
Industrial manufacturers and precision engineering firms
Large-scale production facilities
Automotive industry suppliers and OEMs
Food and beverage manufacturing conglomerates
Notable 2025 Attacks
Nissan Creative Box Inc. - Automotive manufacturing disruption
Asahi Group Holdings - Japan's largest brewery, $35M+ losses, 27GB exfiltrated
3.2 Sectoral Targeting Trends
Qilin’s target selection emphasizes supply chain interdependencies, choosing victims whose operations impact downstream entities. This approach mirrors tactics seen in late-2024 attacks against logistics providers and industrial manufacturers, in which downtime at one company triggered broader sectoral disruptions.
Qilin Ransomware Target Sectors
While Qilin's victims span over a dozen industries, several sectors are repeatedly impacted:
Manufacturing
≈23%
Primary focus area, with consistent targeting of production plants, automotive suppliers, and industrial engineering firms.
Why This Sector?
High operational disruption costs and time-sensitive production schedules
Complex supply chain dependencies increase pressure to pay
Often rely on legacy systems with weaker security controls
Critical just-in-time manufacturing makes downtime extremely costly
Together, these traits underline Qilin’s transition from a regional ransomware collective to a globalized, enterprise-level threat actor. The alignment of tactics, tooling, and targeting across affiliates reflects a disciplined, scalable model—one that now poses a sustained risk to industrial and hybrid IT environments worldwide.
Qilin Ransomware Operational Playbook
Across its global operations, Qilin maintains a disciplined technical and procedural playbook:
Consistent Tooling
All known affiliates employ the same core utilities—Cyberduck[.]exe, WinRAR[.]exe, and PsExec[.]exe—for staging, compression, and lateral movement. Encryption payloads (encryptor_1[.]exe, encryptor_2[.]exe) and ransom note templates remain uniform across incidents.
Core Toolkit
Cyberduck[.]exe - Data exfiltration to cloud storage
WinRAR[.]exe - Archive compression with specific flags
PsExec[.]exe - Remote execution and lateral movement
The group increasingly deploys Linux encryptors in Windows environments via Splashtop Remote or Windows Subsystem for Linux (WSL), enabling simultaneous disruption of both host and virtualized systems.
Multi-Platform Capabilities
Linux encryptors executed on Windows hosts via WSL
Splashtop Remote used for cross-platform deployment
Targets both host operating systems and virtualized infrastructure
ESXi and Nutanix AHV encryptors for hypervisor attacks
Simultaneous encryption of Windows and Linux environments
Infrastructure Centralization
Ransom notes, Tor portals, and leak site formatting share identical syntax, login structures, and portal design, suggesting centralized infrastructure and possibly automated publication pipelines.
Centralized Infrastructure Indicators
Identical ransom note syntax and formatting across all incidents
Uniform Tor portal login structures and authentication flows
Consistent leak site design and publication methodology
Standardized victim negotiation interfaces
Evidence of automated data publication pipelines
Affiliate Homogeneity
Differences among affiliates appear primarily in targeting, indicating tight developer control and standardized operating procedures within the RaaS ecosystem.
RaaS Control Indicators
Minimal variation in technical execution across affiliates
Consistent TTPs despite different geographic targeting
Standardized training or operational manuals suggested
Tight developer oversight of affiliate operations
Uniform compliance with centralized RaaS procedures
The Qilin ransomware operation represents a high-impact, multi-vector threat that endangers both critical infrastructure and enterprise continuity. Its affiliates exploit weak authentication, poor segmentation, and trusted administrative tools to blend seamlessly into legitimate traffic, making early detection unlikely. Once initial access is established, the group’s methodical credential harvesting and privilege escalation grant domain-wide control, enabling it to disable security systems and erase recovery mechanisms. The dual-encryptor structure of encryptor_1[.]exe and encryptor_2[.]exe enables simultaneous encryption of endpoints, network shares, and virtualized assets, resulting in a full-environment compromise within hours. Organizations lacking strict egress filtering or behavioral monitoring face additional exposure from pre-encryption data theft, which gives Qilin the leverage to extort even if decryption keys are never delivered.
Beyond immediate operational disruption, Qilin’s campaigns pose strategic and reputational risks that extend far beyond ransom payment. The theft of proprietary data creates enduring exposure that competitors, cyber-criminal marketplaces, and nation-state collectors can exploit. Victims also face prolonged downtime, supply-chain interruptions, and regulatory scrutiny tied to data privacy obligations. The group’s consistent targeting of manufacturing, scientific, and healthcare sectors further amplifies societal risk by undermining production and public welfare services. As Qilin continues to refine cross-platform payloads and affiliate tooling, its threat profile remains aligned with top-tier ransomware actors capable of inflicting enterprise-scale damage across global industries.
6.0 Recommendations for Mitigation
6.1 Strengthen Core Security Controls
Enforce multifactor authentication on all remote services and disable unnecessary VPN or RDP exposure to block Qilin’s primary entry vectors.
Patch network appliances, enforce lockout policies, and restrict administrative access to approved geographies.
Maintain isolated, immutable backups disconnected from the production domain and verify recovery integrity regularly.
6.2 Restrict and Monitor Dual-Use Administrative Tools
Qilin affiliates depend on legitimate tools like PsExec[.]exe, WinRAR[.]exe, and Cyberduck[.]exe for lateral movement and exfiltration.
Apply application control policies to limit who can run these utilities and from where.
Correlate their execution with network telemetry to flag unauthorized compression or data transfer activity.
6.3 Detect and Disrupt Credential Harvesting
Enable Credential Guard and disable WDigest credential caching through registry configuration.
Alert on PowerShell scripts containing encoded commands or credential-dumping behavior.
Block execution of tools such as mimikatz.exe and SharpDecryptPwd.exe through allowlists or endpoint protection rules.
These measures prevent credential theft and privilege escalation within compromised environments.
6.4 Harden and Isolate Backup Infrastructure
Segment backup servers onto dedicated subnets with no inbound connections from production systems.
Use unique, non-domain service accounts for backup software and enforce multifactor authentication on all backup consoles.
Enable immutability or object-lock on repositories to prevent deletion or modification of stored data.
Audit access logs and database queries to credential tables and alert on unauthorized activity.
6.5 Monitor Cross-Platform and Driver Abuse
Inventory and approve all remote monitoring and management tools, including Splashtop, ScreenConnect, ATERA, and AnyDesk.
Alert on new agent installations or remote sessions occurring outside maintenance windows.
Detect and block unsigned or newly added drivers, such as eskle.sys, rwdrv.sys, and hlpdrv.sys.
Review service creation logs to identify abnormal driver or persistence activity.
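One way to turn the checks in 6.3 and 6.5 into a repeatable host audit, as an added example that is not part of the original report: the script assumes an elevated PowerShell session on the host under review, a hypothetical function name Invoke-QilinHardeningAudit, an illustrative seven-day lookback, and an RMM name pattern built from the tools the report lists; the driver names are the ones named above.

```powershell
# Added example (not from the original report): audits one Windows host for the
# weaknesses described in sections 6.3 and 6.5. Run from an elevated PowerShell session.
# Assumptions: driver names come from the report; the RMM pattern and lookback window
# are illustrative and should be aligned with the local approved-tool inventory.
function Invoke-QilinHardeningAudit {
    param([int]$LookbackDays = 7)
    $findings = New-Object System.Collections.Generic.List[string]

    # 6.3 WDigest: UseLogonCredential = 1 makes LSASS keep plaintext passwords in memory.
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $ulc = (Get-ItemProperty -Path $wdigest -ErrorAction SilentlyContinue).UseLogonCredential
    if ($ulc -eq 1) {
        $findings.Add("WDigest UseLogonCredential=1: plaintext credential caching enabled")
        # Remediation (uncomment to enforce): explicitly set the value to 0.
        # Set-ItemProperty -Path $wdigest -Name UseLogonCredential -Type DWord -Value 0
    }

    # 6.3 Credential Guard: SecurityServicesRunning contains 1 when it is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg -or $dg.SecurityServicesRunning -notcontains 1) {
        $findings.Add("Credential Guard is not running")
    }

    # 6.5 Service creation log: kernel-mode driver services registered recently (Event ID 7045).
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $xml = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ServiceType'] -match 'kernel mode driver') {
            $findings.Add("New kernel driver service '$($data['ServiceName'])' -> $($data['ImagePath']) ($($evt.TimeCreated))")
        }
    }

    # 6.5 Loaded drivers: names called out in the report, plus files without a valid signature.
    $reportedDrivers = @('eskle.sys', 'rwdrv.sys', 'hlpdrv.sys')
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $drv.PathName) { continue }
        # Normalise NT-style paths (\??\C:\... and \SystemRoot\...) to Win32 paths.
        $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        $leaf = [IO.Path]::GetFileName($path)
        if ($reportedDrivers -contains $leaf.ToLower()) {
            $findings.Add("Driver named in Qilin reporting present: $path")
        }
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            # Catalog-signed inbox drivers may report NotSigned on some builds; treat as triage input.
            if ($sig.Status -ne 'Valid') {
                $findings.Add("Driver without valid Authenticode signature ($($sig.Status)): $path")
            }
        }
    }

    # 6.5 RMM inventory: services matching the tools the report lists; compare against the approved set.
    Get-Service | Where-Object { $_.DisplayName -match 'Splashtop|ScreenConnect|AnyDesk|Atera' } |
        ForEach-Object { $findings.Add("RMM service present: $($_.DisplayName) [$($_.Status)]") }

    return $findings
}

Invoke-QilinHardeningAudit | ForEach-Object { Write-Output $_ }
```

Every finding is a triage lead rather than a verdict: an RMM service on a host the IT inventory lists is expected, while the same service on a host outside the maintenance window is the case section 6.5 asks to alert on.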
7.0 Hunter Insights
Future cyber threats are likely to resemble the Qilin ransomware operation, with increasing prevalence of hybrid-platform attacks that seamlessly blend Linux and Windows payloads, making traditional endpoint defenses far less effective. As ransomware groups continue to leverage legitimate remote management tools, cross-platform binaries, and BYOVD techniques to bypass detection and mitigation, the lines between IT administration and attacker activity will blur even further, complicating both prevention and forensic response. This evolution signals a future where ransomware operators standardize their modular tooling for automated credential theft, rapid data exfiltration, and sabotage of recovery infrastructure, ensuring maximum operational disruption and negotiation leverage.
As ransomware-to-extortion pipelines mature, enterprise environments will face not only accelerated lateral spread and deeper credential compromise, but also a shift toward larger-scale, industrial-scale targeting—often enabled by weak segmentation, supply-chain interdependencies, and insufficient egress monitoring. Sectors with high restoration costs, regulatory sensitivity, and production dependencies, such as manufacturing, scientific research, and healthcare, are projected to remain top-tier targets, facing cascading risks from both immediate downtime and long-term strategic data theft. Organizations must anticipate the continued industrialization and automation of ransomware and adopt proactive controls, including forced MFA, aggressive monitoring of dual-use tools, and immutable, network-isolated backups to withstand the next generation of sophisticated, credential-driven attacks.
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.