Qilin

Qilin is a ransomware family operated as a ransomware-as-a-service (RaaS) that has been active since at least 2022. It includes variants written in Go and Rust capable of targeting Windows, Linux, and VMware ESXi environments. Qilin shares functionality overlaps with Black Basta, REvil, and BlackCat ransomware. Qilin affiliates have targeted multiple entities worldwide with the majority of victims in the US, France, Canada, and the UK, primarily in the manufacturing, technology, financial services, and healthcare sectors.[1][2][3][4][5]

ID: S1242
Associated Software: Agenda
Type: MALWARE
Platforms: ESXi, Windows, Linux
Contributors: Jiraput Thamsongkrah; Simon Williams
Version: 2.0
Created: 26 September 2025
Last Modified: 23 April 2026

Associated Software Descriptions

Name Description
Agenda [4][1][2][5]

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Qilin can bypass standard user access controls by using stolen tokens to launch processes in an elevated security context.[6]

Enterprise T1134 Access Token Manipulation

Qilin can use an embedded Mimikatz module for token manipulation.[6]

Enterprise T1087 .001 Account Discovery: Local Account

Qilin can list all local users found on a targeted system.[1]

Enterprise T1087 .002 Account Discovery: Domain Account

Qilin can use PowerShell cmdlets to enumerate domain users.[7]

Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

Qilin can use WinSCP for the secure file transfer of the Linux ransomware binary to a targeted system.[5]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Qilin has created a RunOnce autostart entry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*aster = %Public%\enc.exe pointing to a dropped copy of itself in the Public folder (a RunOnce value whose name begins with an asterisk is also executed when Windows starts in Safe Mode).[1][8][7]

Enterprise T1547 .004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Qilin can configure a Winlogon registry entry.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Qilin has been deployed on VMware vCenter and ESXi servers via a custom PowerShell script.[3][6] Qilin has also used PowerShell for discovery in vCenter and Active Directory environments.[7]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Qilin has run cmd /C [PsExec] -accepteula \\IP Address -c -f -h -d -iC:\Users\xxx\<encryptor_1>.exe --password [PASSWORD] --spread --spread-process to execute its encryptor to target multiple network shares.[7]

Enterprise T1486 Data Encrypted for Impact

Qilin can use AES-256 or ChaCha20 for domain-wide encryption of victim servers and workstations and RSA-4096 or RSA-2048 to secure generated encryption keys.[1][2][6][3][8][9][5][7]

Enterprise T1491 .001 Defacement: Internal Defacement

Qilin can set the wallpaper on compromised hosts to display a ransom message in each encrypted folder.[4][5][7]

Enterprise T1678 Delay Execution

Qilin has the ability to delay execution.[5]

Enterprise T1685 Disable or Modify Tools

Qilin can terminate antivirus-related processes and services.[1][2][8][6]

.005 Clear Windows Event Logs

Qilin has the ability to clear Windows Event Logs.[8][4]

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

Qilin has pushed a scheduled task via a Group Policy Object for payload execution.[1][3]

Enterprise T1480 Execution Guardrails

Qilin can require a password to be passed as a command-line argument at execution; the value must match a pre-defined value in its configuration for execution to continue.[6][5]

Enterprise T1480 .002 Execution Guardrails: Mutual Exclusion

Qilin can create a mutex to ensure only one instance is running.[8]

Enterprise T1190 Exploit Public-Facing Application

Qilin has been delivered through exploitation of exposed applications and interfaces including Citrix and RDP.[2]

Enterprise T1083 File and Directory Discovery

Qilin can exclude specific directories and files from encryption.[1][5]

Enterprise T1222 File and Directory Permissions Modification

Qilin can use symbolic links to redirect file paths for remote and local objects and can use chmod +x to make its payload binary executable.[6][7]

Enterprise T1070 .004 Indicator Removal: File Deletion

Qilin can delete itself from infected hosts after execution.[8][4]

Enterprise T1490 Inhibit System Recovery

Qilin can execute vssadmin.exe delete shadows /all /quiet to remove volume shadow copies and can disable High Availability (HA) and Distributed Resource Scheduler (DRS) in vCenter clusters.[1][8][4][7]

Enterprise T1570 Lateral Tool Transfer

Qilin has used PsExec to distribute a second encryptor, named encryptor_1.exe, across the targeted environment.[7]

Enterprise T1680 Local Storage Discovery

Qilin has used GetLogicalDrives() and EnumResourceW() to locate mounted drives and shares.[8]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Qilin has created a scheduled task named TVInstallRestore to mimic TeamViewer.[7]

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Qilin has named its payload file TeamViewer_Host_Setup to disguise itself as a legitimate TeamViewer file.[7]

Enterprise T1112 Modify Registry

Qilin can make Registry modifications to share networked drives between elevated and non-elevated processes and to increase the number of outstanding network requests per client.[8][6] Qilin can also modify HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper to enable posting of ransom messages.[7]

Enterprise T1106 Native API

Qilin can attempt to log on to the local computer via LogonUserW and use GetLogicalDrives() and EnumResourceW() for discovery.[1][8]

Enterprise T1135 Network Share Discovery

Qilin has the ability to list network drives.[1][8]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Qilin can employ several code obfuscation methods, including renaming functions, altering control flows, and encrypting strings.[9]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Qilin can employ an embedded Mimikatz module to dump LSASS memory.[6]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Qilin can run PowerShell cmdlets to discover domain groups.[7]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Qilin has been delivered to victims through malicious email attachments.[2]

Enterprise T1566 .002 Phishing: Spearphishing Link

Qilin has been delivered via malicious links in spearphishing emails.[2][4]

Enterprise T1057 Process Discovery

Qilin can define specific processes to be terminated or left alone at execution.[1][2][8][9][5][7]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Qilin can inject pwndll.dll, a patched version of the legitimate WICloader.dll, into svchost.exe for continuous execution.[1]

Enterprise T1012 Query Registry

Qilin can check the SystemStartOptions value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control to determine whether a machine is running in safe mode.[1]

Enterprise T1219 .002 Remote Access Tools: Remote Desktop Software

Qilin can use the Splashtop remote management service (SRManager.exe) to execute the Linux ransomware binary directly on Windows systems.[5]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Qilin can embed a copy of PsExec within its payload and place it in the %Temp% directory under a randomly generated filename.[6][7]

Enterprise T1021 .004 Remote Services: SSH

Qilin can enable SSH access on ESXi hosts.[7]

Enterprise T1018 Remote System Discovery

Qilin can enumerate domain-connected hosts during its discovery phase.[6][4][7]

Enterprise T1688 Safe Mode Boot

Qilin can reboot targeted systems in safe mode to avoid detection.[1][3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Qilin has pushed scheduled tasks via Group Policy Objects (GPOs) for execution.[3][1] Qilin has also created a scheduled task named TVInstallRestore, configured to run at logon using the /SC ONLOGON argument.[7]

Enterprise T1489 Service Stop

Qilin can terminate specific services on compromised hosts.[1][8][9][7]

Enterprise T1082 System Information Discovery

Qilin can detect whether a system is running FreeBSD, VMkernel (ESXi), Nutanix AHV, or a standard Linux distribution to enable platform-specific encryption behaviors.[5]

Enterprise T1016 System Network Configuration Discovery

Qilin can accept a command-line argument identifying specific IPs.[1]

Enterprise T1007 System Service Discovery

Qilin can identify specific services for termination or to be left running at execution.[1][2][9][7]

Enterprise T1529 System Shutdown/Reboot

Qilin can initiate a reboot of the backup server to hinder recovery.[6]

Enterprise T1204 .001 User Execution: Malicious Link

Qilin has been executed by luring victims into clicking links in spearphishing emails.[2][4]

Enterprise T1204 .002 User Execution: Malicious File

Qilin has been delivered to victims through spearphishing emails with malicious attachments.[2]

Enterprise T1673 Virtual Machine Discovery

Qilin can detect virtual machine environments including ESXi hosts, datacenters, and clusters within vCenter environments.[8][7]

Enterprise T1047 Windows Management Instrumentation

Qilin can use WMIC to change the Volume Shadow Copy Service (VSS) startup type to manual.[7]

Groups That Use This Software

ID Name References
G1036 Moonstone Sleet

Moonstone Sleet has deployed Qilin ransomware.[10]

G1050 Water Galura

Water Galura are the operators of the Qilin RaaS.[3]

References