Qilin

Qilin ransomware is a Ransomware-as-a-Service (RaaS) that has been active since at least 2022, with versions written in Golang and Rust that are capable of targeting Windows or VMware ESXi devices. Qilin's functionality overlaps with Black Basta, REvil, and BlackCat ransomware, and its RaaS affiliates have been observed targeting multiple sectors worldwide, including healthcare and education in Asia, Europe, and Africa. [1][2][3][4]

ID: S1242
Associated Software: Agenda
Type: MALWARE
Platforms: ESXi, Windows
Contributors: Simon Williams; Jiraput Thamsongkrah
Version: 1.0
Created: 26 September 2025
Last Modified: 23 October 2025

Associated Software Descriptions

Name: Agenda [4][1][2]

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Qilin can bypass standard user access controls by using stolen tokens to launch processes at an elevated security context.[5]

Enterprise T1134 Access Token Manipulation

Qilin can use an embedded Mimikatz module for token manipulation.[5]

Enterprise T1087 .001 Account Discovery: Local Account

Qilin can list all local users found on a targeted system.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Qilin has created a RunOnce autostart entry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*aster = %Public%\enc.exe pointing to a dropped copy of itself in the Public folder.[1][6]

.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Qilin can configure a Winlogon registry entry.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Qilin has been deployed on VMware vCenter and ESXi servers via custom PowerShell script.[3][5]

Enterprise T1486 Data Encrypted for Impact

Qilin can use AES-256 or ChaCha20 for domain-wide encryption of victim servers and workstations and RSA-4096 or RSA-2048 to secure generated encryption keys.[1][2][5][3][6][7]

Enterprise T1491 .001 Defacement: Internal Defacement

Qilin can set the wallpaper on compromised hosts to display a ransom message.[4]

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

Qilin has pushed a scheduled task via a Group Policy Object for payload execution.[1][3]

Enterprise T1480 Execution Guardrails

Qilin can require a specific password to be passed as a command-line argument at execution; the value must match a pre-defined value in its configuration for execution to continue.[5]

.002 Mutual Exclusion

Qilin can create a mutex to ensure only one instance is running.[6]

Enterprise T1190 Exploit Public-Facing Application

Qilin has been delivered through exploitation of exposed applications and interfaces including Citrix and RDP.[2]

Enterprise T1083 File and Directory Discovery

Qilin can exclude specific directories and files from encryption.[1]

Enterprise T1222 File and Directory Permissions Modification

Qilin can use symbolic links to redirect file paths for both remote and local objects.[5]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Qilin can terminate antivirus-related processes and services.[1][2][6][5]

.009 Impair Defenses: Safe Mode Boot

Qilin can reboot targeted systems in safe mode to help avoid detection.[1][3]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Qilin has the ability to clear Windows Event Logs.[6][4]

.004 Indicator Removal: File Deletion

Qilin can delete itself from infected hosts after execution.[6][4]

Enterprise T1490 Inhibit System Recovery

Qilin can execute vssadmin.exe delete shadows /all /quiet to remove volume shadow copies.[1][6][4]

Enterprise T1680 Local Storage Discovery

Qilin has used GetLogicalDrives() and EnumResourceW() to locate mounted drives and shares.[6]

Enterprise T1112 Modify Registry

Qilin can make Registry modifications to share networked drives between elevated and non-elevated processes and to increase the number of outstanding network requests per client.[6][5]

Enterprise T1106 Native API

Qilin can attempt to log on to the local computer via LogonUserW and use GetLogicalDrives() and EnumResourceW() for discovery.[1][6]

Enterprise T1135 Network Share Discovery

Qilin has the ability to list network drives.[1][6]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Qilin can employ several code obfuscation methods, including renaming functions, altering control flows, and encrypting strings.[7]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Qilin can employ an embedded Mimikatz module to dump LSASS memory.[5]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Qilin has been delivered to victims through malicious email attachments.[2]

.002 Phishing: Spearphishing Link

Qilin has been delivered via malicious links in spearphishing emails.[2][4]

Enterprise T1057 Process Discovery

Qilin can define specific processes to be terminated or left alone at execution.[1][2][6][7]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Qilin can inject pwndll.dll, a patched DLL from the legitimate DLL WICloader.dll, into svchost.exe for continuous execution.[1]

Enterprise T1012 Query Registry

Qilin can check HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SystemStartOptions to determine if a machine is running in safe mode.[1]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Qilin can embed a copy of PsExec within its payload and place it in the %Temp% directory under a randomly generated filename.[5]

Enterprise T1018 Remote System Discovery

Qilin can enumerate domain-connected hosts during its discovery phase.[5][4]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Qilin has pushed scheduled tasks via GPO for execution.[3][1]

Enterprise T1489 Service Stop

Qilin can terminate specific services on compromised hosts.[1][6][7]

Enterprise T1016 System Network Configuration Discovery

Qilin can accept a command line argument identifying specific IPs.[1]

Enterprise T1007 System Service Discovery

Qilin can identify specific services for termination or to be left running at execution.[1][2][7]

Enterprise T1529 System Shutdown/Reboot

Qilin can initiate a reboot of the backup server to hinder recovery.[5]

Enterprise T1204 .001 User Execution: Malicious Link

Qilin has been executed by luring victims into clicking links in spearphishing emails.[2][4]

.002 User Execution: Malicious File

Qilin has been delivered to victims through spearphishing emails with malicious attachments.[2]

Enterprise T1673 Virtual Machine Discovery

Qilin can detect virtual machine environments.[6]

Groups That Use This Software

ID Name References
G1036 Moonstone Sleet

Moonstone Sleet has deployed Qilin ransomware.[8]

G1050 Water Galura

Water Galura are the operators of the Qilin RaaS.[3]
