Home/ Threat Actors/ Qilin

🇷🇺Qilin

🇷🇺 Qilin is a tracked threat actor in the Clankerusecase corpus. Attributed to RU. Primary motivation: Criminal. We map 14 detection use cases to this actor across 49 MITRE ATT&CK techniques, with 8 threat-intel articles citing them. Active in our corpus from 2025-12-16 to 2026-06-11.

crit 7high 1

View full actor card → All threat actors

14Use cases

8Articles

49Techniques

10IOCs

Known aliases

QilinAgenda ransomware

Top techniques

T1486 · Data Encrypted for Impact T1003.001 · LSASS Memory T1003 · OS Credential Dumping

All other tracked techniques

T1005 · Data from Local System T1014 · Rootkit T1021.002 · SMB/Windows Admin Shares T1027 · Obfuscated Files or Information T1027.002 · Software Packing T1027.005 · Indicator Removal from Tools T1027.009 · Embedded Payloads T1036.005 · Match Legitimate Resource Name or Location T1037.001 · Logon Script (Windows)T1055 · Process Injection T1059.001 · PowerShell T1059.003 · Windows Command Shell T1059.004 · Unix Shell T1059.005 · Visual Basic T1068 · Exploitation for Privilege Escalation T1070.004 · File Deletion T1071 · Application Layer Protocol T1071.001 · Web Protocols T1071.004 · DNS T1098.001 · Additional Cloud Credentials T1105 · Ingress Tool Transfer T1133 · External Remote Services T1140 · Deobfuscate/Decode Files or Information T1190 · Exploit Public-Facing Application T1195.002 · Compromise Software Supply Chain T1204.001 · Malicious Link T1204.002 · Malicious File T1204.004 · Malicious Copy and Paste T1218 · System Binary Proxy Execution T1219 · Remote Access Tools T1489 · Service Stop T1490 · Inhibit System Recovery T1496 · Resource Hijacking T1528 · Steal Application Access Token T1539 · Steal Web Session Cookie T1543.003 · Windows Service T1555.003 · Credentials from Web Browsers T1562.001 · T1562.001 T1562.004 · T1562.004 T1562.006 · T1562.006 T1562.009 · T1562.009 T1566 · Phishing T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1567.002 · Exfiltration to Cloud Storage T1569.002 · Service Execution

Detection use cases (14)

Qilin (Agenda) safe-mode reboot chain — bcdedit safeboot + forced restart prior to encryption AI · profile SΣDD Qilin (Agenda) inhibit-recovery burst — shadow copy + backup catalog + boot recovery destruction AI · profile SDD Talos weekly prevalent malware hash execution (Coinminer/Injector/Dropper.Miner) Bespoke Talos prevalent malware hash dropped to disk (DeviceFileEvents pivot) Bespoke Talos prevalent malware filename pattern — VID001.exe and d4aa3e70..._N_Exe.exe Bespoke Ransomware-style mass file rename / extension change Internal LSASS process access / dump (credential theft) Internal Remote service execution — PsExec / SMB lateral movement Internal RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard Internal File hash IOCs — endpoint file/process match Internal Article-specific behavioural hunt — A tale of two eras Internal Beaconing — periodic outbound to small set of destinations Internal Network connections to article IPs / domains Internal Asset exposure — vulnerability matches article CVE(s) Internal

Threat-intel articles (8)

high A tale of two eras · 2026-06-11

crit The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm · 2026-06-11

crit Meta Blocks NSO Group's New WhatsApp Phishing Attack, Files Contempt Order · 2026-06-08

crit IT threat evolution in Q1 2026. Mobile statistics · 2026-05-18

crit What the ransom note won’t say · 2026-04-20

crit EDR killers explained: Beyond the drivers · 2026-03-19

crit Protecting education: How MDR can tip the balance in favor of schools · 2026-03-04

crit ESET Threat Report H2 2025 · 2025-12-16

Tracked indicators

IP addresses (10)

144.208.127.155 162.33.177.101 176.120.22.127 209.182.225.136 38.54.107.167 38.54.88.201 38.60.157.139 45.76.26.42 45.77.149.152 66.42.99.200

CVEs (9)

CVE-2024-55591 CVE-2025-32433 CVE-2025-33073 CVE-2026-11645 CVE-2026-20131 CVE-2026-20230 CVE-2026-23479 CVE-2026-50751 CVE-2026-50752