- Qilin affiliates leveraged leaked administrative credentials from the dark web to gain initial access through VPN interfaces.
- Infrastructure used to host fake CAPTCHA pages for phishing attacks.
- Spear-phishing and ClickFix-style fake CAPTCHA pages used to deliver information stealers for credential harvesting.
- RDP connections performed to domain controller and breached endpoints following initial access.
- Target system accessed via RDP connections.
- Attackers conducted system reconnaissance to map the infrastructure.
- Network discovery actions performed to map the infrastructure.
- Credential harvesting from various applications using multiple tools including Mimikatz.
- Used to clear Windows event logs, enable SeDebugPrivilege, extract Chrome passwords, recover credentials from previous logons, and harvest RDP, SSH, and Citrix credentials.
- Tool executed to facilitate credential harvesting from web browsers.
- Tool executed to facilitate credential harvesting.
- Tool executed to facilitate credential harvesting from various applications.
- Data exfiltrated to external SMTP server using Visual Basic Script.
- Threat actor used mspaint.exe, notepad.exe, and iexplore.exe to inspect files for sensitive information.
- Used to inspect files for sensitive information.
- Used to inspect files for sensitive information.
- Used to inspect files for sensitive information.
- Cyberduck used to transfer files of interest to a remote server while obscuring malicious activity.
- Legitimate tool used to transfer files of interest to a remote server while obscuring malicious activity.
- Stolen credentials used to enable privilege escalation.
- Multiple RMM tools installed using elevated access, including AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, QuickAssist, and ScreenConnect.
- RMM tool installed using elevated access for remote access and command execution.
- RMM tool installed using elevated access.
- RMM tool installed using elevated access.
- RMM tool installed using elevated access.
- RMM tool installed using elevated access.
- RMM tool installed using elevated access for command execution and discovery.
- PowerShell commands executed to disable AMSI and turn off TLS certificate validation.
- Used to disable AMSI, turn off TLS certificate validation, and enable Restricted Admin.
- Tools dark-kill and HRSword used to terminate security software.
- Tool used to terminate security software.
- Tool used to terminate security software.
- Deployed on host for persistent remote access.
- Deployed on host for persistent remote access.
- Qilin ransomware encrypts files and drops a ransom note in each encrypted folder.
- Ransomware that encrypts files and drops ransom notes in encrypted folders.
- Event logs wiped before ransomware deployment.
- All shadow copies maintained by the Windows Volume Shadow Copy Service deleted.
- Linux ransomware variant deployed on Windows systems to provide cross-platform capability.
- BYOVD technique using the eskle.sys driver to disable security solutions, terminate processes, and evade detection.
- Vulnerable driver used in the BYOVD attack to disable security solutions, terminate processes, and evade detection.
- Remote monitoring and management platform used to install AnyDesk.
- Specialized credential extraction tools used to target Veeam backup infrastructure and harvest credentials from multiple backup databases.
- Backup infrastructure targeted for credential harvesting to compromise disaster recovery capabilities.
- SOCKS proxy DLL deployed to facilitate remote access and command execution.
- ScreenConnect used to execute discovery commands and run network scanning tools to identify lateral movement targets.
- PuTTY SSH clients deployed to facilitate lateral movement to Linux systems.
- SSH client used to facilitate lateral movement to Linux systems.
- Backdoor used with SOCKS proxy instances to obfuscate command-and-control traffic.
- WinSCP used for secure file transfer of the Linux ransomware binary to a Windows system.
- Used for secure file transfer of the Linux ransomware binary to a Windows system.
- Splashtop Remote management service used to execute the Linux ransomware binary directly on Windows systems.
- Management service (SRManager.exe) used to execute the Linux ransomware binary directly on Windows systems.
- Hyperconverged infrastructure platform targeted by updated ransomware samples.
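As an added defender-side example, not code from the report or from any vendor tooling, the check below runs over constructed process-creation records (Sysmon event 1 / Security 4688 style) and flags the defense-evasion steps listed above: shadow copy deletion, event log clearing, AMSI tampering and TLS certificate validation being turned off. It then reports hosts showing the log-wipe plus shadow-copy-deletion pair that the report places immediately before ransomware deployment. The rule patterns, host names and sample command lines are assumptions constructed for the example.

```python
import re

# Indicator patterns for the evasion steps above (assumed, standard strings; not from the report).
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event_log_cleared", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I)),
    ("amsi_tampering", re.compile(r"amsiutils|amsiinitfailed|amsiscanbuffer", re.I)),
    ("tls_validation_disabled", re.compile(r"ServerCertificateValidationCallback|SkipCertificateCheck", re.I)),
]

# Constructed sample records; "..." stands for omitted script content, not real data.
SAMPLE_EVENTS = [
    {"host": "WS07", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS07", "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS07", "cmdline": "wevtutil.exe cl System"},
    {"host": "DC01", "cmdline": 'powershell.exe -nop -c "[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}"'},
    {"host": "DC01", "cmdline": 'powershell.exe -w hidden -c "...AmsiUtils...amsiInitFailed..."'},
    {"host": "FS02", "cmdline": "svchost.exe -k netsvcs -p"},  # benign, should not fire
]


def detect(events):
    """Return one hit per (event, rule) match, preserving input order."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "rule": name, "cmdline": ev["cmdline"]})
    return hits


def pre_encryption_hosts(hits):
    """Hosts where both event log clearing and shadow copy deletion were seen,
    the combination the report describes right before Qilin encryption."""
    seen = {}
    for h in hits:
        seen.setdefault(h["host"], set()).add(h["rule"])
    return sorted(host for host, rules in seen.items()
                  if {"event_log_cleared", "shadow_copy_deletion"} <= rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["host"]:5} {h["rule"]:24} {h["cmdline"]}')
    print("pre-encryption pattern on:", pre_encryption_hosts(found))
```

In production the records would come from the SIEM rather than the inline list, and each hit should be correlated with the RMM installs and driver loads listed above rather than alerted on in isolation.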
The Qilin ransomware group, also known as Agenda, Gold Feather, and Water Galura, has been actively targeting organizations since July 2022, with over 84 victims per month in August and September 2025.