Full Report
The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the number of postings on its data leak site touching a high of 100 cases in June. The development comes as the ransomware-as-a-service (RaaS) operation has emerged as one of the most active ransomware groups, accounting for
Analysis Summary
# Threat Actor: Qilin
## Attribution & Identity
**Actor Identification:** Ransomware group operating as a Ransomware-as-a-Service (RaaS) operation.
**Known Aliases and Associated Groups:** Agenda, Gold Feather, Water Galura.
## Activity Summary
Qilin has emerged as one of the most active ransomware groups, claiming over 40 victims per month since the start of 2025 (excluding January) and peaking at 100 claims on its data leak site in June 2025. In August and September 2025, Qilin affiliates accounted for 84 victim listings each month. The group has been active since approximately July 2022. It has recently been observed deploying its Linux ransomware variant on Windows systems in combination with a Bring Your Own Vulnerable Driver (BYOVD) technique.
## Tactics, Techniques & Procedures
- **Initial Access:** Likely authenticated to a VPN interface using leaked administrative credentials available on the dark web, then connected over RDP to the domain controller and the breached endpoint.
- **Reconnaissance & Discovery:** Performed system reconnaissance and network discovery to map infrastructure.
- **Credential Harvesting:** Executed tools such as Mimikatz, WebBrowserPassView.exe, BypassCredGuard.exe, and SharpDecryptPwd to harvest credentials from process memory, browsers, and other applications.
- **Data Exfiltration:** Exfiltrated stolen data to an external SMTP server using a Visual Basic Script.
- **Defense Evasion/Security Software Disablement:**
- Executed PowerShell commands to disable AMSI, turn off TLS certificate validation, and enable RDP Restricted Admin mode (which allows RDP authentication with an NTLM hash instead of a password, i.e. pass-the-hash over RDP).
- Ran tools like `dark-kill` and `HRSword` to terminate security software.
- **Persistence:** Deployed Cobalt Strike and SystemBC for persistent remote access.
- **Privilege Escalation/Lateral Movement:** Stolen credentials were used for privilege escalation and lateral movement, often involving the installation of multiple Remote Monitoring and Management (RMM) tools (AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, QuickAssist, ScreenConnect).
- **File Inspection:** Used legitimate executables (`mspaint.exe`, `notepad.exe`, `iexplore.exe`) to inspect files for sensitive information.
- **Data Staging/Exfiltration:** Utilized the legitimate tool Cyberduck to transfer files of interest to a remote server while obscuring malicious activity.
- **Final Stage Payload:** Launched the Qilin ransomware encryption module. Immediately before encryption, cleared the Windows event logs and deleted all Volume Shadow Copies (VSS) to hinder forensics and recovery.
- **Hybrid Attack Technique:** Observed deploying the Linux ransomware variant on Windows systems, using a BYOVD technique (loading a legitimately signed but vulnerable driver to gain kernel-level access, typically in order to disable endpoint protection).
- **Ransomware Execution:** Abused legitimate tools such as AnyDesk (delivered via the Atera Networks RMM platform) and ScreenConnect for command execution, and used Splashtop to execute the final ransomware payload.
## Targeting
- **Sectors:** Manufacturing (23%), Professional and Scientific Services (18%), and Wholesale Trade (10%).
- **Geography:** U.S., Canada, U.K., France, and Germany are the most impacted countries.
- **Victims:** Not specified by name in the summary.
## Tools & Infrastructure
- **Malware Families Used:** Qilin Ransomware (including Linux variant), Cobalt Strike, SystemBC.
- **Tools Used (Legitimate/Stolen):** Mimikatz, WebBrowserPassView.exe, BypassCredGuard.exe, SharpDecryptPwd, Visual Basic Script, Cyberduck, AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, QuickAssist, ScreenConnect, Splashtop, dark-kill, HRSword, Atera Networks RMM platform.
- **Infrastructure (C2, domains, IPs):** External SMTP server used for exfiltration. (No specific C2/domain/IPs provided in the text snippet).
## Implications
Qilin is a rapidly scaling and highly active RaaS operation in 2025. It combines established credential-harvesting tooling with evasion techniques such as BYOVD and heavy use of legitimate IT tools (RMM platforms, file-transfer clients, built-in Windows binaries) to blend in, maintain persistence, and execute the final payload. Deploying its Linux encryptor on Windows hosts shows that the affiliates adapt their tooling across operating systems rather than relying on a single platform-specific build.
## Mitigations
- Monitor for unusual execution of legitimate system binaries (`mspaint.exe`, `notepad.exe`, `iexplore.exe`) from interactive RDP or RMM sessions, and for the credential-harvesting tools listed above (Mimikatz, WebBrowserPassView, BypassCredGuard, SharpDecryptPwd).
- Enable PowerShell Script Block Logging (Event ID 4104) and alert on script content that disables AMSI, turns off TLS certificate validation, or enables RDP Restricted Admin mode; alert likewise on shadow copy deletion (`vssadmin delete shadows`) and event log clearing (`wevtutil cl`), which the group performs immediately before encryption.
- Enforce multi-factor authentication on VPN and RDP access, rotate any credentials known to have appeared in leaks, and restrict RDP to jump hosts rather than exposing it broadly to VPN users.
- Harden against BYOVD: the drivers abused are legitimately signed, so checking signature status alone does not help. Enforce Microsoft's vulnerable driver blocklist (via HVCI/memory integrity or a WDAC policy) and alert on kernel driver loads that match known-vulnerable driver hashes.
- Maintain an inventory of sanctioned RMM tools, block installation of unsanctioned ones (AnyDesk, ScreenConnect, Splashtop, and the others listed above), and alert when multiple RMM products appear on a single host or when they connect outbound to unknown infrastructure.
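The mitigations above call for alerting when several RMM tools appear on one host. As an added example that is not from the original report, the following Python correlation rule flags hosts where two or more distinct unsanctioned RMM products launch within a time window, while ignoring a sanctioned corporate agent so it does not count toward the threshold. The image-name-to-product mapping, the `ProcEvent` layout and the sample events are assumptions constructed for illustration; GoToDesk and Distant Desktop are omitted because the report gives no binary names for them.

```python
"""Correlation rule for RMM tool sprawl on a single host.
Added example; the image map and the events are constructed/assumed, not from the report."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Image name -> product. Illustrative mapping (assumed); build the real one from your
# software inventory. GoToDesk and Distant Desktop are omitted (no binary names in the report).
RMM_IMAGES = {
    "anydesk.exe": "AnyDesk",
    "remoting_host.exe": "Chrome Remote Desktop",
    "quickassist.exe": "Quick Assist",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "srservice.exe": "Splashtop",
    "srserver.exe": "Splashtop",
    "ateraagent.exe": "Atera",
}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    ts: datetime
    image: str   # full path of the created process (Sysmon Event ID 1 Image field, assumed)


def rmm_product(image):
    """Map a process image path to an RMM product name, or None if it is not an RMM binary."""
    return RMM_IMAGES.get(image.replace("/", "\\").rsplit("\\", 1)[-1].lower())


def rmm_sprawl(events, window=timedelta(hours=24), sanctioned=frozenset(), min_products=2):
    """Return {host: set(products)} for hosts with >= min_products distinct unsanctioned
    RMM products launched inside any window-long interval. Sanctioned products are
    ignored so the corporate RMM agent does not trip the rule on its own."""
    per_host = defaultdict(list)
    for e in events:
        product = rmm_product(e.image)
        if product and product not in sanctioned:
            per_host[e.host].append((e.ts, product))

    alerts = {}
    for host, seen in per_host.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            # all distinct products seen in [start, start + window]
            products = {p for t, p in seen[i:] if t - start <= window}
            if len(products) >= min_products:
                alerts[host] = products
                break
    return alerts


D = datetime  # shorthand for the constructed sample below

# Constructed sample telemetry (not real logs). Paths are illustrative.
SAMPLE_EVENTS = [
    ProcEvent("fs01", D(2025, 9, 3, 9, 0),   r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"),
    ProcEvent("fs01", D(2025, 9, 3, 9, 15),  r"C:\Users\admin\AppData\Roaming\AnyDesk\AnyDesk.exe"),
    ProcEvent("fs01", D(2025, 9, 3, 10, 40), r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"),
    ProcEvent("fs01", D(2025, 9, 3, 11, 5),  r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"),
    ProcEvent("ws07", D(2025, 9, 3, 8, 0),   r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),   # single tool: helpdesk use
    ProcEvent("ws08", D(2025, 9, 1, 8, 0),   r"C:\Windows\System32\quickassist.exe"),
    ProcEvent("ws08", D(2025, 9, 3, 8, 0),   r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),   # 48h later: outside 24h window
]

if __name__ == "__main__":
    for host, products in rmm_sprawl(SAMPLE_EVENTS, sanctioned=frozenset({"Atera"})).items():
        print(f"{host}: {sorted(products)}")
```

The window and threshold are the tuning knobs: the report describes affiliates stacking several RMM tools on the same host during one intrusion, so a 24-hour window with a threshold of two catches that pattern while a single helpdesk-installed AnyDesk on `ws07` stays quiet. Widen the window if your environment's intrusions play out more slowly, and treat the sanctioned set as an exact inventory rather than a guess.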