TA2026155
Threat Advisory • Attack Report
Qilin ransomware (aka Agenda, Water Galura, Phantom Mantis, Gold Feather) remains the world's most active ransomware operation, holding the top global ranking for three consecutive quarters through Q1 2026 with over 1,800 cumulative victims, a matured triple-extortion model combining DDoS and a "Call Lawyer" negotiation feature, and demonstrated pre-disclosure exploitation of CVE-2025-31324.
Advisory ID: TA2026155A1
Aliases: Qilin, Agenda, Water Galura, Phantom Mantis, Gold Feather
CVEs: CVE-2025-31324, CVE-2024-21762, CVE-2024-55591, CVE-2023-27532
Section 01
First active in July 2022, Qilin ransomware — also tracked as Agenda, Water Galura, Phantom Mantis, and Gold Feather — has emerged as the world's most active ransomware operation, holding the top global ranking for three consecutive quarters through Q1 2026. Qilin ransomware recorded over 330 leak-site victims in a single quarter, a figure exceeding the combined output of the bottom fifty ransomware groups, and a cumulative count exceeding 1,800 victims by late May 2026. Qilin ransomware targets Windows, Linux, and VMware ESXi environments across nearly every industry vertical — including Business Services & Consulting, Manufacturing, Healthcare, Retail, Financial Services, Legal, Real Estate, Technology, Government, Education, Hospitality, Transportation, Food Service, Agriculture, Insurance, Media, Associations, Energy, and Charitable Organizations — on a global scale, with the notable exception of CIS countries.
Qilin ransomware has matured into a fully developed triple-extortion model that layers distributed denial-of-service (DDoS) pressure and a "Call Lawyer" negotiation feature on top of traditional file encryption and data-leak threats. Qilin ransomware affiliates have also demonstrated zero-day exploitation capability, weaponizing the SAP NetWeaver Visual Composer vulnerability CVE-2025-31324 roughly three weeks before public disclosure. Despite the July 2025 departure of top affiliate "Hastalamuerte" — who launched the rival ransomware-as-a-service (RaaS) brand The Gentlemen — and the FBI's January 2026 seizure of the RAMP underground forum, Qilin ransomware has continued absorbing displaced affiliates from disrupted operations such as BlackSuit and 8Base, cementing Qilin ransomware's position as the dominant global ransomware threat heading into the remainder of 2026.
Section 02
| CVE ID | Vulnerability | Affected Product |
|---|---|---|
| CVE-2024-55591 | Fortinet FortiOS Authorization Bypass Vulnerability | Fortinet FortiOS |
| CVE-2024-21762 | Fortinet FortiOS SSL-VPN Out-of-Bounds Write Vulnerability | Fortinet FortiOS |
| CVE-2023-27532 | Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability | Veeam Backup & Replication Cloud Connect |
| CVE-2025-31324 | SAP NetWeaver Unrestricted File Upload Vulnerability (exploited as a zero-day) | SAP NetWeaver Visual Composer |
Qilin ransomware has solidified its position as the most active ransomware operation in the world, holding the top global ranking for three consecutive quarters through Q1 2026 with over 330 leak-site victims in a single quarter and a cumulative count exceeding 1,800 by late May 2026. This dominance reflects a broader consolidation of the ransomware ecosystem, in which the top ten groups now claim roughly 71% of all victims — a sharp reversal from the fragmented landscape of 2025. Qilin ransomware has been the principal beneficiary of this consolidation, absorbing displaced affiliates following the disruption of BlackSuit, 8Base, and weakened mid-tier operators, while maintaining operational consistency in negotiations and decryption to preserve its standing across the affiliate economy. Recent confirmed Qilin ransomware victims listed on its Tor leak site span dozens of organizations worldwide, including clinicamaitenes.cl and novajoy.com, among more than forty other publicly disclosed breaches.
A significant structural event occurred in July 2025 when "Hastalamuerte," Qilin's most prolific affiliate and a veteran operator previously associated with Embargo, LockBit, and Medusa, departed the program following a public payment dispute on the RAMP underground forum. Hastalamuerte subsequently launched The Gentlemen as an independent RaaS brand, taking with him an inventory of approximately 14,700 pre-compromised FortiGate devices and roughly 20 experienced operators. Despite this loss, Qilin ransomware has retained its market position by continuing to recruit displaced affiliates from disrupted programs and refining its locker tooling, demonstrating the resilience of Qilin's core infrastructure and brand reputation.
Qilin ransomware's extortion model has matured from double-extortion into a fully developed triple-extortion framework. In addition to file encryption and data leakage, Qilin affiliates now routinely deploy DDoS attacks against a victim's remaining infrastructure to sustain operational pressure during negotiations. The Qilin negotiation panel has also been enhanced with a "Call Lawyer" feature that connects victims directly with legal consultants positioned to push for rapid settlement, exploiting regulatory disclosure pressure and legal liability concerns as additional coercion levers. These developments mark a deliberate shift toward professionalized, multi-vector extortion rather than pure ransomware deployment.
Affiliate operations have been disrupted by significant law-enforcement actions affecting the broader Russian-speaking ransomware ecosystem. The RAMP underground forum, historically Qilin's primary recruitment and coordination platform, was seized by the FBI in January 2026, with affiliate activity migrating to ReHub and other successor platforms. While these actions have introduced friction, Qilin ransomware's affiliate inflow has continued largely uninterrupted, with new affiliates onboarding through successor forums and private referral channels.
Qilin ransomware operators have refined their evasion tradecraft with increasing adoption of Windows Subsystem for Linux (WSL) to execute components from a Linux runtime context on Windows hosts, a technique that deliberately evades endpoint detection tools lacking WSL visibility. Initial access has also expanded to include exploitation of zero-day and known vulnerabilities in public-facing applications, notably the pre-disclosure exploitation of CVE-2025-31324 in SAP NetWeaver Visual Composer, alongside CVE-2024-21762 and CVE-2024-55591 in Fortinet FortiOS and CVE-2023-27532 in Veeam Backup & Replication Cloud Connect. Qilin affiliates have also expanded credential-harvesting capabilities, particularly Chrome credential-extraction routines that target browser-stored credentials for SaaS platforms, Outlook Web Access (OWA), and Microsoft 365, enabling rapid pivot from on-premises compromise to cloud and email environments.
Lateral movement in Qilin ransomware attacks has been streamlined through the embedded deployment of a signed Sysinternals PsExec binary contained directly within the Qilin encryptor itself. Once initial reconnaissance via PowerShell Active Directory enumeration (Get-ADComputer, Test-Connection) identifies domain-joined hosts, the embedded PsExec binary is dropped to disk and used to push the Qilin ransomware payload to every reachable system using harvested credentials. This embedded deployment model reduces dependence on external tool transfer, shortens the dwell-to-encryption window, and complicates detection that relies on identifying standalone admin-tool downloads.
Given Qilin ransomware's sustained dominance, professionalized affiliate management, triple-extortion model, and continued tradecraft evolution, organizations should treat Qilin as a top-tier threat through 2026. Defensive priorities should now include extending EDR coverage to WSL environments, monitoring for embedded PsExec execution patterns originating from non-administrative source processes, deploying behavioral detection over signature-based controls given Qilin's heavy use of signed binaries and living-off-the-land techniques, segmenting Active Directory and VMware ESXi management networks, and reviewing incident response playbooks to account for DDoS pressure and legal-channel coercion during active Qilin ransomware negotiations.
Section 03
Prioritize timely patching of FortiGate appliances (CVE-2024-21762, CVE-2024-55591), SAP NetWeaver Visual Composer (CVE-2025-31324), Veeam Backup & Replication (CVE-2023-27532), and all exposed VPN, RDP, and remote-access infrastructure. Qilin affiliates rely heavily on exploitation of edge-facing CVEs and stolen credentials for initial access, and have demonstrated capability to exploit zero-day vulnerabilities prior to public disclosure.
Apply hardware-based or FIDO2 MFA across VPNs, RDP gateways, OWA/Microsoft 365, and all privileged accounts. Qilin affiliates routinely reuse credentials harvested from infostealer logs and Chrome credential extraction, and unprotected remote-access services remain the most exploited initial access vector.
Treat Domain Controllers as the crown jewel of the Qilin ransomware kill chain, since the group's embedded PsExec deployment relies on AD-joined host enumeration via Get-ADComputer and Test-Connection. Restrict interactive and network logons on DCs, monitor for unusual ADMIN$ writes, abnormal RPC-launched binaries, and bulk PowerShell Active Directory enumeration originating from non-administrative source hosts.
Qilin affiliates leverage Windows Subsystem for Linux (WSL) and legitimate remote management tools like AnyDesk, ScreenConnect, and Splashtop to deploy Linux ransomware variants on Windows hosts, deliberately evading endpoint detection tools that lack WSL or cross-platform visibility. Ensure EDR platforms have explicit WSL telemetry coverage, restrict remote management utilities to approved administrators, and correlate endpoint and network telemetry for faster detection of cross-platform lateral movement.
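The detection priorities listed above (bulk Active Directory enumeration from non-administrative hosts, ADMIN$ writes and PSEXESVC service installs from the embedded PsExec push, and WSL launched by an unexpected parent) can be expressed as a handful of event-level rules. The following is an added example written for this page, not tooling from the advisory's vendor or from any EDR product. It runs over a constructed, simplified JSON rendering of Windows Security, PowerShell script-block and Sysmon events; the field names (`Computer`, `SourceHost`, `AccessList`, `Channel`) and the `ADMIN_HOSTS` / `WSL_ALLOWED_PARENTS` allowlists are assumptions to be mapped onto your own SIEM schema.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed allowlists (assumptions): hosts from which admin activity is expected,
# and parent processes that legitimately launch WSL in this hypothetical estate.
ADMIN_HOSTS = {"ADMIN-JUMP01", "SCCM01"}
WSL_ALLOWED_PARENTS = {"explorer.exe", "windowsterminal.exe", "code.exe"}
WSL_IMAGES = {"wsl.exe", "bash.exe", "wslhost.exe"}
# The two cmdlets the advisory names for pre-PsExec host discovery.
AD_ENUM_RE = re.compile(r"\b(Get-ADComputer|Test-Connection)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return the alerts a single event triggers (empty list if none)."""
    alerts = []
    eid = ev.get("EventID")
    host = ev.get("Computer", "")
    src = ev.get("SourceHost", host)

    # System 7045 (service installed): PsExec registers PSEXESVC on the target.
    if eid == 7045:
        if ev.get("ServiceName", "").upper() == "PSEXESVC" or "psexesvc" in ev.get("ImagePath", "").lower():
            alerts.append(Alert("psexec_service_install", host, ev.get("ImagePath", "")))

    # Security 5145 (share object access): PsExec writes its service binary to ADMIN$.
    elif eid == 5145:
        share = ev.get("ShareName", "").upper()
        writes = "WriteData" in ev.get("AccessList", "")
        if share.endswith("ADMIN$") and writes and src.upper() not in ADMIN_HOSTS:
            alerts.append(Alert("admin_share_write_from_non_admin_host", host,
                                f"{src} wrote {ev.get('RelativeTargetName', '?')}"))

    # PowerShell 4104 (script block logging): AD host enumeration from a workstation.
    elif eid == 4104:
        text = ev.get("ScriptBlockText", "")
        if AD_ENUM_RE.search(text) and host.upper() not in ADMIN_HOSTS:
            alerts.append(Alert("ad_enum_from_non_admin_host", host, text[:80]))

    # Sysmon 1 (process creation): WSL started by a parent outside the allowlist.
    elif eid == 1 and ev.get("Channel") == "Sysmon":
        image, parent = _basename(ev.get("Image", "")), _basename(ev.get("ParentImage", ""))
        if image in WSL_IMAGES and parent not in WSL_ALLOWED_PARENTS:
            alerts.append(Alert("wsl_from_unusual_parent", host, f"{parent} -> {image}"))
    return alerts


def scan(events) -> list:
    return [a for ev in events for a in check_event(ev)]


def summarize(alerts) -> dict:
    """Alert count per rule, for a quick triage view."""
    return dict(Counter(a.rule for a in alerts))


# Constructed sample events: a workstation enumerates AD, pushes PSEXESVC to DC01,
# and launches WSL from a dropper, next to benign look-alikes from admin hosts.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS-FIN-07",
     "ScriptBlockText": "Get-ADComputer -Filter * | ForEach-Object { Test-Connection $_.Name -Count 1 -Quiet }"},
    {"EventID": 4104, "Computer": "ADMIN-JUMP01",
     "ScriptBlockText": "Get-ADComputer -Filter * | Select-Object Name"},
    {"EventID": 5145, "Computer": "DC01", "SourceHost": "WS-FIN-07", "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "PSEXESVC.exe", "AccessList": "WriteData, AppendData"},
    {"EventID": 7045, "Computer": "DC01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 1, "Channel": "Sysmon", "Computer": "WS-FIN-07",
     "Image": "C:\\Windows\\System32\\wsl.exe",
     "ParentImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"},
    {"EventID": 1, "Channel": "Sysmon", "Computer": "DEV-05",
     "Image": "C:\\Windows\\System32\\wsl.exe",
     "ParentImage": "C:\\Program Files\\WindowsApps\\Terminal\\WindowsTerminal.exe"},
    {"EventID": 5145, "Computer": "DC01", "SourceHost": "ADMIN-JUMP01", "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "patch.msi", "AccessList": "WriteData"},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.rule:40} {a.host:14} {a.detail}")
    print(summarize(found))
```

The allowlist approach is the point: each rule fires on activity that is normal from a jump host and abnormal from a finance workstation, which is what "originating from non-administrative source hosts" means in practice. Corroborating the three PsExec-related rules on the same source host within a short window is the highest-confidence signal; the WSL rule stands on its own and only works if the EDR forwards Sysmon (or equivalent) process-creation telemetry for WSL binaries.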
Regularly back up critical data and systems, and store copies securely offline. Test restoration processes to ensure backup integrity and availability. In the event of a Qilin ransomware attack, up-to-date backups enable recovery without paying the ransom.
Qilin ransomware's negotiation playbook now includes DDoS attacks and lawyer-mediated settlement pressure in addition to data leakage. Update incident response playbooks to account for these vectors, pre-coordinate with DDoS mitigation providers, brief legal and communications teams on regulatory disclosure pressure tactics, and rehearse decision-making under multi-vector coercion scenarios.
Section 04
| Type | Value |
|---|---|
| IPv4 | 68[.]65[.]122[.]246, 104[.]21[.]63[.]167, 184[.]174[.]96[.]74, 184[.]174[.]96[.]67, 180[.]131[.]145[.]73, 88[.]119[.]174[.]107, 177[.]54[.]223[.]24, 176[.]113[.]115[.]209, 176[.]113[.]115[.]97, 188[.]119[.]66[.]189, 31[.]41[.]244[.]100, 85[.]209[.]11[.]49 |
| SHA256 | a51c8fcde0bcc9fe8273f99c8b23e63ca4cd0f66b22cadd0bcb0f3adb0fa05fa, a4e3f6633f3ececd39f0ba8c9644962bb0dd677ee0ecf22a99986d5c80e34bd7, 1306a6b3d73cd4dde97dc3d6407ae783a91c5f312ae77e5cf88674fc99c7caf0, e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb3705773888c22527, d7e4bb95401a19f9bf7ca280a4e743229998494790ab129b31b2a6c1cebebec7, 93c16c11ffca4ede29338eac53ca9f7c4fbcf68b8ea85ea5ae91a9e00dc77f01, 54ff98956c3a0a3bc03a5f43d2c801ebcc1255bed644c78bad55d7f7beebd294, 9e1f8165ca3265ef0ff2d479370518a5f3f4467cd31a7b4b006011621a2dd752, e4882b8e8e414e983cf003a5c4038043002a004b63c4f0844a15268332597e80, 117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464, 555964b2fed3cced4c75a383dd4b3cf02776dae224f4848dcc03510b1de4dbf4, 0629cd5e187174cb69f3489675f8c84cc0236f11f200be384ed6c1a9aa1ce7a1, bf9fc34ef4734520a1f65c1ec0a91b563bf002ac63982cbd2df10791493e9147, cd27a31e618fe93df37603e5ece3352a91f27671ee73bdc8ce9ad793cad72a0f, 37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6, 8e1eb0ad22236e325387fdb45aea63f318a672c5d035a21d7b3a64eeafb4c5a2, aa0772fc6784799d59649654879c2b4a23919cda410bede0162751e6d6d6b558, ebb2a1b46a13c308ffe62dda4d9da316d550433707b2c2a38ad710ea4456c608, ceed9fdce420c0558e56bb705664d59f67d62c12d7356ca8643908261638b256, 5e9fc42cf65e1a87e953d00cb2755d3b5b00c1414259534c3a85742295bb6ff9, a25097d2ae808df410c2f35d725a500fb680f38605e62c9e3b619e389ef6733f, c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40, 411b2ed12df1ace6559d3ea666c672617ce23e2ace06806bb53c55bcccb83303 |
| MD5 | 64ca549e78ad1bd3a4bd2834b0f81080, eb6fff4ee0f03ae5191f11570ff221c5, 923c5af6fd29158b757fb876979d250b, 31edb01d243e8d989eb7e5aeeeef54dc, a7ab0969bf6641cd0c7228ae95f6d217, 417ad60624345ef85e648038e18902ab, e01776ec67b9f1ae780c3e24ecc4bf06, 63b89a42c39b2b56aae433712f96f619, d0a711e4a51891ddf00f704d508b1ef2, 14dec91fdcaab96f51382a43adb84016, 88bb86494cb9411a9692f9c8e67ed32c, 470d0261d18ed69990ce94f05d940de1, d67303ba66bcb4dd89de87c83f3f831f, 440810b008eed766f085b69b1723f54b, 6b7eeb860917aa44982d8bd2d971aff1, a42d36f1af2c396e645ffa356fa47a1e, e1d41939dc4cc4116cc3439a01cfb666, 1410b418a078559581725d14fa389cdd, 08a2405cd32f044a69737e77454ee2da, 0d68a310f4265821900249bec89364c2, 11d795baafa44b73766e850d13b8e254, 144183a4217ae0914ba0c865858d07cd, 19ff6488a259d750ec18902fe75a713b, 1bde76f3197123dcc2ecd0bfef567484, 1c4bea81c0da22badd9b7eab574c51cd, 2020979e080d7ac9c0403172573c7de8, 24a8fcd08d9e40d32929b57de9b15385, 2bb209ccfc5103eccab523c875050cfa, 2f76a29d4e4292d7f29a29345717812c, 37155f0bca29ccd6b6d4f5b2bc42eb4d, 3b10127e65fa3e215d21e0a2e7fd32be, 420a2c53386678396f972f09cc7f3a5c, 4a3f22021e4415e8211633fb3735a046, 4ea8adecc5bd45a76cc61430c560924f, 53c8a4f0497929de4a5039b2c14bf426, 575b26c1cc06609722f98e2beaed6a8a, 5862f9fc9c9a0d766eba29eb4945f619, 59d756280b06cf113ca43abc0050edd5, 5cffa3126b9effc279d32b2cf4ef2278, 64a590760fdbb84356544cc90ac3d50f, 670fe8faaede4e2e033311fb662d2a4a, 6f893b1cc5cf534c59eabe932c1bf21e, 6fc6164b3a08669992acad3764fb1922, 826a8e8c05983aa3a884d7abcfa473ac, 88630916b0c6633ca28c8896416a93ee, 8ca5c9745e8a0e18167a9b932821645a, 964c13b68dc6b6b918b66a9a10469d2a, 996c394d0f6d6967df9542c52f6f4661, 9befad1d56d2bd8195813aea1f37f921, 9ea321b6a0f069caab7092cfe1cbbde0, 9f510626c7327a7c2328bc5131726638, a6302fdb63e2244c1246a73a7d65d09e, a7e7d00d531cb7ca27d0f3bee448573f, ab05a1925fee8334a2114811d5283364, b04e8ee43aba85fa5c585b9335c953c2, b4a6152514919a637c22a58bea316fc7, bed0f34673cc93560c17e3ab04ea5d19, d1c331c17ddd4abe0d53755461c1ec9a, d309e3d77ed6a336eb3ad263ddf9db90, d6e7547ad7dfd1fbc62e8282aebcc391, dd42c3e017889c107a81da78d87dc8af, e4c1add9f7606e3fa57976b908b4b375, ea1f8794c73b26724314e5356f1f4128, f588802958c35fe18eb87bc36651a3d1, f982da00c547913fd0ae7d0da0fc77e7, fdc6848dad660414bed9ad1b381cf6e3, 3158a3849ea2695d6ec5aea6512fd030, 348b0ce6af4698061678c8e92b4b2675 |
| SHA1 | 493ff413528f752c5fce3ceabd89d2ab37397b86, c2dfbf554e068195ecc40bebd0617ce09ad65784, 6b3e3ff0495d39c85eca41f336bfd5ff92c97412, 05f60fc706754b317ffc7839a2b0490f7cd6f71d, 002971b6d178698bf7930b5b89c201750d80a07e, e18e6f975ef8fce97790fb8ae583caad1ec7d5b3, 3ef805009f8694e78699932563c09ac3b6bc08a5, 50927809fa3f1ec408d7a1715a714831f41160db, d9ea05933353d1f32b18696877a3396140022f03, a85d9d2a3913011cd282abc7d9711b2346c23899, 82f8060575de96dc4edc4f7b02ec31ba7637fa03, 890581fca724935118606a4d92dbc206f9eff04c, 34bfe0c8aa61f90ca03b7e80271d5a8afae0be4b, 9692644974071cd484455e355f8d79ce8c486e20, d4e3a066e1c1a21e3d44f2ef81a94aec42f5df11, 5914e976598ece1a271a60615a17420319a77812, 6e35dfdf0d09a0313a33fcc6c77f4fe00a79b9dc, 081cd6c242d472db9148fd0ce33346f7a3e87ac2 |
| Domains | cloudflariz[.]com, cloudflariz[.]com/comm.php, cloudflariz[.]com/auload.php |
| URLs | hxxp[:]//184[.]174[.]96[.]74/rs64c[.]exe, hxxps[:]//88[.]119[.]174[.]107[:]22443/file[.]ext |
| File Names | hosts.exe, dato.exe, dato.lnk, vvvivyyl.exe, rs64c.exe, decryptor_399060b2.exe, enc.exe, update.exe, inter.exe, BackupsFrst.exe1, 99.dll, 31edb01d243e8d989eb7e5aeeeef54dc.virus |
| File Paths | C:\Users\[USER]\AppData\Local\Temp\vvvivyyl.exe, C:\ProgramData\[Unique ID]_crypt.exe, C:\ProgramData\svchost[.]exe |
| Ransom Note Filename | README-RECOVER-[rand].txt, README-RECOVER-[rand]_2.txt, [Unique ID]-RECOVER-README.txt |
| Tor Leak Site | ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion |
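The indicators above are published defanged (`[.]`, `[:]`, `hxxp`), so they cannot be pasted straight into a search. The following is an added example, not a tool from the advisory's vendor, that refangs a subset of the table rows into normalized sets and sweeps them over a few constructed DNS, proxy and EDR log lines; the log formats and hostnames (`WS-FIN-07`, `10.0.5.23`) are made up for the illustration, while the indicator values are taken from the table. The same code handles the full rows, and entries with a path (`cloudflariz[.]com/comm.php`) are matched on their host, which is the wider and more useful net for DNS and proxy telemetry.

```python
import re
from urllib.parse import urlsplit

# Subset of the advisory's IOC rows, defanged exactly as published.
RAW_IOCS = {
    "IPv4": "68[.]65[.]122[.]246, 104[.]21[.]63[.]167, 184[.]174[.]96[.]74, 88[.]119[.]174[.]107",
    "Domains": "cloudflariz[.]com, cloudflariz[.]com/comm.php, cloudflariz[.]com/auload.php",
    "URLs": "hxxp[:]//184[.]174[.]96[.]74/rs64c[.]exe, hxxps[:]//88[.]119[.]174[.]107[:]22443/file[.]ext",
    "MD5": "64ca549e78ad1bd3a4bd2834b0f81080, eb6fff4ee0f03ae5191f11570ff221c5",
    "SHA256": "a51c8fcde0bcc9fe8273f99c8b23e63ca4cd0f66b22cadd0bcb0f3adb0fa05fa",
    "Tor Leak Site": "ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion",
}


def refang(value: str) -> str:
    """Undo publication defanging: [.] -> ., [:] -> :, leading hxxp -> http; lowercase."""
    v = value.strip().replace("[.]", ".").replace("[:]", ":")
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v.lower()


def build_indicator_set(raw: dict) -> dict:
    """Group refanged indicators into lookup sets keyed by the type a log field yields."""
    ind = {"ip": set(), "host": set(), "url": set(), "hash": set()}
    for kind, row in raw.items():
        for item in (refang(x) for x in row.split(",") if x.strip()):
            if kind == "IPv4":
                ind["ip"].add(item)
            elif kind in ("MD5", "SHA1", "SHA256"):
                ind["hash"].add(item)
            elif kind == "URLs":
                ind["url"].add(item)
            else:  # Domains / Tor Leak Site: keep the host, drop any path component
                ind["host"].add(item.partition("/")[0])
    return ind


# Candidate extractors for free-text log lines.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.IGNORECASE)
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)


def match_line(line: str, ind: dict) -> list:
    """Return sorted (type, value) pairs for every indicator present in one log line."""
    hits = set()
    for ip in IP_RE.findall(line):
        if ip in ind["ip"]:
            hits.add(("ip", ip))
    for url in URL_RE.findall(line):
        u = url.lower().rstrip(".,;")
        if u in ind["url"]:
            hits.add(("url", u))
        if urlsplit(u).hostname in ind["host"]:
            hits.add(("host", urlsplit(u).hostname))
    for host in HOST_RE.findall(line):
        if host.lower() in ind["host"]:
            hits.add(("host", host.lower()))
    for digest in HASH_RE.findall(line):
        if digest.lower() in ind["hash"]:
            hits.add(("hash", digest.lower()))
    return sorted(hits)


def scan_lines(lines, ind) -> list:
    """(line number, hits) for every line with at least one indicator match."""
    return [(i, hits) for i, line in enumerate(lines, 1) if (hits := match_line(line, ind))]


# Constructed sample telemetry: one DNS hit, one proxy download, one EDR file-hash
# hit (upper-case, to show normalization) and one benign line.
SAMPLE_LOG = [
    "2026-05-20T10:01:02Z dns client=10.0.5.23 query=cloudflariz.com type=A",
    "2026-05-20T10:01:05Z proxy client=10.0.5.23 url=http://184.174.96.74/rs64c.exe status=200",
    "2026-05-20T10:02:10Z edr host=WS-FIN-07 file=C:\\Users\\jdoe\\AppData\\Local\\Temp\\vvvivyyl.exe "
    "sha256=A51C8FCDE0BCC9FE8273F99C8B23E63CA4CD0F66B22CADD0BCB0F3ADB0FA05FA",
    "2026-05-20T10:03:00Z dns client=10.0.5.24 query=update.microsoft.com type=A",
]

if __name__ == "__main__":
    indicators = build_indicator_set(RAW_IOCS)
    for lineno, hits in scan_lines(SAMPLE_LOG, indicators):
        print(lineno, hits)
```

Hash and URL matches are exact and therefore high-fidelity; a bare IP match on a shared hosting or CDN address (several of the listed IPv4s fall in ranges used by many tenants) needs corroboration from the URL or file-name indicators before it is treated as a confirmed Qilin contact.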
Section 05
T1078, T1133, T1190, T1566.001, T1566.002, T1110.003, T1059.001, T1059.003, T1059.004, T1047, T1053.005, T1569.002, T1106, T1204.002, T1072, T1543.003, T1547.001, T1053.005, T1037.004, T1068, T1562.001, T1562.004, T1070.001, T1070.004, T1036.004, T1036.005, T1027, T1564.001, T1497, T1480, T1112, T1218, T1003.001, T1555.003, T1018, T1033, T1046, T1057, T1082, T1083, T1087.002, T1135, T1482, T1518.001, T1016, T1021.001, T1021.002, T1021.004, T1021.006, T1570, T1080, T1005, T1039, T1074.001, T1071.001, T1090.003, T1105, T1573.002, T1219, T1041, T1048, T1567.002, T1486, T1490, T1489, T1491.001, T1485, T1498, T1657
Section 06