Threat Advisories:
Typosquatted npm Packages Execute Stealthy CredentialTheft Operation Hijackloader Strikes Colombia with PureHVNC Vietnamese Actors Use Recruitment Lures for Espionage and Theft Qilin Ransomware Surge: A Growing Global Threat to Critical Sectors ClickOnce Deception: SideWinder’s New Path to Diplomats The Gift Card Grinch Uncovered in the Jingle Thief Campaign WordPress Sites Under Siege by Old Critical Flaws Transparent Tribe’s DeskRAT Campaign Targets Indian Military Systems SessionReaper Flaw Enables Seamless Session Hijacking on Adobe Commerce CVE‑2025‑61932: Critical Lanscope Endpoint Manager Flaw Actively Exploited Lazarus Targets Europe’s UAV Innovation October 2025 Linux Patch Roundup MuddyWater Deploys Phoenix Backdoor in Targeted Espionage Campaign Critical Cloud Threat: Azure Blob Storage Under Active Attack Operation Silk Lure Scam: When Job Hunts Leads to Malware Storm-1175’s Masterstroke Exploits CVE-2025-10035 in GoAnywhere MFT F5 BIG-IP Breach: Nation-State Hackers Expose Source Code and Undisclosed Flaws Microsoft’s October 2025 Patch Tuesday TA585 Leverages ClickFix Technique and MonsterV2 Malware Astaroth Targets Brazil Using GitHub Infrastructure
Highlights of Our CISO Dinner
Upgrading struggling vulnerability management programs to Threat Exposure Management, with Host, CISO Al Lindseth formerly from Plains All American Pipeline and PWC - 6 minute podcast
0:00
0:00
👥 Play Count: Loading...
Partner Program
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them. Powered by:
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s ComparisonSave Cost , Reduce Complexity and Increase Security by Augmenting and Replacing your existing Vulnerability Management platform
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Case Studies
Whitepapers
Press Releases
connect
Webinars & Videos
Blog
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe
Platform
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure Platform
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s Comparison
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Case Studies
Whitepapers
Press Releases
connect
Webinars & Videos
Blog
Company
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe

Qilin Ransomware Surge: A Growing Global Threat to Critical Sectors

Red | Attack Report
Download PDF

Qilin Ransomware Escalates Global Attacks with Cross-Platform Techniques

Summary

The Qilin ransomware group, also known as Agenda and Water Galura, has rapidly evolved into one of the most aggressive ransomware operations of 2025, claiming over 700 victims across multiple sectors worldwide. The group’s activity spiked in October 2025, with nearly 200 confirmed incidents—marking a major escalation in frequency and impact.

Qilin operates under a Ransomware-as-a-Service (RaaS) model, allowing affiliates to launch attacks using its infrastructure while retaining up to 85% of ransom profits. The group’s campaigns target manufacturing, technology, healthcare, financial services, energy, government, education, transportation, and aerospace, among others.

A key advancement in 2025 is Qilin’s ability to execute Linux ransomware payloads on Windows systems by exploiting legitimate remote management tools such as AnyDesk, ScreenConnect, and Splashtop. This cross-platform capability enables attackers to bypass traditional Windows defenses, evade detection, and encrypt hybrid environments.

Qilin also leverages Bring Your Own Vulnerable Driver (BYOVD) attacks, phishing-based credential theft, and double-extortion tactics, stealing sensitive data before encryption to increase ransom pressure. The group’s growing sophistication highlights the urgent need for multi-factor authentication (MFA), remote tool restrictions, and hybrid visibility across enterprise networks.

Attack Details

Global Campaign Overview

  • Active Since: 2022
  • Model: Ransomware-as-a-Service (RaaS)
  • Victims (2025): Over 700 globally
  • Victims (October 2025): Nearly 200 confirmed
  • Primary Targets: Manufacturing, healthcare, financial services, energy, legal, technology, education, and government sectors
  • Key Regions: United States, France, Canada, and the United Kingdom

Attack Chain and Execution

  1. Initial Access:
    • Qilin affiliates begin attacks using phishing campaigns that deploy infostealers disguised behind fake CAPTCHA pages.
    • Stolen credentials are used to access corporate systems through legitimate remote management tools.
  2. Privilege Escalation and Persistence:
    • Attackers leverage BYOVD exploits to load signed but vulnerable drivers, granting elevated privileges and disabling endpoint protections.
    • Persistent access is established through hidden administrative accounts and renamed SSH or RMM utilities.
  3. Cross-Platform Execution:
    • Qilin’s Linux ransomware variant is executed on Windows systems via file-transfer tools such as AnyDesk and ScreenConnect.
    • This method enables ransomware execution in mixed operating environments while evading Windows-specific antivirus defenses.
  4. Backup Targeting and Data Theft:
    • The group specifically targets Veeam backup servers to steal credentials and disable restoration using custom PowerShell scripts and SQL commands.
    • Data is exfiltrated prior to encryption, enabling double-extortion—combining data leaks with file encryption to pressure victims.
  5. Encryption and Impact:
    • Once lateral movement is complete, encryption is executed rapidly using a hybrid of Windows and Linux binaries.
    • Victims are then directed to TOR-based negotiation portals for ransom communication.

This combination of credential theft, legitimate tool abuse, and hybrid encryption makes Qilin a severe and stealthy global threat to enterprise networks.

Recommendations

  1. Enforce Multi-Factor Authentication (MFA):
    Implement MFA across all VPNs, remote access tools, and privileged accounts to prevent unauthorized logins using stolen credentials.
  2. Restrict Remote Management Tools:
    Limit or whitelist applications such as AnyDesk, ScreenConnect, and Splashtop to authorized administrators only.
    Continuously monitor for new or rogue installations of remote management software.
  3. Detect and Block BYOVD Exploits:
    • Enforce driver signing policies to prevent unsigned or malicious driver loads.
    • Regularly audit driver inventories to remove known vulnerable versions used for privilege escalation.
  4. Enhance Endpoint and Network Monitoring:
    • Deploy EDR/XDR solutions capable of detecting Linux processes running on Windows systems.
    • Correlate endpoint telemetry with network analytics to identify anomalous cross-platform activity.
  5. Backup and Restoration Strategy:
    • Maintain offline, immutable backups of critical data.
    • Frequently test backup restoration to ensure system recovery in the event of ransomware compromise.

Indicators of Compromise (IoCs)

SHA1 Hash:

  • c150e4ab20d59affc62b916c2c90686f43040a9f

SHA256 Hashes:
c0f7c2bb04aa09dae62f0e5feeb7c9c867685abc788ae6b0e6928ad7979dbcaf
e46bde83b8a3a7492fc79c22b337950fc49843a42020c41c615b24579c0c3251
f488861f8d3d013c3eef88983de8f5f37bb014ae13dc13007b26ebbd559e356e
3dba9ba8e265faefce024960b69c1f472ab7a898e7c224145740f1886d97119f
15e5bf0082fbb1036d39fc279293f0799f2ab5b2b0af47d9f3c3fdc4aa93de67
331d136101b286c2f7198fd41e5018fcadef720ca0e74b282c1a44310a792e7f
549a1ae688edfcb2e7a254ac3aded866b378b2e829f1bb8af42276b902f475e6
454e398869e189874c796133f68a837c9b7f2190b949a8222453884f84cf4a1b
e38d4140fce467bfd145a8f6299fc76b8851a62555b5c0f825b9a2200f85017c
5f0253f959d65c45a11b7436301ee5a851266614f811c753231d684eb5083782

IPv4 Addresses:
85[.]239[.]34[.]91
86[.]106[.]85[.]36

Domains:
regsvchst[.]com
holapor67[.]top
mimikatzlogs@anti[.]pm
mimikatz@anti[.]pm

URLs:
hxxp[:]//185[.]141[.]216[.]127/tr.e
hxxps[:]//chatgptitalia[.]net/
hxxps[:]//45[.]221[.]64[.]245/mot/
hxxps[:]//104[.]164[.]55[.]7/231/means.d

TOR Addresses:
hxxp[:]//ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd[.]onion
hxxp[:]//kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad[.]onion
hxxp[:]//securo45z554mw7rgrt7wcgv5eenj2xmxyrsdj3fcjsvindu63s4bsid[.]onion

Recent Victim Websites:

  • microbix[.]com
  • productivetool[.]com
  • lorberlaw[.]com
  • henriettaezeokelaw[.]com
  • doubleoakconstruction[.]com
  • izaki[.]co[.]il
  • medimpact[.]com
  • infracom[.]com[.]au
  • northernlighttech[.]com

  • mainetti[.]com

MITRE ATT&CK TTPs

TacticTechniqueTechnique ID
Initial AccessPhishing / External Remote ServicesT1566, T1133
ExecutionPowerShell, Command Shell, Remote Access SoftwareT1059.001, T1059.003, T1219
PersistenceBoot or Logon Autostart Execution / Registry Run KeysT1547, T1547.001
Privilege EscalationBYOVD Exploit / Group Policy ModificationT1562, T1484.001
Defense EvasionDisable or Modify Tools / Indicator RemovalT1562.001, T1070
Credential AccessOS Credential Dumping / Brute ForceT1003, T1110
Lateral MovementRemote Desktop / SMB / Admin SharesT1021, T1021.001, T1021.002
ExfiltrationExfiltration Over Alternative ProtocolT1048
ImpactData Encrypted for Impact / Inhibit System RecoveryT1486, T1490

References

What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox