In its latest analysis covering the second half of 2025, researchers from Cisco Talos have revealed that the Qilin ransomware group has maintained one of the highest operational tempos in the cybercriminal ecosystem. The report highlights that Qilin has been publishing over 40 victim cases per month on its leak site, solidifying its position as “one of the most impactful ransomware groups worldwide.”
The group’s preferred victims include the manufacturing industry, which accounts for nearly a quarter of all known attacks, followed by professional and scientific services (18%), and wholesale trade (10%). The remaining cases span healthcare, construction, retail, education, and finance sectors — together painting a picture of broad-spectrum disruption across critical infrastructure.
Active since mid-2022, Qilin (formerly known as Agenda) operates under a Ransomware-as-a-Service (RaaS) model, supplying its affiliates with malware platforms and operational playbooks. According to Cisco Talos, “Over the past several years, Qilin has expanded its operations and now ranks among the most prolific and damaging ransomware threats on a global scale.”
The group employs the double-extortion strategy — encrypting files and threatening to leak stolen data — and maintains a professional-looking leak portal showcasing compromised organizations. In June and August 2025 alone, Talos observed peaks of nearly 100 new victim disclosures, signaling a sustained global threat presence.
Cisco Talos’ incident response investigations have reconstructed Qilin’s tactics, techniques, and procedures (TTPs) across multiple attack phases — from initial access to encryption and persistence.
The attackers often gained entry with administrative credentials that had already leaked on the dark web. In several confirmed cases, “credentials had been exposed on the dark web… [and] approximately two weeks later, numerous NTLM authentication attempts were made against the VPN,” resulting in successful intrusion. Notably, the VPN enforced no multi-factor authentication (MFA), so a valid password alone granted “unfettered access” to the network.
Once inside, the attackers moved laterally using RDP, PsExec, and stolen credentials, running commands such as nltest.exe and net.exe for domain reconnaissance. In many cases they executed a custom batch file (!light.bat) that set the WDigest UseLogonCredential value (under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest) to 1. With that setting LSASS keeps plaintext credentials in memory for subsequent logons, a long-known precondition for harvesting passwords with tools such as Mimikatz.
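One way to look for the VPN pattern above in gateway authentication logs, as an added example for this article (not Talos code): it correlates a burst of NTLM failures for one account from one source with a later success from the same source, and rates the alert higher when the success carried no MFA. The log line format, account names and addresses are constructed for the demo and the parser would need adapting to a real appliance.

```python
"""Spot NTLM password-guessing against a VPN gateway that ends in a login.

Added example for this article, not Cisco Talos code. The log format is a
constructed key=value syslog line; adapt LINE_RE to the real appliance.
The pattern from the Qilin cases: many NTLM failures for one account from one
source, then a success from that source inside the window, with no MFA step.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
2025-09-01T02:10:01Z vpn-gw auth=NTLM user=jsmith src=203.0.113.45 result=FAIL mfa=none
2025-09-01T02:10:07Z vpn-gw auth=NTLM user=jsmith src=203.0.113.45 result=FAIL mfa=none
2025-09-01T02:10:13Z vpn-gw auth=NTLM user=jsmith src=203.0.113.45 result=FAIL mfa=none
2025-09-01T02:10:20Z vpn-gw auth=NTLM user=jsmith src=203.0.113.45 result=FAIL mfa=none
2025-09-01T02:10:26Z vpn-gw auth=NTLM user=jsmith src=203.0.113.45 result=FAIL mfa=none
2025-09-01T02:11:02Z vpn-gw auth=NTLM user=jsmith src=203.0.113.45 result=SUCCESS mfa=none
2025-09-01T02:12:00Z vpn-gw auth=NTLM user=alee src=198.51.100.9 result=FAIL mfa=none
2025-09-01T02:12:30Z vpn-gw auth=NTLM user=alee src=198.51.100.9 result=SUCCESS mfa=push
2025-09-01T03:30:00Z vpn-gw auth=NTLM user=bkim src=192.0.2.77 result=SUCCESS mfa=push
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth=(?P<auth>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_events(log_text):
    """Yield one dict per line that matches LINE_RE; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def detect_ntlm_vpn_abuse(log_text, window_seconds=600, fail_threshold=5):
    """Return one alert per (user, src) whose success followed at least
    fail_threshold NTLM failures inside window_seconds. Severity is 'critical'
    when the success carried no MFA, which is the 'unfettered access' case."""
    window = timedelta(seconds=window_seconds)
    recent_fails = {}  # (user, src) -> timestamps of failures still in window
    alerts = []
    for ev in sorted(parse_events(log_text), key=lambda e: e["ts"]):
        if ev["auth"].upper() != "NTLM":
            continue
        key = (ev["user"], ev["src"])
        # keep only failures that are still inside the sliding window
        fails = [t for t in recent_fails.get(key, []) if ev["ts"] - t <= window]
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
        elif ev["result"] == "SUCCESS" and len(fails) >= fail_threshold:
            alerts.append({
                "user": ev["user"],
                "src": ev["src"],
                "failures_before_success": len(fails),
                "mfa": ev["mfa"],
                "severity": "critical" if ev["mfa"] == "none" else "high",
                "at": ev["ts"].isoformat(),
            })
            fails = []  # reset after reporting
        recent_fails[key] = fails
    return alerts


if __name__ == "__main__":
    for alert in detect_ntlm_vpn_abuse(SAMPLE_LOG):
        print(alert)
```

The window and threshold are deliberately loose; the two-week gap Talos describes between the leak and the NTLM attempts means the failures themselves may be the first visible signal, so the same failure bookkeeping can also feed a lower-priority "burst without success" alert.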
Cisco Talos notes that the batch file triggered Mimikatz, NirSoft utilities, and SharpDecryptPwd to extract passwords from applications including TeamViewer, FileZilla, Chrome, RDCMan, and SunLogin. The stolen credentials were later consolidated and exfiltrated via a Cyrillic-encoded VBScript, suggesting an Eastern European or Russian-speaking origin for at least some operators.
In a notable trend, Qilin affiliates increasingly rely on legitimate cloud transfer tools to mask data theft. Talos found traces of the open-source client Cyberduck, used to upload archives to Backblaze cloud storage; because the destination is a trusted storage provider, the transfer blends in with ordinary outbound traffic and is unlikely to be blocked by domain reputation alone.
“In recent trends, the open-source software Cyberduck — which enables file transfers to cloud servers — has been widely abused in cases involving Qilin ransomware,” the researchers wrote.
The adversaries also used everyday Windows utilities such as notepad.exe, mspaint.exe, and iexplore.exe to manually review sensitive documents during reconnaissance — an unusual but effective low-tech data vetting method.
Qilin operators demonstrate multi-layered defense evasion, combining stealth with persistence. Cisco Talos observed Remote Monitoring and Management (RMM) tools like AnyDesk, GoToDesk, and ScreenConnect deployed prior to encryption, likely to maintain covert access. One log showed “ScreenConnect established a connection to the command and control (C2) server on port 8880.”
To disable security controls, the attackers executed obfuscated PowerShell scripts encoded with numeric patterns. Once decoded, these scripts “disabled AMSI, bypassed TLS certificate validation, and enabled Restricted Admin mode.” Disabling AMSI stops script-content scanning, and Restricted Admin mode lets an RDP session authenticate with an NT hash instead of a password, so stolen hashes alone are enough for lateral movement over RDP.
Further evidence showed attempts to uninstall endpoint detection tools using both direct service manipulation and tools such as DarkKill and HRSword that terminate or unload security products, launched through elevated VBScript commands.
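A decoder for the numeric-array style of PowerShell obfuscation, added here as an example and not taken from the Talos report or from the attackers' scripts. The report does not reproduce the exact encoding, so the code assumes the common char-code forms (`[char[]]@(83,121,...)`, `-join ((97,...)|%{[char]$_})` and `[char]68+[char]105+...`), decodes them, and then scans both the raw script and the decoded strings for the three behaviours named above. The sample script is constructed for the demo.

```python
"""Decode char-code obfuscated PowerShell and flag AMSI / TLS / Restricted
Admin tampering once the strings are visible.

Added example for this article, not Talos code. The exact encoding Talos saw
is not reproduced in the report; the three char-code forms handled here are
an assumption. SAMPLE_SCRIPT is constructed for the demo.
"""
import re

SAMPLE_SCRIPT = r"""
$t=[string]::Join('',([char[]]@(83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,65,109,115,105,85,116,105,108,115)))
$f=-join ((97,109,115,105,73,110,105,116,70,97,105,108,101,100)|%{[char]$_})
[Ref].Assembly.GetType($t).GetField($f,'NonPublic,Static').SetValue($null,$true)
[Net.ServicePointManager]::ServerCertificateValidationCallback={$true}
$n=[char]68+[char]105+[char]115+[char]97+[char]98+[char]108+[char]101
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v ($n+'RestrictedAdmin') /t REG_DWORD /d 0 /f
"""

# a run of four or more comma-separated small integers, e.g. 83,121,115,116
CODE_LIST = re.compile(r"(?:\b\d{1,3}\s*,\s*){3,}\b\d{1,3}\b")
# a run of [char]N tokens glued together with '+'
CHAR_CHAIN = re.compile(r"(?:\[char\]\s*\d{1,3}\s*\+?\s*){2,}", re.I)
CHAR_CAST = re.compile(r"\[char\]\s*(\d{1,3})", re.I)

INDICATORS = [
    ("AMSI bypass",
     re.compile(r"amsiutils|amsiinitfailed|amsiscanbuffer|amsi\.dll", re.I)),
    ("TLS validation disabled",
     re.compile(r"servercertificatevalidationcallback|checkcertificaterevocationlist"
                r"|trustallcert", re.I)),
    ("Restricted Admin mode toggled",
     re.compile(r"restrictedadmin", re.I)),
]


def _codes_to_text(codes):
    # accept printable ASCII only; anything else is unlikely to be a string literal
    if codes and all(32 <= c < 127 for c in codes):
        return "".join(chr(c) for c in codes)
    return None


def decode_numeric_fragments(script):
    """Return every printable string recoverable from char-code lists or chains."""
    fragments = []
    for m in CODE_LIST.finditer(script):
        text = _codes_to_text([int(x) for x in re.split(r"\s*,\s*", m.group(0))])
        if text:
            fragments.append(text)
    for m in CHAR_CHAIN.finditer(script):
        text = _codes_to_text([int(x) for x in CHAR_CAST.findall(m.group(0))])
        if text:
            fragments.append(text)
    return fragments


def analyse(script):
    """Decode first, then scan the raw script plus the decoded strings."""
    fragments = decode_numeric_fragments(script)
    corpus = script + "\n" + "\n".join(fragments)
    hits = [name for name, rx in INDICATORS if rx.search(corpus)]
    return {"decoded": fragments, "indicators": hits}


if __name__ == "__main__":
    print(analyse(SAMPLE_SCRIPT))
```

The point of decoding before matching: the AMSI indicator only exists in the decoded strings, so a rule that inspects the raw command line misses it, while the TLS and Restricted Admin indicators happen to be visible in plaintext in this sample.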
Before launching ransomware, Qilin operators frequently deployed Cobalt Strike Beacons and SystemBC proxies. Cisco Talos identified a custom RC4 decryption routine within a Cobalt Strike loader; the loader ran its payload through thread-pool callback APIs and included anti-sandbox tricks such as MessageBoxA prompts.
The decrypted beacon communicated over HTTPS (port 443) while disguising its requests as OCSP traffic with headers such as “Host: ocsp.verisign.com”, so that check-ins resemble certificate-status lookups. One caveat for defenders: genuine OCSP is conventionally fetched over plain HTTP, so an OCSP-looking Host header inside a TLS session to an unrelated address is itself a useful anomaly.
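RC4 is a fixed algorithm, so a decryptor for this kind of loader has to do the same key scheduling and keystream generation as the example below; the code is added for this article and is not the loader's own routine. The key, the beacon profile and the "encrypted" blob (produced here by encrypting that profile, since no real blob appears in the article) are constructed. The second function turns the OCSP observation above into a check that a profile's Host header does not match its actual destination.

```python
"""RC4 as a loader has to implement it, plus a check on the OCSP disguise.

Added example for this article, not Talos code and not the loader's routine.
KEY, PLAIN_PROFILE and ENCRYPTED_PROFILE are constructed for the demo.
"""
import urllib.parse


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; symmetric, so one call encrypts and decrypts."""
    # key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # pseudo-random generation algorithm (PRGA)
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed key and profile (demo assumptions, not recovered values).
KEY = b"demo-loader-key"
PLAIN_PROFILE = (
    b"c2=https://203.0.113.10:443/\n"
    b"host_header=ocsp.verisign.com\n"
    b"user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64)\n"
    b"sleep_ms=60000\n"
)
ENCRYPTED_PROFILE = rc4(KEY, PLAIN_PROFILE)  # stands in for the embedded blob


def decrypt_profile(blob: bytes, key: bytes) -> dict:
    """RC4-decrypt the blob and parse its key=value lines into a dict."""
    cfg = {}
    for line in rc4(key, blob).decode("utf-8").splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            cfg[k.strip()] = v.strip()
    return cfg


def assess_c2_profile(cfg: dict) -> list:
    """Reasons the profile looks like OCSP impersonation rather than real OCSP."""
    reasons = []
    url = urllib.parse.urlsplit(cfg.get("c2", ""))
    host_hdr = cfg.get("host_header", "").lower()
    target = (url.hostname or "").lower()
    if host_hdr and target and host_hdr != target:
        reasons.append(f"Host header {host_hdr!r} differs from connection target {target!r}")
    # Real OCSP is conventionally fetched over plain HTTP, because the client
    # is still deciding whether to trust a certificate; 'ocsp.' over HTTPS is odd.
    if url.scheme == "https" and host_hdr.startswith("ocsp."):
        reasons.append("OCSP-looking Host header inside an HTTPS session")
    return reasons


if __name__ == "__main__":
    profile = decrypt_profile(ENCRYPTED_PROFILE, KEY)
    print(profile)
    for reason in assess_c2_profile(profile):
        print("-", reason)
```

On the wire the same mismatch shows up as an HTTP Host header (or TLS SNI) that does not agree with the destination address or the certificate actually presented, which is the form a network sensor would check.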
When the encryption phase begins, Talos reports that two ransomware binaries are sometimes used simultaneously:
- encryptor_1.exe — distributed across network hosts via PsExec
- encryptor_2.exe — executed locally to encrypt network shares
Both variants aggressively enumerate Active Directory computers, disable Volume Shadow Copy Service (VSS), and clear all system event logs to inhibit forensic recovery.
Qilin’s PowerShell routines also specifically target VMware vCenter clusters: they disable HA and DRS (so the cluster neither restarts nor migrates virtual machines during the attack), change root passwords on the hosts, enable SSH access, and then execute payloads on all ESXi hosts.
The ransomware’s configuration defines explicit blacklists and whitelists for file types, directories, and processes. Directories that would normally be skipped as system-critical, such as ClusterStorage (the mount point for Cluster Shared Volumes used by Windows Server Failover Clustering), are deliberately placed on the list of paths to encrypt.
Persistence is achieved via registry autoruns and a scheduled task named “TVInstallRestore,” a name chosen to pass as a TeamViewer installer task, in keeping with the RMM tools used earlier in the attack chain.
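The host-level indicators from the batch-file, encryption-phase and persistence descriptions above (WDigest UseLogonCredential set to 1, shadow-copy deletion, event-log clearing, PsExec execution, the TVInstallRestore task) expressed as simple command-line rules, added here as an example and not a Talos signature. The process-creation records are constructed; the rule names, the ATT&CK mappings and the "hosts at risk" heuristic are this example's own choices.

```python
"""Command-line rules for the host-level Qilin TTPs described in the article.

Added example, not a Talos signature. SAMPLE_EVENTS are constructed records
modelled loosely on Sysmon Event ID 1 / Security 4688 fields.
"""
import re

# (rule name, ATT&CK technique, regex applied to the lower-cased command line)
RULES = [
    ("wdigest_plaintext_creds", "T1112 Modify Registry",
     re.compile(r"wdigest.*uselogoncredential.*(/d\s*|-value\s+)1\b")),
    ("shadow_copy_deletion", "T1490 Inhibit System Recovery",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|win32_shadowcopy")),
    ("vss_service_disabled", "T1490 Inhibit System Recovery",
     re.compile(r"sc(\.exe)?\s+(config\s+vss\s+start=\s*disabled|stop\s+vss\b)")),
    ("event_log_cleared", "T1070.001 Clear Windows Event Logs",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b")),
    ("psexec_remote_exec", "T1569.002 Service Execution",
     re.compile(r"psexec(64)?(\.exe)?\s")),
    ("tvinstallrestore_task", "T1053.005 Scheduled Task",
     re.compile(r"schtasks(\.exe)?\s+/create\b.*\s/tn\s+\"?tvinstallrestore\b")),
]

# Constructed process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-0417", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
                r" /v UseLogonCredential /t REG_DWORD /d 1 /f"},
    {"host": "WS-0417", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-0417", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": r"wevtutil.exe cl Security"},
    {"host": "WS-0417", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": r'schtasks /create /tn "TVInstallRestore" /tr C:\Users\Public\tv.exe /sc onlogon /ru SYSTEM /f'},
    {"host": "FS-02", "user": "CORP\\svc_backup", "parent": "services.exe",
     "cmdline": r"PsExec64.exe -accepteula \\FS-02 -s -d C:\Windows\Temp\encryptor_1.exe"},
    {"host": "WS-0098", "user": "CORP\\alee", "parent": "explorer.exe",
     "cmdline": r"notepad.exe C:\Users\alee\Documents\notes.txt"},
]


def match_rules(event):
    """All (rule, technique) pairs whose regex hits this event's command line."""
    cmd = event["cmdline"].lower()
    return [(name, tech) for name, tech, rx in RULES if rx.search(cmd)]


def triage(events, min_distinct_rules=3):
    """Group hits per host; a host with at least min_distinct_rules different
    rules is one where the pre-encryption chain is already well under way."""
    findings = {}
    for ev in events:
        for name, tech in match_rules(ev):
            findings.setdefault(ev["host"], []).append(
                {"rule": name, "technique": tech, "user": ev["user"], "cmdline": ev["cmdline"]})
    hosts_at_risk = sorted(
        h for h, hits in findings.items()
        if len({x["rule"] for x in hits}) >= min_distinct_rules)
    return findings, hosts_at_risk


if __name__ == "__main__":
    found, at_risk = triage(SAMPLE_EVENTS)
    for host, hits in found.items():
        for h in hits:
            print(f"{host}: {h['rule']} ({h['technique']}): {h['cmdline']}")
    print("encryption likely imminent on:", at_risk)
```

Any one of these commands has benign uses (backup jobs delete shadow copies, admins clear logs); the value is in the combination on one host within a short period, which is why the triage step counts distinct rules rather than raw hits.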
After encryption, Qilin drops a ransom note in every folder, warning victims that “data has been compromised” and providing both Tor (.onion) and clear-web URLs for negotiation. Each victim company is assigned a unique ID, embedded as the file extension, and supplied with a corresponding login credential to access Qilin’s leak portal.
While attribution remains murky, linguistic traces and codepage hints indicate ties to Eastern Europe or Russian-speaking operators. Talos cautions that some evidence could be deliberate false flags, but the consistency of Cyrillic encoding and familiar credential-theft tools aligns with previous Russian-language cybercrime patterns.
The United States remains the most heavily impacted country, followed by Canada, the United Kingdom, France, and Germany. With its manufacturing focus and mature affiliate tooling, Qilin has become a flagship RaaS operation in 2025’s ransomware landscape.
As Cisco Talos concludes, “These findings indicate that Qilin continues to pose a persistent and significant threat.”