S1242 Qilin
Qilin ransomware is a Ransomware-as-a-Service (RaaS) offering that has been active since at least 2022, with variants written in Golang and Rust that target Windows and VMware ESXi systems. Qilin has functional overlaps with Black Basta, REvil, and BlackCat ransomware, and its RaaS affiliates have been observed targeting multiple sectors worldwide, including healthcare and education in Asia, Europe, and Africa. [2][3][4][1]
| Item | Value |
|---|---|
| ID | S1242 |
| Associated Names | Agenda |
| Type | MALWARE |
| Version | 1.0 |
| Created | 26 September 2025 |
| Last Modified | 23 October 2025 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Agenda | [1][2][3] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | Qilin can bypass standard user access controls by using stolen tokens to launch processes in an elevated security context. [6] |
| enterprise | T1134 | Access Token Manipulation | Qilin can use an embedded Mimikatz module for token manipulation. [6] |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | Qilin can list all local users found on a targeted system. [2] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Qilin has created a RunOnce autostart entry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*aster = %Public%\enc.exe pointing to a dropped copy of itself in the Public folder. A RunOnce value whose name is prefixed with an asterisk is also processed when Windows boots into Safe Mode. [2][7] |
| enterprise | T1547.004 | Winlogon Helper DLL | Qilin can configure a Winlogon registry entry. [2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Qilin has been deployed on VMware vCenter and ESXi servers via a custom PowerShell script. [4][6] |
| enterprise | T1486 | Data Encrypted for Impact | Qilin can use AES-256 or ChaCha20 for domain-wide encryption of victim servers and workstations, and RSA-4096 or RSA-2048 to protect the generated file-encryption keys. [2][3][6][4][7][5] |
| enterprise | T1491 | Defacement | - |
| enterprise | T1491.001 | Internal Defacement | Qilin can set the wallpaper on compromised hosts to display a ransom message. [1] |
| enterprise | T1484 | Domain or Tenant Policy Modification | - |
| enterprise | T1484.001 | Group Policy Modification | Qilin has pushed a scheduled task via a Group Policy Object for payload execution. [2][4] |
| enterprise | T1480 | Execution Guardrails | Qilin can require a specific password to be passed as a command-line argument at execution; it must match a pre-defined value in the configuration for execution to continue. [6] |
| enterprise | T1480.002 | Mutual Exclusion | Qilin can create a mutex to ensure only one instance is running. [7] |
| enterprise | T1190 | Exploit Public-Facing Application | Qilin has been delivered through exploitation of exposed applications and interfaces, including Citrix and RDP. [3] |
| enterprise | T1083 | File and Directory Discovery | Qilin can exclude specific directories and files from encryption. [2] |
| enterprise | T1222 | File and Directory Permissions Modification | Qilin can use symbolic links to redirect file paths for both remote and local objects. [6] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Qilin can terminate antivirus-related processes and services. [2][3][7][6] |
| enterprise | T1562.009 | Safe Mode Boot | Qilin can reboot targeted systems into Safe Mode to help avoid detection. [2][4] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.001 | Clear Windows Event Logs | Qilin has the ability to clear Windows Event Logs. [7][1] |
| enterprise | T1070.004 | File Deletion | Qilin can delete itself from infected hosts after execution. [7][1] |
| enterprise | T1490 | Inhibit System Recovery | Qilin can execute vssadmin.exe delete shadows /all /quiet to remove volume shadow copies. [2][7][1] |
| enterprise | T1680 | Local Storage Discovery | Qilin has used GetLogicalDrives() and EnumResourceW() to locate mounted drives and shares. [7] |
| enterprise | T1112 | Modify Registry | Qilin can make Registry modifications to share networked drives between elevated and non-elevated processes and to increase the number of outstanding network requests per client. [7][6] |
| enterprise | T1106 | Native API | Qilin can attempt to log on to the local computer via LogonUserW and use GetLogicalDrives() and EnumResourceW() for discovery. [2][7] |
| enterprise | T1135 | Network Share Discovery | Qilin has the ability to list network drives. [2][7] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | Qilin can employ several code obfuscation methods, including renaming functions, altering control flow, and encrypting strings. [5] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | Qilin can employ an embedded Mimikatz module to dump LSASS memory. [6] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Qilin has been delivered to victims through malicious email attachments. [3] |
| enterprise | T1566.002 | Spearphishing Link | Qilin has been delivered via malicious links in spearphishing emails. [3][1] |
| enterprise | T1057 | Process Discovery | Qilin can define specific processes to be terminated or left alone at execution. [2][3][7][5] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | Qilin can inject pwndll.dll, a patched version of the legitimate WICloader.dll, into svchost.exe for continuous execution. [2] |
| enterprise | T1012 | Query Registry | Qilin can check HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SystemStartOptions to determine whether a machine is running in Safe Mode. [2] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.002 | SMB/Windows Admin Shares | Qilin can embed a copy of PsExec within its payload and place it in the %Temp% directory under a randomly generated filename. [6] |
| enterprise | T1018 | Remote System Discovery | Qilin can enumerate domain-connected hosts during its discovery phase. [6][1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Qilin has pushed scheduled tasks via GPO for execution. [4][2] |
| enterprise | T1489 | Service Stop | Qilin can terminate specific services on compromised hosts. [2][7][5] |
| enterprise | T1016 | System Network Configuration Discovery | Qilin can accept a command-line argument identifying specific IPs. [2] |
| enterprise | T1007 | System Service Discovery | Qilin can identify specific services for termination or to be left running at execution. [2][3][5] |
| enterprise | T1529 | System Shutdown/Reboot | Qilin can initiate a reboot of the backup server to hinder recovery. [6] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | Qilin has been executed by luring victims into clicking links in spearphishing emails. [3][1] |
| enterprise | T1204.002 | Malicious File | Qilin has been delivered to victims through spearphishing emails with malicious attachments. [3] |
| enterprise | T1673 | Virtual Machine Discovery | Qilin can detect virtual machine environments. [7] |
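Several rows above describe behaviour that leaves process-creation telemetry: the vssadmin shadow-copy deletion (T1490), the RunOnce value with an asterisk-prefixed name (T1547.001), the reboot into Safe Mode (T1562.009), the renamed PsExec copy in %Temp% (T1021.002) and event-log clearing (T1070.001). The Python script below is an illustrative example added to this page; it is not ATT&CK, vendor, or Qilin code. It runs a small rule set over constructed events shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, OriginalFileName). The page does not name the commands Qilin uses to configure Safe Mode or clear logs, so the bcdedit safeboot and wevtutil cl patterns are assumed mechanisms, and every host, file and user name in the sample events is made up.

```python
"""Rule-based triage of Windows process-creation events for Qilin-style tradecraft.

Illustrative example for the ATT&CK S1242 entry; not ATT&CK, vendor, or malware code.
Events are constructed in the shape of Sysmon Event ID 1 fields; values are made up.
"""
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    technique: str
    name: str
    match: Callable[[dict], bool]


def image_name(event: dict) -> str:
    """Lower-cased basename of the Image path (Windows paths, so split on backslash too)."""
    return re.split(r"[\\/]", event.get("Image", ""))[-1].lower()


def cmd(event: dict) -> str:
    return event.get("CommandLine", "")


def renamed_psexec_from_temp(event: dict) -> bool:
    """PE version info still says PsExec (Sysinternals PsExec carries OriginalFilename
    'psexec.c'), but the file on disk sits in a Temp directory under another name.
    Mirrors the page's 'PsExec in %Temp% under a randomly generated filename'."""
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    return (original in {"psexec.c", "psexec.exe"}
            and "\\temp\\" in image
            and not image_name(event).startswith("psexec"))


RULES = [
    # Page fact: vssadmin.exe delete shadows /all /quiet.
    Rule("T1490", "vssadmin shadow copy deletion",
         lambda e: image_name(e) == "vssadmin.exe"
         and re.search(r"\bdelete\s+shadows\b", cmd(e), re.I) is not None),
    # ASSUMED mechanism: the page says Qilin reboots into Safe Mode but names no command.
    Rule("T1562.009", "bcdedit safeboot configuration",
         lambda e: image_name(e) == "bcdedit.exe"
         and re.search(r"\bsafeboot\b", cmd(e), re.I) is not None),
    # Page fact: RunOnce value '*aster'; a leading '*' makes the entry run in Safe Mode too.
    Rule("T1547.001", "RunOnce value with '*' prefix",
         lambda e: image_name(e) == "reg.exe"
         and re.search(r"\\RunOnce\b", cmd(e), re.I) is not None
         and re.search(r"/v\s+\"?\*", cmd(e), re.I) is not None),
    Rule("T1021.002", "renamed PsExec executing from Temp", renamed_psexec_from_temp),
    # ASSUMED mechanism: the page says logs are cleared but names no command.
    Rule("T1070.001", "wevtutil clear-log",
         lambda e: image_name(e) == "wevtutil.exe"
         and re.search(r"(^|\s)(cl|clear-log)(\s|$)", cmd(e), re.I) is not None),
]


def triage(events: list[dict]) -> list[dict]:
    """Return one hit per (event, rule) match, preserving event order."""
    hits = []
    for idx, event in enumerate(events):
        for rule in RULES:
            if rule.match(event):
                hits.append({"event": idx, "technique": rule.technique,
                             "rule": rule.name, "image": event.get("Image", "")})
    return hits


# Constructed sample telemetry; not captured from any real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Users\Public\enc.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "
                    r"/v *aster /t REG_SZ /d C:\Users\Public\enc.exe /f",
     "ParentImage": r"C:\Users\Public\enc.exe"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} safeboot network",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\svc\AppData\Local\Temp\kq9z2v.exe",
     "CommandLine": r"kq9z2v.exe \\fileserver01 -s -d C:\Users\Public\enc.exe",
     "OriginalFileName": "psexec.c",
     "ParentImage": r"C:\Users\Public\enc.exe"},
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign lookalikes that must not fire: a read-only vssadmin query and an
    # unrenamed PsExec run from an admin tools folder.
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"Image": r"C:\Tools\PsExec64.exe",
     "CommandLine": r"PsExec64.exe \\build01 cmd",
     "OriginalFileName": "psexec.c"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"event {hit['event']}: {hit['technique']} {hit['rule']} ({hit['image']})")
```

The rules key on the image basename plus a command-line pattern rather than on the command line alone, so a renamed binary with a matching argument string is not enough on its own; the PsExec rule inverts that and keys on the PE version resource, which is exactly the field a random filename in %Temp% does not change. In production these patterns would be tuned against legitimate backup, imaging and administrative activity before being used for alerting.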
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1036 | Moonstone Sleet | Moonstone Sleet has deployed Qilin ransomware. [8] |
| G1050 | Water Galura | Water Galura are the operators of the Qilin RaaS. [4] |
References
1. Bradshaw, A. et al. (2025, April 1). Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream. Retrieved September 26, 2025.
2. Magdy, S. et al. (2022, August 25). New Golang Ransomware Agenda Customizes Attacks. Retrieved September 26, 2025.
3. SentinelOne. (2022, November 30). Agenda (Qilin). Retrieved September 26, 2025.
4. Thomas, W. (2024, June 12). Tracking Adversaries: The Qilin RaaS. Retrieved September 26, 2025.
5. Health Sector Cybersecurity Coordination Center. (2024, June 18). Qilin, aka Agenda Ransomware. Retrieved September 26, 2025.
6. Hacioglu, S. (2025, March 10). Qilin Ransomware: Exposing the TTPs Behind One of the Most Active Ransomware Campaigns of 2024. Retrieved September 26, 2025.
7. Halcyon RISE Team. (2024, October 24). New Qilin.B Ransomware Variant Boasts Enhanced Encryption and Defense Evasion. Retrieved September 26, 2025.
8. Microsoft Threat Intelligence (@MsftSecIntel). (2025, March 6). Microsoft Threat Intelligence on X. Retrieved September 26, 2025.