{
	"id": "90320d50-1d81-47a3-a59f-08cf8c3ff53e",
	"created_at": "2026-04-06T00:17:22.674153Z",
	"updated_at": "2026-04-10T03:24:29.974279Z",
	"deleted_at": null,
	"sha1_hash": "19813450c59d23b65d7e9d622d7830ed22a4bb59",
	"title": "Rage Against the Powershell - Qilin in the Name - TEHTRIS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 142060,
	"plain_text": "Rage Against the Powershell - Qilin in the Name - TEHTRIS\r\nBy Fabien Lefebvre\r\nPublished: 2025-06-27 · Archived: 2026-04-05 20:05:58 UTC\r\nTEHTRIS unveils Qilin: a rising ransomware threat using tailored attacks to quietly cripple targets.\r\nAuthor: Lefebvre Fabien (CTI)\r\nReview \u0026 Input: Antoine Mevel (CTI), Justine Guyot (CTI)\r\nKey points\r\nQilin is a ransomware group that has been active for nearly three years and has become one of the most active groups since the beginning of the year.\r\nQilin targets any sector, including healthcare and non-profit organizations.\r\nThe USA is by far the most targeted country.\r\nThe group uses phishing as its infection vector.\r\nSamples are protected by a password, which prevents them from running in sandbox environments.\r\nEach sample is specific to its target.\r\nThe extension used for encrypted files is unique to the target.\r\nThe Qilin ransomware group\r\nQilin is a Russian-speaking ransomware group which was first spotted in October 2022 and has since steadily risen among the most active ransomware groups, reaching a peak of 73 victims last month and 530 to date.\r\nhttps://tehtris.com/en/blog/rage-against-the-powershell-qilin-in-the-name/\r\nPage 1 of 32\r\nQilin’s victim count per month (based on the Ransomfeed API).\r\nThe USA is by far the most targeted country, with over 300 victims, and the group is particularly dangerous because it targets every sector. 
However, most of its victims are in the professional services, manufacturing, healthcare and technology industries; over half of the victims belong to one of these sectors.\r\nCountries with the most victims of Qilin (based on the Ransomfeed API).\r\nSectors with the most victims of Qilin (based on the Ransomfeed API).\r\nThe group runs a .onion page that lists its victims and leaks the data of those who refused to pay the ransom.\r\nQilin’s blog\r\nAccording to Group-IB, the typical infection chain starts with spear-phishing.\r\nRansomware analysis\r\nThis section focuses on the technical aspects of the ransomware.\r\nConfiguration\r\nQilin handles two configuration sources: one embedded in the executable and one passed as command-line arguments.\r\nEmbedded configuration\r\nThe embedded configuration contains the following information:\r\npublic_rsa_pem\r\nprivate_rsa_pem : empty\r\ndirectory_black_list : a list of directory names which should not be encrypted\r\nfile_black_list : a list of file names which should not be encrypted\r\nfile_pattern_black_list : a list of keywords; a file whose name contains one of them is presumably skipped (not confirmed)\r\nprocess_black_list : purpose not established\r\nwin_services_black_list : purpose not established\r\ncompany_id : an identifier for the victim company generated by Qilin. It is appended to encrypted files as their new extension (see Encryption below).\r\nn\r\np\r\nfast\r\nskip\r\nstep\r\naccounts : a mapping of leaked accounts to their cleartext passwords.\r\nnote : the ransom note.\r\npassword_hash : the hash of the password the operator must supply to run the executable.\r\nThe malware also seems able to handle the following configuration keys, which were not used:\r\nwhite_symlink_dirs\r\nwhite_symlink_subdirs\r\nThe RSA public key was tested for known weaknesses with RsaCtfTool; none were found.\r\nArguments\r\nQilin offers many arguments to customize its execution:\r\npassword : password required to execute the ransomware.\r\npaths\r\nips : encrypt remote machines.\r\ntimer : delay encryption (in seconds).\r\nno-sandbox : disable sandbox detection.\r\nno-escalate : disable privilege escalation.\r\nimpersonate : SID of the user to impersonate.\r\nsafe : restart the computer in safe mode (changes the user password and sets autologin).\r\nno-priority : disable the IO/CPU priority increase.\r\nno-admin : disable the admin token requirement.\r\nno-local : disable local computer encryption.\r\nno-domain : disable encryption of domain computers.\r\nno-mounted : disable encryption of mounted shares.\r\nno-network : disable encryption of network shares.\r\nno-ef : disable the extension filter.\r\nno-ff : disable the file filter.\r\nno-df : disable the directory filter.\r\nno-autostart : do not add persistence in the registry.\r\nno-proc : disable the process killer.\r\nno-services : disable the service killer.\r\nno-vm : disable the VM killer.\r\nkill-cluster : enable the cluster killer.\r\nno-extension : do not add an extension to encrypted files.\r\nno-wallpaper : disable the wallpaper change.\r\nno-note : disable ransom note dropping.\r\nno-delete\r\nno-destruct\r\nno-zero\r\nprint-image\r\nprint-delay\r\nforce\r\ndebug : print logs to the console.\r\nno-logs\r\nfde\r\nspread : spread to domain computers using PsExec.\r\nspread-vcenter : spread a payload to ESXi hosts through vCenter.\r\ndry-run\r\nlogs\r\nescalated\r\nparent-sid\r\nspread-process\r\nDefense mechanisms\r\nQilin contains several defense mechanisms, both to avoid detection and to prevent the sample from being run by an unauthorized person.\r\nPacking (T1027.002, T1055.002)\r\nThe main executable is an unpacker for Qilin: it loops over its memory and unpacks it with XOR and AND operations using hardcoded operands.\r\nUnpacking routine\r\nQilin then copies each section into a memory buffer using memcpy.\r\n.edata section being copied to the buffer at ECX.\r\nAfterwards, it makes the code executable, calls the unpacked Qilin’s tls_callback_0, tls_callback_1 and tls_callback_2, and then calls the entry point.\r\nCalling TLS callbacks using a loop (addresses can be seen in the hex view).\r\nCalling the entry point of the unobfuscated malware.\r\nPassword (T1497)\r\nThe second layer of protection is a password. The operator must provide it to the executable with --password. The input is hashed with SHA-256 and compared to the password hash stored in the malware configuration. 
If the hashes don’t match, the executable logs an error and exits.\r\nSHA256 constants\r\nAdmin check\r\nThe malware then checks whether the process runs with elevated privileges, using the GetCurrentProcess, OpenProcessToken and GetTokenInformation APIs.\r\nSandbox evasion (T1497.001)\r\nThe malware gathers information about the host to determine whether it is running in a virtual machine.\r\nFirst, it queries processor information with the cpuid instruction and EAX=1 (ECX bit 31 of that leaf is the hypervisor-present bit).\r\nA second check uses cpuid with EAX=0x40000000, this time looking for one of the hypervisor vendor IDs Microsoft Hv, VMwareVMware, VBoxVBoxVBox, KVMKVMKVM, XenVMXenVM or lrpepyv vr. If Microsoft Hv is found, it additionally checks for the registry key HKLM\\SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters, which the Hyper-V integration services create inside a guest, to rule out a false positive: a physical host running the Hyper-V role or virtualization-based security also reports Microsoft Hv.\r\nA delay can also be specified with the --delay option (listed as timer in the arguments above) to postpone most capabilities of the ransomware, which can help outlast sandbox analysis. 
By default, the delay is 0 seconds.\r\nMutex (T1480.002)\r\nTo avoid running twice, Qilin creates a mutex whose name is the executable password. The mutex name is therefore an artefact worth capturing from a running sample’s handle table.\r\nPrivilege escalation\r\nAccess token manipulation (T1134)\r\nQilin raises its privileges by enabling SeDebugPrivilege, SeImpersonatePrivilege and SeIncreaseBasePriorityPrivilege on its token in a loop.\r\ntokenPrivileges.Privileges[0].Attributes is set to 2 (SE_PRIVILEGE_ENABLED).\r\nImpersonate\r\nA SID can be given with the --impersonate option to impersonate that user during encryption.\r\nImpact\r\nChange user password (T1098)\r\nIn --safe mode, Qilin changes the user password to the value of --password using NetUserSetInfo with level 1003 (USER_INFO_1003, which specifies a user password), then enables autologin through HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon (AutoAdminLogon, DefaultUserName, DefaultPassword).\r\nNetUserSetInfo(NULL, username, 1003, password, NULL)\r\nAutologin\r\nImpair defenses (T1562)\r\nSymbolic link behaviour is changed with fsutil behavior set SymlinkEvaluation R2R:1 and fsutil behavior set SymlinkEvaluation R2L:1, which lets the malware follow remote-to-remote and remote-to-local symbolic links and thus reach further network shares to encrypt.\r\nDisabling VSS (T1490)\r\nShadow copies are deleted with vssadmin.exe delete shadows /all /quiet, and the service is then disabled with wmic service where name='vss' call ChangeStartMode Disabled and net stop vss. The full sequence in the IOC section shows that the service is first set to Manual and started, so that the deletion can run, before it is stopped and disabled.\r\nLogs removal (T1562.002)\r\nEvent logs are continuously cleared by a PowerShell script that enumerates them with the Get-WinEvent cmdlet.\r\nEncryption (T1486, T1491.001)\r\nBefore encrypting, the malware collects information on storage devices (device type, whether it is DASD capable), volumes (mount points, whether it is a system volume), shares, and shortcuts on the desktop and in shares.\r\nTo improve performance, Qilin sets its CPU priority to Realtime, which SeIncreaseBasePriorityPrivilege allows.\r\nQilin encrypts in two passes, the first with ChaCha20 and the second with AES-256.\r\nChaCha20 and AES encryption blocks.\r\nBCryptGenRandom is used to generate the random material for both keys, with the algorithm chosen by the system (BCRYPT_USE_SYSTEM_PREFERRED_RNG). 
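\r\nReturning to the defense-impairment commands described above (symlink evaluation, VSS service manipulation, shadow copy deletion): they are plain command lines, which makes them the most reliably detectable step of the chain. The Python below is an added example, not part of the TEHTRIS post, that scores constructed process-creation records against those commands and correlates them per host; the record layout and the log lines are invented for the example and do not follow a real Sysmon or 4688 schema.\r\n
```python
# Added example: detection logic for the defense-impairment commands the post
# documents (fsutil SymlinkEvaluation, VSS service start-mode changes, shadow
# copy deletion), run over constructed process-creation records. Not code from
# the TEHTRIS post; the record layout (ts, host, user, cmdline) is an
# assumption, not a real Sysmon or 4688 schema.
from collections import defaultdict
from datetime import datetime

DQ = chr(34)   # double quote
SQ = chr(39)   # single quote

# (rule name, substring looked for in the normalised command line)
RULES = (
    ('symlink_r2r', 'fsutil behavior set symlinkevaluation r2r:1'),
    ('symlink_r2l', 'fsutil behavior set symlinkevaluation r2l:1'),
    ('vss_set_manual', 'call changestartmode manual'),
    ('vss_start', 'net start vss'),
    ('shadow_delete', 'delete shadows /all'),
    ('vss_stop', 'net stop vss'),
    ('vss_set_disabled', 'call changestartmode disabled'),
)
# wmic ChangeStartMode only counts when the targeted service is vss.
VSS_SERVICE_RULES = {'vss_set_manual', 'vss_set_disabled'}
# These alert on their own; the rest only in combination with another rule.
HIGH_RULES = {'shadow_delete', 'vss_set_disabled', 'symlink_r2r', 'symlink_r2l'}


def normalize(cmdline):
    # Lower-case, strip both quote styles, collapse whitespace, drop .exe so
    # vssadmin.exe and vssadmin compare equal.
    s = cmdline.replace(DQ, '').replace(SQ, '').lower()
    s = ' '.join(s.split())
    return s.replace('vssadmin.exe', 'vssadmin').replace('wmic.exe', 'wmic')


def classify(cmdline):
    # Name of the first rule the command line matches, or None.
    s = normalize(cmdline)
    for name, needle in RULES:
        if needle in s:
            if name in VSS_SERVICE_RULES and 'name=vss' not in s:
                continue   # start-mode change on some other service
            return name
    return None


def detect(events, window_seconds=300):
    # events: iterable of (iso_timestamp, host, user, cmdline).
    # Returns one (host, first_ts, sorted rule names) alert per host whose
    # hits inside window_seconds include a HIGH rule or at least two rules.
    hits = defaultdict(list)
    for ts, host, user, cmd in events:
        name = classify(cmd)
        if name:
            hits[host].append((datetime.fromisoformat(ts), name, user))
    alerts = []
    for host, items in hits.items():
        items.sort()
        for i, (t0, _, _) in enumerate(items):
            names = sorted({n for t, n, _ in items[i:]
                            if (t - t0).total_seconds() <= window_seconds})
            if len(names) >= 2 or names[0] in HIGH_RULES:
                alerts.append((host, t0.isoformat(), names))
                break
    return alerts


# Constructed sample telemetry: FS01 shows the full sequence from the post's
# IOC section; WS22 and BK01 carry look-alike benign activity.
SAMPLE_EVENTS = [
    ('2025-06-01T02:14:03', 'FS01', 'CORP/svc_backup', 'fsutil behavior set SymlinkEvaluation R2R:1'),
    ('2025-06-01T02:14:04', 'FS01', 'CORP/svc_backup', 'fsutil behavior set SymlinkEvaluation R2L:1'),
    ('2025-06-01T02:14:09', 'FS01', 'CORP/svc_backup', '''wmic service where name='vss' call ChangeStartMode Manual'''),
    ('2025-06-01T02:14:10', 'FS01', 'CORP/svc_backup', 'net start vss'),
    ('2025-06-01T02:14:12', 'FS01', 'CORP/svc_backup', 'vssadmin.exe delete shadows /all /quiet'),
    ('2025-06-01T02:14:15', 'FS01', 'CORP/svc_backup', 'net stop vss'),
    ('2025-06-01T02:14:16', 'FS01', 'CORP/svc_backup', '''wmic service where name='vss' call ChangeStartMode Disabled'''),
    ('2025-06-01T02:20:00', 'WS22', 'CORP/alice', '''wmic service where name='Spooler' call ChangeStartMode Disabled'''),
    ('2025-06-01T03:00:00', 'BK01', 'CORP/svc_backup', 'net stop vss'),
    ('2025-06-01T03:00:02', 'BK01', 'CORP/svc_backup', 'vssadmin list shadows'),
]

if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```
\r\nMatching on the whole sequence rather than on vssadmin alone also catches the ChangeStartMode Disabled step when the deletion was done another way, while a lone net stop vss from a backup agent does not alert by itself.\r\n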
If BCryptGenRandom fails, it falls back to RtlGenRandom.\r\nBCryptGenRandom(NULL, buffer, 32, BCRYPT_USE_SYSTEM_PREFERRED_RNG)\r\nChaCha20 is used to encrypt the data; this can be seen from the presence of the Brotli-compression constant, operations specific to ChaCha20 and a 32-bit counter.\r\nBrotli compression constant.\r\nChaCha20 operations (source).\r\nAES is used for the second round, with operations matching the OpenSSL AES implementation.\r\nFiles are renamed with the MoveFileExW API by appending the company ID from the embedded configuration to the file name, and a ransom note is dropped in each directory.\r\nEncrypted files in a directory and ransom note.\r\nOnce encryption is over, Qilin changes every user’s wallpaper and the lock screen to instructions for the victim.\r\nQilin’s wallpaper.\r\nSelf delete (T1070.004)\r\nQilin deletes itself once all encryption operations are over and the logs are cleared, to impair recovery and forensics.\r\nPersistence\r\nRegistry (T1547.001)\r\nA value under SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run is added to run the ransomware again at startup with the same arguments.\r\nLateral movement\r\nESXi (T1098, T1021.004; T1210, T1623)\r\nWith the spread-vcenter option, Qilin spreads a payload to ESXi hosts using vCenter credentials. It disables HA and DRS on all clusters, changes the user’s password and enables SSH on all hosts. Finally, it uploads and runs the payload on these hosts. The path to the payload and the credentials are given by the operator on the command line. The esxcli command in the IOC section, which sets /User/execInstalledOnly to 0, lifts the ESXi restriction that only VIB-installed binaries may execute, so that the uploaded payload can run.\r\nPowerShell script capable of spreading a payload to ESXi hosts.\r\nA comment in the PowerShell script shows the developer’s frustration with PowerShell.\r\nDomain computers (T1588.002, T1021.002)\r\nQilin can also spread to other computers via PsExec with the --spread option, prompting the operator for user credentials.\r\nIOC\r\nSHA256\r\nd628914c72a4294d6b67126eb8b5a08fa4974d05469852cb7ef872721b207498\r\n5b358f7cb6c2f16badbb476f7fa7515d4c142a1c1c47e22ab058155aa3120ba1\r\n5acd1ff8da9958a032cf63fb27d5e4b71c201612461e039f44eb07b2cc6735c0\r\n381c3ed7a3b3d3017faaacb917c911aa266c2fb3e648f0e659222ec38148ee3c\r\n1e52d9f04f99be66d5bc13db767c6acb5f0515906633f76e5c713681af9454df\r\n1455a215def8fe3c7053a21e748d20bcef586014b3d000b9f8e64be6ed99addd\r\n033b4d28791b318fee5017e79c87c974ee621bae3b137d78ff11e2623ecf78a5\r\n02835451193c2232094b591b7ef52a18786bae3232330839e63631f077f4946b\r\nf52567ef22018ee7ef696ec1b28b99f019552827445425dd08e98195f6ac56fe\r\nf17c9c6b1f1e4434e2688fc0d25d0bca1efb89582c03028f787fa2b9f765c17a\r\ndb7b88dfbc16f4798b30c135a1e305d11b201ca3d9b600f2b2f3306f0ad32b18\r\nc3fec6dd70f15fdf0683473539f1bde4c24e1aa25d97555c3d330f77b1edc3f1\r\na58adc18c13c4c357039ee5cf5fa5e886a7efc6026350cb7087466d667b87263\r\n9983e9559790c6df67dc78157f65ee42320a9914c0b2cb7eb4b210e50266268c\r\n96de53f71a914113dd1e0ab030b3e0707101af10bd6de3c894ee328d6f175e94\r\n90bf9700d267b34aef7963ca51623daab9f4725253735a66e0a56c532f6b32c4\r\n906f88817e3bf1bd4e800cf798650f3a309c81ee9b78c2a37d9118ce2567ae3d\r\n8410f85c1710bfefccf0517cbbc91c0019073ced28d66539eeb596a9de8be1a9\r\n78b6552fe4e7afbd21d8494dd19c056e16316b7aabdbaf746f5511a2dc2c542c\r\n76dfbf622b6846653eff769e047efedc7a9fdbb00c939965d555da7aef460a5d\r\n690d584bb489f5de42077147b13d5431ef3cd36e429a90fcdfe02bc97fdbec85\r\n57e93d498dd91aebb7473950c12d8dc414aec39f6e3baa2a0b249649adf2ddc9\r\n340351639863a1c01eb0f8e34aafa2a5f36a7ee378c3cb112827ce3e9bfd7a87\r\n147ad250400bb8c5ec2f7542afc82491fd23d665b070db03c17022ec969024a6\r\n6316417fcd979c39a4da672ba3521f62081ff4dfebb868ef65a1f2dff9a738ea\r\nWritten files\r\n%TEMP%/QLOG/ThreadId(1).LOG\r\nRansom note\r\n-- Qilin\r\nYour network/system was encrypted.\r\nEncrypted files have new extension.\r\n-- Compromising and sensitive data\r\nWe have downloaded compromising and sensitive data from your system/network.\r\nOur group cooperates with the mass media.\r\nIf you refuse to communicate with us and we do not come to an agreement, your data will be reviewed and publishe\r\nBlog links:\r\nhttp://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion\r\nhttp://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion\r\nData includes:\r\n- Employees personal data, CVs, DL, SSN.\r\n- Complete network map including credentials for local and remote services.\r\n- Financial information including clients data, bills, budgets, annual reports, bank statements.\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format\r\n- And more...\r\n-- Warning\r\n1) If you modify files - our decrypt software won't be able to recover data\r\n2) If you use third party software - you can damage/modify files (see item 1)\r\n3) You need cipher key / our decrypt software to restore your files.\r\n4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your\r\n-- Recovery\r\n1) Download tor browser: https://www.torproject.org/download/\r\n2) Go to domain\r\n3) Enter credentials\r\nPlease note that communication with us is only possible via the website in the Tor browser, which is specified i\r\nAll other means of communication are not real and may be created by third parties, if such were not provided in\r\n-- Credentials\r\nExtension: neYfIA2niC\r\nDomain: \u003cCENSORED\u003e\r\nlogin: \u003cCENSORED\u003e\r\nESXCLI command\r\nesxcli system settings advanced set -o /User/execInstalledOnly -i 0\r\nWindows commands\r\nfsutil behavior set SymlinkEvaluation R2R:1\r\nfsutil behavior set SymlinkEvaluation R2L:1\r\nnet use\r\nwmic service where name='vss' call ChangeStartMode Manual\r\nnet start vss\r\nvssadmin.exe delete shadows /all /quiet\r\nnet stop vss\r\nwmic service where name='vss' call ChangeStartMode Disabled\r\nQilin blog\r\nhttp://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion\r\nhttp://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion\r\nDetection rules\r\nYara rule\r\nThe byte pattern below is the unpacker’s loop over the PE section table (0x28-byte IMAGE_SECTION_HEADER entries, with VirtualAddress at offset 0xC and SizeOfRawData at offset 0x10, tracking the highest section end in EBX), so the rule matches the packed stub on disk rather than the unpacked payload in memory.\r\nimport \"pe\"\r\nrule QilinRansomware : ransomware qilin {\r\n meta:\r\n author = \"TEHTRIS - Lefebvre Fabien\"\r\n description = \"Detects Qilin ransomware\"\r\n sha256 = \"d628914c72a4294d6b67126eb8b5a08fa4974d05469852cb7ef872721b207498\"\r\n strings:\r\n $sections = {\r\n // @loop\r\n 8b 72 10 // mov esi, [edx + 0x10]\r\n 8b 42 0c // mov eax, [edx + 0xc]\r\n 8d 7c 05 00 // lea edi, [ebp + eax]\r\n 01 f0 // add eax, esi\r\n 85 f6 // test esi, esi\r\n 0f 44 c7 // cmovz eax, edi\r\n 39 c3 // cmp ebx, eax\r\n 0f 42 d8 // cmovc ebx, eax\r\n 83 c1 01 // add ecx, 1\r\n 83 c2 28 // add edx, 0x28\r\n 39 4c 24 24 // cmp [esp + 0x24], ecx\r\n 75 de // JNZ @loop\r\n }\r\n condition:\r\n pe.is_pe and all of them\r\n}\r\nSource: https://tehtris.com/en/blog/rage-against-the-powershell-qilin-in-the-name/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://tehtris.com/en/blog/rage-against-the-powershell-qilin-in-the-name/"
	],
	"report_names": [
		"rage-against-the-powershell-qilin-in-the-name"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434642,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19813450c59d23b65d7e9d622d7830ed22a4bb59.pdf",
		"text": "https://archive.orkl.eu/19813450c59d23b65d7e9d622d7830ed22a4bb59.txt",
		"img": "https://archive.orkl.eu/19813450c59d23b65d7e9d622d7830ed22a4bb59.jpg"
	}
}