{
	"id": "f26f8691-6cda-4971-af69-f48381b2f15a",
	"created_at": "2026-04-29T02:21:00.720303Z",
	"updated_at": "2026-04-29T08:22:41.694096Z",
	"deleted_at": null,
	"sha1_hash": "3b61c9f1f78e75d95d7088fea052b7d465c6b29e",
	"title": "Uncovering Qilin attack methods exposed through multiple cases",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6254686,
	"plain_text": "Uncovering Qilin attack methods exposed through multiple cases\r\nBy Takahiro Takeda\r\nPublished: 2025-10-27 · Archived: 2026-04-29 02:14:02 UTC\r\nSunday, October 26, 2025 22:00\r\nIn the second half of 2025, the ransomware group Qilin has continued to publish victim information on its leak site at a pace of more than 40 cases per month, making it one of the most impactful ransomware groups worldwide. The manufacturing sector has been the most affected, followed by professional and scientific services, and wholesale trade.\r\nAlthough this could be a false flag, some of the scripts used by the attacker contained character encodings that point to Eastern Europe or a Russian-speaking region.\r\nTalos identified an open-source tool named Cyberduck, which enables file transfers to cloud servers, among the tools used for data exfiltration. In recent cases, Cyberduck has been widely abused by Qilin operators. Artifact logs also show the use of notepad.exe and mspaint.exe, which were used to view highly sensitive information.\r\nIn Qilin cases, we observed dual deployments: encryptor_1.exe spreads via PsExec across hosts, while encryptor_2.exe runs from one system to encrypt multiple network shares.\r\nSummary of Qilin Ransomware\r\nThe Qilin (formerly Agenda) ransomware group has been active since around July 2022. The group employs a double-extortion strategy, combining file encryption with the public disclosure of stolen information. Figure 1 illustrates the leak site used by the attackers to publish lists of compromised companies.\r\nhttps://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/\r\nPage 1 of 27\n\nFigure 1. Qilin ransomware leak site.\r\nOver the past several years, Qilin has expanded its operations and now ranks among the most prolific and damaging ransomware threats on a global scale. 
The group adopts a Ransomware-as-a-Service (RaaS) business model, in which it develops and distributes ransomware platforms and associated tools to affiliates, who in turn attack organizations worldwide.\r\nVictimology and prevalence\r\nCurrent reporting indicates that the most severely affected country is the United States, followed by Canada, the United Kingdom, France, and Germany.\r\nFigure 2. Countries affected by Qilin ransomware.\r\nFigure 3 illustrates the number of victims whose information was posted on the Qilin ransomware leak site. The number of postings peaked at 100 cases in June 2025, with a nearly equivalent figure recorded again in August. Although the number of victims fluctuates from month to month, every month except January recorded more than 40 cases. These findings indicate that Qilin continues to pose a persistent and significant threat.\r\nFigure 3. Number of victims listed on the Qilin ransomware leak site.\r\nThe most heavily affected sector is manufacturing, which accounts for approximately 23% of all reported cases, significantly outpacing other industries. The second most impacted sector is professional and scientific services, at around 18%. Wholesale trade ranks third, with about 10% of cases.\r\nIn the mid-range, several sectors that form part of social infrastructure (healthcare, construction, retail, education, and finance) each report similar levels of impact, averaging around 5%.\r\nAt the lower end, sectors such as services and primary industries show relatively few incidents, remaining below 2% on average.\r\nFigure 4. 
Sectors experiencing damage/impact.\r\nQilin ransomware attack flow\r\nIn 2025, Cisco Talos responded to multiple incidents related to Qilin ransomware. The overall attack flow is illustrated in Figure 5, and the following sections describe the tactics, techniques, and procedures (TTPs) observed in each phase.\r\nFigure 5. TTPs from VPN compromise to execution of Qilin ransomware.\r\nLatest Qilin TTPs\r\nInitial access\r\nTalos was unable to definitively identify a single, confirmed initial intrusion vector. However, in some cases we assess with moderate confidence that attackers abused administrative credentials leaked on the dark web to gain VPN access, and may also have used Group Policy (AD GPO) changes enabling RDP to reach victim networks.\r\nIn the incident illustrated in Figure 6, Talos confirmed that credentials had been exposed on the dark web. Approximately two weeks later, numerous NTLM authentication attempts were made against the VPN, possibly using the leaked credentials, and one of them succeeded. From the compromised VPN, the attackers made RDP connections to the domain controller and to the initially breached host. While this activity is temporally correlated with the earlier credential exposure, there is insufficient evidence to establish a definitive causal link between the two events.\r\nNotably, the VPN implicated in this case had no multi-factor authentication (MFA) configured, so any attacker holding valid credentials had unfettered access.\r\nFigure 6. 
Example case of initial intrusion via VPN.\r\nReconnaissance and discovery\r\nAfter gaining access to the victim’s network, the threat actor executed nltest.exe and net.exe to enumerate domain controllers and collect domain user information.\r\nnltest /dclist:\u003cDomain\u003e\r\nnet user \u003cUsername\u003e /domain\r\nIn addition, traces indicate that the adversary assessed the privileges of the current user with the whoami command, enumerated running processes such as explorer.exe with the tasklist command, and used the netscan tool for further reconnaissance.\r\nC:\\WINDOWS\\system32\\whoami.exe /priv\r\ntasklist /FI \"IMAGENAME eq explorer.exe\" /FO CSV /NH\r\nAs described in the “Qilin Ransomware” section below, execution of the ransomware itself also enumerates hostnames, domain users, groups, and privileges.\r\nCredential access and exfiltration\r\nIn the cases Talos examined, we identified a password-protected folder containing a collection of tools apparently intended for credential theft. Although the archive prevented full inspection of every file, its contents suggest use of Mimikatz, several password recovery utilities published by NirSoft, and custom script files.\r\nFigure 7. Contents of the folder containing tools for credential harvesting.\r\nThe \"!light.bat\" batch file includes a reg add command that modifies the WDigest registry setting. 
By setting \"UseLogonCredential\" to 1, Windows is configured to keep plaintext logon credentials in memory after authentication, a behavior that credential-dumping tools such as Mimikatz can exploit to extract user passwords.\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /f /\r\nAfter the reg add command, the batch file sequentially invoked netpass.exe, WebBrowserPassView.exe, BypassCredGuard.exe, SharpDecryptPwd, and finally Mimikatz. Within the script (see Figure 8), SharpDecryptPwd is configured to extract, redirect, and persist stored authentication data from multiple client applications, including WinSCP, Navicat, Xmanager, TeamViewer, FileZilla, Foxmail, TortoiseSVN, Google Chrome, RDCMan, and SunLogin, thereby consolidating harvested credentials for subsequent use or exfiltration.\r\nFigure 8. Credential collection from applications using SharpDecryptPwd.\r\nFollowing the execution of SharpDecryptPwd, !light.bat launched Mimikatz (Figure 9). The Mimikatz commands targeted a range of sensitive data and system functions, including clearing Windows event logs, enabling SeDebugPrivilege, extracting saved passwords from Chrome’s SQLite database, recovering credentials from previous logons, and harvesting credentials and configuration data related to RDP, SSH, and Citrix.\r\nFigure 9. Credential harvesting via Mimikatz.\r\npars.vbs formatted and consolidated the stolen data into a “result.txt” file, which was subsequently exfiltrated to an attacker-controlled SMTP server (Figure 10). 
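The command-line artifacts in this section, together with the registry, share, service, fsutil, shadow-copy and scheduled-task commands documented in the later sections of this post, lend themselves to straightforward process-creation detections. What follows is an added example and not Talos tooling: it runs a small rule set over constructed log lines and, separately, pairs the WDigest change with a credential tool started on the same host shortly afterwards, which is the sequence !light.bat exhibits. The timestamp|host|user|command log layout, the hostnames and the 30-minute pairing window are assumptions made for the example.

```python
# Added example (not Talos tooling): run a small rule set over process-creation
# telemetry for the command lines documented in this post, and pair the WDigest
# registry change with a credential tool started on the same host soon after.
# The log lines below are constructed; the timestamp|host|user|command layout
# and the 30-minute pairing window are assumptions, not any EDR's schema.
import re
from datetime import datetime, timedelta

# Rule name -> lowercase substrings that must ALL appear in the normalized command line.
RULES = {
    'wdigest-plaintext-creds':    ['reg add', 'wdigest', 'uselogoncredential', '/d 1'],
    'rdp-enabled-via-registry':   ['reg add', 'fdenytsconnections', '/d 0'],
    'restricted-admin-enabled':   ['reg add', 'disablerestrictedadmin', '/d 0'],
    'local-admin-group-add':      ['localgroup administrators', '/add'],
    'c-drive-shared-to-everyone': ['net share', 'c=c:', 'everyone'],
    'kernel-driver-service':      ['sc create', 'type=kernel'],
    'symlink-evaluation-relaxed': ['fsutil', 'symlinkevaluation', ':1'],
    'shadow-copies-deleted':      ['vssadmin', 'delete shadows'],
    'vss-service-disabled':       ['changestartmode', 'disabled', 'vss'],
    'logon-task-persistence':     ['schtasks', '/create', '/sc onlogon'],
    'event-logs-cleared':         ['get-winevent', 'clearlog'],
}

# Tools !light.bat chained after the WDigest change (Figures 8 and 9).
CRED_TOOLS = ['netpass.exe', 'webbrowserpassview.exe', 'bypasscredguard.exe',
              'sharpdecryptpwd', 'mimikatz']

def normalize(cmd):
    # Lowercase, collapse whitespace, and glue sc-style 'type= kernel' into 'type=kernel'.
    return re.sub('= +', '=', ' '.join(cmd.lower().split()))

def parse_event(line):
    ts, host, user, cmd = line.split('|', 3)
    return {'ts': datetime.fromisoformat(ts), 'host': host, 'user': user, 'cmd': cmd}

def match_rules(cmd):
    norm = normalize(cmd)
    return [name for name, needles in RULES.items() if all(n in norm for n in needles)]

def scan(lines):
    # One (host, rule, command) tuple per rule that fires; lines that match nothing are dropped.
    hits = []
    for ev in map(parse_event, lines):
        for rule in match_rules(ev['cmd']):
            hits.append((ev['host'], rule, ev['cmd']))
    return hits

def credential_chains(lines, window_minutes=30):
    # The WDigest tweak alone can be noisy; the batch file in this post follows it
    # with credential tools within seconds, so report (host, tool) pairs seen inside the window.
    events = sorted(map(parse_event, lines), key=lambda e: e['ts'])
    chains = []
    for i, ev in enumerate(events):
        if 'wdigest-plaintext-creds' not in match_rules(ev['cmd']):
            continue
        deadline = ev['ts'] + timedelta(minutes=window_minutes)
        for later in events[i + 1:]:
            if later['ts'] > deadline:
                break
            if later['host'] != ev['host']:
                continue
            tool = next((t for t in CRED_TOOLS if t in later['cmd'].lower()), None)
            if tool:
                chains.append((ev['host'], tool))
    return chains

# Constructed sample telemetry: one line per documented command, then benign look-alikes.
SAMPLE_LOG = [
    '2025-06-12T09:14:03|WS-042|CORP\\jdoe|reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f',
    '2025-06-12T09:14:05|WS-042|CORP\\jdoe|netpass.exe /stext pass.txt',
    '2025-06-12T09:14:09|WS-042|CORP\\jdoe|mimikatz.exe privilege::debug sekurlsa::logonpasswords',
    '2025-06-12T09:20:11|WS-042|CORP\\jdoe|reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    '2025-06-12T09:21:40|WS-042|CORP\\jdoe|net share c=c:\\ /grant:everyone,full',
    '2025-06-12T09:22:00|WS-042|CORP\\jdoe|net1 localgroup administrators backupadm /add',
    '2025-06-12T09:23:00|WS-042|CORP\\jdoe|reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD',
    '2025-06-12T09:30:02|FS-01|CORP\\svc_backup|sc create dark type= kernel binPath=dark.sys',
    '2025-06-12T09:31:15|FS-01|CORP\\svc_backup|cmd /C fsutil behavior set SymlinkEvaluation R2L:1',
    '2025-06-12T09:32:00|FS-01|CORP\\svc_backup|cmd /C vssadmin.exe Delete Shadows /all /quiet',
    '2025-06-12T09:32:03|FS-01|CORP\\svc_backup|cmd /C wmic service where name=vss call ChangeStartMode Disabled',
    '2025-06-12T09:40:00|FS-01|CORP\\svc_backup|schtasks /Create /TN TVInstallRestore /TR C:\\-INSTALLERS\\TeamViewer_Host_Setup.exe /SC ONLOGON',
    '2025-06-12T09:41:00|FS-01|CORP\\svc_backup|powershell $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | ForEach-Object { [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName) }',
    '2025-06-12T10:01:00|WS-042|CORP\\jdoe|net use',
    '2025-06-12T10:02:00|WS-042|CORP\\jdoe|schtasks /Create /TN NightlyReport /TR report.exe /SC DAILY',
    '2025-06-12T10:03:00|WS-042|CORP\\jdoe|reg add HKLM\\SOFTWARE\\Contoso\\App /v Telemetry /t REG_DWORD /d 0 /f',
    '2025-06-12T10:04:00|FS-01|CORP\\svc_backup|sc create monitorsvc binPath=C:\\svc\\monitor.exe start=auto',
]

if __name__ == '__main__':
    for host, rule, cmd in scan(SAMPLE_LOG):
        print(host, rule, cmd[:60])
    print('credential chains:', credential_chains(SAMPLE_LOG))
```

The substring rules are deliberately loose about argument order, since reg add and sc accept their switches in any order and the recovered commands on this page vary in spacing; the chain check is what turns the noisy WDigest write into a high-confidence signal. Feeding it real telemetry only requires replacing parse_event with your own field mapping.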
The pars.vbs script specifies the windows-1251 character encoding (Cyrillic), which may suggest that the attacker or operator is from Eastern Europe or a Russian-speaking region, although this could also be a false flag.\r\nFigure 10. pars.vbs code sending stolen data to an external SMTP server.\r\nArtifacts of exfiltration\r\nOnce collected, the targeted data was packaged with WinRAR, and in some cases the archives were exfiltrated using open-source software. Below are the actual arguments used to run WinRAR.exe: -ep1 excludes the base folder from the stored paths, and -r0 recurses into subdirectories only for wildcard file names, so explicitly named directories are not processed recursively.\r\nC:\\Program Files\\WinRAR\\WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- (followed by the target files and directories)\r\nFurthermore, Talos found that the attackers used mspaint.exe, notepad.exe, and iexplore.exe to open and inspect files while searching through numerous files for sensitive information.\r\nFigure 11. Selection of information stolen by the attacker.\r\nIn recent cases, the open-source software Cyberduck, which enables file transfers to cloud servers, has been widely abused by Qilin operators. By abusing legitimate cloud-based services for exfiltration, the attacker can hide their activity within trusted domains and legitimate web traffic. As shown in Figure 12, the Cyberduck history file indicates that a Backblaze host was specified as the destination and that a custom setting for split/multipart uploads was enabled to transfer large files.\r\nFigure 12. 
Excerpt of Cyberduck history file.\r\nPrivilege escalation and lateral movement\r\nUsing the stolen credentials described above, the threat actor proceeds with privilege escalation and lateral movement. Talos has observed compromised accounts accessing multiple IP addresses and their network shares, as well as numerous NTLM authentication attempts against many VPN accounts, possibly using the leaked credentials.\r\nAdditionally, to enable remote access they modify firewall settings, change RDP settings via the registry, and perform related activities such as using rdpclip.exe and similar mechanisms.\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f\r\nThe following command adds an account chosen by the attacker to the local Administrators group, granting full control over the system (the account name is not shown).\r\nC:\\Windows\\system32\\net1 localgroup administrators /add\r\nThey also create a network share named \"c\" that exposes the entire C: drive and grants Full Control to the Everyone group, allowing unrestricted access and modification.\r\nnet share c=c:\\ /grant:everyone,full\r\nT1219: Remote Access Software\r\nBefore the ransomware was executed, the attacker installed remote access software that differed from the Remote Monitoring and Management (RMM) tools the organization legitimately used. While Talos cannot definitively conclude that the installed RMM tools were used for lateral movement, traces of multiple RMM tools were observed, including AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, QuickAssist, and ScreenConnect. Figure 13 shows an excerpt of an actual ScreenConnect connection log, which indicates that ScreenConnect established a connection to the command and control (C2) server on port 8880.\r\nFigure 13. 
ScreenConnect installation and connections to attacker server (excerpt).\r\nDefense evasion\r\nObfuscated PowerShell\r\nFigure 14 and Figure 15 show two patterns of obfuscated PowerShell code that use numeric encoding to evade detection.\r\nFigure 14. Obfuscated PowerShell Cmd No. 1.\r\nFigure 15. Obfuscated PowerShell Cmd No. 2.\r\nBelow is the decoded output of the above code (the AMSI line is truncated here).\r\n[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}\r\ntry{\r\n[Ref].Assembly.GetType('Sys'+'tem.Man'+'agement.Aut'+'omation.Am'+'siUt'+'ils').GetField('am'+'siIni'+'tFailed',\r\n}catch{}\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD\r\nExecuting these commands makes three configuration changes:\r\n1. Disable AMSI\r\n2. Disable TLS certificate validation\r\n3. Enable Restricted Admin\r\nFirst, setting the amsiInitFailed field causes AMSI to stop scanning the content the PowerShell session subsequently runs, removing interference with payloads such as batch files and malware. Second, disabling TLS certificate validation removes a barrier to contacting malicious domains or C2 servers. Finally, setting DisableRestrictedAdmin to 0 enables Restricted Admin mode, which allows RDP authentication with an NT hash or Kerberos ticket instead of a password (pass-the-hash over RDP). Although passwords are not retained, NT hashes remain on the system and can be abused by an attacker to impersonate the user.\r\nDisable EDR\r\nTalos observed traces of attempts to disable EDR using multiple methods. Broadly speaking, we have frequently observed commands that directly execute the EDR’s \"uninstall.exe\" or attempt to stop services using the sc command. Attackers have also been observed running open-source tools such as dark-kill and HRSword. The commands below are traces of dark-kill usage. 
Instead of running in normal user mode, dark.sys is registered as a kernel driver service named dark and started. The traces also show that, as needed, attackers re-register the driver from a different path and finally delete the service to erase their tracks.\r\nsc create dark type= kernel binPath=dark.sys\r\nsc start dark\r\nsc create dark type= kernel binPath=C:\\Users\\\u003cuser\u003e\\Downloads\\DarkKill\\Debug\\dark.sys\r\nsc delete dark\r\nAdditionally, to execute \"HRSword.exe\", attackers run a batch file with administrator privileges through VBScript via mshta, specifying the runas option in ShellExecute. Because logs show that a shortcut file HRSword.lnk was created after 1.bat was executed, HRSword.exe may be launched via that .lnk file.\r\nmshta vbscript:CreateObject(Shell.Application).ShellExecute(cmd.exe,/c C:\\Users\\xx\\xxx\\HRSword\\HRSWOR~1.BAT ::,\r\nImpact and inhibit recovery\r\nBefore Qilin ransomware is executed, Talos has observed cases in which remote access tools such as a Cobalt Strike loader and SystemBC are run. Cobalt Strike was discovered on the compromised host earlier, but it is not clear whether Cobalt Strike was used to install SystemBC.\r\nCobalt Strike Loader\r\nThe Cobalt Strike loader Talos examined decrypts the encrypted payload contained in the .bss section of the binary shown in Figure 16, then deploys and executes the Cobalt Strike Beacon in memory.\r\nFigure 16. The encrypted payload contained in the .bss section.\r\nThe embedded encrypted payload is executed in memory following the flow shown in Figure 17. CreateThreadpoolWait and SetThreadpoolWait are Windows thread-pool APIs. 
Unlike the commonly used CreateThread API, which immediately creates a new thread and begins executing code at a specified address, they wait for an event or object state change and then run a worker callback automatically.\r\nIn this code, decrypted_buf is registered as the callback function via the arguments to CreateThreadpoolWait, creating a mechanism that invokes the callback when the wait object becomes signaled. After that, execute permission is granted with VirtualProtect, and a MessageBoxA call (shown in the figure and intended as an anti-sandbox measure) prompts for user interaction. When the user clicks OK, SetThreadpoolWait is called. Because EventA was created in the signaled state (bInitialState = 1), the decrypted code already mapped into memory runs immediately.\r\nFigure 17. The main process of the Cobalt Strike loader.\r\nFigure 18. Anti-sandboxing using the MessageBoxA API.\r\nFor decryption, a custom routine based on RC4 is implemented: the first 2,048 bytes are fully decrypted, and thereafter decryption proceeds in 32-byte units of which only the first 24 bytes are decrypted. The remaining 8 bytes of each unit stay encrypted, so this behavior differs from standard RC4 and a stock RC4 implementation will not reproduce the loader’s output beyond the first 2,048 bytes.\r\nFigure 19. The process of custom RC4.\r\nCobalt Strike Beacon\r\nThe Cobalt Strike Beacon deployed in memory is configured (according to its parsed config) as Cobalt Strike version 4.x, with Malleable C2 used to spoof HTTP headers. In this configuration the http_get_header and http_post_header include \"Host: ocsp.verisign.com\", separating the visible Host header from the actual destination so that the traffic appears to be OCSP or certificate distribution traffic. 
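Before the Beacon's network settings, the decryption routine of the loader above is worth writing out. The following is an added example and not the loader's code: a reference implementation of the custom RC4 variant, with the first 2,048 bytes handled as plain RC4 and each later 32-byte unit transformed only in its first 24 bytes. The key and the 4,096-byte payload are constructed, and because the post does not say whether the loader advances the keystream across the 8 untouched bytes of each unit, that choice is exposed as a parameter (consume_skipped) rather than assumed.

```python
# Added example, not the loader's own code: a reference implementation of the
# custom RC4 variant described above. Standard RC4 is applied to the first 2,048
# bytes; after that the data is handled in 32-byte units of which only the first
# 24 bytes are XORed with keystream and the trailing 8 are left untouched.
# The post does not say whether the loader advances the keystream for the 8
# skipped bytes, so that choice is a parameter here (default: not consumed).
# The key and payload below are constructed for the example.

FULL_PREFIX = 2048         # bytes decrypted with plain RC4 before the unit rule starts
UNIT = 32                  # size of each unit after the prefix
DECRYPTED_PER_UNIT = 24    # leading bytes of each unit that are actually transformed

def rc4_keystream(key):
    # Standard RC4: key scheduling, then a generator yielding PRGA output bytes.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % 256]

def rc4(key, data):
    # Plain RC4; XOR-based, so the same call encrypts and decrypts.
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)

def is_skipped(pos):
    # True for offsets the variant never transforms: the last 8 bytes of each
    # 32-byte unit beyond the 2,048-byte prefix.
    return pos >= FULL_PREFIX and (pos - FULL_PREFIX) % UNIT >= DECRYPTED_PER_UNIT

def custom_rc4(key, data, consume_skipped=False):
    # The loader's variant as described in the post. With consume_skipped=False the
    # keystream is used only for bytes that are transformed; with True it also
    # advances over skipped bytes (the other possible reading of the description).
    ks = rc4_keystream(key)
    out = bytearray(data)
    for pos in range(len(data)):
        if is_skipped(pos):
            if consume_skipped:
                next(ks)
            continue
        out[pos] ^= next(ks)
    return bytes(out)

def sample_payload():
    # Constructed 4,096-byte stand-in for an encrypted .bss blob (two prefix lengths).
    return bytes(range(256)) * 16

def check_variant(key=b'example-key'):
    # Relationships a practitioner can verify against a real dump: the prefix
    # matches plain RC4, skipped bytes are byte-identical to the input, and a
    # stock RC4 pass does not recover the tail.
    p = sample_payload()
    ct = custom_rc4(key, p)
    return {
        'roundtrip': custom_rc4(key, ct) == p,
        'prefix_is_plain_rc4': ct[:FULL_PREFIX] == rc4(key, p)[:FULL_PREFIX],
        'skipped_untouched': all(ct[i] == p[i] for i in range(len(p)) if is_skipped(i)),
        'stock_rc4_fails_tail': rc4(key, ct)[FULL_PREFIX:] != p[FULL_PREFIX:],
        'skipped_bytes': sum(1 for i in range(len(p)) if is_skipped(i)),
    }

if __name__ == '__main__':
    for name, value in check_variant().items():
        print(name, value)
```

When recovering a Beacon from such a loader, run custom_rc4 with both settings of consume_skipped against the .bss blob and keep the one that yields a valid PE or a parseable Beacon config. The first 2,048 bytes decode identically under both settings and under plain RC4, so a sane-looking header on its own does not tell the three apart.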
The Beacon’s communication is set to use HTTPS over TCP port 443 to the Team Server (C2).\r\nFigure 20. Output of the Cobalt Strike config parser 1768.py (excerpt).\r\nQilin Ransomware\r\nIn several cases, a variant of Qilin ransomware known as \"Qilin.B\" was used. This section describes its behavior. For more information, please refer to Halcyon’s analysis article published in October 2024.\r\nExecution method\r\nAttackers sometimes run only a single encryptor, but Talos has also observed cases where two encryptors are deployed. In those cases, the first, encryptor_1.exe, was distributed across the environment using PsExec (see the command below). This command copies the local \u003cencryptor_1\u003e.exe to the remote \\\\IP address, runs it with elevated privileges, and launches it without waiting for it to finish. The other, \"encryptor_2.exe\", is executed from a single system and targets multiple network shares.\r\ncmd /C [PsExec] -accepteula \\\\IP Address -c -f -h -d -i C:\\Users\\xxx\\\u003cencryptor_1\u003e.exe --password [PASSWORD] --spread --spread-process\r\nPowerShell commands executed\r\nA PowerShell command retrieves the hostnames of all computers from Active Directory (AD).\r\npowershell -Command Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DN\r\nAnother PowerShell command installs the Remote Server Administration Tools for AD (the RSAT-AD-PowerShell module) and runs PowerShell cmdlets related to Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). 
This enables enumeration of domain users, groups, and privileges.\r\nPowershell -Command ServerManagerCmd.exe -i RSAT-AD-PowerShell ; Install-WindowsFeature RSAT-AD-PowerShell ; Ad\r\nNext, the command Get-WinEvent -ListLog * is used to enumerate all event logs on the system. Logs that contain records (RecordCount is not 0) are selected, and the .NET EventLogSession.GlobalSession.ClearLog() method is called on each to wipe it entirely.\r\npowershell $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogN\r\nFinally, a hard-coded PowerShell script targets hosts in the virtualized environment. It connects to the vCenter server, enumerates all datacenters and clusters within the vCenter environment, and disables HA and DRS in the cluster configurations (see Figure 21).\r\nFigure 21. Disable-ClusterServices function.\r\nIt then enumerates all ESXi hosts, changes the root password, and enables SSH access. Finally, it uploads an arbitrary binary to the \"/tmp\" directory and executes it on every identified host: it makes the binary executable with \"chmod +x\", sets \"/User/execInstalledOnly\" to 0 via the $esxiRights command (allowing execution of unsigned binaries), and then runs the payload on all hosts using the Process-ESXis function.\r\nFigure 22. Process-ESXi function and Process-ESXis function (excerpt).\r\nFor lateral movement\r\nTo broaden the scope of file access and increase the impact when the ransomware is executed, the fsutil command is also run. This command controls how symbolic links are evaluated: R2R means Remote to Remote (a link on a network share pointing to another network share), and R2L means Remote to Local (a link on a network share pointing to a local path). 
By enabling each of these two settings, attackers achieve different effects. For example, with R2R a symbolic link on server A can reference files on another server B; with R2L, if a shared symbolic link on server A points to a local file, an attacker can reach that local file through the link. These commands may be executed via PsExec.\r\ncmd /C net use\r\ncmd /C fsutil behavior set SymlinkEvaluation R2R:1\r\ncmd /C fsutil behavior set SymlinkEvaluation R2L:1\r\nDelete backup\r\nThe ransomware starts the Volume Shadow Copy Service (VSS), changes its startup type to Manual, deletes all shadow copies (volume snapshots) maintained by VSS, and then stops the service and sets its startup type to Disabled so that no further snapshots can be created.\r\ncmd /C net start vss\r\ncmd /C wmic service where name='vss' call ChangeStartMode Manual\r\ncmd /C vssadmin.exe Delete Shadows /all /quiet\r\ncmd /C net stop vss\r\ncmd /C wmic service where name='vss' call ChangeStartMode Disabled\r\nRansom note\r\nThe ransom note shown in Figure 23 is created in each encrypted folder. The note primarily states that data has been compromised, includes a link to a leak site on a .onion address that requires a Tor connection, and provides a URL (specified by IP address) that can be accessed without Tor for victims who do not have a Tor environment. It also lists the types of data taken and warns about the consequences of ignoring the demands.\r\nIn addition, the 'Credential' section states that a unique company ID is assigned as the file extension for each victim company, and that the site at the domain URL shown in the note can be accessed with that unique login ID and password.\r\nFigure 23. Excerpt of Qilin ransom note.\r\nConfig\r\nThe config for Qilin ransomware includes file-encryption settings, service and process stop lists, and a list of entity-specific accounts. 
There are eight items, four of which are as follows:\r\n\"extension_black_list\" contains file extensions that will not be encrypted.\r\n\"extension_white_list\" specifies the extensions that this ransomware will explicitly encrypt.\r\n\"filename_black_list\" lists filenames that will not be encrypted.\r\n\"directory_black_list\" lists directories that will not be encrypted.\r\nWe also observed two lists named \"white_symlink_dirs\" and \"white_symlink_subdirs\". In the Qilin ransomware sample we analyzed, white_symlink_dirs is empty, and the only entry in white_symlink_subdirs is \"ClusterStorage\".\r\nClusterStorage is the directory name used by Windows Server Failover Clustering for Cluster Shared Volumes (CSV). CSVs commonly host an organization’s most critical files, such as Hyper-V virtual machines (VHDX) and databases. Listing subdirectories of ClusterStorage as explicit encryption targets shows that the ransomware is intended to increase impact by holding not only ordinary user directories but also virtualization and cluster infrastructure hostage. The fact that white_symlink_dirs is empty is likely intended to avoid following symbolic links that could cause infinite loops or double encryption.\r\n\"process_black_list\" and \"win_services_black_list\" specify processes and services to terminate, including those related to databases, backups, security, and remote management. Notably, as shown in Figure 24, this config also had a victim-environment-specific domain, username and password hardcoded. 
This indicates that the attackers preloaded reconnaissance information into the ransomware to facilitate privilege escalation and related activities.\r\nextension_black_list\r\n[\"themepack\", \"nls\", \"diapkg\", \"msi\", \"lnk\", \"exe\", \"scr\", \"bat\", \"drv\", \"rtp\", \"msp\", \"prf\", \"msc\", \"ico\", \"ke\r\n\"msstyles\", \"mod\", \"ps1\", \"ics\", \"hta\", \"bin\", \"cmd\", \"ani\", \"386\", \"lock\", \"cur\", \"idx\", \"sys\", \"com\", \"deskthe\r\nextension_white_list\r\n[\"mdf\", \"ldf\", \"bak\", \"vib\", \"vbk\", \"vbm\", \"vrb\", \"vmdk\", \"abk\", \"bkz\", \"sqb\", \"trn\", \"backup\", \"bkup\", \"old\",\r\nfilename_black_list\r\n[\"desktop.ini\", \"autorun.ini\", \"ntldr\", \"bootsect.bak\", \"thumbs.db\", \"boot.ini\", \"ntuser.dat\", \"iconcache.db\",\r\ndirectory_black_list\r\n[\"windows\", \"system volume information\", \"intel\", \"admin$\", \"ipc$\", \"sysvol\", \"netlogon\", \"$windows.~ws\", \"appl\r\nwhite_symlink_subdirs\r\n[\"ClusterStorage\"]\r\nprocess_black_list\r\n[\"vmms\", \"vmwp\", \"vmcompute\", \"agntsvc\", \"dbeng50\", \"dbsnmp\", \"encsvc\", \"excel\", \"firefox\", \"infopath\", \"isqlpl\r\nwin_services_black_list\r\n[\"vmms\", \"mepocs\", \"memtas\", \"veeam\", \"backup\", \"vss\", \"sql\", \"msexchange\", \"sophos\", \"msexchange\", \"msexchange\r\nAccounts\r\nFigure 24. Hardcoded victim-environment-specific domain, username and password.\r\nGenerating execution logs\r\nWhen running, the ransomware creates a QLOG folder in %TEMP% and writes multiple ThreadId({Number}).LOG files, which let the attacker inspect detailed logs of the encryption process.\r\nFigure 25. 
Contents of ThreadId({Number}).LOG (excerpt).\r\nChange wallpaper setting\r\nThe ransomware creates a JPG image under %TEMP% to be used as the wallpaper and modifies the following registry value.\r\nHKEY_CURRENT_USER\\Control Panel\\Desktop\\Wallpaper\r\n(Example)\r\nValue: C:\\%TEMP%ElSDJGep.jpg\r\nFigure 26. The wallpaper changed by the ransomware.\r\nPersistence\r\nAfter ransomware execution, the attacker achieves persistence through both task scheduling and registry modification. First, a scheduled task named \"TVInstallRestore\" is created and configured to run at logon using the /SC ONLOGON argument. To disguise itself as a legitimate tool, the ransomware file is named \"TeamViewer_Host_Setup – \u003cencryptor_2\u003e.exe\", leveraging the TeamViewer brand (TeamViewer had been installed as an RMM tool prior to the compromise). Second, to ensure the ransomware executes on every reboot, its executable is added as a value under the Run registry key. This combination of scheduled task and registry entry allows the ransomware to persist across system restarts and user logons.\r\nC:\\WINDOWS\\system32\\schtasks /Create /TN TVInstallRestore /TR \"C:\\-INSTALLERS\\TeamViewer_Host_Setup - \u003cencrypto\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue name: random lowercase letters\r\nValue data: C:\\Users\\Administrator\\Desktop\\\u003cencryptor_2\u003e.exe --password [PASSWORD] --no-admin;\r\nAppendix\r\nFigure 27. 
Summary of post-compromise TTPs/tool-usage workflow across multiple cases.\r\nMITRE ATT\u0026CK TTPs\r\nTactic: Technique / ID\r\nInitial Access: Valid Accounts — T1078\r\nInitial Access: External Remote Services — T1133\r\nCredential Access: Brute Force / Password Spraying — T1110 / T1110.003\r\nCredential Access: Credential Dumping — T1003\r\nDiscovery / Initial Access: Domain Trust Discovery — T1482\r\nDiscovery: Remote System Discovery — T1018\r\nDiscovery: Account Discovery — Domain Accounts (T1087.002)\r\nDiscovery: System Owner/User Discovery — T1033\r\nDiscovery: Process Discovery — T1057\r\nDiscovery / Permissions: File and Directory Permissions Modification — T1222 (Windows: T1222.001)\r\nDiscovery / Network: Network Service Discovery / Network Service Scanning — T1046 / T1018\r\nDiscovery / System Information: System Information Discovery — T1082\r\nDiscovery / Execution: Command and Scripting Interpreter — PowerShell — T1059.001 / T1086\r\nExfiltration: Exfiltration Over C2 Channel — T1048\r\nExfiltration: Transfer Data to Cloud Account — T1537\r\nLateral Movement / Privilege Escalation / Defense Evasion: Domain or Tenant Policy Modification — Group Policy Modification (T1484.001)\r\nLateral Movement: Remote Desktop Protocol (RDP) — T1021.001\r\nLateral Movement: SMB/Windows Admin Shares — T1021.002\r\nResource / Ingress: Ingress Tool Transfer — T1105\r\nDefense Evasion / Impair Defenses: Disable or Modify Tools — T1562.001 (Impair Defenses)\r\nDefense Evasion: Clear Windows Event Logs — T1070.001\r\nImpact / Inhibit Recovery: Inhibit System Recovery — T1490\r\nImpact / Defense Evasion: Service Stop — T1489\r\nImpact: Command and Control — TA0011\r\nImpact: Data Encrypted for Impact — T1486\r\nPersistence / Registry: Modify Registry — T1112 (Modify Registry)\r\nPersistence: Scheduled Task/Job — 
T1053\r\nPersistence / Boot or Logon Autostart: Registry Run Keys / Startup Folder — T1547.001\r\nCoverage\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nCisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nSnort SIDs for the threats are: 65446\r\nClamAV detections are also available for this threat:\r\nWin.Ransomware.Qilin-10044197-0\r\nWin.Trojan.Systembc-10058229-0\r\nWin.Loader.CobaltStrike-10058228-0\r\nWin.Dropper.Mimikatz-9778171-1\r\nIndicators of compromise (IOCs)\r\nThe IOCs can also be found in our GitHub repository here.\r\nSource: https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/"
	],
	"report_names": [
		"uncovering-qilin-attack-methods-exposed-through-multiple-cases"
	],
	"threat_actors": [],
	"ts_created_at": 1777429260,
	"ts_updated_at": 1777450961,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b61c9f1f78e75d95d7088fea052b7d465c6b29e.pdf",
		"text": "https://archive.orkl.eu/3b61c9f1f78e75d95d7088fea052b7d465c6b29e.txt",
		"img": "https://archive.orkl.eu/3b61c9f1f78e75d95d7088fea052b7d465c6b29e.jpg"
	}
}