S1242: Qilin
Qilin is a ransomware family operated as a ransomware-as-a-service (RaaS) that has been active since at least 2022. It includes variants written in Go and Rust capable of targeting Windows, Linux, and VMware ESXi environments. Qilin shares functionality overlaps with Black Basta, REvil, and BlackCat ransomware. Qilin affiliates have targeted multiple entities worldwide with the majority of victims in the US, France, Canada, and the UK, primarily in the manufacturing, technology, financial services, and healthcare sectors.[1][2][3][4][5]
Analyst context for executives and security teams
Qilin matters because it is a ransomware-as-a-service family documented by ATT&CK as targeting Windows, Linux, and VMware ESXi environments, including variants written in Go and Rust. For leaders, the practical issue is not only endpoint encryption risk: the related ATT&CK behaviors point to credential access, discovery, lateral movement, remote execution, stealth, and file-transfer activity that can affect identity systems, server estates, virtualization hosts, and recovery operations.
Executive priority
Prioritize Qilin as an operational resilience and incident-readiness scenario, especially where ESXi, Windows servers, Linux systems, managed service access, or privileged administration paths support critical business services. The Water Galura relationship describes Qilin RaaS operations including payload generation, ransom negotiation, and publication of stolen data, so executive planning should cover both outage response and data-exposure decision-making. Security leaders should ask whether backup recoverability, privileged access controls, remote administration monitoring, and evidence retention are strong enough to support a ransomware investigation and recovery.
Technical view
ATT&CK provides no dedicated detection text for this software, so defenders should validate coverage through the related techniques. On Windows, confirm visibility for LSASS access, registry queries, WMI, PowerShell, command shell, scheduled tasks, DLL injection, SMB/admin share use, service/task masquerading, file deletion, process discovery, local/domain account discovery, and remote system discovery. On Linux and ESXi, confirm visibility for SSH use, system/process/network discovery, file and directory enumeration, file-transfer protocol activity, masqueraded resource names or locations, and deletion activity. Treat Qilin coverage as a behavior chain rather than a single malware-signature problem.
Likely telemetry
- Endpoint process creation and command-line telemetry on Windows, Linux, and ESXi where available
- Windows Security, PowerShell, WMI, Task Scheduler, service-control, registry, and LSASS access events
- EDR telemetry for process injection, suspicious file creation, masquerading, and file deletion
- SMB/admin share access logs and Windows authentication events
- SSH authentication and session logs for Linux and ESXi hosts
Detection direction
- Map detections to the related ATT&CK techniques rather than relying on the malware name alone, because the official object does not provide detection guidance.
- Prioritize chained analytics: credential access or account discovery followed by remote execution, SMB or SSH lateral movement, discovery, file deletion, and ransomware-like file activity.
- Tune administrative-tool detections carefully because WMI, PowerShell, command shell, SSH, SMB, scheduled tasks, and service management have legitimate operational use.
- Validate ESXi visibility specifically; many organizations have weaker telemetry on hypervisors than on standard endpoints.
- Review blind spots in privileged account monitoring, remote management tooling, Linux logging, and file-transfer protocol monitoring.
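The chained analytic the list above calls for, as an added example (Python, not code from ATT&CK, Glexia, or any vendor cited on this page), run over constructed Sysmon-style process-creation events. The event fields `host`, `time` and `cmdline`, the 30-minute window, the three-stage threshold, and every sample command line are assumptions; the regexes paraphrase procedures from the technique table (vssadmin shadow deletion, the WMIC VSS start-mode change, the TVInstallRestore logon task, the asterisk-prefixed RunOnce value, PsExec with `-accepteula`, domain user and group enumeration). Staging a Safe Mode reboot through `bcdedit /set safeboot` is my assumption about how T1688 would surface in telemetry; the page itself does not name the command. The patterns are deliberately narrow and are a starting point, not coverage.

```python
"""Chained analytic for Qilin-style ransomware staging on Windows hosts.

Added example, not ATT&CK or vendor code. Events are constructed Sysmon-style
process-creation records; the field names host/time/cmdline are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> [(regex over the lowercased command line, ATT&CK ID)].
# Patterns paraphrase procedures from the technique table; they are not exhaustive.
STAGES = {
    "discovery": [
        (r"\bnet1?(\.exe)?\s+(user|group)\b.*\s/domain\b", "T1087.002"),
        (r"\bget-ad(user|group|computer)\b", "T1087.002"),
        (r"\bnet1?(\.exe)?\s+user\b(?!.*/domain)", "T1087.001"),
    ],
    "remote_exec": [
        (r"\bpsexec(\.exe)?\s+-accepteula\s+\\\\", "T1021.002"),
    ],
    "recovery_inhibition": [
        (r"\bvssadmin(\.exe)?\s+delete\s+shadows\s+/all\b", "T1490"),
        (r"\bwmic(\.exe)?\s+service\s+where\s+name=.vss.\s+call\s+changestartmode", "T1047"),
        (r"\bbcdedit(\.exe)?\s+/set\b.*\bsafeboot\b", "T1688"),  # assumed staging command
    ],
    "persistence": [
        (r"\bschtasks(\.exe)?\s+/create\b.*\s/sc\s+onlogon\b", "T1053.005"),
        (r"\breg(\.exe)?\s+add\b.*\\runonce\b.*\s/v\s+\*", "T1547.001"),
    ],
}


def _masqueraded_task(cl):
    """T1036.004: task named after remote-support software whose target binary
    lives outside that vendor's install directory (e.g. TVInstallRestore)."""
    if "schtasks" not in cl or "/create" not in cl:
        return False
    m_tn = re.search(r'/tn\s+"?([^\s"]+)', cl)
    m_tr = re.search(r'/tr\s+"?([^"]+?)"?(\s+/|$)', cl)
    name = m_tn.group(1) if m_tn else ""
    target = m_tr.group(1) if m_tr else ""
    brand = any(k in name or k in target for k in ("teamviewer", "tvinstall"))
    return brand and not target.startswith(r"c:\program files")


def classify(cmdline):
    """Return [(stage, technique_id)] for one process command line."""
    cl = cmdline.lower()
    hits = [(stage, tid) for stage, pats in STAGES.items()
            for pat, tid in pats if re.search(pat, cl)]
    if _masqueraded_task(cl):
        hits.append(("persistence", "T1036.004"))
    return hits


def correlate(events, window=timedelta(minutes=30), min_stages=3):
    """Per host, alert when >= min_stages distinct stages land inside `window`
    and one of them is recovery inhibition (the pre-encryption tell)."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        for stage, tid in classify(ev["cmdline"]):
            by_host[ev["host"]].append((ev["time"], stage, tid))
    alerts = []
    for host, hits in by_host.items():
        for t0, _, _ in hits:
            span = [h for h in hits if t0 <= h[0] <= t0 + window]
            stages = {s for _, s, _ in span}
            if len(stages) >= min_stages and "recovery_inhibition" in stages:
                alerts.append({"host": host, "start": t0, "stages": sorted(stages),
                               "techniques": sorted({t for _, _, t in span})})
                break  # one alert per host is enough to open a case
    return alerts


def _t(hhmm):
    return datetime(2025, 10, 1, int(hhmm[:2]), int(hhmm[3:]))  # constructed day


SAMPLE_EVENTS = [  # constructed, modelled on the procedures in the technique table
    {"host": "WS01", "time": _t("10:00"), "cmdline": r"net user /domain"},
    {"host": "WS01", "time": _t("10:03"), "cmdline": r'powershell.exe -c "Get-ADGroup -Filter *"'},
    {"host": "WS01", "time": _t("10:10"), "cmdline": r"cmd /C PsExec.exe -accepteula \\10.0.0.5 -c -f -h -d -i C:\Users\Public\enc.exe"},
    {"host": "WS01", "time": _t("10:12"), "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "time": _t("10:12"), "cmdline": r'wmic service where name="VSS" call ChangeStartMode StartMode=Manual'},
    {"host": "WS01", "time": _t("10:15"), "cmdline": r'schtasks /create /TN TVInstallRestore /SC ONLOGON /TR "C:\Users\Public\TeamViewer_Host_Setup.exe" /RU SYSTEM'},
    {"host": "WS01", "time": _t("10:16"), "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v *aster /t REG_SZ /d C:\Users\Public\enc.exe /f"},
    {"host": "WS01", "time": _t("10:17"), "cmdline": r"bcdedit /set {default} safeboot network"},
    # benign administration on a file server: must not alert
    {"host": "SRV-FILE", "time": _t("02:00"), "cmdline": r"vssadmin list shadows"},
    {"host": "SRV-FILE", "time": _t("02:01"), "cmdline": r'schtasks /create /TN NightlyBackup /SC DAILY /ST 02:30 /TR "C:\Program Files\Backup\backup.exe"'},
    {"host": "SRV-FILE", "time": _t("02:05"), "cmdline": r"net user"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["host"], a["start"], a["stages"], a["techniques"])
```

With the constructed input only WS01 alerts: four stages inside the window, including shadow deletion and the VSS start-mode change. SRV-FILE, which lists shadows, registers a daily backup task and runs a local `net user`, reaches one stage and stays quiet. Raise `min_stages` or shrink the window where administrators routinely run PsExec and `net user /domain` from the same hosts, and add the SSH, `chmod +x` and vCenter HA/DRS procedures from the table as a separate Linux/ESXi stage set.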
Mitigation priorities
- Harden privileged access first: reduce standing admin rights, monitor privileged sessions, and protect credentials that could enable LSASS access or lateral movement.
- Restrict and monitor remote administration paths including SMB/admin shares, SSH, WMI, PowerShell, and scheduled task creation.
- Improve segmentation around critical servers, ESXi hosts, backup infrastructure, and identity systems.
- Ensure recoverable, protected backups and test restoration procedures for Windows, Linux, and virtualization workloads.
- Standardize logging and retention for endpoints, servers, ESXi, identity infrastructure, and network controls before an incident.
Analyst notes and limits
The strongest decision value is to use Qilin as a ransomware readiness test across Windows, Linux, and ESXi. ATT&CK associates the software with many techniques spanning discovery, execution, lateral movement, credential access, stealth, command-and-control, persistence, and privilege escalation, even though the malware object itself lists no tactics. The group relationships include Moonstone Sleet using Qilin and Water Galura operating Qilin RaaS; these relationships should inform threat-intelligence context, not automatic attribution in a local incident.
Official detection guidance is not provided in the supplied ATT&CK fields. This take does not claim active exploitation, local customer exposure, or guaranteed detection coverage. Control priority and detection quality must be validated against the organization’s actual platforms, logging depth, administrative practices, and incident history.
Qilin
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.013 | Encrypted/Encoded File | Qilin can employ several code obfuscation methods, including renaming functions, altering control flows, and encrypting strings. (Citation: HC3 Qilin Threat Profile JUN 2024) |
| Enterprise | T1082 | System Information Discovery | Qilin can detect whether a system is running FreeBSD, VMkernel (ESXi), Nutanix AHV, or a standard Linux distribution to enable platform-specific encryption behaviors. (Citation: Trend Micro Agenda Ransomware OCT 2025) |
| Enterprise | T1134 | Access Token Manipulation | |
| Enterprise | T1480.002 | Mutual Exclusion | Qilin can create a mutex to ensure only one instance is running. (Citation: Halcyon Qilin.B OCT 2024) |
| Enterprise | T1547.004 | Winlogon Helper DLL | Qilin can configure a Winlogon registry entry. (Citation: Trend Micro Agenda Ransomware AUG 2022) |
| Enterprise | T1529 | System Shutdown/Reboot | Qilin can initiate a reboot of the backup server to hinder recovery. (Citation: Picus Qilin MAR 2025) |
| Enterprise | T1071.002 | File Transfer Protocols | Qilin can use WinSCP for the secure file transfer of the Linux ransomware binary to a targeted system. (Citation: Trend Micro Agenda Ransomware OCT 2025) |
| Enterprise | T1087.001 | Local Account | Qilin can list all local users found on a targeted system. (Citation: Trend Micro Agenda Ransomware AUG 2022) |
| Enterprise | T1489 | Service Stop | Qilin can terminate specific services on compromised hosts. (Citation: Trend Micro Agenda Ransomware AUG 2022) (Citation: Halcyon Qilin.B OCT 2024) (Citation: HC3 Qilin Threat Profile JUN 2024) (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1566.002 | Spearphishing Link | Qilin has been delivered via malicious links in spearphishing emails. (Citation: SentinelOne Qilin NOV 2022) (Citation: Sophos Qilin MSP APR 2025) |
| Enterprise | T1047 | Windows Management Instrumentation | Qilin can use WMIC to change the Volume Shadow Copy Service (VSS) startup type to manual. (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1106 | Native API | Qilin can attempt to log on to the local computer via `LogonUserW` and use `GetLogicalDrives()` and `EnumResourceW()` for discovery. (Citation: Trend Micro Agenda Ransomware AUG 2022) (Citation: Halcyon Qilin.B OCT 2024) |
| Enterprise | T1036.004 | Masquerade Task or Service | Qilin has created a scheduled task named TVInstallRestore to mimic TeamViewer. (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1673 | Virtual Machine Discovery | Qilin can detect virtual machine environments including ESXi hosts, datacenters, and clusters within vCenter environments. (Citation: Halcyon Qilin.B OCT 2024) (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1548.002 | Bypass User Account Control | Qilin can bypass standard user access controls by using stolen tokens to launch processes at an elevated security context. (Citation: Picus Qilin MAR 2025) |
| Enterprise | T1480 | Execution Guardrails | Qilin can require a specific password to be passed as a command-line argument during execution; it must match a pre-defined value in the configuration for execution to continue. (Citation: Picus Qilin MAR 2025) (Citation: Trend Micro Agenda Ransomware OCT 2025) |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Qilin has named its payload file TeamViewer_Host_Setup to disguise itself as a legitimate TeamViewer file. (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1057 | Process Discovery | Qilin can define specific processes to be terminated or left alone at execution. (Citation: Trend Micro Agenda Ransomware AUG 2022) (Citation: SentinelOne Qilin NOV 2022) (Citation: Halcyon Qilin.B OCT 2024) (Citation: HC3 Qilin Threat Profile JUN 2024) (Citation: Trend Micro Agenda Ransomware OCT 2025) (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1053.005 | Scheduled Task | Qilin has pushed scheduled tasks via Group Policy Objects (GPOs) for execution. (Citation: BushidoToken Qilin RaaS JUN 2024) (Citation: Trend Micro Agenda Ransomware AUG 2022) Qilin has also created a scheduled task named TVInstallRestore, configured to run at logon using the `/SC ONLOGON` argument. (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1112 | Modify Registry | Qilin can make Registry modifications to share networked drives between elevated and non-elevated processes and to increase the number of outstanding network requests per client. (Citation: Halcyon Qilin.B OCT 2024) (Citation: Picus Qilin MAR 2025) Qilin can also modify `HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper` to enable posting of ransom messages. (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1135 | Network Share Discovery | Qilin has the ability to list network drives. (Citation: Trend Micro Agenda Ransomware AUG 2022) (Citation: Halcyon Qilin.B OCT 2024) |
| Enterprise | T1685.005 | Clear Windows Event Logs | Qilin has the ability to clear Windows Event Logs. (Citation: Halcyon Qilin.B OCT 2024) (Citation: Sophos Qilin MSP APR 2025) |
| Enterprise | T1007 | System Service Discovery | Qilin can identify specific services for termination or to be left running at execution. (Citation: Trend Micro Agenda Ransomware AUG 2022) (Citation: SentinelOne Qilin NOV 2022) (Citation: HC3 Qilin Threat Profile JUN 2024) (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1570 | Lateral Tool Transfer | |
| Enterprise | T1055.001 | Dynamic-link Library Injection | Qilin can inject pwndll.dll, a patched DLL derived from the legitimate WICloader.dll, into svchost.exe for continuous execution. (Citation: Trend Micro Agenda Ransomware AUG 2022) |
| Enterprise | T1059.003 | Windows Command Shell | Qilin has run `cmd /C [PsExec] -accepteula \\IP Address -c -f -h -d -i C:\Users\xxx\` |
| Enterprise | T1012 | Query Registry | Qilin can check the `SystemStartOptions` value under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control` to determine if a machine is running in safe mode. (Citation: Trend Micro Agenda Ransomware AUG 2022) |
| Enterprise | T1069.002 | Domain Groups | Qilin can run PowerShell cmdlets to discover domain groups. (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1016 | System Network Configuration Discovery | Qilin can accept a command line argument identifying specific IPs. (Citation: Trend Micro Agenda Ransomware AUG 2022) |
| Enterprise | T1680 | Local Storage Discovery | Qilin has used `GetLogicalDrives()` and `EnumResourceW()` to locate mounted drives and shares. (Citation: Halcyon Qilin.B OCT 2024) |
| Enterprise | T1222 | File and Directory Permissions Modification | Qilin can use symbolic links to redirect file paths for remote and local objects and can use `chmod +x` to make its payload binary executable. (Citation: Picus Qilin MAR 2025) (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1486 | Data Encrypted for Impact | Qilin can use AES-256 or ChaCha20 for domain-wide encryption of victim servers and workstations and RSA-4096 or RSA-2048 to secure generated encryption keys. (Citation: Trend Micro Agenda Ransomware AUG 2022) (Citation: SentinelOne Qilin NOV 2022) (Citation: Picus Qilin MAR 2025) (Citation: BushidoToken Qilin RaaS JUN 2024) (Citation: Halcyon Qilin.B OCT 2024) (Citation: HC3 Qilin Threat Profile JUN 2024) (Citation: Trend Micro Agenda Ransomware OCT 2025) (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1204.001 | Malicious Link | Qilin has been executed by luring victims into clicking links in spearphishing emails. (Citation: SentinelOne Qilin NOV 2022) (Citation: Sophos Qilin MSP APR 2025) |
| Enterprise | T1190 | Exploit Public-Facing Application | Qilin has been delivered through exploitation of exposed applications and interfaces including Citrix and RDP. (Citation: SentinelOne Qilin NOV 2022) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Qilin has created a RunOnce autostart entry under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce` with the value `*aster = %Public%\enc.exe`, pointing to a dropped copy of itself in the Public folder; an asterisk prefix on a RunOnce value name makes Windows run the entry even in Safe Mode. (Citation: Trend Micro Agenda Ransomware AUG 2022) (Citation: Halcyon Qilin.B OCT 2024) (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1484.001 | Group Policy Modification | Qilin has pushed a scheduled task via a Group Policy Object for payload execution. (Citation: Trend Micro Agenda Ransomware AUG 2022) (Citation: BushidoToken Qilin RaaS JUN 2024) |
| Enterprise | T1021.004 | SSH | Qilin can enable SSH access on ESXi hosts. (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1003.001 | LSASS Memory | |
| Enterprise | T1678 | Delay Execution | Qilin has the ability to delay execution. (Citation: Trend Micro Agenda Ransomware OCT 2025) |
| Enterprise | T1204.002 | Malicious File | Qilin has been delivered to victims through spearphishing emails with malicious attachments. (Citation: SentinelOne Qilin NOV 2022) |
| Enterprise | T1083 | File and Directory Discovery | Qilin can exclude specific directories and files from encryption. (Citation: Trend Micro Agenda Ransomware AUG 2022) (Citation: Trend Micro Agenda Ransomware OCT 2025) |
| Enterprise | T1688 | Safe Mode Boot | Qilin can reboot targeted systems in safe mode to avoid detection. (Citation: Trend Micro Agenda Ransomware AUG 2022) (Citation: BushidoToken Qilin RaaS JUN 2024) |
| Enterprise | T1685 | Disable or Modify Tools | Qilin can terminate antivirus-related processes and services. (Citation: Trend Micro Agenda Ransomware AUG 2022) (Citation: SentinelOne Qilin NOV 2022) (Citation: Halcyon Qilin.B OCT 2024) (Citation: Picus Qilin MAR 2025) |
| Enterprise | T1018 | Remote System Discovery | Qilin can enumerate domain-connected hosts during its discovery phase. (Citation: Picus Qilin MAR 2025) (Citation: Sophos Qilin MSP APR 2025) (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1566.001 | Spearphishing Attachment | Qilin has been delivered to victims through malicious email attachments. (Citation: SentinelOne Qilin NOV 2022) |
| Enterprise | T1087.002 | Domain Account | Qilin can use PowerShell cmdlets to enumerate domain users. (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1490 | Inhibit System Recovery | Qilin can execute `vssadmin.exe delete shadows /all /quiet` to remove volume shadow copies and can disable High Availability (HA) and Distributed Resource Scheduler (DRS) in vCenter clusters. (Citation: Trend Micro Agenda Ransomware AUG 2022) (Citation: Halcyon Qilin.B OCT 2024) (Citation: Sophos Qilin MSP APR 2025) (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1070.004 | File Deletion | Qilin can delete itself from infected hosts after execution. (Citation: Halcyon Qilin.B OCT 2024) (Citation: Sophos Qilin MSP APR 2025) |
| Enterprise | T1491.001 | Internal Defacement | Qilin can set the wallpaper on compromised hosts to display a ransom message in each encrypted folder. (Citation: Sophos Qilin MSP APR 2025) (Citation: Trend Micro Agenda Ransomware OCT 2025) (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1059.001 | PowerShell | |
| Enterprise | T1219.002 | Remote Desktop Software | Qilin can use the Splashtop remote management service (SRManager.exe) to execute the Linux ransomware binary directly on Windows systems. (Citation: Trend Micro Agenda Ransomware OCT 2025) |
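For responders working from a registry export rather than live telemetry, the following added example (Python; not ATT&CK, Glexia, or vendor code) triages a `.reg` file for the registry artifacts in the rows above: an asterisk-prefixed RunOnce value such as `*aster` (T1547.001; the prefix makes the entry run even in Safe Mode, which is why it pairs with T1688), autoruns pointing into user-writable paths such as `%Public%`, a Safe Mode boot recorded in `SystemStartOptions` (the same value Qilin reads under T1012), and a desktop wallpaper (T1112 / T1491.001) replaced from a user-writable location. The export text is constructed, the parser handles only string (REG_SZ) values, and the list of user-writable paths is an assumption to extend per environment.

```python
"""Offline triage of a Windows .reg export for the Qilin registry artifacts in
the technique table: asterisk-prefixed RunOnce values, autoruns from
user-writable paths, a Safe Mode boot recorded in SystemStartOptions, and a
replaced desktop wallpaper.

Added example, not ATT&CK or vendor code. The .reg text below is constructed;
only string (REG_SZ) values are parsed, which is all these checks need.
"""
import re

AUTORUN_KEY = re.compile(r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run(once)?$")
USER_WRITABLE = ("\\users\\public\\", "%public%", "\\temp\\", "%temp%")  # assumption: extend per environment


def _unescape(s):
    # A .reg export writes a quote as \" and a backslash as \\ inside string values.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key_path: {value_name: string_value}} from a .reg export.
    dword:/hex: values and continuation lines are skipped on purpose."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$', line)
        if key is None or not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        reg[key][name] = _unescape(m.group(2))
    return reg


def _get(values, wanted):
    """Case-insensitive value lookup (registry value names are case-insensitive)."""
    for name, val in values.items():
        if name.lower() == wanted.lower():
            return val
    return ""


def triage(reg):
    """Return [(technique_id, key, value_name, reason)] for suspicious entries."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if AUTORUN_KEY.search(k):
            for name, val in values.items():
                if k.endswith("runonce") and name.startswith("*"):
                    findings.append(("T1547.001", key, name,
                                     "asterisk prefix makes the RunOnce entry run even in Safe Mode (pairs with T1688)"))
                if any(p in val.lower() for p in USER_WRITABLE):
                    findings.append(("T1547.001", key, name, "autorun target in user-writable path: " + val))
        elif k.endswith("\\system\\currentcontrolset\\control"):
            opts = _get(values, "SystemStartOptions")
            if "safeboot" in opts.lower():
                findings.append(("T1688", key, "SystemStartOptions", "last boot was Safe Mode: " + opts.strip()))
        elif k.endswith("\\control panel\\desktop"):
            wp = _get(values, "Wallpaper")
            if any(p in wp.lower() for p in USER_WRITABLE):
                findings.append(("T1491.001", key, "Wallpaper", "wallpaper replaced from user-writable path: " + wp))
    return findings


SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*aster"="C:\\Users\\Public\\enc.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"SystemStartOptions"=" NOEXECUTE=OPTIN  SAFEBOOT:NETWORK"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\Users\\Public\\wallpaper.jpg"
'''  # constructed export, not taken from a real host

if __name__ == "__main__":
    for tid, key, name, reason in triage(parse_reg(SAMPLE_REG)):
        print(f"{tid} {key} [{name}]: {reason}")
```

On the constructed export this yields four findings: two for `*aster` (the Safe Mode prefix and the `%Public%` target), one for the `SAFEBOOT` token in `SystemStartOptions`, and one for the wallpaper; the OneDrive autorun under the user's AppData is left alone. Export the hives with `reg export` or pull them from a forensic image before running this, and treat the user-writable path list as a tuning knob rather than a verdict.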
Groups, software, and campaigns
G1036: Moonstone Sleet
Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.[1]
G1050: Water Galura
Water Galura are the operators of the Qilin Ransomware-as-a-Service (RaaS) who handle payload generation, ransom negotiations, and the publication of stolen data for Qilin affiliates recruited on Russian cybercrime forums. Water Galura have been active since at least 2022 and use a double extortion model where they demand payment for providing decryption keys and for refraining from publishing the stolen data to their leak site.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 09bb6c248146… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Trend Micro Agenda Ransomware AUG 2022: Magdy, S. et al. (2022, August 25). New Golang Ransomware Agenda Customizes Attacks. Retrieved September 26, 2025.
- [2] SentinelOne Qilin NOV 2022: SentinelOne. (2022, November 30). Agenda (Qilin). Retrieved September 26, 2025.
- [3] BushidoToken Qilin RaaS JUN 2024: Thomas, W. (2024, June 12). Tracking Adversaries: The Qilin RaaS. Retrieved September 26, 2025.
- [4] Sophos Qilin MSP APR 2025: Bradshaw, A. et al. (2025, April 1). Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream. Retrieved September 26, 2025.
- [5] Trend Micro Agenda Ransomware OCT 2025: Trend Micro. (2025, October 23). Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques. Retrieved March 26, 2026.
- [6] Agenda (associated name for Qilin): (Citation: Sophos Qilin MSP APR 2025) (Citation: Trend Micro Agenda Ransomware AUG 2022) (Citation: SentinelOne Qilin NOV 2022) (Citation: Trend Micro Agenda Ransomware OCT 2025)
- [7] mitre-attack S1242: the MITRE ATT&CK source record for this software object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.