Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S1242: Qilin

Qilin is a ransomware family operated as a ransomware-as-a-service (RaaS) that has been active since at least 2022. It includes variants written in Go and Rust capable of targeting Windows, Linux, and VMware ESXi environments. Qilin shares functionality overlaps with Black Basta, REvil, and BlackCat ransomware. Qilin affiliates have targeted multiple entities worldwide with the majority of victims in the US, France, Canada, and the UK, primarily in the manufacturing, technology, financial services, and healthcare sectors.[1][2][3][4][5]

EnterpriseS1242MalwareObject v2.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Qilin matters because it is a ransomware-as-a-service family documented by ATT&CK as targeting Windows, Linux, and VMware ESXi environments, including variants written in Go and Rust. For leaders, the practical issue is not only endpoint encryption risk: the related ATT&CK behaviors point to credential access, discovery, lateral movement, remote execution, stealth, and file-transfer activity that can affect identity systems, server estates, virtualization hosts, and recovery operations.

Executive priority

Prioritize Qilin as an operational resilience and incident-readiness scenario, especially where ESXi, Windows servers, Linux systems, managed service access, or privileged administration paths support critical business services. The Water Galura relationship describes Qilin RaaS operations including payload generation, ransom negotiation, and publication of stolen data, so executive planning should cover both outage response and data-exposure decision-making. Security leaders should ask whether backup recoverability, privileged access controls, remote administration monitoring, and evidence retention are strong enough to support a ransomware investigation and recovery.

Technical view

ATT&CK provides no dedicated detection text for this software, so defenders should validate coverage through the related techniques. On Windows, confirm visibility for LSASS access, registry queries, WMI, PowerShell, command shell, scheduled tasks, DLL injection, SMB/admin share use, service/task masquerading, file deletion, process discovery, local/domain account discovery, and remote system discovery. On Linux and ESXi, confirm visibility for SSH use, system/process/network discovery, file and directory enumeration, file-transfer protocol activity, masqueraded resource names or locations, and deletion activity. Treat Qilin coverage as a behavior chain rather than a single malware-signature problem.

Likely telemetry

  • Endpoint process creation and command-line telemetry on Windows, Linux, and ESXi where available
  • Windows Security, PowerShell, WMI, Task Scheduler, service-control, registry, and LSASS access events
  • EDR telemetry for process injection, suspicious file creation, masquerading, and file deletion
  • SMB/admin share access logs and Windows authentication events
  • SSH authentication and session logs for Linux and ESXi hosts

Detection direction

  • Map detections to the related ATT&CK techniques rather than relying on the malware name alone, because the official object does not provide detection guidance.
  • Prioritize chained analytics: credential access or account discovery followed by remote execution, SMB or SSH lateral movement, discovery, file deletion, and ransomware-like file activity.
  • Tune administrative-tool detections carefully because WMI, PowerShell, command shell, SSH, SMB, scheduled tasks, and service management have legitimate operational use.
  • Validate ESXi visibility specifically; many organizations have weaker telemetry on hypervisors than on standard endpoints.
  • Review blind spots in privileged account monitoring, remote management tooling, Linux logging, and file-transfer protocol monitoring.

Mitigation priorities

  • Harden privileged access first: reduce standing admin rights, monitor privileged sessions, and protect credentials that could enable LSASS access or lateral movement.
  • Restrict and monitor remote administration paths including SMB/admin shares, SSH, WMI, PowerShell, and scheduled task creation.
  • Improve segmentation around critical servers, ESXi hosts, backup infrastructure, and identity systems.
  • Ensure recoverable, protected backups and test restoration procedures for Windows, Linux, and virtualization workloads.
  • Standardize logging and retention for endpoints, servers, ESXi, identity infrastructure, and network controls before an incident.
Analyst notes and limits

The strongest decision value is to use Qilin as a ransomware readiness test across Windows, Linux, and ESXi. ATT&CK associates the software with many techniques spanning discovery, execution, lateral movement, credential access, stealth, command-and-control, persistence, and privilege escalation, even though the malware object itself lists no tactics. The group relationships include Moonstone Sleet using Qilin and Water Galura operating Qilin RaaS; these relationships should inform threat-intelligence context, not automatic attribution in a local incident.

Official detection guidance is not provided in the supplied ATT&CK fields. This take does not claim active exploitation, local customer exposure, or guaranteed detection coverage. Control priority and detection quality must be validated against the organization’s actual platforms, logging depth, administrative practices, and incident history.

Official MITRE ATT&CK definition

Qilin

Qilin is a ransomware family operated as a ransomware-as-a-service (RaaS) that has been active since at least 2022. It includes variants written in Go and Rust capable of targeting Windows, Linux, and VMware ESXi environments. Qilin shares functionality overlaps with Black Basta, REvil, and BlackCat ransomware. Qilin affiliates have targeted multiple entities worldwide with the majority of victims in the US, France, Canada, and the UK, primarily in the manufacturing, technology, financial services, and healthcare sectors.[1][2][3][4][5]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

52 rows
Domain ID Name Relationship / procedure
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

Qilin can employ several code obfuscation methods, including renaming functions, altering control flows, and encrypting strings.CitationHC3 Qilin Threat Profile JUN 2024
Enterprise T1082 System Information Discovery

Qilin can detect whether a system is running FreeBSD, VMkernel (ESXi), Nutanix AHV, or a standard Linux distribution to enable platform-specific encryption behaviors.[5]
Enterprise T1134 Access Token Manipulation

Qilin can use an embedded Mimikatz module for token manipulation.CitationPicus Qilin MAR 2025
Enterprise T1480.002 Mutual Exclusion Sub-technique

Qilin can create a mutex to ensure only one instance is running.CitationHalcyon Qilin.B OCT 2024
Enterprise T1547.004 Winlogon Helper DLL Sub-technique

Qilin can configure a Winlogon registry entry.[1]
Enterprise T1529 System Shutdown/Reboot

Qilin can initiate a reboot of the backup server to hinder recovery.CitationPicus Qilin MAR 2025
Enterprise T1071.002 File Transfer Protocols Sub-technique

Qilin can use WinSCP for the secure file transfer of the Linux ransomware binary to a targeted system.[5]
Enterprise T1087.001 Local Account Sub-technique

Qilin can list all local users found on a targeted system.[1]
Enterprise T1489 Service Stop

Qilin can terminate specific services on compromised hosts.[1]CitationHalcyon Qilin.B OCT 2024CitationHC3 Qilin Threat Profile JUN 2024CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1566.002 Spearphishing Link Sub-technique

Qilin has been delivered via malicious links in spearphishing emails.[2][4]
Enterprise T1047 Windows Management Instrumentation

Qilin can use WMIC to change the Volume Shadow Copy Service (VSS) startup type to manual.CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1106 Native API

Qilin can attempt to log on to the local computer via `LogonUserW` and use `GetLogicalDrives()` and `EnumResourceW()` for discovery.[1]CitationHalcyon Qilin.B OCT 2024
Enterprise T1036.004 Masquerade Task or Service Sub-technique

Qilin has created a scheduled task named TVInstallRestore to mimic TeamViewer. CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1673 Virtual Machine Discovery

Qilin can detect virtual machine environments including ESXi hosts, datacenters, and clusters within vCenter environments.CitationHalcyon Qilin.B OCT 2024CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1548.002 Bypass User Account Control Sub-technique

Qilin can bypass standard user access controls by using stolen tokens to launch processes at an elevated security context.CitationPicus Qilin MAR 2025
Enterprise T1480 Execution Guardrails

Qilin can require a specific password to be passed by command-line argument during execution which must match a pre-defined value in the configuration in order for it to continue execution.CitationPicus Qilin MAR 2025[5]
Enterprise T1021.002 SMB/Windows Admin Shares Sub-technique

Qilin can embed a copy of PsExec within its payload and place it in the %Temp% directory under a randomly generated filename.CitationPicus Qilin MAR 2025CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

Qilin has named its payload file TeamViewer_Host_Setup to disguise itself as a legitimate TeamViewer file.CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1057 Process Discovery

Qilin can define specific processes to be terminated or left alone at execution.[1][2]CitationHalcyon Qilin.B OCT 2024CitationHC3 Qilin Threat Profile JUN 2024[5]CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1053.005 Scheduled Task Sub-technique

Qilin has pushed scheduled tasks via Group Policy Objects (GPOs) for execution.[3][1] Qilin has also created a scheduled task named TVInstallRestore, configured to run at logon using the `/SC ONLOGON` argument.CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1112 Modify Registry

Qilin can make Registry modifications to share networked drives between elevated and non-elevated processes and to increase the number of outstanding network requests per client.CitationHalcyon Qilin.B OCT 2024CitationPicus Qilin MAR 2025 Qilin can also modify `HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper` to enable posting of ransom messages.CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1135 Network Share Discovery

Qilin has the ability to list network drives.[1]CitationHalcyon Qilin.B OCT 2024
Enterprise T1685.005 Clear Windows Event Logs Sub-technique

Qilin has the ability to clear Windows Event Logs.CitationHalcyon Qilin.B OCT 2024[4]
Enterprise T1007 System Service Discovery

Qilin can identify specific services for termination or to be left running at execution.[1][2]CitationHC3 Qilin Threat Profile JUN 2024CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1570 Lateral Tool Transfer

Qilin has used PsExec to distribute a second encryptor, named encryptor_1.exe, across the targeted environment.CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1055.001 Dynamic-link Library Injection Sub-technique

Qilin can inject pwndll.dll, a patched DLL from the legitimate DLL WICloader.dll, into svchost.exe for continuous execution.[1]
Enterprise T1059.003 Windows Command Shell Sub-technique

Qilin has run `cmd /C [PsExec] -accepteula \\IP Address -c -f -h -d -i C:\Users\xxx\.exe --password [PASSWORD] --spread --spread-process` to execute its encryptor to target multiple network shares.CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1012 Query Registry

Qilin can check `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control SystemStartOptions` to determine if a machine is running in safe mode.[1]
Enterprise T1069.002 Domain Groups Sub-technique

Qilin can run PowerShell cmdlets to discover domain groups.CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1016 System Network Configuration Discovery

Qilin can accept a command line argument identifying specific IPs.[1]
Enterprise T1680 Local Storage Discovery

Qilin has used `GetLogicalDrives()` and `EnumResourceW()` to locate mounted drives and shares.CitationHalcyon Qilin.B OCT 2024
Enterprise T1222 File and Directory Permissions Modification

Qilin can use symbolic links to redirect file paths for remote and local objects and can use `chmod +x` to make its payload binary executable.CitationPicus Qilin MAR 2025CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1486 Data Encrypted for Impact

Qilin can use AES-256 or ChaCha20 for domain-wide encryption of victim servers and workstations and RSA-4096 or RSA-2048 to secure generated encryption keys.[1][2]CitationPicus Qilin MAR 2025[3]CitationHalcyon Qilin.B OCT 2024CitationHC3 Qilin Threat Profile JUN 2024[5]CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1204.001 Malicious Link Sub-technique

Qilin has been executed by luring victims into clicking links in spearphishing emails.[2][4]
Enterprise T1190 Exploit Public-Facing Application

Qilin has been delivered through exploitation of exposed applications and interfaces including Citrix and RDP.[2]
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

Qilin has created a RunOnce autostart entry at `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce*aster = %Public%\enc.exe` pointing to a dropped copy of itself in the Public folder.[1]CitationHalcyon Qilin.B OCT 2024CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1484.001 Group Policy Modification Sub-technique

Qilin has pushed a scheduled task via a Group Policy Object for payload execution.[1][3]
Enterprise T1021.004 SSH Sub-technique

Qilin can enable SSH access on ESXi hosts.CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1003.001 LSASS Memory Sub-technique

Qilin can employ an embedded Mimikatz module to dump LSASS memory.CitationPicus Qilin MAR 2025
Enterprise T1678 Delay Execution

Qilin has the ability to delay execution.[5]
Enterprise T1204.002 Malicious File Sub-technique

Qilin has been delivered to victims through spearphishing emails with malicious attachments.[2]
Enterprise T1083 File and Directory Discovery

Qilin can exclude specific directories and files from encryption.[1][5]
Enterprise T1688 Safe Mode Boot

Qilin can reboot targeted systems in safe mode to avoid detection.[1][3]
Enterprise T1685 Disable or Modify Tools

Qilin can terminate antivirus-related processes and services.[1][2]CitationHalcyon Qilin.B OCT 2024CitationPicus Qilin MAR 2025
Enterprise T1018 Remote System Discovery

Qilin can enumerate domain-connected hosts during its discovery phase.CitationPicus Qilin MAR 2025[4]CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1566.001 Spearphishing Attachment Sub-technique

Qilin has been delivered to victims through malicious email attachments.[2]
Enterprise T1087.002 Domain Account Sub-technique

Qilin can use PowerShell cmdlets to enumerate domain users.CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1490 Inhibit System Recovery

Qilin can execute `vssadmin.exe delete shadows /all /quiet` to remove volume shadow copies and can disable High Availability (HA) and Distributed Resource Scheduler (DRS) in vCenter clusters.[1]CitationHalcyon Qilin.B OCT 2024[4]CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1070.004 File Deletion Sub-technique

Qilin can delete itself from infected hosts after execution.CitationHalcyon Qilin.B OCT 2024[4]
Enterprise T1491.001 Internal Defacement Sub-technique

Qilin can set the wallpaper on compromised hosts to display a ransom message in each encrypted folder.[4][5]CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1059.001 PowerShell Sub-technique

Qilin has been deployed on VMware vCenter and ESXi servers via custom PowerShell script.[3]CitationPicus Qilin MAR 2025 Qilin has also used PowerShell for discovery in vCenter and Active Directory environments.CitationCisco Talos Qilin Ransomware OCT 2025
Enterprise T1219.002 Remote Desktop Software Sub-technique

Qilin can use the Splashtop remote management service (SRManager.exe) to execute the Linux ransomware binary directly on Windows systems.[5]
Associated objects

Groups, software, and campaigns

Group Enterprise

G1036: Moonstone Sleet

Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.[1]

Group Enterprise

G1050: Water Galura

Water Galura are the operators of the Qilin Ransomware-as-a-Service (RaaS) who handle payload generation, ransom negotiations, and the publication of stolen data for Qilin affilates recruited on Russian cybercrime forums. Water Galura have been active since at least 2022 and use a double extortion model where they demand payment for providing decryption keys and for refraining from publishing the stolen data to their leak site.[1][2]

Relationship explorer

All related ATT&CK context

uses · Technique T1027.013: Encrypted/Encoded File Enterprise uses · Technique T1082: System Information Discovery Enterprise uses · Technique T1134: Access Token Manipulation Enterprise uses · Technique T1480.002: Mutual Exclusion Enterprise uses · Technique T1547.004: Winlogon Helper DLL Enterprise uses · Group G1036: Moonstone Sleet Enterprise uses · Technique T1529: System Shutdown/Reboot Enterprise uses · Technique T1071.002: File Transfer Protocols Enterprise uses · Technique T1087.001: Local Account Enterprise uses · Technique T1489: Service Stop Enterprise uses · Technique T1566.002: Spearphishing Link Enterprise uses · Technique T1047: Windows Management Instrumentation Enterprise uses · Technique T1106: Native API Enterprise uses · Technique T1036.004: Masquerade Task or Service Enterprise uses · Technique T1673: Virtual Machine Discovery Enterprise uses · Technique T1548.002: Bypass User Account Control Enterprise uses · Technique T1480: Execution Guardrails Enterprise uses · Technique T1021.002: SMB/Windows Admin Shares Enterprise uses · Technique T1036.005: Match Legitimate Resource Name or Location Enterprise uses · Technique T1057: Process Discovery Enterprise uses · Technique T1053.005: Scheduled Task Enterprise uses · Technique T1112: Modify Registry Enterprise uses · Technique T1135: Network Share Discovery Enterprise uses · Technique T1685.005: Clear Windows Event Logs Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.0
Created
Modified
Raw hash
09bb6c248146b4fd...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.0 Current bundle 09bb6c248146…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Trend Micro Agenda Ransomware AUG 2022

    Magdy, S. et al. (2022, August 25). New Golang Ransomware Agenda Customizes Attacks. Retrieved September 26, 2025.

    Open source URL
  2. [2]
    SentinelOne Qilin NOV 2022

    SentinelOne. (2022, November 30). Agenda (Qilin). Retrieved September 26, 2025.

    Open source URL
  3. [3]
    BushidoToken Qilin RaaS JUN 2024

    Thomas, W. (2024, June 12). Tracking Adversaries: The Qilin RaaS. Retrieved September 26, 2025.

    Open source URL
  4. [4]
    Sophos Qilin MSP APR 2025

    Bradshaw, A. et al. (2025, April 1). Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream. Retrieved September 26, 2025.

    Open source URL
  5. [5]
    Trend Micro Agenda Ransomware OCT 2025

    Trend Micro. (2025, October 23). Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques. Retrieved March 26, 2026.

    Open source URL
  6. [6]
    Agenda

    (Citation: Sophos Qilin MSP APR 2025)(Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: SentinelOne Qilin NOV 2022)(Citation: Trend Micro Agenda Ransomware OCT 2025)

  7. [7]
    mitre-attack S1242
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use