Qilin (AKA Agenda) ransomware was first observed in July 2022 and operates using the double extortion method, in which victims’ data is stolen and leaked via a data leak site if the ransom demand is not paid. Qilin maintains variants written in both the Golang and Rust programming languages, targeting both Windows and Linux. Qilin operates as a ransomware-as-a-service (RaaS): affiliates earn 80% of ransom payments under $3 million and 85% of ransom payments over $3 million.
The Qilin affiliate panel offers extensive customization options, allowing attackers to tailor each ransomware deployment to the specific victim. Affiliates can create and edit blog posts that expose companies refusing to pay, manage team accounts by adding nicknames and credentials, and access dedicated support for the ransomware. Operators can also configure technical parameters such as directories and files to skip, processes to terminate, encryption modes, and virtual machines to exclude from shutdown, providing a highly flexible attack framework.
In addition to these technical features, Qilin introduced a “Call Lawyer” button within its panel, a unique tactic designed to escalate psychological pressure during negotiations. This feature brings a purported legal advisor into discussions, aiming to intimidate victims by suggesting potential regulatory or legal consequences and thereby increasing the likelihood of ransom payment.
Modern ransomware variants are increasingly incorporating advanced techniques to strengthen encryption and accelerate performance.
Recent developments include the use of Chrome Extension Stealers for credential harvesting, paired with significant encryption enhancements that make decryption nearly impossible without the attacker’s key. These improvements leverage AES-256-CTR, a highly secure implementation of the Advanced Encryption Standard using a 256-bit key and Counter mode for robust file protection.
To further protect the encryption keys, RSA with Optimal Asymmetric Encryption Padding (OAEP) is applied, reducing susceptibility to certain cryptographic attacks. Systems with AES-NI capabilities on x86 architectures benefit from accelerated encryption and decryption, improving efficiency during large-scale operations. For secure and high-speed streamed communications, many threat actors are also adopting ChaCha20, a modern cipher known for its speed and resilience.
In August 2024, security researchers with Sophos reported that the Qilin group gained access to a victim via compromised credentials and remained in the environment for a dwell time of 18 days. The operators edited the domain policy to introduce a logon-based Group Policy Object (GPO) containing two items: a PowerShell script, IPScanner.ps1, and a batch script, logon.bat.
The combination of the two scripts resulted in the harvesting of credentials saved in Chrome on machines connected to the network. This activity indicates that Qilin is likely changing tactics to include credential harvesting.
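A detection heuristic for the GPO-delivered logon-script chain described above, as an added example that is not part of the original report: it scans constructed process-creation records and flags PowerShell launched by a batch logon script where both the .bat and the .ps1 are served from the domain's SYSVOL/NETLOGON share. The event format, the share-path rule, and every sample value (hosts, PIDs, users) are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry), one per
# line as key=value fields. Domain name, PIDs and user names are made up.
SAMPLE_EVENTS = r"""
pid=4120 ppid=812 image=C:\Windows\System32\cmd.exe user=CORP\alice cmdline="cmd.exe /c \\corp.example\SYSVOL\corp.example\scripts\logon.bat"
pid=4188 ppid=4120 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe user=CORP\alice cmdline="powershell.exe -ExecutionPolicy Bypass -File \\corp.example\SYSVOL\corp.example\scripts\IPScanner.ps1"
pid=5010 ppid=812 image=C:\Windows\System32\cmd.exe user=CORP\bob cmdline="cmd.exe /c \\corp.example\SYSVOL\corp.example\scripts\map_drives.bat"
pid=5022 ppid=5010 image=C:\Windows\System32\net.exe user=CORP\bob cmdline="net use H: \\files\bob"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Domain shares from which GPO logon scripts are normally served (assumption).
GPO_SHARE_RE = re.compile(r'\\\\[^\\]+\\(SYSVOL|NETLOGON)\\', re.IGNORECASE)


def parse_events(text: str) -> Dict[int, dict]:
    """Parse key=value lines into a dict of events keyed by pid."""
    events: Dict[int, dict] = {}
    for line in text.strip().splitlines():
        ev = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        events[int(ev["pid"])] = ev
    return events


def find_gpo_logon_powershell(text: str) -> List[dict]:
    """Flag powershell.exe whose parent is cmd.exe running a .bat from the
    GPO share, and whose own command line runs a .ps1 from that share."""
    events = parse_events(text)
    hits = []
    for ev in events.values():
        if not ev["image"].lower().endswith("powershell.exe"):
            continue
        parent = events.get(int(ev["ppid"]))
        if parent is None or not parent["image"].lower().endswith("cmd.exe"):
            continue
        bat_from_share = bool(GPO_SHARE_RE.search(parent["cmdline"])) and parent["cmdline"].lower().endswith(".bat")
        ps1_from_share = bool(GPO_SHARE_RE.search(ev["cmdline"])) and ".ps1" in ev["cmdline"].lower()
        if bat_from_share and ps1_from_share:
            hits.append({"user": ev["user"], "bat": parent["cmdline"], "ps1": ev["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in find_gpo_logon_powershell(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['user']}: {hit['bat']} -> {hit['ps1']}")
```

Only the alice chain is flagged; bob's ordinary drive-mapping logon script produces no alert because it never spawns PowerShell.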
In October 2024, Halcyon security researchers reported a new and updated version of the Qilin ransomware variant, dubbed “Qilin.B”. Qilin.B is written in the Rust programming language. According to the research, Qilin.B supports AES-256-CTR encryption for systems with Advanced Encryption Standard New Instructions (AES-NI) capabilities. Qilin.B uses RSA-4096 with Optimal Asymmetric Encryption Padding (OAEP) to safeguard encryption keys.
In January 2025, Blackpoint’s APG team identified Qilin using a legitimately signed executable named upd.exe, which sideloaded a malicious DLL, avupdate.dll. The DLL was responsible for decoding and loading a customized version of the EDR-killing tool EDRSandblast.
In 2025, Qilin was reported to rely on several bullet-proof-hosting (BPH) infrastructures. Rogue BPH services enable threat actors to host content with minimal oversight. These are designed to be resilient to abuse complaints and law enforcement intervention. These factors highlight why BPH services are an attractive option for a major ransomware operation like Qilin.
Qilin has been attributed with launching the WikiLeaksV2 website, where the group publishes information about its activities. This site carries header ads for BEARHOST Servers, one of the largest BPH providers (AKA Underground and Voodoo Servers). Other services the group has been linked to include:
- Cat Technologies Co. Limited
- Red Bytes LLC
- IPX-FZCO
- Chang Way Technologies Co. Limited
Additionally, in Q3 2025 the DragonForce ransomware operation announced a working partnership with both the LockBit and Qilin ransomware operations. This alliance could aid in restoring LockBit’s reputation among affiliates and increase Qilin’s activity.
This type of cooperative, cartel-style partnership is similar to a partnership between Maze and LockBit in 2020, a time when double extortion was growing.
Features the operation maintains, such as spam tools and PR support, together with its longer track record, likely make Qilin an attractive operation for more sophisticated financially motivated threat groups. It is very likely that Qilin activity will continue to be reported over the next 3-6 months.
In 2025, Qilin ransomware executed several high-profile attacks across different regions, demanding multimillion-dollar ransoms. Key incidents include:
- February 2025 – Cleveland Municipal Court (United States): Qilin caused weeks of operational disruption and demanded $4 million. The court refused to pay.
- March 2025 – Malaysia Airports Holdings Berhad (Malaysia): The attack disrupted critical airport systems. Qilin demanded $10 million and claimed to have stolen 2 TB of data. Officials confirmed they did not pay.
- June 2025 – Ciudad Autónoma de Melilla (Spain): Qilin demanded approximately $2.12 million and alleged theft of 4–5 TB of sensitive data. Authorities declined the ransom.