Qilin
Qilin is a ransomware-as-a-service (RaaS) cybercrime operation, also known as Agenda, Qirin, Gold Feather, and Water Galura. The operation emerged in 2022: it launched as Agenda in August 2022 and was rebranded to Qilin by September 2022. Multiple sources describe it as a Russian-speaking or Russia-based ransomware group.

Qilin is one of the most active ransomware groups in the reporting period. It is described as the highest-volume operation in a 24-month leak-site dataset, with 1,690 victims over 731 days (an average of 2.3 leak posts per day); as the most prolific group in Q1 2026, with 353 attack claims; and as the most active group targeting organizations in Asia in 2025. Rapid7 estimates it earned $193 million between July 2025 and March 2026.

Qilin operates an affiliate-based model and maintains a proprietary data leak site. It conducts double-extortion attacks, stealing data and encrypting systems, and threatens to publish stolen data even after payment. The group has also been described as shifting back toward encryption as its primary pressure mechanism.

Its ransomware is Rust-based and highly customizable, with support for Windows and ESXi; reporting also describes Linux ELF64 encryptors for Linux, FreeBSD, and VMware ESXi. The malware supports multiple encryption modes, configurable file extensions, process and service termination, VM shutdown, and snapshot deletion. On ESXi it enumerates and force-stops virtual machines, removes snapshots, encrypts targeted files, and drops ransom notes containing Tor negotiation links and victim-specific credentials. Reported ransom demands ranged from $25,000 to millions of dollars.
Reported tactics and tradecraft include phishing emails with malicious links for initial access, lateral movement after compromise, data exfiltration, use of SmokeLoader and NETXLOADER in a November 2024 campaign, and acquisition of initial access from actors associated with the ZipLine phishing campaign. Talos incident response reported previously unreported Qilin tools and TTPs and a new data exfiltration method. Qilin may also terminate server-specific processes, reboot systems into normal mode, and place a ransom note in each infected directory. One source says Qilin offered affiliates in-house legal consultations to pressure victims.

The group targets organizations across sectors and geographies; reporting specifically mentions impacts in healthcare, emergency services, manufacturing, financial services, government and court systems, and other business sectors. Named or claimed victims and incidents include Synnovis in the UK healthcare sector; Court Services Victoria; Asahi in Japan; Inotiv; Mindpath College Health in the United States; Hikari Seiko in Japan; Yanfeng Automotive Interiors; and a U.S. financial advisory firm. Reporting also notes links between Qilin-enabled activity and the Fox Tempest malware-signing service, and states that Scattered Spider/Octo Tempest added Qilin to its ransomware toolkit in 2024 and has partnered with Qilin in some operations. Known aliases and related names include Agenda, Qilin Gang, Qilin Ransomware, Qilin Ransomware Gang, Qilin Ransomware Group, Qirin, Gold Feather, and Water Galura.
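The ESXi behaviour described above (enumerate VMs, force-stop them, delete snapshots, then encrypt) is a sequence a defender can hunt for in hypervisor shell history. The detector below is an added example, not code from the page or from Mallory; it assumes ESXi shell.log-style lines (`<timestamp> shell[pid]: [<user>]: <command>`) and `vim-cmd vmsvc/...` invocations, and the sample log is constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed ESXi /var/log/shell.log line shape: "<ts> shell[pid]: [user]: <cmd>"
LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# Stages of the pre-encryption sequence, keyed on real vim-cmd subcommands.
STAGES = {
    "enumerate": re.compile(r"\bvim-cmd vmsvc/getallvms\b"),
    "power_off": re.compile(r"\bvim-cmd vmsvc/power\.off \d+"),
    "snapshot_removal": re.compile(r"\bvim-cmd vmsvc/snapshot\.removeall \d+"),
}

# Constructed sample: one burst by root, one routine action by an admin.
SAMPLE_LOG = """\
2026-03-02T01:12:04Z shell[40211]: [root]: vim-cmd vmsvc/getallvms
2026-03-02T01:12:09Z shell[40211]: [root]: vim-cmd vmsvc/power.off 12
2026-03-02T01:12:10Z shell[40211]: [root]: vim-cmd vmsvc/power.off 13
2026-03-02T01:12:11Z shell[40211]: [root]: vim-cmd vmsvc/power.off 17
2026-03-02T01:12:30Z shell[40211]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2026-03-02T01:12:31Z shell[40211]: [root]: vim-cmd vmsvc/snapshot.removeall 13
2026-03-02T09:00:00Z shell[40502]: [vcadmin]: vim-cmd vmsvc/getallvms
2026-03-02T09:05:00Z shell[40502]: [vcadmin]: vim-cmd vmsvc/power.off 21
""".splitlines()


def parse(lines):
    """Turn log lines into (timestamp, user, stage) events; skip non-matching."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for stage, pat in STAGES.items():
            if pat.search(m["cmd"]):
                events.append((ts, m["user"], stage))
                break
    return events


def detect(lines, window=timedelta(minutes=10), min_power_off=3):
    """Flag a user who, within `window`, enumerated VMs, force-stopped at least
    `min_power_off` of them and removed snapshots. Returns (user, start, stages)."""
    by_user = {}
    for ts, user, stage in sorted(parse(lines)):
        by_user.setdefault(user, []).append((ts, stage))
    hits = []
    for user, evs in by_user.items():
        for i, (start, _) in enumerate(evs):
            seen = [s for t, s in evs[i:] if t - start <= window]
            if (seen.count("power_off") >= min_power_off
                    and "snapshot_removal" in seen and "enumerate" in seen):
                hits.append((user, start.isoformat(), sorted(set(seen))))
                break
    return hits
```

Tune `window` and `min_power_off` to the host's normal maintenance pattern; a single power-off or snapshot removal by an admin, as in the second sample session, does not trigger.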
Tradecraft
44 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Associated vulnerabilities
3 CVEs this actor has used in observed campaigns. 3 of them exploited in the wild.
Known Exploited Vulnerabilities: CVE-2023-27532 — Missing Authentication for Critical Function Vulnerability — Veeam Backup & Replication Cloud Connect — CVSS 7.5
Known Exploited Vulnerabilities: CVE-2024-21762 — Out-of-Bound Write Vulnerability — Fortinet FortiOS — CVSS 9.8
Known Exploited Vulnerabilities: CVE-2024-55591 — Authentication Bypass Vulnerability — Fortinet FortiOS — CVSS 9.8
Observables
15 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
A ransomware group highlighted as a major beneficiary of booming ransomware revenues, with estimated earnings of $193 million between July 2025 and March 2026.
Described as the highest-volume ransomware operation in the dataset, continuously operational across the full 24-month period.
High-volume ransomware operation identified as the most active group in the dataset over the observed 24-month period.
Referenced as a named threat actor involved in an incident affecting a real estate company, alongside ShinyHunters.