STAC4365
STAC4365 is an affiliate group of the Qilin ransomware operation. It has been reported to rely on an adversary-in-the-middle (AitM) phishing kit to steal credentials.

Qilin is a ransomware-as-a-service (RaaS) operation, also known as Agenda, Gold Feather, Phantom Mantis, and Water Galura, that was first observed in July 2022 and uses double extortion: file encryption combined with data theft. Qilin affiliates have been observed gaining initial access via phishing and social engineering, valid credentials, external remote services, and exploitation of public-facing applications, and the malware can target Windows and Linux/ESXi environments.

The broader Qilin operation has used Golang and Rust ransomware variants, including the Rust-based Qilin.B variant, and has been associated with credential harvesting, domain policy/GPO modification, EDR bypass and kill techniques (including BYOVD and EDRSandblast), log clearing, shadow copy deletion, and lateral movement with tools such as PsExec. Microsoft tracks the group behind Qilin's operation, management, and leadership as Storm-1934. Reporting identifies STAC4365 specifically as a Qilin affiliate subgroup that uses AitM phishing for credential theft.
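Two of the post-compromise behaviours listed above, shadow copy deletion and log clearing, are among the most reliable pre-encryption signals a defender can alert on. The following detector is an added example, not code from the Mallory page or from any Qilin report: it scans constructed Windows process-creation log lines for those two behaviours and flags hosts where both appear. The log format, hostnames, usernames and the exact regexes are assumptions for illustration; the patterns follow the public MITRE ATT&CK descriptions of T1490 (Inhibit System Recovery) and T1070.001 (Clear Windows Event Logs).

```python
"""Added example (not from the Mallory page or any Qilin report): a small
detector for two ransomware-precursor behaviours named in the actor profile,
shadow copy deletion (T1490) and Windows event log clearing (T1070.001).
Log format, hosts, users and patterns are assumptions for illustration."""
import re
from dataclasses import dataclass

# Constructed sample log lines in a simplified "timestamp host user cmdline" form.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z FS01 CORP\\svc_backup C:\\Windows\\System32\\vssadmin.exe list shadows
2024-05-01T10:05:47Z FS01 CORP\\jdoe C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2024-05-01T10:06:02Z FS01 CORP\\jdoe C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy delete
2024-05-01T10:07:30Z FS01 CORP\\jdoe C:\\Windows\\System32\\wevtutil.exe cl Security
2024-05-01T10:08:00Z WS22 CORP\\asmith C:\\Windows\\System32\\notepad.exe notes.txt
"""

# Each rule: (name, MITRE technique id, regex applied to the command line).
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", "T1490",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event_log_clearing", "T1070.001",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
]

@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    technique: str
    cmdline: str

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")

def parse_line(line):
    """Split one log line into its fields; returns None for malformed lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def scan(log_text):
    """Return one Finding per log line whose command line matches a rule."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, tid, pattern in RULES:
            if pattern.search(rec["cmd"]):
                findings.append(Finding(rec["ts"], rec["host"], rec["user"],
                                        name, tid, rec["cmd"]))
                break  # one finding per line is enough
    return findings

def hosts_with_both(findings):
    """Hosts showing both recovery inhibition and log clearing: a stronger
    ransomware-precursor signal than either behaviour alone."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    wanted = {"shadow_copy_deletion", "event_log_clearing"}
    return sorted(h for h, rules in by_host.items() if wanted <= rules)

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp} {f.host} {f.user} [{f.technique} {f.rule}] {f.cmdline}")
    print("hosts with both behaviours:", hosts_with_both(found))
```

The benign `vssadmin list shadows` line from the backup service account is deliberately included so the rules fire only on the deletion verbs; in production the same logic would sit on Sysmon Event ID 1 or Security Event ID 4688 command-line fields rather than on a flat text log.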
Tradecraft
7 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Recent activity
1 source tracked across advisories, community write-ups, and news.