The ransomware group known as Qilin (also called Agenda, Gold Feather, and Water Galura) has dramatically escalated its operations throughout 2025, solidifying its status as one of the most prolific ransomware-as-a-service (RaaS) providers. Since the start of the year, the group has consistently claimed over 40 victims per month, with the single exception of January. This alarming trend culminated in a high of 100 postings on its data leak site in June and continued with significant victim counts of 84 in both August and September 2025. This surge in activity underscores the maturity and scale of the Qilin operation, which has been active since approximately July 2022.
The geographical reach and preferred targets of the Qilin group show a clear focus on developed nations and specific high-value industries. Data compiled by Cisco Talos identifies the U.S., Canada, the U.K., France, and Germany as the most heavily affected countries. Industry-wise, the attacks have been sharply focused, with the manufacturing sector accounting for the largest share of victims at 23%, followed by professional and scientific services at 18%, and wholesale trade at 10%. This concentration suggests a strategic approach to selecting organizations with substantial resources and a low tolerance for operational downtime.
The initial stage of a Qilin attack often leverages compromised information to gain a foothold in the target network. Affiliates likely secure initial access by using leaked administrative credentials sourced from the dark web, connecting via a virtual private network (VPN) interface. Following this initial breach, attackers utilize Remote Desktop Protocol (RDP) connections to move toward the domain controller and the successfully compromised endpoint. This quick and direct method of entry allows them to bypass traditional perimeter defenses and swiftly begin their internal reconnaissance.
Once inside, the attackers move into a phase of detailed system reconnaissance and network mapping to understand the full scope of the infrastructure. They employ various tools to facilitate credential harvesting, including Mimikatz, WebBrowserPassView.exe, BypassCredGuard.exe, and SharpDecryptPwd. These tools are used to extract credentials from various applications and system functions, with Mimikatz specifically targeting sensitive data like cached passwords from previous logons and configuration details related to RDP, SSH, and Citrix. The harvested data is then rapidly exfiltrated, often to an external SMTP server using a Visual Basic Script to avoid detection.
The final stages of the attack involve persistence and maintaining covert control. The threat actors have been observed using legitimate, common Windows executables such as mspaint.exe, notepad.exe, and iexplore.exe to inspect files for sensitive information, adding a layer of obfuscation to their malicious activity. Furthermore, they use a legitimate file transfer tool called Cyberduck to upload stolen files to a remote server. The stolen credentials are also exploited for privilege escalation and lateral movement, leading to the installation of multiple Remote Monitoring and Management (RMM) tools like AnyDesk, Chrome Remote Desktop, and ScreenConnect, securing persistent access to the compromised network.
Reference:
