Threat Group Profile
qilin
โ Active โ last 30 days
Victim claims
330
First seen
Mar 2026
Last activity
10 Jul 2026
Tracked since
โ
Group overview
Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice double extortion โ demanding payment for a decryptor, as well as for the non-release of stolen data.
Preferred targets
Business Services ยท 62
Manufacturing ยท 43
Consumer Services ยท 33
Construction ยท 31
Healthcare ยท 25
Technology ยท 18
Most targeted countries
US ยท 124
GB ยท 28
DE ยท 19
CA ยท 16
AU ยท 13
FR ยท 10
Tactics & techniques (MITRE ATT&CK)
Initial Access
Valid Accounts
Exploit Public-Facing Application
Phishing
Phishing: Spearphishing via Service
Execution
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: Unix Shell
System Services
System Services: Service Execution
Persistence
Boot or Logon Initialization Scripts
Scheduled Task/Job
Scheduled Task/Job: Scheduled Task
Account Manipulation: SSH Authorized Keys
Create Account
Boot or Logon Autostart Execution
Privilege Escalation
Exploitation for Privilege Escalation
Defense Evasion
Obfuscated Files or Information
Masquerading: Invalid Code Signature
Access Token Manipulation: Parent PID Spoofing
Exploitation for Defense Evasion
Execution Guardrails
Virtualization/Sandbox Evasion: System Checks
Subvert Trust Controls: Code Signing
Disable or Modify Tools
Credential Access
OS Credential Dumping: LSASS Memory
Network Sniffing
Brute Force: Password Cracking
Credentials from Web Browsers
Discovery
Query Registry
Network Service Discovery
System Information Discovery
System Location Discovery
Lateral Movement
Remote Services
Remote Services: Remote Desktop Protocol
Remote Services: SMB/Windows Admin Shares
Remote Services: SSH
Lateral Tool Transfer