RansomwareEDP  /  Threat Actor Library
Developed by Reno  •  Analytical profiles compiled from open-source intelligence
Threat Actor Profile — Last updated May 2026
Qilin
Ransomware-as-a-Service  •  Double Extortion  •  Cross-Platform (Go / Rust)
Threat level: Critical  •  Status: Fully Operational RaaS

Key figures:
  • First observed: Jul 2022 (as "Agenda"; rebranded ~late 2022)
  • Total victims (DLS, LIVE): 958+ (as of May 2026)
  • Countries targeted (LIVE): 72+ (via ransomware.live)
  • Peak market share: 24% (U.S. SLTT incidents, Q2 2025)
  • Affiliate split: 80% / 85% (under / over $3M ransom)
  • LE disruptions: Zero (no takedowns, no sanctions)
  • Lineage: Standalone (no confirmed predecessor group)
01. Executive Summary and Group Overview

Qilin (also tracked as Agenda) is a Russian-language ransomware-as-a-service (RaaS) operation first observed in July 2022. Originally named Agenda, the group rebranded around late 2022 under the Qilin name visible on its Tor-hosted data leak site. The operation has been continuously active through May 2026 and is now assessed as one of the highest-volume enterprise ransomware actors globally. In Q2 2025, Qilin surpassed RansomHub as the leading ransomware threat to U.S. state, local, tribal, and territorial (SLTT) organizations, accounting for 24% of reported incidents. The group claimed approximately 958 victims in 2025 and 72 in April 2025 alone.

The group operates a dual-language (Go/Rust) payload capable of targeting Windows and Linux/VMware ESXi environments. Qilin employs standard double extortion, threatens regulatory and media escalation, and has demonstrated novel credential-harvesting techniques including GPO-deployed Chrome data theft across entire victim domains. Its most consequential publicly documented incident is the June 2024 ransomware attack on UK pathology provider Synnovis, which disrupted seven London NHS hospitals, cancelled thousands of procedures, and was cited as a contributing factor in at least one patient death.

Attribute | Detail
Primary alias | Qilin
Secondary alias | Agenda (original name; same operation, confirmed)
Vendor designations | SentinelOne: "Agenda (aka Qilin)"; Group-IB: "Qilin Ransomware"; Check Point: "Qilin (Agenda)"; KELA: "Qilin ransomware group"; Blackpoint Cyber: "Qilin (AKA Agenda)"; Darktrace: "Qilin RaaS operator"; FortiGuard Labs: "Qilin Ransomware" (formal threat actor page)
CrowdStrike designation | Not confirmed in open-source reporting as of May 2026
Mandiant / Secureworks designations | Not confirmed in open-source reporting as of May 2026
Operational model | Ransomware-as-a-Service
Extortion mechanic | Double extortion (encryption + data leak threat); elements of triple extortion (regulatory/media escalation) documented
Assessed jurisdiction | Russia / CIS (CREDIBLE)
LE disruption status | None confirmed as of May 2026
OFAC sanctions status | None as of May 2026
Overall Assessment: Qilin is a maturing, high-volume RaaS operation with demonstrated capability against critical infrastructure and healthcare. Its cross-platform payload, active development cycle, novel credential-harvesting techniques, and willingness to attack NHS-level targets position it as a tier-1 threat through at least the near term. The absence of any law enforcement action or sanctions to date increases its operational risk to potential victims.
Visual Reference: Branding and Mythology

The group's name and branding draw on the qilin (Chinese: 麒麟), a mythological creature from East Asian traditions regarded as an omen of sage rulers and benevolent prosperity. The ransomware operators selected the name deliberately -- a creature associated with ancient power and good fortune, repurposed as threat branding.

02. Lineage and Organizational Heritage

Emergence

Agenda ransomware was first publicly analyzed in July-August 2022, with early victims reported in Indonesia and Saudi Arabia. The group began operating its dedicated data leak site under the "Qilin" brand around late 2022. Most contemporary vendor reporting treats the Agenda and Qilin names as referring to the same underlying operation. [1] [2] [4]

A forum profile operating under the handle "Haise" joined the RAMP cybercrime forum on May 29, 2022 and advertised Qilin on February 13, 2023. This is the clearest open-source data point linking a specific operator alias to the group's founding period. [12] Note: A July 2025 Telegram channel claiming to be Europol offered a $50,000 bounty for information on Qilin administrators "Haise" and "XORacle" -- Europol confirmed this channel was a scam and no such bounty exists. The aliases themselves appear in prior legitimate forum tracking and are treated as credible at the handle level.

Predecessor and Rebrand Assessment
Confirmed: Agenda = Qilin (same operation)
Credible: Russian-language criminal ecosystem origin
Analyst Inference: Personnel may have prior criminal histories; unconfirmed

Open-source and vendor analysis consistently presents Qilin/Agenda as a standalone operation, not a rebranded or direct successor to any prior named group such as Conti, Hive, or REvil. No multi-source evidence of code forking from a specific predecessor has been confirmed. Some features (multi-threaded encryption, service killing, safe-mode rebooting) mirror common patterns across the Russian-language RaaS ecosystem but do not establish lineage. [4] [11] [5]

Confidence that Qilin is a direct code fork of a specific prior group: LOW. Confidence that the group's operators have familiarity with Russian-language RaaS tradecraft: HIGH.

Evidentiary Pillars: Origin Assessment
Pillar 1 — Confirmed
Russian-Language Operations
Qilin recruits affiliates on Russian-language criminal forums. Operator communications are in Russian. Multiple vendors (KELA, Group-IB, Blackpoint Cyber) explicitly characterize it as a Russian-origin group. [12] [11] [5]
Pillar 2 — Confirmed
CIS Exclusion Behavior
No documented CIS-region victims in any open-source database. Binaries are reported to include locale/language checks consistent with CIS avoidance. Absence of CIS targeting across three-plus years of activity is consistent with safe-harbor operation. [13] [5]
Pillar 3 — Credible
Forum Advertisement Record
Handle "Haise" joined RAMP forum May 29, 2022 and posted Qilin advertisement February 13, 2023. This is single-source but consistent with the group's documented emergence timeline. [12]
Pillar 4 — Analyst Inference
No Named Personnel Confirmation
No public indictment, arrest, or doxxing has confirmed real identities of Qilin operators or affiliates. The RAMP handle "Haise" and reference to "XORacle" in a fraudulent Europol post are the only named aliases in open reporting. Personnel lineage to prior groups remains unconfirmed. [5] [8]
Vendor Designation Disambiguation

Qilin has no confirmed parent-organization designation comparable to Wizard Spider (CrowdStrike) or Gold Ulrick (Secureworks) for Conti. Vendors that have published formal designations for Qilin itself include SentinelOne, Group-IB, Check Point, KELA, Blackpoint Cyber, Darktrace, and FortiGuard Labs. CrowdStrike, Mandiant, and Secureworks have not confirmed public group-specific designations for Qilin as of May 2026, though detailed profiles may exist behind paywalls. [4] [11] [10] [12] [5]

03. Operational Model

RaaS Structure

Qilin operates as a Ransomware-as-a-Service platform. Core operators maintain the payload, affiliate panel, negotiation infrastructure, and data leak site. Affiliates conduct intrusions, exfiltration, and encryption, then share revenue with the platform. [9] [10] [11] [12] [5]

Affiliate recruitment occurs on Russian-language cybercrime forums. The platform is assessed as affiliate-friendly: Blackpoint Cyber reports affiliates retain 80% of ransoms below $3 million and 85% for ransoms above $3 million, with the core team retaining the remainder. This split is at the high end of documented RaaS norms. [5]

In Q2 2024, Microsoft (Threat Intelligence) attributed Octo Tempest / Scattered Spider as a Qilin affiliate, representing a significant escalation: Scattered Spider brings sophisticated social engineering and cloud environment capabilities to Qilin's payload. [Credible - Microsoft attribution; no corroborating independent confirmation in open sources as of research date]

Extortion Mechanics
  • Double extortion (standard): Data exfiltrated prior to encryption creates two independent leverage points. All Qilin incidents involve both components. [2] [10] [4] [11] [12] [5]
  • Triple extortion (documented, not systematic): Qilin has threatened to contact customers, regulators, and media to amplify reputational damage. Not documented as a formalized "phase" but present in multiple incident accounts. [6] [14]
  • Teaser-to-full-dump progression: DLS publications begin with sample data, escalating to full dataset publication if negotiations fail. Claimed exfiltration volumes include 550 GB (The Big Issue parent company) and 400 GB (Synnovis). [6] [B1]
  • Countdown timers: DLS posts include deadlines that, when missed, trigger ransom increases or accelerated publication. [6]
Negotiation Behavior

Negotiations are conducted through a Tor-hosted victim negotiation portal, accessed via a unique URL in the ransom note. Initial demands for large enterprise targets reach into the millions. Negotiators and incident responders report reductions of 30-50% or more during active negotiations, though hard statistics are sparse. Qilin communication is professional and coercive, emphasizing data control leverage. [13] [14] [5]

Some affiliate-dependent variation in victim communication has been documented, with TOX/email handles appearing in ransom notes alongside Tor portal references depending on the affiliate. [5] [13]

04. Technical Capabilities

Payload Evolution
Generation | Language | Platforms | Period | Notes
Agenda v1 | Go (Golang) | Windows | 2022 | Initial release; per-victim config, service killing
Agenda/Qilin v2 | Go (Golang) | Windows, Linux/ESXi | 2022-2023 | Cross-platform expansion; ESXi targeting added
Qilin Rust | Rust | Windows, Linux/ESXi | 2023-present | Full Rust rewrite; improved evasion, speed, cross-platform capability

No public universal decryptor exists for any Qilin/Agenda variant as of May 2026. The No More Ransom portal does not list a Qilin decryptor. Case-by-case recovery via backup restoration or operational mistake exploitation is documented but not indicative of a cryptographic flaw. [7] [4] [13]

Initial Access Vectors
Vector | Confidence | Notes
Phishing / malicious attachments | CONFIRMED (multi-source) | Broadly documented across Qilin affiliate campaigns [3] [5] [14]
Compromised VPN / RDP credentials (no MFA) | CONFIRMED (multi-source) | Dominant vector per Sophos incident response (July 2024) [14] [5]
CVE-2024-21762 (FortiOS SSL VPN RCE) | CONFIRMED | CVSS 9.6; actively exploited by Qilin affiliates per CIS-ISG reporting [CIS1]
CVE-2024-55591 (FortiOS auth bypass) | CONFIRMED | Exploited alongside CVE-2024-21762 [CIS1]
CVE-2025-31324 (SAP NetWeaver Visual Composer RCE) | CREDIBLE | CVSS 10.0; Qilin-linked actors exploited this vulnerability weeks before public disclosure per OP Innovate investigation [OP1]
Backup service and web application vulnerabilities | CREDIBLE (multi-source) | ESXi management interfaces frequently cited [5] [3] [14]
NETXLOADER (loader delivery) | CONFIRMED | Trend Micro (Nov 2024): .NET loader protected with .NET Reactor 6, JIT hooking, deployed with SmokeLoader to stage Qilin payload [TM1] [5]
Notable Technique: Chrome Credential Harvesting via GPO (August 2024)
Distinctive TTP: In a July 2024 incident analyzed by Sophos, Qilin affiliates deployed a GPO-based PowerShell script on the victim's domain controller that harvested credentials stored in Google Chrome across all domain-connected machines at logon. Because the GPO applied domain-wide, every device a user logged into during the compromise period was subject to credential collection. This technique extends Qilin's data theft capability far beyond the target organization's own systems -- enabling downstream attacks against financial accounts, cloud services, and third-party platforms. [S1]
Post-Exploitation Kill Chain
Phase | Observed Tools / Techniques
Persistence | Additional admin account creation, web shells, RDP/VPN config modification [13] [14] [5]
Lateral Movement | Stolen credentials, RDP, PsExec, WMIC, domain GPO for ransomware push [5] [13] [14]
Privilege Escalation | Domain controller access; Kerberoasting likely (ANALYST INFERENCE from toolset pattern)
Defense Evasion | Security tool disabling, backup and database service termination, Windows Safe Mode reboot before encryption [4] [13] [5]
C2 / Remote Access | Cobalt Strike, commercial RMM tools, built-in OS utilities (PowerShell, PsExec) [13] [14] [5]
Exfiltration | Volume-based (hundreds of GB claimed per incident); specific tools affiliate-dependent
Encryption | Hybrid symmetric/asymmetric (AES or ChaCha20 + RSA); multi-threaded; partial encryption for large files; per-victim configuration [4] [11] [13]
ESXi targeting | Linux variant terminates VMs before encrypting virtual disk files; esxcli use documented [4] [11] [5]
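As an added detection example (not code from this profile or from any cited vendor), the following Python correlates constructed Windows log records to surface two behaviours described above: the same Chrome "Login Data"-touching PowerShell script block (Event ID 4104) executing across many hosts, which is what a logon-scoped GPO produces, and a bcdedit safeboot command line (Event ID 4688) staging the Safe Mode reboot listed under Defense Evasion. The host names, user names, script text and the bcdedit command line are assumptions; the profile does not publish Qilin's actual script or the exact command it uses.

```python
"""Detection logic for two Qilin-associated host behaviours: the domain-wide
Chrome credential harvest pushed through a logon GPO, and the Safe Mode reboot
staged before encryption. All log records below are constructed for this
example and are not from any real incident."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    event_id: int   # 4104 = PowerShell script block logged, 4688 = process creation
    content: str    # script block text (4104) or command line (4688)


# Sanitised script block text as it would appear in a 4104 record. The same
# body executing on many hosts at logon is what a domain-linked GPO produces.
GPO_SCRIPT = ('Copy-Item "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default'
              '\\Login Data" -Destination "[staging path redacted]"')
# A one-host triage copy of the same store: it must stay below the threshold.
TRIAGE_SCRIPT = ('Copy-Item "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Profile 1'
                 '\\Login Data" -Destination "C:\\triage\\"')

SAMPLE_EVENTS = [
    Event("WS-101", "alice", 4104, GPO_SCRIPT),
    Event("WS-102", "bob", 4104, GPO_SCRIPT),
    Event("WS-103", "carol", 4104, GPO_SCRIPT),
    Event("WS-104", "alice", 4104, GPO_SCRIPT),      # alice's second machine
    Event("WS-200", "helpdesk", 4104, TRIAGE_SCRIPT),
    # bcdedit safeboot is assumed here as the usual way to force a Safe Mode
    # boot; the profile does not publish the exact command Qilin uses.
    Event("FS-01", "svc_backup", 4688, "bcdedit.exe /set {default} safeboot minimal"),
    Event("WS-105", "admin", 4688, "bcdedit.exe /enum"),   # benign query
]

# Chrome's saved-password store lives under <profile>\Login Data.
CHROME_LOGIN_DATA = re.compile(
    r"Google\\Chrome\\User Data\\[^\\]+\\Login Data", re.IGNORECASE)
SAFEBOOT_STAGING = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)


def script_id(text: str) -> str:
    """Short digest of a script body, so identical GPO-delivered scripts
    correlate across hosts regardless of where they ran."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def find_domainwide_chrome_harvest(events, min_hosts=3):
    """Return script blocks that touch Chrome's Login Data AND executed on at
    least `min_hosts` distinct hosts. Host breadth is the discriminator: a
    single triage copy stays below it, a logon GPO does not."""
    by_script = defaultdict(lambda: {"hosts": set(), "users": set()})
    for ev in events:
        if ev.event_id != 4104 or not CHROME_LOGIN_DATA.search(ev.content):
            continue
        entry = by_script[script_id(ev.content)]
        entry["hosts"].add(ev.host)
        entry["users"].add(ev.user)
    return [
        {"script": sid, "hosts": sorted(v["hosts"]), "users": sorted(v["users"])}
        for sid, v in by_script.items()
        if len(v["hosts"]) >= min_hosts
    ]


def find_safeboot_staging(events):
    """Hosts where bcdedit was used to force a Safe Mode boot, the
    pre-encryption step listed under Defense Evasion in the table above."""
    return sorted({ev.host for ev in events
                   if ev.event_id == 4688 and SAFEBOOT_STAGING.search(ev.content)})


if __name__ == "__main__":
    for hit in find_domainwide_chrome_harvest(SAMPLE_EVENTS):
        print(f"GPO-scale Chrome credential access: script {hit['script']} "
              f"on {len(hit['hosts'])} hosts, users {hit['users']}")
    for host in find_safeboot_staging(SAMPLE_EVENTS):
        print(f"Safe Mode boot staged on {host}: check for impending encryption")
```

Feeding real 4104/4688 exports into the same functions requires only mapping each record's host, user, event ID and script or command-line text onto `Event`.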
CIS Exclusion Behavior
Credible -- medium confidence; inferred from absence and binary analysis

Qilin is assessed to exclude CIS-region targets. Binary analysis documents locale and language checks (Russian keyboard/language settings). No CIS-region organization has been publicly documented as a Qilin victim across three-plus years of operation. This pattern is consistent with Russian-language RaaS operating norms and the safe-harbor dynamic observed across the broader ecosystem. Direct sample-level CIS exclusion code is less consistently described in public write-ups than the behavioral pattern warrants. [13] [5]

05. Financial Infrastructure

Payment Model

Qilin demands ransoms in Bitcoin, the dominant cryptocurrency in its observed ransom notes. Per-incident unique Bitcoin addresses are used, directing funds to victim-specific wallets before aggregation. Some affiliate flexibility in accepting alternative cryptocurrencies has been suggested in incident reporting but is not systematically documented. [13] [5]

On-Chain Forensics: Intelligence Gap
Intelligence Gap: As of May 2026, no dedicated public blockchain forensics report from TRM Labs, Chainalysis, or Elliptic specifically profiling Qilin's wallet infrastructure or laundering flows has been identified. Unlike older groups (Conti, Ryuk), Qilin has not yet been the subject of a major public on-chain attribution campaign. This gap likely reflects (1) that investigations are ongoing in private threat intelligence channels, and (2) that Qilin's relatively shorter operational history has not yet generated the on-chain density required for public-facing attribution at the wallet cluster level. No OFAC-designated wallets tied to Qilin have been published.
Assessed Laundering Methodology
  1. Collection via Per-Victim Wallets: Unique Bitcoin addresses per incident. Ransom payment directed to affiliate-controlled or platform-assigned wallet before split. [ANALYST INFERENCE from standard RaaS mechanics and general Qilin reporting]
  2. Layering via Intermediate Wallets and Peeling Chains: Consistent with observed Russian-language RaaS laundering patterns. Funds moved through multiple intermediate addresses before reaching aggregation points. [CREDIBLE -- inferred from ecosystem norms; Qilin-specific chain not publicly documented]
  3. Mixer / High-Risk Exchange Use: Russian-language RaaS operations commonly use mixers, tumblers, and loosely regulated or sanctions-adjacent exchanges. Qilin-specific mixer use is not confirmed in open-source reporting; application of ecosystem pattern is ANALYST INFERENCE. Adaptation to mixer takedowns (Tornado Cash, Sinbad) has been noted in general reporting on the ecosystem. [5] [13]
  4. OTC Broker / Fiat Conversion: Final-stage conversion to fiat via OTC brokers operating in CIS jurisdictions is consistent with the broader ecosystem. No Qilin-specific OTC broker has been named in open-source reporting. [ANALYST INFERENCE]
Revenue Estimates

No aggregate revenue figure for Qilin has been confirmed in open-source reporting. Given documented victim volume (~958 in 2025), enterprise targeting profile, and typical RaaS ransom magnitudes in the hundreds of thousands to millions of dollars, Qilin is assessed in the upper tier of contemporary RaaS operations by revenue generation. This is an ANALYST INFERENCE based on volume and targeting profile, not a confirmed figure.

06. Victim Profile and Targeting

Key figures:
  • 2025 claimed victims: ~958 (approx. 30% more than Akira (717) in 2025)
  • April 2025 (peak month): 72 (Group-IB; #1 globally that month)
  • Q2 2025 SLTT share: 24% (up from 9% in Q1 2025, MS-ISAC)
  • U.S. SLTT incidents: 29 (Dec 2023 to Jun 30, 2025, MS-ISAC)
Sector Targeting
Sector | Assessed Priority | Notes
Healthcare / Medical | HIGH -- primary target | Multiple hospital and health system incidents in 2024-2026; Synnovis attack most consequential [3] [7] [5]
Education | HIGH | Universities and K-12 documented [2] [5] [1]
Manufacturing / Industrial | HIGH | Including industrial supply chains [11] [5] [1] [2]
Media / Publishing | MODERATE-HIGH | The Big Issue parent, Lee Enterprises [6] [8]
Local Government / Public Services | MODERATE-HIGH | SLTT incidents rising sharply in 2025 [7] [5] [3]
Real Estate / Construction | MODERATE | Documented in early reporting [1] [2]
Technology / Financial / Telecom | MODERATE | Expanded targeting in 2025 per Trend Micro [TM1]
Geographic Distribution

Qilin targets organizations across North America, Europe, and Latin America, with consistent reporting of U.S. dominance. SOCRadar specifically identifies the U.S., Brazil, and Argentina as primary target countries. UK-based organizations have been disproportionately represented in high-profile incidents (Synnovis, The Big Issue parent). No CIS-region victims documented. [2] [3] [6] [7] [8]

Notable Named Victims
Victim | Sector | Date | Impact
Synnovis (UK) | Healthcare / Pathology | June 3, 2024 | 400 GB leaked; 7 London NHS hospitals affected; 10,000+ appointments/procedures cancelled; 300M+ patient interactions exposed; patient death cited as contributing factor; no ransom paid; 18-month investigation concluded Nov 2025 [B1] [B2] [B3]
Lee Enterprises (US) | Media / Publishing | February 3, 2025 | 350 GB claimed; 39,779 individuals notified; 72 newspapers disrupted; SEC material impact filing; Social Security numbers among compromised data [8] [LE1]
The Big Issue parent (UK) | Media / Publishing | 2024 | 550 GB claimed; confidential files leaked on DLS [6]
Multiple unnamed hospitals / health systems | Healthcare | 2024-2026 | Rust-based attacks; multiple healthcare advisories issued [3] [7]
Synnovis significance: The June 2024 Synnovis attack is the most consequential publicly documented Qilin incident. It disrupted pathology services for King's College Hospital NHS Foundation Trust and Guy's and St Thomas' NHS Foundation Trust, among others. Blood transfusion and testing services were severely degraded. A coroner cited the attack as a contributing factor in a patient death at King's College Hospital. Synnovis did not pay the ransom. The 18-month forensic investigation reflects the complexity of the breach scope across NHS supply-chain data.
Victim Selection Model

Qilin demonstrates positive selection for targets where operational disruption and data exposure create maximum leverage: critical infrastructure with low tolerance for downtime (healthcare), time-sensitive services (media/publishing), and organizations managing sensitive personal or financial data. The RaaS model creates heterogeneity in targeting -- more capable affiliates pursue enterprise targets while less sophisticated affiliates may target smaller organizations as collateral.

Negative selection (CIS avoidance) is consistent with documented binary behavior and the absence of any CIS victim across the group's operational history.

07. Law Enforcement and Regulatory Response

Arrests and Indictments
Confirmed: Zero public arrests or indictments as of May 2026

No U.S., UK, EU, or other public indictment has named any individual as a member of Qilin. No arrest attributable to Qilin operations has been publicly announced. This is an assessed intelligence gap, not proof that investigations are absent. [5] [13] [8]

Sanctions
Confirmed: No OFAC designations as of May 2026

Neither "Qilin" nor "Agenda" appears in OFAC's Specially Designated Nationals list. No Qilin-linked wallet has been OFAC-designated in open-source data. This gap could change rapidly given the group's healthcare targeting profile and NHS-level impact. [13] [5]

Infrastructure Seizures

Qilin's Tor-hosted data leak site and negotiation portal remain operational as of May 2026. No large-scale seizure of Qilin's core infrastructure has been publicly announced. Isolated sinkholing of affiliate-used C2 nodes is possible but not documented under the Qilin name. [5]

Advisories and Government Actions
Body | Action | Date | Notes
MS-ISAC / CIS-ISG | Threat intelligence report: Qilin top SLTT threat | Q2 2025 | Documented 29 U.S. SLTT incidents Dec 2023 to Jun 2025; 24% market share Q2 2025 [CIS1]
ECUCERT (Ecuador) | Technical advisory AL-2024-16 | 2024 | Internal workings, configuration analysis, mitigation recommendations [13]
FBI / CISA | Joint advisory referencing NETXLOADER / Qilin affiliate activity | 2025 | Referenced in Blackpoint Cyber / Trend Micro reporting; dedicated #StopRansomware advisory for Qilin not confirmed in public CISA portal as of research date [5] [TM1]
UK NHS / NCSC | Sectoral alerts following Synnovis incident | 2024 | Patching, network segmentation, offline backup guidance issued to NHS supply chain [B1] [B2]
Healthcare ISACs (various) | Sectoral alerts | 2024-2026 | Qilin cited as top healthcare threat in multiple H-ISAC and MS-ISAC communications [7] [3]
Decryptor Availability

No public universal decryptor for any Qilin or Agenda variant is available through the No More Ransom portal or any publicly disclosed vendor release as of May 2026. Recovery in documented incidents has relied on unaffected backups or, in isolated cases, operational mistakes by affiliates. No systemic cryptographic flaw has been publicly identified. [7] [4] [13]

08. Attribution and State Nexus

Jurisdiction Assessment
Credible: Russia / CIS-based criminal operation

Qilin is consistently assessed as a Russian-language, likely Russia-based or CIS-based criminal group. Supporting indicators: Russian-language forum recruitment and operator communications; CIS exclusion behavior across three-plus years of operation; SOCRadar, KELA, and Group-IB all formally characterize origin as Russian; Ecuador's ECUCERT advisory characterizes it as Russian-origin. [13] [12] [5]

Named Individuals

The only named aliases associated with Qilin leadership in open-source reporting are "Haise" (RAMP forum, documented joining May 2022, Qilin advertisement February 2023) and "XORacle" (referenced only in the July 2025 fake Europol Telegram post). Europol confirmed the Telegram channel was not genuine. Neither alias has been attributed to a real-world identity in any public law enforcement action.

Confidence that "Haise" is a legitimate Qilin operator alias: CREDIBLE (documented forum record predating the fake Europol post). Confidence that real identity is known to open sources: LOW / NOT CONFIRMED.

State Nexus Assessment
Confirmed: No evidence of Russian state direction, tasking, or formal nexus
Analyst Inference: De facto safe harbor consistent with Russian cybercrime ecosystem norms

No leaked communications, indictments, or credible technical reporting ties Qilin to FSB, SVR, GRU, or any other Russian state service. No evidence of overt intelligence collection on behalf of a state actor. No state-directed targeting has been documented.

The combination of CIS avoidance, Russian-language operation, and absence of domestic prosecution is consistent with a de facto safe harbor -- the expectation of non-prosecution in exchange for avoiding CIS targets -- that characterizes the broader Russian cybercrime ecosystem. This is an analytic inference about ecosystem dynamics, not a documented agreement. [5] [13] [12]

Scattered Spider Affiliate Assessment
Credible -- Microsoft attribution; not independently corroborated in open sources

Microsoft Threat Intelligence (mid-2024) reported that Octo Tempest, also known as Scattered Spider (CrowdStrike), had become a Qilin affiliate. Scattered Spider is a financially motivated, English-language threat group known for sophisticated social engineering, SIM-swapping, and cloud environment exploitation. Its adoption of Qilin as a payload represents a convergence of Western social engineering capability with Russian-language RaaS infrastructure. This affiliation does not indicate a state nexus but does materially expand the attacker population capable of deploying Qilin.

09. Trajectory Assessment

Operational Stability Indicators
  • Continuous operation since July 2022 with no prolonged disappearance or disruption. [1] [3] [4] [11]
  • No leaked internal communications, affiliate disputes, or visible internal fragmentation analogous to Conti's May 2022 collapse. [4] [12] [5]
  • Active payload development cycle: Go to Rust transition, NETXLOADER integration, Chrome credential GPO technique all represent non-trivial development investment. [TM1] [S1] [4]
  • Affiliate pool expansion: Scattered Spider adoption as an affiliate in 2024 demonstrates the group's attractiveness to sophisticated Western actors. [Microsoft]
Volume and Capability Trajectory
Period | Signal | Confidence
2022-2023 | Emergence and initial victim accumulation; Go-based payloads; moderate volume | CONFIRMED
2024 | Rust payload deployment; Linux/ESXi targeting matured; Chrome GPO credential theft novel technique; Synnovis (NHS) attack largest impact incident; Scattered Spider affiliate affiliation | CONFIRMED
2025 (H1) | Became #1 ransomware by SLTT incident count; 72 victims in April alone; replaced RansomHub at top position; NETXLOADER / SmokeLoader integration documented | CONFIRMED
2025 (H2) | Continued high-volume healthcare and public sector targeting | CREDIBLE
2026 (Q1-Q2) | Continued operation; active as of research date; no disruption signals | CONFIRMED (operational); specific victim data CREDIBLE
Connected Group Cluster
Relationship | Nature | Anchor Confidence | Extension Confidence
Agenda = Qilin | Same operation, naming convergence | CONFIRMED (multi-vendor consensus; code, DLS, TTP continuity) | N/A -- same entity
Scattered Spider as affiliate | Affiliate affiliation | CREDIBLE (Microsoft Threat Intel) | Not independently corroborated in open sources
NETXLOADER ecosystem | Loader/IAB relationship | CONFIRMED (Trend Micro) | Broader loader network relationships not individually confirmed
Shared affiliates with Akira / LockBit | Affiliate overlap claims | LOW-CREDIBLE (single-source, TTP overlap) | Not confirmed; affiliate identity is not directly established in open sources
Direct rebrand of prior named group | Not assessed | LOW -- no evidence | N/A

No major vendor characterizes Qilin as a direct extension or rebrand of a prior named top-tier group. Mandiant and Recorded Future have not published a formal cluster assessment connecting Qilin to a specific parent organization as of May 2026 open-source research. [4] [11] [5] [1] [12]

Rebranding Risk Assessment

Current signals do not suggest imminent rebranding. Qilin is at peak operational visibility and volume -- conditions that historically precede rebranding are present (law enforcement attention, SLTT-level advisories) but have not yet materialized into the infrastructure seizure or key arrest that typically triggers rebrand decisions. If law enforcement action targets Qilin in 2026, a rebrand within 60-90 days would be consistent with precedent from other Russian-language RaaS operations. [ANALYST INFERENCE]

Key Intelligence Gaps
  • Real identities, locations, and organizational hierarchy of core operators and leading affiliates.
  • Dedicated on-chain wallet attribution from TRM Labs, Chainalysis, or Elliptic.
  • Any non-public law enforcement investigations or coordinated actions not yet disclosed.
  • Precise ransom demand distributions, negotiation reduction rates, and aggregate revenue figures.
  • Scope of any additional CVE exploitation chains beyond FortiOS and SAP NetWeaver vulnerabilities currently documented.


Sources

Vendor Intelligence Reports
[1]
[5]
[10] Check Point (ES). Qilin Ransomware.
[11] Group-IB. Qilin Ransomware.

Government and Regulatory Advisories
[13] ECUCERT (Ecuador). AL-2024-16: Ransomware Qilin Advisory. 2024.
[CIS1] Center for Internet Security / MS-ISAC. Qilin: Top Ransomware Threat to SLTTs in Q2 2025.

Incident Reporting -- Synnovis / NHS

Incident Reporting -- Lee Enterprises

Incident Reporting -- The Big Issue

Technical Analysis