Executive Summary and Group Overview
Qilin (also tracked as Agenda) is a Russian-language ransomware-as-a-service (RaaS) operation first observed in July 2022. Originally named Agenda, the group rebranded around late 2022 under the Qilin name visible on its Tor-hosted data leak site. The operation has been continuously active through May 2026 and is now assessed as one of the highest-volume enterprise ransomware actors globally. In Q2 2025, Qilin surpassed RansomHub as the leading ransomware threat to U.S. state, local, tribal, and territorial (SLTT) organizations, accounting for 24% of reported incidents. The group claimed approximately 958 victims in 2025 and 72 in April 2025 alone.
The group operates a dual-language (Go/Rust) payload capable of targeting Windows and Linux/VMware ESXi environments. Qilin employs standard double extortion, threatens regulatory and media escalation, and has demonstrated novel credential-harvesting techniques including GPO-deployed Chrome data theft across entire victim domains. Its most consequential publicly documented incident is the June 2024 ransomware attack on UK pathology provider Synnovis, which disrupted seven London NHS hospitals, cancelled thousands of procedures, and was cited as a contributing factor in at least one patient death.
| Attribute | Detail |
|---|---|
| Primary alias | Qilin |
| Secondary alias | Agenda (original name; same operation, confirmed) |
| Vendor designations | SentinelOne: "Agenda (aka Qilin)"; Group-IB: "Qilin Ransomware"; Check Point: "Qilin (Agenda)"; KELA: "Qilin ransomware group"; Blackpoint Cyber: "Qilin (AKA Agenda)"; Darktrace: "Qilin RaaS operator"; FortiGuard Labs: "Qilin Ransomware" (formal threat actor page) |
| CrowdStrike designation | Not confirmed in open-source reporting as of May 2026 |
| Mandiant / Secureworks designations | Not confirmed in open-source reporting as of May 2026 |
| Operational model | Ransomware-as-a-Service |
| Extortion mechanic | Double extortion (encryption + data leak threat); elements of triple extortion (regulatory/media escalation) documented |
| Assessed jurisdiction | Russia / CIS (CREDIBLE) |
| LE disruption status | None confirmed as of May 2026 |
| OFAC sanctions status | None as of May 2026 |
The group's name and branding draw on the qilin (Chinese: 麒麟), a mythological creature from East Asian traditions regarded as an omen of sage rulers and benevolent prosperity. The ransomware operators selected the name deliberately -- a creature associated with ancient power and good fortune, repurposed as threat branding.
Lineage and Organizational Heritage
Agenda ransomware was first publicly analyzed in July-August 2022, with early victims reported in Indonesia and Saudi Arabia. The group began operating its dedicated data leak site under the "Qilin" brand around late 2022. Most contemporary vendor reporting treats the Agenda and Qilin names as referring to the same underlying operation. [1] [2] [4]
A forum profile operating under the handle "Haise" joined the RAMP cybercrime forum on May 29, 2022 and advertised Qilin on February 13, 2023. This is the clearest open-source data point linking a specific operator alias to the group's founding period. [12] Note: A July 2025 Telegram channel claiming to be Europol offered a $50,000 bounty for information on Qilin administrators "Haise" and "XORacle" -- Europol confirmed this channel was a scam and no such bounty exists. The aliases themselves appear in prior legitimate forum tracking and are treated as credible at the handle level.
Open-source and vendor analysis consistently presents Qilin/Agenda as a standalone operation, not a rebranded or direct successor to any prior named group such as Conti, Hive, or REvil. No multi-source evidence of code forking from a specific predecessor has been confirmed. Some features (multi-threaded encryption, service killing, safe-mode rebooting) mirror common patterns across the Russian-language RaaS ecosystem but do not establish lineage. [4] [11] [5]
Confidence that Qilin is a direct code fork of a specific prior group: LOW. Confidence that the group's operators have familiarity with Russian-language RaaS tradecraft: HIGH.
Qilin has no confirmed parent-organization designation comparable to Wizard Spider (CrowdStrike) or Gold Ulrick (Secureworks) for Conti. Vendors that have published formal designations for Qilin itself include SentinelOne, Group-IB, Check Point, KELA, Blackpoint Cyber, Darktrace, and FortiGuard Labs. CrowdStrike, Mandiant, and Secureworks have not confirmed public group-specific designations for Qilin as of May 2026, though detailed profiles may exist behind paywalls. [4] [11] [10] [12] [5]
Operational Model
Qilin operates as a Ransomware-as-a-Service platform. Core operators maintain the payload, affiliate panel, negotiation infrastructure, and data leak site. Affiliates conduct intrusions, exfiltration, and encryption, then share revenue with the platform. [9] [10] [11] [12] [5]
Affiliate recruitment occurs on Russian-language cybercrime forums. The platform is assessed as affiliate-friendly: Blackpoint Cyber reports affiliates retain 80% of ransoms below $3 million and 85% for ransoms above $3 million, with the core team retaining the remainder. This split is at the high end of documented RaaS norms. [5]
In Q2 2024, Microsoft Threat Intelligence identified Octo Tempest / Scattered Spider as a Qilin affiliate, a significant escalation: Scattered Spider brings sophisticated social engineering and cloud environment capabilities to Qilin's payload. [Credible - Microsoft attribution; no corroborating independent confirmation in open sources as of research date]
- Double extortion (standard): Data exfiltrated prior to encryption creates two independent leverage points. All Qilin incidents involve both components. [2] [10] [4] [11] [12] [5]
- Triple extortion (documented, not systematic): Qilin has threatened to contact customers, regulators, and media to amplify reputational damage. Not documented as a formalized "phase" but present in multiple incident accounts. [6] [14]
- Teaser-to-full-dump progression: DLS publications begin with sample data, escalating to full dataset publication if negotiations fail. Claimed exfiltration volumes include 550 GB (The Big Issue parent company) and 400 GB (Synnovis). [6] [B1]
- Countdown timers: DLS posts include deadlines that, when missed, trigger ransom increases or accelerated publication. [6]
Negotiations are conducted through a Tor-hosted victim negotiation portal, accessed via a unique URL in the ransom note. Initial demands for large enterprise targets reach into the millions. Negotiators and incident responders report reductions of 30-50% or more during active negotiations, though hard statistics are sparse. Qilin communication is professional and coercive, emphasizing data control leverage. [13] [14] [5]
Some affiliate-dependent variation in victim communication has been documented, with TOX/email handles appearing in ransom notes alongside Tor portal references depending on the affiliate. [5] [13]
Technical Capabilities
| Generation | Language | Platforms | Period | Notes |
|---|---|---|---|---|
| Agenda v1 | Go (Golang) | Windows | 2022 | Initial release; per-victim config, service killing |
| Agenda/Qilin v2 | Go (Golang) | Windows, Linux/ESXi | 2022-2023 | Cross-platform expansion; ESXi targeting added |
| Qilin Rust | Rust | Windows, Linux/ESXi | 2023-present | Full Rust rewrite; improved evasion, speed, cross-platform capability |
No public universal decryptor exists for any Qilin/Agenda variant as of May 2026. The No More Ransom portal does not list a Qilin decryptor. Case-by-case recovery via backup restoration or operational mistake exploitation is documented but not indicative of a cryptographic flaw. [7] [4] [13]
| Vector | Confidence | Notes |
|---|---|---|
| Phishing / malicious attachments | CONFIRMED (multi-source) | Broadly documented across Qilin affiliate campaigns [3] [5] [14] |
| Compromised VPN / RDP credentials (no MFA) | CONFIRMED (multi-source) | Dominant vector per Sophos incident response (July 2024) [14] [5] |
| CVE-2024-21762 (FortiOS SSL VPN RCE) | CONFIRMED | CVSS 9.6; actively exploited by Qilin affiliates per CIS-ISG reporting [CIS1] |
| CVE-2024-55591 (FortiOS auth bypass) | CONFIRMED | Exploited alongside CVE-2024-21762 [CIS1] |
| CVE-2025-31324 (SAP NetWeaver Visual Composer RCE) | CREDIBLE | CVSS 10.0; Qilin-linked actors exploited this vulnerability weeks before public disclosure per OP Innovate investigation [OP1] |
| Backup service and web application vulnerabilities | CREDIBLE (multi-source) | ESXi management interfaces frequently cited [5] [3] [14] |
| NETXLOADER (loader delivery) | CONFIRMED | Trend Micro (Nov 2024): .NET loader protected with .NET Reactor 6, JIT hooking, deployed with SmokeLoader to stage Qilin payload [TM1] [5] |
| Phase | Observed Tools / Techniques |
|---|---|
| Persistence | Additional admin account creation, web shells, RDP/VPN config modification [13] [14] [5] |
| Lateral Movement | Stolen credentials, RDP, PsExec, WMIC, domain GPO for ransomware push [5] [13] [14] |
| Privilege Escalation | Domain controller access; Kerberoasting likely (ANALYST INFERENCE from toolset pattern) |
| Defense Evasion | Security tool disabling, backup and database service termination, Windows Safe Mode reboot before encryption [4] [13] [5] |
| C2 / Remote Access | Cobalt Strike, commercial RMM tools, built-in OS utilities (PowerShell, PsExec) [13] [14] [5] |
| Exfiltration | Volume-based (hundreds of GB claimed per incident); specific tools affiliate-dependent |
| Encryption | Hybrid symmetric/asymmetric (AES or ChaCha20 + RSA); multi-threaded; partial encryption for large files; per-victim configuration [4] [11] [13] |
| ESXi targeting | Linux variant terminates VMs before encrypting virtual disk files; esxcli use documented [4] [11] [5] |
Qilin is assessed to exclude CIS-region targets. Binary analysis documents locale and language checks (Russian keyboard/language settings). No CIS-region organization has been publicly documented as a Qilin victim across three-plus years of operation. This pattern is consistent with Russian-language RaaS operating norms and the safe-harbor dynamic observed across the broader ecosystem. Sample-level descriptions of the CIS exclusion code itself appear less consistently in public write-ups than the strength of the behavioral pattern would suggest. [13] [5]
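As an added illustration of how the defense-evasion, lateral-movement and ESXi behaviours tabulated above can be surfaced from endpoint telemetry, the following Python is example code written for this profile, not tooling from any vendor cited here. It runs a small rule set over constructed Sysmon-style process-creation records (the hosts, users, service names and command lines are invented for the example) and correlates hits per host, so that a safe-mode boot change combined with backup or database service termination on one host is raised as the pre-encryption staging pattern the table describes. The service-name pattern and rule names are assumptions chosen for readability, not identifiers from any detection product.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon Event ID 1 style, trimmed).
# Every value here is made up for the example; none comes from a real incident.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot network"},
    {"host": "WS01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net stop "MSSQLSERVER" /y'},
    {"host": "WS01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc config ExampleBackupAgent start= disabled"},
    {"host": "FS02", "user": "CORP\\jdoe", "image": r"C:\Tools\psexec.exe",
     "cmdline": r"psexec \\FS02 -s -d cmd /c C:\Temp\update.exe"},
    {"host": "esx01", "user": "root", "image": "/bin/esxcli",
     "cmdline": "esxcli vm process kill --type=force --world-id=2100123"},
    # Benign administrative noise that the rules must not flag.
    {"host": "ADMIN01", "user": "CORP\\itops", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},
    {"host": "PRINT01", "user": "CORP\\itops", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop spooler"},
]

# Service-name fragments for the classes of service the report says are terminated
# before encryption (backup, database, security tooling). Illustrative list only.
SENSITIVE_SERVICE_RE = re.compile(r"(sql|backup|database|exchange|antivirus|defender|edr)", re.I)

# Each rule: (name, predicate over one event). Names are assumptions for this example.
RULES = [
    # Safe Mode reboot staging: bcdedit changing the safeboot flag, not merely enumerating.
    ("safe_mode_boot_config",
     lambda e: e["image"].lower().endswith("bcdedit.exe")
               and re.search(r"\bsafeboot\b", e["cmdline"], re.I)),
    # Backup / database / security service stopped, reconfigured or deleted via net or sc.
    ("sensitive_service_stop",
     lambda e: e["image"].lower().endswith(("net.exe", "net1.exe", "sc.exe"))
               and re.search(r"\b(stop|config|delete)\b", e["cmdline"], re.I)
               and SENSITIVE_SERVICE_RE.search(e["cmdline"])),
    # ESXi variant behaviour: forced VM termination before virtual disks are touched.
    ("esxi_vm_force_kill",
     lambda e: e["image"].endswith("esxcli")
               and re.search(r"vm process kill", e["cmdline"], re.I)),
    # Lateral movement tooling from the table; noisy on its own, useful in correlation.
    ("psexec_remote_exec",
     lambda e: e["image"].lower().endswith(("psexec.exe", "psexec64.exe"))),
]


def match_events(events):
    """Return one finding per (event, rule) pair that the rule predicate accepts."""
    findings = []
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                findings.append({"rule": name, "host": event["host"],
                                 "user": event["user"], "cmdline": event["cmdline"]})
    return findings


def correlate_by_host(findings):
    """Group rule hits per host and flag hosts showing the staging sequence
    (safe-mode boot change plus sensitive service termination on the same host)."""
    per_host = defaultdict(set)
    for finding in findings:
        per_host[finding["host"]].add(finding["rule"])
    staged = {host for host, rules in per_host.items()
              if {"safe_mode_boot_config", "sensitive_service_stop"} <= rules}
    return dict(per_host), staged


if __name__ == "__main__":
    hits = match_events(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit['rule']:24} {hit['host']:8} {hit['user']:18} {hit['cmdline']}")
    by_host, staged_hosts = correlate_by_host(hits)
    print("hosts matching pre-encryption staging pattern:", sorted(staged_hosts))
```

Single-rule hits such as PsExec use are deliberately kept at low severity here; the correlation step is what turns them into something worth paging on, which mirrors how the table's phases chain together in a real intrusion.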
Financial Infrastructure
Qilin demands ransoms in Bitcoin, the dominant cryptocurrency in its observed ransom notes. Per-incident unique Bitcoin addresses are used, directing funds to victim-specific wallets before aggregation. Some affiliate flexibility in accepting alternative cryptocurrencies has been suggested in incident reporting but is not systematically documented. [13] [5]
No aggregate revenue figure for Qilin has been confirmed in open-source reporting. Given documented victim volume (~958 in 2025), enterprise targeting profile, and typical RaaS ransom magnitudes in the hundreds of thousands to millions of dollars, Qilin is assessed in the upper tier of contemporary RaaS operations by revenue generation. This is an ANALYST INFERENCE based on volume and targeting profile, not a confirmed figure.
Victim Profile and Targeting
| Sector | Assessed Priority | Notes |
|---|---|---|
| Healthcare / Medical | HIGH -- primary target | Multiple hospital and health system incidents in 2024-2026; Synnovis attack most consequential [3] [7] [5] |
| Education | HIGH | Universities and K-12 documented [2] [5] [1] |
| Manufacturing / Industrial | HIGH | Including industrial supply chains [11] [5] [1] [2] |
| Media / Publishing | MODERATE-HIGH | The Big Issue parent, Lee Enterprises [6] [8] |
| Local Government / Public Services | MODERATE-HIGH | SLTT incidents rising sharply in 2025 [7] [5] [3] |
| Real Estate / Construction | MODERATE | Documented in early reporting [1] [2] |
| Technology / Financial / Telecom | MODERATE | Expanded targeting in 2025 per Trend Micro [TM1] |
Qilin targets organizations across North America, Europe, and Latin America, with consistent reporting of U.S. dominance. SOCRadar specifically identifies the U.S., Brazil, and Argentina as primary target countries. UK-based organizations have been disproportionately represented in high-profile incidents (Synnovis, The Big Issue parent). No CIS-region victims documented. [2] [3] [6] [7] [8]
| Victim | Sector | Date | Impact |
|---|---|---|---|
| Synnovis (UK) | Healthcare / Pathology | June 3, 2024 | 400 GB leaked; 7 London NHS hospitals affected; 10,000+ appointments/procedures cancelled; 300M+ patient interactions exposed; patient death cited as contributing factor; no ransom paid; 18-month investigation concluded Nov 2025 [B1] [B2] [B3] |
| Lee Enterprises (US) | Media / Publishing | February 3, 2025 | 350 GB claimed; 39,779 individuals notified; 72 newspapers disrupted; SEC material impact filing; Social Security numbers among compromised data [8] [LE1] |
| The Big Issue parent (UK) | Media / Publishing | 2024 | 550 GB claimed; confidential files leaked on DLS [6] |
| Multiple unnamed hospitals / health systems | Healthcare | 2024-2026 | Rust-based attacks; multiple healthcare advisories issued [3] [7] |
Qilin demonstrates positive selection for targets where operational disruption and data exposure create maximum leverage: critical infrastructure with low tolerance for downtime (healthcare), time-sensitive services (media/publishing), and organizations managing sensitive personal or financial data. The RaaS model creates heterogeneity in targeting -- more capable affiliates pursue enterprise targets while less sophisticated affiliates may target smaller organizations as collateral.
Negative selection (CIS avoidance) is consistent with documented binary behavior and the absence of any CIS victim across the group's operational history.
Law Enforcement and Regulatory Response
No U.S., UK, EU, or other public indictment has named any individual as a member of Qilin. No arrest attributable to Qilin operations has been publicly announced. This is an assessed intelligence gap, not proof that investigations are absent. [5] [13] [8]
Neither "Qilin" nor "Agenda" appears in OFAC's Specially Designated Nationals list. No Qilin-linked wallet has been OFAC-designated in open-source data. This gap could change rapidly given the group's healthcare targeting profile and NHS-level impact. [13] [5]
Qilin's Tor-hosted data leak site and negotiation portal remain operational as of May 2026. No large-scale seizure of Qilin's core infrastructure has been publicly announced. Isolated sinkholing of affiliate-used C2 nodes is possible but not documented under the Qilin name. [5]
| Body | Action | Date | Notes |
|---|---|---|---|
| MS-ISAC / CIS-ISG | Threat intelligence report: Qilin top SLTT threat | Q2 2025 | Documented 29 U.S. SLTT incidents Dec 2023 to Jun 2025; 24% market share Q2 2025 [CIS1] |
| ECUCERT (Ecuador) | Technical advisory AL-2024-16 | 2024 | Internal workings, configuration analysis, mitigation recommendations [13] |
| FBI / CISA | Joint advisory referencing NETXLOADER / Qilin affiliate activity | 2025 | Referenced in Blackpoint Cyber / Trend Micro reporting; dedicated #StopRansomware advisory for Qilin not confirmed in public CISA portal as of research date [5] [TM1] |
| UK NHS / NCSC | Sectoral alerts following Synnovis incident | 2024 | Patching, network segmentation, offline backup guidance issued to NHS supply chain [B1] [B2] |
| Healthcare ISACs (various) | Sectoral alerts | 2024-2026 | Qilin cited as top healthcare threat in multiple H-ISAC and MS-ISAC communications [7] [3] |
No public universal decryptor for any Qilin or Agenda variant is available through the No More Ransom portal or any publicly disclosed vendor release as of May 2026. Recovery in documented incidents has relied on unaffected backups or, in isolated cases, operational mistakes by affiliates. No systemic cryptographic flaw has been publicly identified. [7] [4] [13]
Attribution and State Nexus
Qilin is consistently assessed as a Russian-language, likely Russia-based or CIS-based criminal group. Supporting indicators: Russian-language forum recruitment and operator communications; CIS exclusion behavior across three-plus years of operation; SOCRadar, KELA, and Group-IB all formally characterize origin as Russian; Ecuador's ECUCERT advisory characterizes it as Russian-origin. [13] [12] [5]
The only named aliases associated with Qilin leadership in open-source reporting are "Haise" (RAMP forum, documented joining May 2022, Qilin advertisement February 2023) and "XORacle" (referenced only in the July 2025 fake Europol Telegram post). Europol confirmed the Telegram channel was not genuine. Neither alias has been attributed to a real-world identity in any public law enforcement action.
Confidence that "Haise" is a legitimate Qilin operator alias: CREDIBLE (documented forum record predating the fake Europol post). Confidence that real identity is known to open sources: LOW / NOT CONFIRMED.
No leaked communications, indictments, or credible technical reporting ties Qilin to FSB, SVR, GRU, or any other Russian state service. No evidence of overt intelligence collection on behalf of a state actor. No state-directed targeting has been documented.
The combination of CIS avoidance, Russian-language operation, and absence of domestic prosecution is consistent with a de facto safe harbor -- the expectation of non-prosecution in exchange for avoiding CIS targets -- that characterizes the broader Russian cybercrime ecosystem. This is an analytic inference about ecosystem dynamics, not a documented agreement. [5] [13] [12]
Microsoft Threat Intelligence (mid-2024) reported that Octo Tempest, also known as Scattered Spider (CrowdStrike), had become a Qilin affiliate. Scattered Spider is a financially motivated, English-language threat group known for sophisticated social engineering, SIM-swapping, and cloud environment exploitation. Its adoption of Qilin as a payload represents a convergence of Western social engineering capability with Russian-language RaaS infrastructure. This affiliation does not indicate a state nexus but does materially expand the attacker population capable of deploying Qilin.
Trajectory Assessment
- Continuous operation since July 2022 with no prolonged disappearance or disruption. [1] [3] [4] [11]
- No leaked internal communications, affiliate disputes, or visible internal fragmentation analogous to Conti's May 2022 collapse. [4] [12] [5]
- Active payload development cycle: Go to Rust transition, NETXLOADER integration, Chrome credential GPO technique all represent non-trivial development investment. [TM1] [S1] [4]
- Affiliate pool expansion: Scattered Spider adoption as an affiliate in 2024 demonstrates the group's attractiveness to sophisticated Western actors. [Microsoft]
| Period | Signal | Confidence |
|---|---|---|
| 2022-2023 | Emergence and initial victim accumulation; Go-based payloads; moderate volume | CONFIRMED |
| 2024 | Rust payload deployment; Linux/ESXi targeting matured; Chrome GPO credential theft novel technique; Synnovis (NHS) attack largest impact incident; Scattered Spider affiliation | CONFIRMED |
| 2025 (H1) | Became #1 ransomware by SLTT incident count; 72 victims in April alone; replaced RansomHub at top position; NETXLOADER / SmokeLoader integration documented | CONFIRMED |
| 2025 (H2) | Continued high-volume healthcare and public sector targeting | CREDIBLE |
| 2026 (Q1-Q2) | Continued operation; active as of research date; no disruption signals | CONFIRMED (operational); specific victim data CREDIBLE |
| Relationship | Nature | Anchor Confidence | Extension Confidence |
|---|---|---|---|
| Agenda = Qilin | Same operation, naming convergence | CONFIRMED (multi-vendor consensus; code, DLS, TTP continuity) | N/A -- same entity |
| Scattered Spider as affiliate | Affiliate relationship | CREDIBLE (Microsoft Threat Intel) | Not independently corroborated in open sources |
| NETXLOADER ecosystem | Loader/IAB relationship | CONFIRMED (Trend Micro) | Broader loader network relationships not individually confirmed |
| Shared affiliates with Akira / LockBit | Affiliate overlap claims | LOW-CREDIBLE (single-source, TTP overlap) | Not confirmed; affiliate identity is not directly established in open sources |
| Direct rebrand of prior named group | Not assessed | LOW -- no evidence | N/A |
No major vendor characterizes Qilin as a direct extension or rebrand of a prior named top-tier group. Mandiant and Recorded Future have not published a formal cluster assessment connecting Qilin to a specific parent organization as of May 2026 open-source research. [4] [11] [5] [1] [12]
Current signals do not suggest imminent rebranding. Qilin is at peak operational visibility and volume. Conditions that historically precede rebranding (law enforcement attention, SLTT-level advisories) are present, but the infrastructure seizure or key arrest that typically triggers a rebrand decision has not yet occurred. If law enforcement action targets Qilin in 2026, a rebrand within 60-90 days would be consistent with precedent from other Russian-language RaaS operations. [ANALYST INFERENCE]
- Real identities, locations, and organizational hierarchy of core operators and leading affiliates.
- Dedicated on-chain wallet attribution from TRM Labs, Chainalysis, or Elliptic.
- Any non-public law enforcement investigations or coordinated actions not yet disclosed.
- Precise ransom demand distributions, negotiation reduction rates, and aggregate revenue figures.
- Scope of any additional CVE exploitation chains beyond FortiOS and SAP NetWeaver vulnerabilities currently documented.