
Threat Actor Characterization

Qilin

ID: d8e6782eec741fcceb6c308149d08a9d
Category: Crimeware / Ransomware
Threat types: Ransomware, RaaS, Intrusion, DDoS Attack
Origin: Russia
Operation zone: Argentina, Canada, Chile, China, Ecuador, France, Germany, India, Israel, Japan, Malaysia, Mexico, Spain, Taiwan, Turkey, United Kingdom, United States
Updated: 2026-03-22
Created: 2026-01-27
Progress: 94%, Completeness: 96%, Freshness: 90%
Aliases: Agenda, Qilin Crypt (2 of 7 aliases shown in free preview)
MITRE ATT&CK®

Qilin (aka Agenda) is a ransomware-as-a-service (RaaS) ecosystem active since 2022, associated in public reporting with double extortion, leak-site pressure, and cross-platform targeting (Windows and Linux/VMware ESXi). Affiliate tradecraft varies, but repeated reporting highlights phishing/exposed services/valid accounts for entry, remote tooling/RMM abuse for staging, lateral movement via admin channels, backup targeting and recovery inhibition, and encryption impact.


Technique / Technique name / Tactics / Evidence

T1566 Phishing (TA0001)
  • 2024-06-18 — Phishing/spearphishing for initial access is described as a common vector for Qilin/Agenda campaigns.
T1190 Exploit Public-Facing Application (TA0001)
  • 2024-06-18 — Use of exposed applications/interfaces (e.g., Citrix) is described as an initial access path.
T1078 Valid Accounts (TA0001, TA0003, TA0004, TA0005)
  • 2024-06-18 — Abuse of remote desktop (RDP) and exposed access services implies valid-account and remote-access risk where credentials are compromised.
T1219 Remote Access Tools (TA0011)
  • 2025-10-23 — Use/abuse of legitimate remote management and remote access tools for deployment and execution is described in casework.
T1105 Ingress Tool Transfer (TA0011)
  • 2025-10-23 — Casework describes staged deployment using file transfer and remote execution tooling (tool transfer into the environment as part of deployment).
T1021.002 SMB/Windows Admin Shares (TA0008)
  • 2024-06-18 — Propagation via PsExec is described, consistent with admin-share based lateral movement.
T1021.004 SSH (TA0008)
  • 2024-06-18 — Propagation via Secure Shell (SSH) is described, consistent with cross-platform lateral movement risk (Linux/ESXi contexts).
T1003 OS Credential Dumping (TA0006)
  • 2025-10-23 — Casework emphasizes credential acquisition and targeted theft of backup credentials to compromise recovery capabilities.
T1041 Exfiltration Over C2 Channel (TA0010)
  • 2025-10-26 — Double extortion implies exfiltration of collected data prior to encryption/publication; exfiltration mechanisms vary by affiliate.
T1486 Data Encrypted for Impact (TA0040)
  • 2024-06-18 — Encryption is the core impact mechanism; Qilin supports multiple encryption modes controlled by the operator.
T1490 Inhibit System Recovery (TA0040)
  • 2025-10-23 — Casework describes disabling recovery options and systematically compromising backup infrastructure prior to ransomware execution.
T1562.001 Disable or Modify Tools (TA0005)
  • 2025-10-23 — Defense evasion is described, including techniques consistent with neutralizing endpoint defenses (including BYOVD in some cases).
Strategic Intelligence
Last updated: 2026-03-05T19:27:41+00:00

QILIN (AKA AGENDA) — RaaS / Double-Extortion

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: Ransomware / RaaS (Double-Extortion) — Origin: INFERENCE: Russian-speaking underground ecosystem (confidence: medium-high)

Author: iQBlack CTI Team



Executive Summary

Qilin (also widely reported under its earlier name “Agenda”) is a ransomware-as-a-service (RaaS) operation active since mid-2022 and repeatedly described in public reporting as a high-throughput affiliate platform combining data theft with encryption (“double extortion”). The group operates an extortion ecosystem that includes victim negotiation, leak-site publication pressure, and a mature affiliate program where the core operators reportedly take a percentage of ransom proceeds (commonly cited as ~15–20%).

From a defender’s perspective, Qilin’s distinguishing risk is not a single “novel” exploit chain but an increasingly professionalized operating model: affiliates leverage common entry vectors (phishing, exposed remote services, credential abuse) and then rely on fast lateral movement, tool-assisted deployment (including remote monitoring/management tools), and recovery inhibition prior to encryption. Public reporting highlights cross-platform capability (Windows + Linux/ESXi) and repeated use of legitimate administrative tooling to reduce friction and blend into enterprise operations.

Operational sophistication appears uneven across incidents (typical of RaaS). Some campaigns show advanced tradecraft (backup targeting, defense evasion techniques such as BYOVD, proxying, and multi-tool orchestration), while others resemble “opportunistic big-game hunting.” This variability is a key analytic point: Qilin should be modeled as an ecosystem with a shared payload/platform but heterogeneous affiliate behaviors.

Executive Analyst Brief for CISO

Executive Analyst Brief for Decision Makers — Qilin (aka Agenda)

Classification: Unclassified / OSINT — TLP:WHITE

Hunting Playbook

Hunting Playbook — Qilin (aka Agenda) RaaS

Operating assumption: Affiliate-driven initial access; consistent mid-chain behaviors (remote tooling misuse, lateral movement, recovery inhibition, exfil staging). Use these hunts as ransomware-grade controls regardless of affiliate identity.
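The mid-chain behaviours named above and in the ATT&CK mapping (admin-share lateral movement via PsExec, recovery inhibition, remote tooling) can be hunted with a small process-creation classifier. The following Python is an added example, not part of this page or of any vendor playbook; the command-line patterns are ATT&CK-documented heuristics rather than indicators from this page, the RMM executable names are placeholders, and the events are constructed.

```python
import re
from collections import defaultdict

# Assumed heuristics, one per technique ID from the mapping above.
# Each rule: (technique, regex on executable name, regex on command line).
RULES = [
    ("T1490", re.compile(r"^(vssadmin|wbadmin|bcdedit)\.exe$"),
     re.compile(r"delete shadows|delete catalog|recoveryenabled\s+no", re.I)),
    ("T1021.002", re.compile(r"^psexesvc\.exe$"), re.compile("")),  # PsExec service binary
    ("T1219", re.compile(r"^(rmm_agent|remote_support)\.exe$"), re.compile("")),  # placeholder RMM names
]


def image_name(path: str) -> str:
    """Return the lowercase executable name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the technique IDs whose rule matches one process-creation event."""
    name = image_name(event.get("image", ""))
    cmd = event.get("cmdline", "")
    return [tid for tid, img_re, cmd_re in RULES if img_re.match(name) and cmd_re.search(cmd)]


def hunt(events: list[dict]) -> dict[str, dict]:
    """Group technique hits per host; flag hosts showing lateral movement plus recovery inhibition."""
    per_host = defaultdict(set)
    for ev in events:
        for tid in classify(ev):
            per_host[ev["host"]].add(tid)
    return {
        host: {"techniques": sorted(tids), "ransomware_chain": {"T1021.002", "T1490"} <= tids}
        for host, tids in per_host.items()
    }


# Constructed sample events (not from the page or any real incident).
SAMPLE_EVENTS = [
    {"host": "fs01", "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "fs01", "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "fs01", "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ws07", "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},  # benign admin use
    {"host": "ws07", "image": r"C:\Users\jdoe\AppData\Local\rmm_agent.exe", "cmdline": "rmm_agent.exe --service"},
]

if __name__ == "__main__":
    for host, summary in hunt(SAMPLE_EVENTS).items():
        print(host, summary)
```

A host with both admin-share execution and recovery inhibition is reported as a ransomware chain; a lone RMM hit on ws07 is surfaced for triage but not escalated.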

IOC Appendix
Last updated: 2026-03-05T19:30:19+00:00

IOC Appendix — Qilin (aka Agenda)

Classification: Unclassified / OSINT — TLP:WHITE

OSINT Library
Last saved: 2026-03-05T19:30:42+00:00

OSINT Library — Qilin (aka Agenda)


2024-06-18 — U.S. HHS / HC3 — “Threat Profile: Qilin, aka Agenda Ransomware (TLP:CLEAR)”

Social Media & Communication

SOCMINT integrated: 0/22. Contact addresses are masked in preview mode.
Reference Images/Associated Evidence

10 images in total (onion website screenshots, banners, logos, propaganda); 4 shown in preview mode, the rest restricted to Analyst and Premium plans.