📃Title: Uncovering Qilin attack methods exposed through multiple cases
📅Date: 2025-10-26
🔗References:

Description

The ransomware group Qilin has been highly active in 2025, publishing over 40 victim cases per month on its leak site. Manufacturing, professional services, and wholesale trade are the most affected sectors. Attackers likely originate from Eastern Europe or Russian-speaking regions. They use tools like Cyberduck for data exfiltration and leverage notepad.exe and mspaint.exe to view sensitive information. The attack flow includes initial VPN access, reconnaissance, credential theft, lateral movement, and ransomware deployment. Two encryptors are often used: one spread via PsExec and another targeting network shares. The ransomware encrypts files, deletes backups, and leaves ransom notes. Persistence is achieved through scheduled tasks and registry modifications.

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer Cisco-Talos-Intelligence-Group
  • target-information="United States"
  • target-information="Canada"
  • target-information="France"
  • target-information="Germany"
  • target-information="United Kingdom"
  • ransomware="Qilin"
  • target-information="Malaysia"
  • malpedia="Cobalt Strike"
  • malpedia="MimiKatz"
  • malpedia="Qilin"
  • malpedia="SystemBC"
  • mitre-attack-pattern=['T1033', 'T1003', 'T1133', 'T1489', 'T1087.002', 'T1082', 'T1053', 'T1021.002', 'T1112', 'T1484.001', 'T1070.001', 'T1222', 'T1482', 'T1057', 'T1059.001', 'T1547.001', 'T1048', 'T1110', 'T1562.001', 'T1078', 'T1486', 'T1537', 'T1018', 'T1046', 'T1105', 'T1021.001', 'T1490', 'T1110.003', 'T1086', 'T1222.001']

MISP event uuid: d08b6f26-7bc7-409b-89a8-a342ba542772

Indicators of Compromise (IoCs)

type,value,comment
ip-dst, 86.106.85.36, 'IOC-description:CC=RO ASN=AS35505 pronet solutii it srl'
sha256, dd29138bf369863c33402a3fc995458ab5fc015a13a9378022131ab31d940c9f, 'No sample in VT\r\nLast check:04/11/2025'
ip-dst, 85.239.34.91, 'IOC-description:CC=MD ASN=AS200019 alexhost srl'
domain, holapor67.top, ''
domain, regsvchst.com, ''
email-src, mimikatz@anti.pm, ''
email-src, mimikatzlogs@anti.pm, ''

Full IOCs available in Rectifyq's MISP