📃Title: Uncovering Qilin attack methods exposed through multiple cases
📅Date: 2025-10-26
🔗References:

Description

The ransomware group Qilin has been highly active in 2025, publishing over 40 victim cases per month on its leak site. Manufacturing, professional services, and wholesale trade are the most affected sectors. Attackers likely originate from Eastern Europe or Russian-speaking regions. They use tools like Cyberduck for data exfiltration and leverage notepad.exe and mspaint.exe to view sensitive information. The attack flow includes initial VPN access, reconnaissance, credential theft, lateral movement, and ransomware deployment. Two encryptors are often used: one spread via PsExec and another targeting network shares. The ransomware encrypts files, deletes backups, and leaves ransom notes. Persistence is achieved through scheduled tasks and registry modifications.

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer= Cisco-Talos-Intelligence-Group
  • target-information=“United States”
  • target-information=“Canada”
  • target-information=“France”
  • target-information=“Germany”
  • target-information=“United Kingdom”
  • ransomware=“Qilin”
  • target-information=“Malaysia”
  • malpedia=“Cobalt Strike”
  • malpedia=“MimiKatz”
  • malpedia=“Qilin”
  • malpedia=“SystemBC”
  • mitre-attack-pattern=[‘T1033’, ‘T1003’, ‘T1133’, ‘T1489’, ‘T1087.002’, ‘T1082’, ‘T1053’, ‘T1021.002’, ‘T1112’, ‘T1484.001’, ‘T1070.001’, ‘T1222’, ‘T1482’, ‘T1057’, ‘T1059.001’, ‘T1547.001’, ‘T1048’, ‘T1110’, ‘T1562.001’, ‘T1078’, ‘T1486’, ‘T1537’, ‘T1018’, ‘T1046’, ‘T1105’, ‘T1021.001’, ‘T1490’, ‘T1110.003’, ‘T1086’, ‘T1222.001’]

MISP event uuid: d08b6f26-7bc7-409b-89a8-a342ba542772

Indicators of Compromise (IoCs)

type,value,comment
md5, 0f73b467ff03f9224c024f4eb3aecedb, 'IOC-title:Nrv2x\nIOC-description:MD5 of e705f69afd97f343f3c1f2bc6027d30935a0bfd29ff025c563f6f8c1f9a7478e'
md5, 1bbca013922b156ad135a5f1d892441c, 'IOC-title:nUFS_html\nIOC-description:MD5 of 38ddde36929a2ddf13b1844973550072c41004187eaa2456f86e20aa93036b18'
md5, 227f14f4c3aa35b9fb279f52c73b2e1e, 'IOC-title:Win.Ransomware.Qilin-10044197-0\nIOC-description:MD5 of 8fe746dd277e644fa0337db3394f0eadfafe57df029e13df9feef25c536adf4d'
md5, 2984c4a0ae4fdc553b1b512024d86794, 'IOC-description:MD5 of a068f595472c4f94baf1c2a8fba6831a327514e24ec4b38e1eee2cf1646b1591'
md5, 719ba3d7051173982919d1e4e9e9a0ec, 'IOC-title:compromised_site_redirector_fromcharcode\nIOC-description:MD5 of d1347f4dccebf2fcd672dcef9c66c91b9d3f12b9881e3e390626927718fda616'
md5, bb8bdb3e8c92e97e2f63626bc3b254c4, 'IOC-title:HackTool:Win32/Mimikatz.D\nIOC-description:MD5 of 912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9'
md5, 58bb9dab4e9b3aa2fd1e7a7b17d2eeb1, ''
md5, 59c3334d184159008cd45355b436d9a8, ''
md5, 1c0cb55d3a8d544ab0bd7d81d2985089, ''
md5, e2c059083926ec2c219cebcfa4a49453, ''
ip-dst, 86.106.85.36, 'IOC-description:CC=RO ASN=AS35505 pronet solutii it srl'
sha256, dd29138bf369863c33402a3fc995458ab5fc015a13a9378022131ab31d940c9f, 'No sample in VT\r\nLast check:04/11/2025'
ip-dst, 85.239.34.91, 'IOC-description:CC=MD ASN=AS200019 alexhost srl'
domain, holapor67.top, ''
domain, regsvchst.com, ''
email-src, mimikatz@anti.pm, ''
email-src, mimikatzlogs@anti.pm, ''

Full IOCs available in Rectifyq’s MISP