Threat Actor Profile

Qilin

Aliases
  • Agenda
Origin
  • Russia
Active Since
  • 2022-07-01
Motivation
  • Financial gain, Extortion
Cause
  • Cybercriminal
Recent Activity

Qilin remains one of the most active ransomware groups in 2026. Recent reporting links Qilin ransomware deployment to exploitation of Check Point CVE-2026-50751, a critical VPN authentication-bypass vulnerability. Check Point also ranked Qilin as the top ransomware operation in Q1 2026 by listed victims.

Primary Targets
  • Manufacturing organizations
  • Professional services organizations
  • Healthcare organizations
  • Construction organizations
  • Finance organizations
  • Education organizations
  • Insurance organizations
  • Professional scientific and technical services organizations
Target Locations
  • United States
  • France
  • Canada
  • South Korea
  • Spain
  • United Kingdom
Target Sectors
  • Manufacturing
  • Professional Services
  • Healthcare
  • Construction
  • Finance
  • Education
  • Insurance
  • Technology
Vulnerabilities
  • CVE-2026-50751

Techniques
  • Ransomware-as-a-service
  • Affiliate-led intrusions
  • Double extortion
  • Data theft
  • Threats to publish stolen data
  • Windows targeting
  • Linux targeting
  • VMware ESXi targeting
  • AES encryption
  • RSA encryption
  • Customizable payloads
  • Customizable ransom notes
  • VPN authentication-bypass exploitation

Malware Tools
  • Go-based ransomware variants
  • Rust-based ransomware variants
Bitsight Contextualized Intelligence
  • Qilin is a ransomware family that targets multiple platforms, including Windows systems.

  • Qilin encrypts the data of business users using a combination of AES and RSA algorithms.

  • Qilin ransom demands range from $50,000 to $800,000 in order to decrypt files.

  • Qilin ransomware is written in programming languages such as Go and Rust.

  • Qilin has been used in targeted attacks against organizations in healthcare, education, finance, insurance, manufacturing, and professional scientific and technical services.

  • Qilin ransomware is customizable, allowing attackers to tailor payloads and ransom notes for each victim.

  • Qilin ransomware was initially observed in July 2022 under the name Agenda.

  • Qilin operates on a Ransomware-as-a-Service model.

  • Qilin core developers provide malicious software and infrastructure to affiliates in exchange for a percentage of attack profits.

  • Despite the Chinese name, Qilin is linked to Russian-speaking cybercriminals.

  • Qilin affiliates have been recruited on Russian-language forums.

  • Qilin notably excludes Commonwealth of Independent States countries from its targets.

  • Qilin includes variants written in Go and Rust capable of targeting Windows, Linux, and VMware ESXi environments.

  • Qilin shares functional overlaps with Black Basta, REvil, and BlackCat ransomware.

  • Qilin affiliates have targeted multiple entities worldwide, with the majority of victims in the United States, France, Canada, and the United Kingdom.

  • Qilin primarily targets the manufacturing, technology, financial services, and healthcare sectors.

Defensive Takeaways
  • Prioritize patching of internet-facing and remote access systems

  • Harden VPN and external remote services

  • Enforce multifactor authentication for remote access and privileged accounts

  • Maintain offline or immutable backups and regularly test restoration

  • Monitor for backup deletion, recovery inhibition, and abnormal encryption activity

  • Segment critical systems, including virtualization and ESXi environments

How Bitsight Helps

Understanding threat actor capabilities is only half the battle—the other half is knowing whether your organization is in their crosshairs. See how Bitsight threat intelligence helps you move from observation to action.