Also known as: Agenda, Qilin Ransomware Group, Water Galura
Profile generated with AI assistance — review before citing.
Impact
- Data Encrypted for Impact (T1486): Encrypt victim data to disrupt availability, typically for ransom.
- Inhibit System Recovery (T1490): Delete backups, volume shadow copies, or recovery partitions so the victim cannot restore without paying.
- Service Stop (T1489): Stop critical services to disrupt operations and release file locks ahead of encryption.
- System Shutdown/Reboot (T1529): Shut down or reboot systems to disrupt operations.

Initial Access
- Valid Accounts (T1078): Authenticate with legitimate (stolen or purchased) credentials.
- Exploit Public-Facing Application (T1190): Exploit vulnerabilities in internet-facing applications to gain access.
- Phishing (T1566): Send deceptive messages to trick recipients into executing malicious content.
- External Remote Services (T1133): Abuse externally exposed remote services such as VPNs or RDP to enter the network.

Defense Evasion
- Obfuscated Files or Information (T1027): Encrypt, encode, or otherwise obfuscate payloads and data to evade detection.
- System Binary Proxy Execution (T1218): Use signed system binaries to proxy execution of malicious content.
- Masquerading (T1036): Disguise malicious artifacts by manipulating names or locations to appear legitimate.
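The impact and evasion techniques listed above reduce, on a Windows host, to a small set of command-line patterns that precede encryption. The following is an added example, not code from the original profile or from any vendor report it cites: it scans constructed Sysmon-style process-creation records (hostnames, users and command lines are made up) for shadow-copy deletion, recovery-environment tampering, backup/security service stops, forced reboots and Base64-encoded PowerShell, then flags hosts on which more than one technique fired. The service watchlist is an assumption and should be tuned to the estate.

```python
"""Flag Qilin-style pre-encryption activity in Windows process-creation events.

Added example, not code from the original profile or from the vendor reports it
cites. The event records below are constructed (hostnames, users and command
lines are made up); the service watchlist is an assumption to tune per estate.
"""
import json
import re

# (ATT&CK technique, label, regex over the raw CommandLine field)
RULES = [
    ("T1490", "shadow copies deleted with vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "shadow copies deleted with wmic",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "Windows Recovery Environment disabled with bcdedit",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", "backup catalog deleted with wbadmin",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("T1529", "forced shutdown or reboot",
     re.compile(r"\bshutdown(?:\.exe)?\s+[/-][rs]\b.*[/-]f\b", re.I)),
    ("T1027", "Base64-encoded PowerShell command line",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("T1218", "execution proxied through rundll32/regsvr32/mshta",
     re.compile(r"\b(?:rundll32|regsvr32|mshta)(?:\.exe)?\s+\S", re.I)),
]

# Service stops are only interesting when the target is a backup, database or
# security service; a bare "net stop" rule would drown in routine admin noise.
SERVICE_STOP = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+(\"[^\"]+\"|\S+)", re.I)
SERVICE_WATCHLIST = ("veeam", "backup", "sql", "exchange", "vss", "sophos", "defend", "acronis")  # assumption


def classify(event):
    """Return [(technique_id, label), ...] for one process-creation record."""
    cmd = event.get("CommandLine", "")
    hits = [(tid, label) for tid, label, rx in RULES if rx.search(cmd)]
    m = SERVICE_STOP.search(cmd)
    if m:
        svc = m.group(1).strip('"').lower()
        if any(w in svc for w in SERVICE_WATCHLIST):
            hits.append(("T1489", f"backup/security service stopped: {svc}"))
    return hits


def scan(jsonl):
    """Parse newline-delimited JSON events and return one finding per rule hit."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for tid, label in classify(ev):
            findings.append({"host": ev.get("Computer"), "user": ev.get("User"),
                             "technique": tid, "label": label, "command": ev.get("CommandLine")})
    return findings


def hosts_with_multiple_techniques(findings, threshold=2):
    """Hosts on which at least `threshold` distinct techniques fired; the
    combination (e.g. T1490 plus T1489 on a file server) is the strong signal."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["technique"])
    return sorted(h for h, techs in by_host.items() if len(techs) >= threshold)


# Constructed Sysmon Event ID 1 records (JSON Lines), not real telemetry.
SAMPLE_EVENTS = r'''
{"Computer": "FS01.corp.example", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"Computer": "FS01.corp.example", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net stop \"Veeam Backup Service\" /y"}
{"Computer": "WS17.corp.example", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net stop Spooler"}
{"Computer": "FS01.corp.example", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled No"}
{"Computer": "WS17.corp.example", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"Computer": "WS17.corp.example", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt"}
'''

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:<20} {f['technique']} {f['label']}: {f['command']}")
    print("hosts with multiple techniques:", hosts_with_multiple_techniques(found))
```

The `net stop Spooler` record deliberately produces no finding: the point of the watchlist is that Service Stop is a high-noise technique on its own, and what makes it worth paging for is a backup or security service being stopped on the same host where shadow copies were just deleted.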
Tooling. The source tagged eleven entries as either "Malware used by Qilin" or "Legitimate tool used by Qilin" (eight malware, three legitimate tools), but the tool names did not survive extraction; the entries are listed here by their surviving descriptions only:

- Enhanced variant of Qilin ransomware with improved encryption and evasion capabilities
- Legitimate cloud storage synchronization tool abused for data exfiltration
- Legitimate Active Directory reconnaissance tool used for network enumeration
- SOCKS5 proxy and RAT used by Qilin affiliates for command and control and for maintaining persistent access
- Remote Desktop Protocol (RDP), used for lateral movement and remote access
- Used for script execution, enumeration, and deployment of payloads
- Exploitation of vulnerabilities in VPN appliances for initial access
- Windows Background Intelligent Transfer Service (BITS) command-line tool, used for data exfiltration
- Legitimate remote desktop software abused for maintaining access and conducting operations
- Legitimate remote monitoring and management (RMM) tool abused by Qilin affiliates for persistent access and lateral movement
- Tool used to establish persistence and exfiltration channels
- Legitimate file transfer tool abused for data exfiltration
- Rust-based ransomware payload with customizable encryption routines and ESXi support
- Earlier Golang-based ransomware variant used before the Rust transition
| Type | Value |
|---|---|
| domain | qilinleaks[.]com |
| domain | agendaleaks[.]com |
| url | hxxp://qilinrnsmx[.]onion |
| domain | cloudflariz[.]com |
| domain | bloglake7[.]cfd |
| domain | mxbook17[.]cfd |
| domain | mxblog77[.]cfd |
| domain | rv-tool[.]net |
| domain | easyupload[.]io |
| hash (64 hex, SHA-256) | 5d56c4d8c097d4d1e8f6d3e4c2b1a8f9e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2 |
| hash (64 hex, SHA-256) | a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a3f2 |
| hash (64 hex, SHA-256) | e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527 |
| hash (64 hex, SHA-256) | 011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6 |
| hash (64 hex, SHA-256) | d3af11d6bb6382717bf7b6a3aceada24f42f49a9489811a66505e03dd76fd1af |
| hash (64 hex, SHA-256) | aeddd8240c09777a84bb24b5be98e9f5465dc7638bec41fb67bbc209c3960ae1 |
| hash (64 hex, SHA-256) | 3dfae7b23f6d1fe6e37a19de0e3b1f39249d146a1d21102dcc37861d337a0633 |
| ip | 194[.]165[.]16[.]13 |
| ip | 93[.]115[.]25[.]139 |

Two caveats before loading this table into detection tooling. The hash rows beginning 5d56c4d8 and a3f2e1d0 are a regular, repeating sequence of hex digits rather than the uniform spread of a real SHA-256 digest; treat them as unverified placeholders until confirmed against an independent source. easyupload[.]io (typed as "url" in the source, a bare domain here) is a public file-sharing service, so a hit is a lead for exfiltration hunting rather than a confirmed Qilin indicator on its own.
| Domain / Host | Role | Status |
|---|---|---|
| qilinleaks[.]com | Known Qilin ransomware leak site domain | offline |
| agendaleaks[.]com | Alternative leak site domain associated with Qilin/Agenda | offline |
| qilinrnsmx[.]onion | Tor-based negotiation portal (defanged) | active |
| cloudflariz[.]com | | offline |
| bloglake7[.]cfd | | offline |
| mxbook17[.]cfd | | offline |
| mxblog77[.]cfd | | offline |
| rv-tool[.]net | | unknown |
| easyupload[.]io | | unknown |
Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.
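Indicator feeds, this profile's table included, arrive in mixed defanged forms ([.], [[.]], hxxp[://]), and a watchlist built from them must match subdomains of a listed domain without matching look-alike names. The following is an added example, not code from the original profile: it refangs the network indicators from the table above into bare hostnames and IPs and checks constructed DNS and forward-proxy log lines against them. The log lines and internal hostnames are made up for the example.

```python
"""Refang the indicators above and match them against DNS and proxy logs.

Added example, not code from the original profile. The profile mixes defanging
styles ([.], [[.]], hxxp[://]); this normalises every row to a bare hostname
or IP and then checks log lines against them, treating subdomains of a listed
domain as hits. The log lines are constructed for the example.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Network observables as printed in the profile's indicator table. Hash rows
# are omitted: they are file indicators, not network ones.
RAW_INDICATORS = [
    ("domain", "qilinleaks[[.]]com"),
    ("domain", "agendaleaks[[.]]com"),
    ("url", "hxxp[://]qilinrnsmx[[.]]onion"),
    ("domain", "cloudflariz[.]com"),
    ("domain", "bloglake7[.]cfd"),
    ("domain", "mxbook17[.]cfd"),
    ("domain", "mxblog77[.]cfd"),
    ("domain", "rv-tool[.]net"),
    ("url", "easyupload[.]io"),
    ("ip", "194[.]165[.]16[.]13"),
    ("ip", "93[.]115[.]25[.]139"),
]


def refang(value):
    """Undo the common defanging conventions: [.] [[.]] (.) {.}, hxxp, [://]."""
    v = value.strip()
    v = re.sub(r"\[\[\.\]\]|\[\.\]|\(\.\)|\{\.\}", ".", v)
    v = re.sub(r"hxxp", "http", v, flags=re.I)
    v = re.sub(r"\[:\]//|\[://\]", "://", v)
    return v


def normalise(kind, value):
    """Return ('ip', address) or ('domain', hostname) for one table row."""
    v = refang(value)
    if kind == "ip":
        return ("ip", str(ip_address(v)))                 # raises ValueError on a malformed row
    host = urlsplit(v).hostname if "://" in v else v      # 'url' rows may be bare hosts
    return ("domain", (host or "").lower().rstrip("."))


def build_watchlist(rows):
    domains, ips = set(), set()
    for kind, value in rows:
        k, v = normalise(kind, value)
        (ips if k == "ip" else domains).add(v)
    return domains, ips


HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_hits(host, domains):
    """Exact or subdomain match; 'notbloglake7.cfd' must not hit 'bloglake7.cfd'."""
    host = host.lower()
    return {d for d in domains if host == d or host.endswith("." + d)}


def match_line(line, domains, ips):
    hits = set()
    for h in HOST_RE.findall(line):
        hits |= domain_hits(h, domains)
    hits |= {ip for ip in IP_RE.findall(line) if ip in ips}
    return sorted(hits)


def scan(log_text, rows=RAW_INDICATORS):
    """Return [(line, [matched indicators])] for every line with at least one hit."""
    domains, ips = build_watchlist(rows)
    results = []
    for line in log_text.splitlines():
        hits = match_line(line, domains, ips)
        if hits:
            results.append((line, hits))
    return results


# Constructed DNS and forward-proxy log lines, not real telemetry.
SAMPLE_LOG = """\
2025-03-04T10:22:13Z WS17 query A www.bloglake7.cfd from 10.0.4.17
2025-03-04T10:22:14Z WS17 query A cdn.example.com from 10.0.4.17
2025-03-04T10:23:02Z FS01 query A rv-tool.net from 10.0.2.5
2025-03-04T10:23:05Z FS01 10.0.2.5 CONNECT 93.115.25.139:443
2025-03-04T10:25:40Z FS01 query A notbloglake7.cfd from 10.0.2.5
2025-03-04T10:40:11Z FS01 10.0.2.5 PUT https://easyupload.io/upload 200 734213440
"""

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(", ".join(hits), "<-", line)
```

The subdomain rule is the part worth keeping: `www.bloglake7.cfd` resolves to a hit while `notbloglake7.cfd` does not, which a naive substring match would get wrong in both directions. The easyupload.io hit on a large PUT is the kind of event to route to the exfiltration hunt rather than to an automatic block, for the reason given under the indicator table.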
- [Qilin Ransomware Analysis - CISA Alert](https://www.cisa.gov/news-events/cybersecurity-advisories) (index page, not a specific advisory)
- [Qilin Ransomware: What You Need to Know - Sophos](https://news.sophos.com/en-us/2023/08/17/qilin-ransomware/)
- [Agenda/Qilin Ransomware Technical Analysis - Trend Micro](https://www.trendmicro.com/en_us/research/22/h/agenda-ransomware.html)
- [Qilin Ransomware Group Analysis - The DFIR Report](https://thedfirreport.com/) (index page, not a specific report)
- [MITRE ATT&CK: T1486 Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486/)
- [FBI Flash Alert: Qilin Ransomware](https://www.ic3.gov/Home/IndustryAlerts) (index page, not a specific alert)
- [Qilin Ransomware: Synnovis Cyberattack Analysis](https://www.ncsc.gov.uk/news/ransomware-attack-affecting-pathology-services)
- [FBI Flash: Qilin Ransomware Indicators of Compromise](https://www.ic3.gov/Media/News/2024/240229.pdf)
- [Group-IB: Qilin Ransomware Deep Dive](https://www.group-ib.com/blog/qilin-ransomware/)
- [Halcyon: Qilin Ransomware Profile](https://www.halcyon.ai/blog/qilin-ransomware-profile)
- [Trend Micro: Qilin Ransomware Analysis](https://www.trendmicro.com/en_us/research/24/f/qilin-ransomware-analysis.html)
- [Qilin Ransomware Group Analysis - Trend Micro](https://www.trendmicro.com/en_us/research/24/e/qilin-ransomware.html)
- [Synnovis Ransomware Attack - NHS England Statement](https://www.england.nhs.uk/2024/06/nhs-england-statement-on-synnovis-ransomware-incident/)
- [Qilin Ransomware Group Targeted Healthcare and Critical Infrastructure Sectors](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a) (note: AA24-242A is CISA's #StopRansomware advisory on RansomHub, not a Qilin-specific advisory)
- [Sophos: The Qilin Ransomware Group - An Overview](https://news.sophos.com/en-us/2024/07/18/the-qilin-ransomware-group/)
- [Trend Micro: Qilin Ransomware Analysis](https://www.trendmicro.com/en_us/research/23/g/qilin-ransomware-arsenal.html)
- [Qilin Ransomware Attack Analysis - Halcyon](https://www.halcyon.ai/blog/qilin-ransomware)
- [NHS Ransomware Attack: What We Know - National Cyber Security Centre](https://www.ncsc.gov.uk/news/ncsc-supporting-synnovis-ransomware-incident)
- [Qilin Ransomware: Affiliates Continue to Dominate the Threat Landscape](https://www.trendmicro.com/en_us/research/24/c/qilin-ransomware.html)
- [Halcyon: The Qilin Ransomware Threat](https://www.halcyon.ai/blog/the-qilin-ransomware-threat)
- [Qilin ransomware escalates rapidly in 2025, targeting critical sectors with 700 attacks](https://industrialcyber.co/ransomware/qilin-ransomware-escalates-rapidly-in-2025-targeting-critical-sectors-with-700-attacks-amid-ransomhub-shutdown/)
- [Qilin: Top Ransomware Threat to SLTTs in Q2 2025](https://www.cisecurity.org/insights/blog/qilin-top-ransomware-threat-to-sltts-in-q2-2025)
- [Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools](https://thehackernews.com/2026/04/qilin-and-warlock-ransomware-use.html)
- [Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal](https://www.trendmicro.com/en_us/research/25/e/agenda-ransomware-group-adds-smokeloader-and-netxloader-to-their.html)
- [LockBit, Qilin, and DragonForce Join Forces to Dominate the Ransomware Ecosystem](https://thehackernews.com/2025/10/lockbit-qilin-and-dragonforce-join.html)
- [Qilin ransomware surges into 2026](https://blog.barracuda.com/2026/01/15/qilin-ransomware-surges-into-2026)
- [Uncovering Qilin attack methods exposed through multiple cases - Cisco Talos](https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/)
- [Qilin Ransomware Explained - Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2025/06/18/qilin-ransomware-explained-threats-risks-defenses)
- [Qilin Ransomware Technical Deep Dive - Halcyon](https://www.halcyon.ai/blog/qilin-ransomware-technical-deep-dive)
- [Sophos X-Ops Analysis of Qilin Ransomware](https://news.sophos.com/en-us/2024/11/19/qilin-affiliates-use-veeam-backup-platform-for-data-exfiltration/)
- [Qilin Ransomware Gang Exploiting Chrome Vulnerability to Steal Credentials](https://thehackernews.com/2024/12/qilin-ransomware-gang-exploiting-chrome.html)
- [Qilin Ransomware Group Intensifies Attacks on Healthcare](https://www.hhs.gov/sites/default/files/qilin-analyst-note.pdf)
- [Qilin Ransomware Group Surges to Top Spot in Q1 2025](https://www.trendmicro.com/en_us/research/25/d/qilin-ransomware-group-surges-to-top-spot-in-q1-2025.html)
- [Qilin Ransomware Analysis and Recovery Guide](https://www.sophos.com/en-us/content/qilin-ransomware)
- [Qilin Ransomware: Affiliate Program Leaves No Backup Behind](https://www.trendmicro.com/en_us/research/24/k/qilin-ransomware-affiliate-program.html)
- [Qilin Ransomware Gang Claims Largest Number of Victims in 2025](https://thehackernews.com/2025/01/qilin-ransomware-gang-claims-largest.html)
- [Qilin Ransomware: The Rise of a Russian Cybercrime Powerhouse](https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-qilin)