November 6, 2025
Severity
High
Analysis Summary
Qilin ransomware, formerly known as Agenda, is a Russian-speaking ransomware-as-a-service (RaaS) operation that surfaced in July 2022. The group is known for its high adaptability and affiliate-based model, allowing threat actors to customize payloads and target Windows, Linux, and ESXi systems. Qilin employs a double extortion strategy, combining file encryption with data exfiltration to coerce victims into paying ransoms.
Initial access is typically obtained through phishing campaigns, compromised VPN/RDP credentials, or the exploitation of public-facing applications, notably the Veeam Backup & Replication vulnerability CVE-2023-27532. Affiliates have also been observed abusing managed service provider (MSP) tools such as ScreenConnect for remote access. Once inside a network, Qilin operators use living-off-the-land techniques and legitimate administrative utilities for reconnaissance and lateral movement, alongside tools like Mimikatz, NirSoft password recovery utilities, and custom scripts for credential theft. They often disable event logs, boot systems into Safe Mode, and use PsExec or WinRM for propagation, while deploying dual encryptors for widespread data encryption. Reports also indicate EDR evasion through bring-your-own-vulnerable-driver (BYOVD) methods.
In November 2025, Qilin claimed responsibility for breaching Habib Bank AG Zurich (HBZ), alleging the theft of 2.6 TB of sensitive data encompassing internal, financial, and customer records such as emails, KYC files, deposits, transactions, and employee data. Although this claim remains under verification, the tradecraft aligns with Qilin’s established TTPs, indicating a credible and high-risk cybercrime operation.

Moreover, between 2024 and 2025, Qilin executed several high-profile operations, most notably the attack on Synnovis, a UK-based healthcare provider, which disrupted NHS hospitals and allegedly compromised up to 300 million patient records. Other victims span the healthcare, manufacturing, education, government, financial, and technology sectors across regions including the UK, U.S., France, Brazil, Germany, Japan, Australia, and the UAE.
Qilin remains a financially motivated and globally active threat to critical infrastructure and essential services.

Impact
- Exposure of Sensitive Information
- Operational Disruption
- Financial Loss
- Reputational Damage
Indicators of Compromise
IP
- 31.41.244.100
- 188.119.66.189
- 85.209.11.49
MD5
- d0a711e4a51891ddf00f704d508b1ef2
- b2398a81b5467f75f476a107027b3259
- d852832aebf8ab08bc73fd9a6a4fe570
- a768244ca664349a6d1af84a712083c0
- d28ee8d86658494c853567c0a1ff1de4
- c171fc6e3e21b8d306ed52fcb1599a1e
- 7d6a7ac4bffe01cad43ca75ab61492fe
- 6c4862ba34891a83d565292b22b3a13b
- 047778e9486920b29c79a4f0d696ae73
- 03f7f6b384e35a90e484f924c7667d0c
SHA-256
- cd27a31e618fe93df37603e5ece3352a91f27671ee73bdc8ce9ad793cad72a0f
- 15e5bf0082fbb1036d39fc279293f0799f2ab5b2b0af47d9f3c3fdc4aa93de67
- 5f0253f959d65c45a11b7436301ee5a851266614f811c753231d684eb5083782
- e14ba0fb92e16bb7db3b1efac4b13aee178542c6994543e7535d8efaa589870c
- aa3b586de44d9e6fff9b8f2390fbc282c3b2d38696fb589c165480dcc1d3634e
- 8518d0342196772a9e34447484ac5f4944d649f8aa96d36e9e6d47db3f041a78
- a7afb82fa8bbc1a66318146dcca2c06e29fdba4c72359948fd0f162744904928
- 94d4955e49a0b1e062e8c0fcec3767136de928fd24e77cf84ff404e356cc7d24
- 53895523bf8d64b4f8f10d0b38972ceaaed52d9c0486b34ad7cb53b5af017ac4
- 03daa40fcebe17d8585141bf2679028ec241ac8c68afe95047d6e4fc7230ac20
SHA-1
- d9ea05933353d1f32b18696877a3396140022f03
- 13ca66d08c04e5be77582f5dd4ab6ca28563b6d9
- 83253908587f4cd2215f193df872348a2fa44fe9
- 39300863bcaad71e5d4efc9a1cae118440aa778f
- 4684aa8ab09a70d0e25139286e1178c02b15920b
- f995ec5d88afab30f9efb62ea3b30e1e1b62cdc3
- 05bf016c137230bfdc6eaae95b75a56aff76799d
- bdf33e2ba85f35ea86fb016620371fe80855fe68
- 16b776ff80f08105b362f9bc76c73a21c51664c2
- 1399e63d4662076eeed3b4498c2f958c611a4387
URL
- http://185.141.216.127/tr.e
- https://pub-2149a070e76f4ccabd67228f754768dc.r2.dev/I-Google-CaptchaContinue-Latest-27-L-1.html
- https://pub-959ff112c2eb41ce8f7b24e38c9b4f94.r2.dev/Google-CaptchaContinue-Latest-J-KL-3.html
- https://chatgptitalia.net/
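The indicators above are only useful once something checks them against telemetry. The following is an added example, not code from the advisory or its publisher: a small Python matcher that loads the advisory's hash, IP and URL indicators and scans log lines for them, normalising hash case and matching URL indicators by host as well as by exact URL (so a different path on the same listed host still surfaces). The log lines are constructed for the demonstration and are not real telemetry.

```python
"""Match the Qilin IOCs listed in this advisory against log lines.

Added example; not part of the original advisory. The IOC values below are
copied from the advisory's IOC section. The log lines are constructed for
the demonstration and are not real telemetry.
"""
import re
from urllib.parse import urlsplit

IOC_IPS = {"31.41.244.100", "188.119.66.189", "85.209.11.49"}
IOC_MD5 = {
    "d0a711e4a51891ddf00f704d508b1ef2", "b2398a81b5467f75f476a107027b3259",
    "d852832aebf8ab08bc73fd9a6a4fe570", "a768244ca664349a6d1af84a712083c0",
    "d28ee8d86658494c853567c0a1ff1de4", "c171fc6e3e21b8d306ed52fcb1599a1e",
    "7d6a7ac4bffe01cad43ca75ab61492fe", "6c4862ba34891a83d565292b22b3a13b",
    "047778e9486920b29c79a4f0d696ae73", "03f7f6b384e35a90e484f924c7667d0c",
}
IOC_SHA1 = {
    "d9ea05933353d1f32b18696877a3396140022f03", "13ca66d08c04e5be77582f5dd4ab6ca28563b6d9",
    "83253908587f4cd2215f193df872348a2fa44fe9", "39300863bcaad71e5d4efc9a1cae118440aa778f",
    "4684aa8ab09a70d0e25139286e1178c02b15920b", "f995ec5d88afab30f9efb62ea3b30e1e1b62cdc3",
    "05bf016c137230bfdc6eaae95b75a56aff76799d", "bdf33e2ba85f35ea86fb016620371fe80855fe68",
    "16b776ff80f08105b362f9bc76c73a21c51664c2", "1399e63d4662076eeed3b4498c2f958c611a4387",
}
IOC_SHA256 = {
    "cd27a31e618fe93df37603e5ece3352a91f27671ee73bdc8ce9ad793cad72a0f",
    "15e5bf0082fbb1036d39fc279293f0799f2ab5b2b0af47d9f3c3fdc4aa93de67",
    "5f0253f959d65c45a11b7436301ee5a851266614f811c753231d684eb5083782",
    "e14ba0fb92e16bb7db3b1efac4b13aee178542c6994543e7535d8efaa589870c",
    "aa3b586de44d9e6fff9b8f2390fbc282c3b2d38696fb589c165480dcc1d3634e",
    "8518d0342196772a9e34447484ac5f4944d649f8aa96d36e9e6d47db3f041a78",
    "a7afb82fa8bbc1a66318146dcca2c06e29fdba4c72359948fd0f162744904928",
    "94d4955e49a0b1e062e8c0fcec3767136de928fd24e77cf84ff404e356cc7d24",
    "53895523bf8d64b4f8f10d0b38972ceaaed52d9c0486b34ad7cb53b5af017ac4",
    "03daa40fcebe17d8585141bf2679028ec241ac8c68afe95047d6e4fc7230ac20",
}
IOC_URLS = {
    "http://185.141.216.127/tr.e",
    "https://pub-2149a070e76f4ccabd67228f754768dc.r2.dev/I-Google-CaptchaContinue-Latest-27-L-1.html",
    "https://pub-959ff112c2eb41ce8f7b24e38c9b4f94.r2.dev/Google-CaptchaContinue-Latest-J-KL-3.html",
    "https://chatgptitalia.net/",
}
# Hosts derived from the URL IOCs, so a different path on a listed host still matches.
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}

# Hex runs of SHA-256 / SHA-1 / MD5 length; set membership decides the family.
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def scan_line(line: str) -> list:
    """Return (ioc_type, value) pairs for every advisory IOC found in one log line."""
    hits = []
    for h in (m.lower() for m in HASH_RE.findall(line)):   # hashes are case-insensitive
        for name, family in (("md5", IOC_MD5), ("sha1", IOC_SHA1), ("sha256", IOC_SHA256)):
            if h in family:
                hits.append((name, h))
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")          # strip trailing punctuation from free-text logs
        host = urlsplit(url).hostname
        if url in IOC_URLS:
            hits.append(("url", url))
        elif host in IOC_HOSTS:
            hits.append(("host", host))
    return hits


def scan_logs(lines) -> list:
    """Return (line_index, line, hits) for every line with at least one IOC hit."""
    results = []
    for idx, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            results.append((idx, line, hits))
    return results


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2025-11-06T09:12:01Z proxy src=10.0.5.23 url=https://chatgptitalia.net/ action=allow",
    "2025-11-06T09:14:44Z fw src=10.0.5.23 dst=188.119.66.189 dport=443 proto=tcp",
    "2025-11-06T09:15:10Z edr host=WS-0421 proc=update.exe "
    "sha256=CD27A31E618FE93DF37603E5ECE3352A91F27671EE73BDC8CE9AD793CAD72A0F",
    "2025-11-06T09:16:02Z proxy src=10.0.5.23 "
    "url=https://pub-2149a070e76f4ccabd67228f754768dc.r2.dev/favicon.ico",
    "2025-11-06T09:17:30Z fw src=10.0.5.23 dst=93.184.216.34 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for idx, line, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {hits}")
```

The third constructed line carries the hash in upper case and the fourth uses a path that is not in the URL list; both still match, which is the behaviour a hunting script needs. The `.r2.dev` bucket label happens to be a 32-character hex run, so the hash regex will pick it up as a candidate MD5; it is rejected by the set lookup, which is why the matcher tests membership rather than alerting on any hash-shaped token.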
Remediation
- Implement multi-factor authentication (MFA) for all remote access channels (VPN, RDP, admin portals) to prevent credential-based compromise.
- Patch and update all systems promptly, especially public-facing applications like Veeam Backup & Replication and remote management tools.
- Restrict RDP and VPN access to trusted IPs and enforce network segmentation to limit lateral movement.
- Monitor and alert on suspicious PowerShell, PsExec, and WinRM activity indicative of living-off-the-land tactics.
- Disable or restrict administrative tools such as Mimikatz, NirSoft utilities, and other credential dumping tools.
- Harden EDR and AV solutions against tampering and ensure logging cannot be easily disabled.
- Regularly review privileged accounts and apply the principle of least privilege to minimize attacker access scope.
- Deploy network-based intrusion detection systems (IDS/IPS) to identify abnormal data exfiltration or encryption behavior.
- Conduct phishing awareness training for employees to reduce initial access through social engineering.
- Implement offline and immutable backups and routinely test restoration procedures to ensure data recoverability.
- Monitor for exfiltration attempts to external or unknown domains, especially large outbound data transfers.
- Isolate critical assets and ensure secure configurations for servers running Windows, Linux, or ESXi.
- Perform regular threat hunting to detect Qilin-related indicators of compromise (IOCs) or behaviors early.
- Establish an incident response plan with defined playbooks for ransomware and data breach scenarios.
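Several of the items above ask for monitoring of PsExec, WinRM and PowerShell activity and for log tampering. As an added example, not code from the advisory or its publisher, the following Python applies a handful of narrow behavioural rules over constructed, simplified Windows event records and then groups findings per host, so a machine showing several of these behaviours together surfaces for triage rather than each event being judged alone. The record field names and the sample events are this example's own convention and are constructed; the Windows event IDs (4688 process creation, 7045 service installed, 1102 audit log cleared), the PSEXESVC service name and the wsmprovhost.exe WinRM host process are standard.

```python
"""Behavioural checks for the tradecraft described in this advisory:
PsExec/WinRM propagation, event-log tampering, Safe Mode boot preparation
and encoded PowerShell.

Added example; not part of the original advisory. The records are
constructed, simplified Windows event dictionaries; the field names
(host, channel, event_id, image, parent_image, command_line, service_name)
are this example's own convention, not a vendor schema. Event IDs used:
4688 process creation, 7045 service installed, 1102 audit log cleared.
"""
import re


def _cmd(rec: dict) -> str:
    return rec.get("command_line", "").lower()


# Each rule is (name, predicate). Predicates are deliberately narrow so the
# findings are usable as alerts rather than noise.
RULES = [
    ("security_log_cleared",
     lambda r: r.get("channel") == "Security" and r.get("event_id") == 1102),
    ("wevtutil_clear_log",
     lambda r: r.get("event_id") == 4688
     and re.search(r"\bwevtutil(?:\.exe)?\s+cl\b", _cmd(r)) is not None),
    ("psexec_service_installed",
     lambda r: r.get("event_id") == 7045
     and "psexesvc" in (r.get("service_name", "") + r.get("image", "")).lower()),
    ("safe_mode_boot_configured",
     lambda r: r.get("event_id") == 4688
     and "bcdedit" in _cmd(r) and "safeboot" in _cmd(r)),
    ("winrm_remote_shell",
     lambda r: r.get("event_id") == 4688
     and r.get("parent_image", "").lower().endswith("wsmprovhost.exe")),
    ("encoded_powershell",   # -e, -ec, -en, -enc and the full switch name
     lambda r: r.get("event_id") == 4688 and "powershell" in _cmd(r)
     and re.search(r"\s-e(?:c|n|nc|ncodedcommand)?\b", _cmd(r)) is not None),
]


def detect(records) -> list:
    """Return (record_index, rule_name) for every rule that fires."""
    findings = []
    for idx, rec in enumerate(records):
        for name, pred in RULES:
            if pred(rec):
                findings.append((idx, name))
    return findings


def hosts_with_multiple_behaviours(records, threshold: int = 2) -> dict:
    """Group findings by host; keep hosts with at least `threshold` distinct rules."""
    per_host = {}
    for idx, name in detect(records):
        per_host.setdefault(records[idx]["host"], set()).add(name)
    return {h: sorted(n) for h, n in per_host.items() if len(n) >= threshold}


# Constructed sample events (not real telemetry). "QQBCAEMA" is just "ABC" in
# UTF-16LE base64, a placeholder for an encoded command.
SAMPLE_EVENTS = [
    {"host": "SRV-FILE01", "channel": "Security", "event_id": 4688,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wsmprovhost.exe",
     "command_line": "cmd.exe /c hostname"},
    {"host": "SRV-FILE01", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "SRV-FILE01", "channel": "Security", "event_id": 4688,
     "image": r"C:\Windows\System32\bcdedit.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "bcdedit /set {default} safeboot network"},
    {"host": "SRV-FILE01", "channel": "Security", "event_id": 1102},
    {"host": "SRV-FILE01", "channel": "Security", "event_id": 4688,
     "image": r"C:\Windows\System32\wevtutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "wevtutil.exe cl Security"},
    {"host": "WS-0421", "channel": "Security", "event_id": 4688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"host": "WS-0421", "channel": "Security", "event_id": 4688,
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt'},
]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx} on {SAMPLE_EVENTS[idx]['host']}: {name}")
    print(hosts_with_multiple_behaviours(SAMPLE_EVENTS))
```

A single encoded PowerShell launch on a workstation is a weak signal on its own; the server that shows a WinRM-spawned shell, a PsExec service install, a Safe Mode boot change and two forms of log clearing in one window is the host to isolate first, and the per-host grouping is what makes that ordering visible. In a real deployment the records would come from the SIEM or EDR rather than an inline list, and the rules would be tuned against the environment's known administrative tooling.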