Qilin: A Look Inside a Modern Ransomware Operation

Inside the operations of a fast-evolving ransomware-as-a-service network.

WRAVEN has released a new threat analysis report on Qilin (formerly known as Agenda) — a ransomware-as-a-service (RaaS) operation that’s quickly become one of the most active and capable in the world.

Qilin runs on a double-extortion model, encrypting systems and stealing data for leverage. Since emerging in 2022, it has evolved into a professionalized cybercrime platform offering affiliates custom malware, data-hosting, leak-site infrastructure, and negotiation tools.

Our report outlines how Qilin:

  • Targets Windows, Linux, and VMware ESXi systems using payloads built in Golang and Rust.

  • Leverages vulnerabilities like CVE-2024-21762 (Fortinet FortiOS) and CVE-2023-27532 (Veeam Backup).

  • Uses legitimate tools such as AnyDesk, Rclone, and Cobalt Strike for persistence, exfiltration, and control.

  • Has been linked to significant attacks across the U.S., including the Saginaw Chippewa Indian Tribe of Michigan breach in October 2025.

The findings also trace Qilin’s growth after absorbing affiliates from other dissolved groups, showing how its operations have scaled through underground recruitment and modular tooling.

This report is part of WRAVEN’s ongoing research into emerging ransomware ecosystems and their impact on regional and critical infrastructure targets.

Read the Full Report

For the complete analysis, including indicators of compromise, ATT&CK mappings, and operational insights, read the full publication here: