Qilin, a ransomware-as-a-service operation active since mid-2022, has claimed dozens of victims monthly through 2025, with leak-site postings peaking in June. Independent industry tallies put the group at 84 victims in each of August and September 2025.
Data compiled by Cisco Talos identified the U.S., Canada, the U.K., France and Germany among the most affected countries and found the attacks concentrated in manufacturing, professional and scientific services, and wholesale trade. Talos reported that initial access often relied on leaked administrative credentials used through VPN interfaces, followed by RDP connections to domain controllers and other endpoints and then network discovery and reconnaissance.
Talos detailed extensive credential harvesting and the use of tooling to collect secrets from browsers and applications, including WebBrowserPassView.exe, BypassCredGuard.exe and SharpDecryptPwd, alongside Mimikatz and custom scripts that exfiltrated data to external SMTP servers. The researchers said the Mimikatz commands targeted saved browser passwords, previous logon credentials and configuration data for RDP, SSH and Citrix, and that the attackers also cleared event logs and elevated privileges to support persistence.
Analysts observed operators abusing legitimate remote-management and file-transfer tools to disguise malicious activity; Cyberduck, AnyDesk, ScreenConnect and other RMM platforms featured in casework. Trend Micro researchers separately reported a sophisticated campaign that deployed a Linux ransomware binary on Windows hosts, using a bring-your-own-vulnerable-driver (BYOVD) technique to bypass defenses and running the payload via Splashtop services; the attackers also targeted Veeam backup infrastructure to undermine recovery.
To evade detection and hinder recovery, the attack chains included PowerShell commands to disable AMSI, disable TLS certificate validation and enable Restricted Admin mode, as well as tools intended to terminate security software. The intrusions culminated in file encryption and the removal of forensic artifacts, including wiping Windows event logs and deleting Volume Shadow Copy Service (VSS) shadow copies. Researchers also documented a vulnerable driver named “eskle.sys” used in the BYOVD operations, and cross-platform additions such as Nutanix AHV detection that broaden the ransomware's targeting.
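The behaviours reported above (AMSI tampering, disabled TLS validation, Restricted Admin enablement, event-log clearing, shadow-copy deletion, and the credential-harvesting tools named earlier) are all visible in process-creation telemetry, which is where a defender would look for them. The following is an added example, not code from Talos, Trend Micro or any of the reports cited here: a small scanner that runs a rule table over constructed process-creation log lines and ranks hosts for triage. The pipe-delimited log format, the host and user names, and the exact regular expressions are assumptions made for the example; the rule names and tactic labels are this example's own.

```python
"""Scan constructed process-creation log lines for the evasion and
anti-forensics behaviours described above and rank hosts for triage.
Log format (assumption, constructed for this example):
    timestamp|host|user|image_path|command_line
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed indicator table: each rule maps a command-line pattern to the
# tactic it belongs to. Patterns are kept narrow (e.g. only 'wevtutil cl' /
# 'clear-log', not every wevtutil invocation) to limit false positives on
# legitimate administration.
RULES = [
    ("anti_forensics", "event_log_cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("anti_forensics", "shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("defense_evasion", "amsi_tamper",
     re.compile(r"AmsiUtils|amsiInitFailed", re.I)),
    ("defense_evasion", "tls_validation_disabled",
     re.compile(r"ServerCertificateValidationCallback", re.I)),
    ("defense_evasion", "restricted_admin_enabled",
     re.compile(r"DisableRestrictedAdmin", re.I)),
    ("credential_access", "credential_dumping_tool",
     re.compile(r"WebBrowserPassView|BypassCredGuard|SharpDecryptPwd|mimikatz", re.I)),
]

# Constructed sample telemetry (hosts, users and timestamps are invented;
# the command lines are truncated with '...' where the full content is not
# needed for the rule to fire). The last two lines are benign controls.
SAMPLE_LOG = r"""
2025-09-14T01:58:12Z|WS042|CORP\jdoe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -c "...AmsiUtils..."
2025-09-14T01:59:30Z|WS042|CORP\jdoe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}"
2025-09-14T02:00:02Z|WS042|CORP\jdoe|C:\Windows\System32\reg.exe|reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
2025-09-14T02:05:44Z|WS042|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\WebBrowserPassView.exe|WebBrowserPassView.exe ...
2025-09-14T02:11:05Z|DC01|CORP\svc_backup|C:\Windows\System32\wevtutil.exe|wevtutil cl Security
2025-09-14T02:11:40Z|DC01|CORP\svc_backup|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
2025-09-14T02:07:10Z|WS017|CORP\itadmin|C:\Windows\System32\wevtutil.exe|wevtutil qe Security /c:5
2025-09-14T02:08:00Z|WS017|CORP\itadmin|C:\Program Files\Backup\backup.exe|backup.exe --snapshot
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    tactic: str
    rule: str


def parse_line(line):
    """Split one log line into its five fields; None for malformed lines."""
    parts = line.strip().split("|", 4)
    return parts if len(parts) == 5 else None


def scan(lines):
    """Apply every rule to every well-formed line; one Finding per rule hit."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, user, image, cmdline = parsed
        haystack = image + " " + cmdline  # tools are often renamed; check both
        for tactic, rule, pattern in RULES:
            if pattern.search(haystack):
                findings.append(Finding(ts, host, user, tactic, rule))
    return findings


def summarize(findings):
    """Map each host to the set of tactics observed on it."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.tactic)
    return dict(by_host)


def prioritize(findings, min_tactics=2):
    """Hosts worth immediate triage: several tactics on one host, or any
    anti-forensics activity (log clearing / shadow-copy deletion), which in
    the reported intrusions immediately preceded encryption."""
    return sorted(h for h, tactics in summarize(findings).items()
                  if len(tactics) >= min_tactics or "anti_forensics" in tactics)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.ts} {f.host:6} {f.user:16} {f.tactic:18} {f.rule}")
    print("triage first:", prioritize(hits))
```

The two benign control lines (an event-log query and a backup tool taking a snapshot) produce no findings, which is the point of anchoring the rules on the specific subcommands rather than on the binary names alone. In practice the same rule table would be fed from Sysmon event 1 or Windows event 4688 with command-line auditing enabled, and the anti-forensics rules would be escalated regardless of how many other tactics a host has shown, since by the time shadow copies are being deleted the recovery window is closing.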
Talos noted it could not definitively conclude whether some of the deployed remote-monitoring programs were used for lateral movement in every case. In select attacks the threat actors additionally used spear-phishing and fake CAPTCHA pages hosted on Cloudflare R2 to deliver credential-stealing components.