Intel Name: Uncovering Qilin attack methods exposed through multiple cases
Date of Scan: October 27, 2025
Impact: High
Summary: In the second half of 2025 the Qilin ransomware group has continued to publish data from more than 40 victims per month, ranking among the most active threat actors worldwide. Manufacturing remains the hardest-hit sector, followed by professional, scientific, and wholesale trade industries. Character encodings in the attackers' scripts point to an origin in Eastern Europe or a Russian-speaking region. Investigators identified the open-source file-transfer client Cyberduck as a key data-exfiltration method that is commonly abused in Qilin incidents. Logs also showed living-off-the-land use of notepad.exe and mspaint.exe to open sensitive files, and two distinct encryptors: encryptor_1.exe, pushed to other hosts via PsExec, and encryptor_2.exe, which targets shared drives.
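As an added hunting example (not part of the original report and not tooling from Qilin or the investigators), the script below turns the behaviours named in the summary into simple detections and runs them over constructed Sysmon-style process-creation events. It assumes that a PsExec session appears on the target host as the PSEXESVC.exe service (so any process whose parent is PSEXESVC.exe is a PsExec child), that Cyberduck runs as Cyberduck.exe or its command-line companion duck.exe, and that "sensitive" viewer activity is approximated by notepad.exe/mspaint.exe opening a path on a UNC share or one containing credential-like keywords; the keyword list and sample events are hypothetical.

```python
"""Hunting heuristics for the Qilin behaviours described above.

Runs over constructed process-creation events (Sysmon Event ID 1 field names).
All events, paths and keyword lists are hypothetical examples.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample events, not from a real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"Image": r"C:\Windows\Temp\encryptor_1.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"encryptor_1.exe"},
    {"Image": r"C:\Users\admin\Desktop\encryptor_2.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"encryptor_2.exe \\fileserver01\finance"},
    {"Image": r"C:\Program Files\Cyberduck\Cyberduck.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Program Files\Cyberduck\Cyberduck.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe \\fileserver01\it\passwords.txt"},
    {"Image": r"C:\Windows\System32\mspaint.exe",          # benign
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mspaint.exe C:\Users\jdoe\Pictures\holiday.png"},
    {"Image": r"C:\Windows\System32\notepad.exe",          # benign
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},
]

EXFIL_TOOLS = {"cyberduck.exe", "duck.exe"}      # Cyberduck GUI and its CLI
VIEWER_LOLBINS = {"notepad.exe", "mspaint.exe"}   # viewers abused to read data
PSEXEC_SERVICE = "psexesvc.exe"                   # PsExec's remote service stub
# Hypothetical keyword heuristic for credential-like file names.
SENSITIVE_HINT = re.compile(r"passw|cred|secret|\.kdbx\b", re.IGNORECASE)
# Matches a UNC path such as \\server\share anywhere in a command line.
UNC_PATH = re.compile(r"\\\\[\w.-]+\\[\w$.-]+")
# Locations a legitimately installed binary normally runs from.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")


def basename(path):
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the list of rule names the event triggers (empty if benign)."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    hits = []
    if image == PSEXEC_SERVICE:
        hits.append("psexec-service")          # PsExec landed on this host
    if parent == PSEXEC_SERVICE:
        hits.append("psexec-child")            # e.g. encryptor_1.exe spread
    if image in EXFIL_TOOLS:
        hits.append("exfil-tool")              # Cyberduck execution
    if image in VIEWER_LOLBINS and (UNC_PATH.search(cmd) or SENSITIVE_HINT.search(cmd)):
        hits.append("lolbin-data-access")      # notepad/mspaint on sensitive data
    elif (UNC_PATH.search(cmd)
          and not event["Image"].lower().startswith(TRUSTED_DIRS)):
        hits.append("share-targeting")         # unknown binary aimed at a share
    return hits


def hunt(events):
    """Return (image name, rules) for every event that triggers a rule."""
    return [(basename(e["Image"]), classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for image, rules in hunt(SAMPLE_EVENTS):
        print(f"{image:20s} {', '.join(rules)}")
```

The rules are deliberately narrow: a PSEXESVC.exe parent is a strong signal on any host where administrators do not use PsExec, whereas the viewer and share heuristics will need tuning against baseline activity before they are alerting-grade.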