CyberSecurity news

FlagThis - #qilin

Jacob Santos@feeds.trendmicro.com //

Agenda Ransomware Utilizes SmokeLoader NETXLOADER Loaders - The Agenda ransomware group (Qilin) is incorporating SmokeLoader and NETXLOADER in campaigns targeting healthcare, technology, financial services, and telecommunications sectors in multiple countries.
The Agenda ransomware group, also known as Qilin, has enhanced its attack capabilities by incorporating SmokeLoader and NETXLOADER into its campaigns. Trend Micro researchers discovered this shift, highlighting the group's ongoing evolution and increased sophistication. The group is actively targeting organizations across multiple sectors, including healthcare, technology, financial services, and telecommunications. These attacks are spanning across various geographical regions, with a primary focus on the US, the Netherlands, Brazil, India, and the Philippines, demonstrating a broad and aggressive targeting strategy.

The newly identified NETXLOADER plays a crucial role in these attacks by stealthily deploying malicious payloads, including the Agenda ransomware and SmokeLoader. NETXLOADER is a .NET-based loader protected by .NET Reactor 6, making it difficult to analyze. Its complexity is enhanced by the utilization of JIT hooking techniques, obfuscated method names, and AES-decrypted GZip payloads to evade detection, indicating a significant leap in malware delivery methods. SmokeLoader further contributes to the group's arsenal with its own set of evasion tactics, including virtualization/sandbox detection and process injection, which complicates attribution and defense efforts.

Qilin has emerged as a dominant ransomware group, leading in data leak disclosures in April 2025. This surge in activity is partly attributed to the group gaining affiliates from the RansomHub uncertainty. Cyble reported that Qilin claimed responsibility for 74 attacks in April, surpassing other groups in ransomware activity. The incorporation of NETXLOADER and SmokeLoader, coupled with their stealthy delivery methods, further solidifies Qilin's position as a formidable threat in the current ransomware landscape, posing a significant risk to organizations worldwide.

Recommended read:
References :
  • Virus Bulletin: Trend Micro researchers discovered that the Agenda ransomware group added SmokeLoader & NETXLOADER to its recent campaigns. Targets include healthcare, technology, financial services & telecommunications sectors in the US, the Netherlands, Brazil, India & the Philippines.
  • securityonline.info: Agenda Ransomware Evolves with NETXLOADER and SmokeLoader in Global Campaigns
  • www.trendmicro.com: Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal
  • The Hacker News: Qilin Ransomware Ranked Highest in April 2025 with Over 45 Data Leak Disclosures
  • cyble.com: Cyble stated that Qilin gained affiliates from the RansomHub uncertainty, led all groups with 74 attacks claimed in April.
  • redpiranha.net: Red Piranha stated that the threat group Qilin has been active for over one year or for multiple years and Qilin also Tool usage is going to be slightly outdated due to the time it takes incident response teams to wrap up an investigation, compile findings, and publish a report.
gallagherseanm@Sophos News //

Qilin Ransomware Attacks via Compromised MSP - Phishing attacks targeting MSPs' ScreenConnect logins led to customer compromises via Qilin ransomware, highlighting the impact of compromised MSP credentials.
A recent cyberattack has exploited vulnerabilities in Managed Service Providers (MSPs) through a sophisticated phishing campaign, leading to the deployment of Qilin ransomware across multiple customer environments. The attackers, identified as affiliates of the STAC4365 threat cluster, targeted MSPs by mimicking the login page of ScreenConnect, a widely used Remote Monitoring and Management (RMM) tool. The attackers used spear-phishing emails directed at MSP administrators, disguising them as authentication alerts from ScreenConnect.

These emails directed recipients to counterfeit domains closely resembling the legitimate ScreenConnect login page, cloud.screenconnect[.]com.ms for example. Using an adversary-in-the-middle (AITM) attack framework, credentials and time-based one-time passwords (TOTP) required for multi-factor authentication (MFA) were intercepted. With these credentials, the attackers gained super administrator access to the legitimate ScreenConnect portal, enabling them to deploy malicious ScreenConnect instances across customer environments and ultimately launch Qilin ransomware. The attack highlights the risks for MSP and their customer base.

Recommended read:
References :
  • Sophos News: Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream
  • securityonline.info: Qilin Ransomware Attack Exploits MSP Vulnerability to Target Downstream Customers
  • Cyber Security News: Qilin Operators Use Mimic ScreenConnect Login Page to Deliver Ransomware and Gain Admin Access
  • Cyber Security News: Qilin Operators Mimic ScreenConnect Login Page to Deliver Ransomware & Gain Admin Access
  • gbhackers.com: Qilin Operators Imitate ScreenConnect Login Page to Deploy Ransomware and Gain Admin Access
Sergiu Gatlan@BleepingComputer //

North Korean Moonstone Sleet Deploys Qilin Ransomware - North Korean actor Moonstone Sleet deploys Qilin ransomware in limited attacks, using fake companies and trojanized software to target organizations worldwide.
Microsoft has identified a North Korean hacking group known as Moonstone Sleet, previously tracked as Storm-1789, deploying Qilin ransomware in limited attacks. This represents a shift for the group, as they have historically used custom-built ransomware. The adoption of Qilin ransomware signifies a move towards Ransomware-as-a-Service (RaaS), where they utilize ransomware developed by external operators rather than relying solely on their own tools.

Moonstone Sleet's move to RaaS marks a new era in cyber threats, primarily driven by financial motivations, a departure from previous espionage-focused operations. They have been observed demanding ransoms as high as $6.6 million in Bitcoin. The group has also been known to use creative tactics, including fake companies, trojanized software, and even a malicious game to infiltrate targets, showcasing their adaptability and resourcefulness.

Recommended read:
References :
  • gbhackers.com: North Korean Moonstone Sleet Uses Creative Tactics to Deploy Custom Ransomware
  • The DefendOps Diaries: Moonstone Sleet's Shift to Ransomware-as-a-Service: A New Era in Cyber Threats
  • BleepingComputer: Microsoft: North Korean hackers join Qilin ransomware gang
  • Cyber Security News: North Korean Moonstone Sleet Deploys Custom Ransomware with Creative Tactics
  • securityaffairs.com: Microsoft researchers reported that North Korea-linked APT tracked as Moonstone Sleet has employed the Qilin ransomware in limited attacks.
  • www.scworld.com: Moonstone Sleet was previously reported to have been behind a FakePenny ransomware attack.
Titiksha Srivastav@The420.in //

Qilin Ransomware Claims Attack on Lee Enterprises. - Lee Enterprises, a major American media company, confirms a ransomware attack disrupting operations across 75 publications, with the Qilin gang claiming responsibility and alleging the theft of 350GB of sensitive data.
Lee Enterprises, a major American media company with over 75 publications, has confirmed a ransomware attack that has disrupted operations across its network. The notorious Qilin ransomware gang has claimed responsibility for the February 3rd attack, alleging the theft of 350GB of sensitive data. This stolen data purportedly includes investor records, financial arrangements, payments to journalists and publishers, funding for tailored news stories, and even approaches to obtaining insider information. The cyberattack has resulted in widespread outages, significantly impacting the distribution of printed newspapers, subscription services, and internal business operations.

The attack has caused delays in the distribution of print publications and has partially limited online operations. Lee Enterprises anticipates a phased recovery over the next several weeks and has implemented temporary measures, including manual processing of transactions. The company has also launched a forensic investigation to determine the full extent of the breach. The Qilin ransomware group's actions have brought attention to the increasing threat facing media organizations and the importance of robust cybersecurity measures to protect sensitive information and maintain operational integrity.

Recommended read:
References :
  • securityaffairs.com: SecurityAffairs: Qilin ransomware gang claimed responsibility for the Lee Enterprises attack
  • www.cysecurity.news: CySecurity News: Lee Enterprises Faces Prolonged Ransomware Attack Disrupting Newspaper Operations
  • The420.in: The420.in: American Media Group Hit by Cyber Attack, 75 Newspapers Disrupted & Informers’ Data Leaked
  • bsky.app: The Qilin ransomware gang has claimed responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company.
  • bsky.app: The Qilin ransomware gang has claimed responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company.
  • Information Security Buzz: Qilin Claims Lee Enterprises Ransomware Attack
  • securityaffairs.com: The Qilin ransomware group claimed responsibility for the recent cyberattack on Lee Enterprises, which impacted dozens of local newspapers. Lee Enterprises, Inc. is a publicly traded American media company. It publishes 79 newspapers in 25 states, and more than
  • CyberInsider: Reports that Qilin ransomware gang claimed responsibility for Lee Enterprises attack, threatens to leak stolen data
  • www.cysecurity.news: reports on Ransomware
  • Zack Whittaker: Lee Enterprises is still experiencing disruption and outages after a ransomware attack.
  • Metacurity: UK ICO launches children's social media privacy probe, Qilin claims attack on Lee Enterprises, Polish Space Agency breached, Cellebrite zero days used to hack Serbian student's phone, Man sentenced to 24 years for putting CSAM on dark web, Canceled CFPB contracts threaten data security, much more
  • Konstantin :C_H:: Qilin claims attack on Lee Enterprises,
  • The420.in: Qilin ransomware group claimed responsibility for the Lee Enterprises attack.
  • Kim Zetter: Reports Qilin claims attack on Lee Enterprises
  • BleepingComputer: Qilin claiming responsibility for the cyberattack on Lee Enterprises.
  • BleepingComputer: Qilin Ransomware Gang Claims Lee Enterprises Attack
  • DataBreaches.Net: Japanese cancer hospital confirms breach; Qilin gang claims responsibility
  • The Register - Security: Qilin ransomware gang claims attacks on cancer clinic, OB-GYN facility
  • www.cysecurity.news: Qilin Ransomware Outfit Claims Credit for Lee Enterprises Breach
  • securityaffairs.com: Qilin Ransomware group claims to have breached the Ministry of Foreign Affairs of Ukraine, marking a significant cybersecurity attack.
  • www.scworld.com: The ransomware group Qilin has taken credit for the cyberattack on Lee Enterprises.

Posts

Blogs

Research Tools