Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack
The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the number of postings on its data leak site touching a high of 100 cases in June. The development comes as the ransomware-as-a-service (RaaS) operation has emerged as one of the most active ransomware groups, accounting for
AI Analysis
Technical Summary
The Qilin ransomware group, active since mid-2022 and also known as Agenda, Gold Feather, and Water Galura, has escalated its operations significantly in 2025, claiming more than 40 victims in every month except January and peaking at 100 leak-site postings in June. The ransomware-as-a-service (RaaS) operation primarily targets manufacturing, professional and scientific services, and wholesale trade. Initial access is typically gained with leaked administrative credentials obtained from dark web sources and used against VPN interfaces and RDP, from which the operators reach domain controllers and endpoints. They then conduct system reconnaissance and network discovery and harvest further credentials with Mimikatz, WebBrowserPassView.exe, BypassCredGuard.exe, and SharpDecryptPwd, recovering secrets from browsers, previous logons, and remote access configurations. Stolen data is exfiltrated with Visual Basic scripts that send it to external SMTP servers. The operators inspect and move sensitive files with legitimate programs such as mspaint.exe, notepad.exe, iexplore.exe, and Cyberduck so that the activity blends in with normal use. Remote access and lateral movement are supported by installing several Remote Monitoring and Management (RMM) tools, including AnyDesk, Chrome Remote Desktop, and ScreenConnect. To evade detection, PowerShell commands disable AMSI and TLS certificate validation, and tools such as dark-kill and HRSword terminate security software; Cobalt Strike and SystemBC maintain persistent access. The ransomware payload encrypts files, deletes volume shadow copies, and clears Windows event logs to hinder recovery and forensic analysis. Notably, Qilin has run its Linux ransomware binary on Windows hosts, pairing it with a bring-your-own-vulnerable-driver (BYOVD) technique that loads a vulnerable driver (eskle.sys) to disable security solutions and evade detection. The attackers also harvest credentials from Veeam backup databases to reach the backup infrastructure, undermining disaster recovery.
Initial infection vectors also include spear-phishing and fake CAPTCHA pages hosted on Cloudflare R2 that deliver information stealers. The attack chain further involves deploying SOCKS proxy DLLs, abusing ScreenConnect for command execution, using PuTTY for SSH lateral movement, and obfuscating command-and-control (C2) traffic with the COROXY backdoor. The Linux ransomware binary supports cross-platform attacks, including against hyperconverged infrastructure platforms such as Nutanix AHV, showing adaptability beyond traditional VMware environments. The combination of legitimate tool abuse, broad credential harvesting, and cross-platform ransomware deployment marks Qilin as a sophisticated and evolving threat.
Potential Impact
For European organizations, the Qilin ransomware threat poses severe risks to confidentiality, integrity, and availability. The targeted sectors (manufacturing, professional and scientific services, and wholesale trade) are critical to European economies, and disruption could lead to significant operational downtime and financial losses. The group's ability to compromise backup infrastructure such as Veeam severely undermines recovery efforts, making ransom payment more likely and prolonging outages. The cross-platform nature of the ransomware threatens both Windows and Linux systems, including the virtualized and hyperconverged environments common in European enterprises. Credential harvesting and lateral movement techniques increase the risk of widespread network compromise, potentially exposing sensitive intellectual property and personal data subject to GDPR. The use of legitimate IT tools complicates detection and response, increasing the chance of a prolonged undetected presence. Countries with large manufacturing, professional services, and wholesale sectors and dense IT infrastructure, such as the UK, France, and Germany, face heightened exposure. The threat also raises concerns about supply chain and disaster recovery security, requiring urgent attention to backup and credential management practices.
Mitigation Recommendations
European organizations should implement a multi-layered defense strategy tailored to Qilin's attack methods. First, enforce strict credential hygiene: audit and rotate administrative credentials regularly, require multi-factor authentication on VPN and RDP (the services Qilin reaches with leaked credentials), and monitor dark web sources for leaked credentials. Deploy network segmentation to limit lateral movement, and restrict RMM tool installations (AnyDesk, Chrome Remote Desktop, ScreenConnect) to authorized personnel through application control, with continuous monitoring of their use; an RMM agent appearing on a domain controller or backup server is a strong signal on its own. Harden backup infrastructure: isolate backup servers from the production domain, enforce multi-factor authentication on the backup console, protect the credentials stored in backup databases (Qilin harvests Veeam credentials specifically), keep immutable or offline copies, and regularly test restoration. Employ endpoint detection and response (EDR) capable of detecting legitimate tool abuse and anomalous PowerShell activity, including AMSI bypass attempts and disabled TLS certificate validation, and enable PowerShell script block logging so that such commands are recorded. Monitor for unusual network scanning, SOCKS proxy deployments, and C2 obfuscation such as the COROXY backdoor. Prevent BYOVD exploitation by enabling Microsoft's vulnerable driver blocklist and hypervisor-protected code integrity (HVCI), alerting on any newly installed kernel-mode driver service, and blocking the driver named in this campaign (eskle.sys); maintain up-to-date patching of all systems, including hyperconverged infrastructure platforms such as Nutanix AHV. Conduct targeted phishing awareness training covering spear-phishing and fake CAPTCHA page tactics. Finally, implement robust logging and centralized event monitoring so that event log clearing and shadow copy deletion are detected promptly; because the payload clears local logs, events must be forwarded off-host before that happens to be of any use in incident response.
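The following hunting script is an added example written for this page; it is not code from the article, from the analysis above, or from the Qilin operators. It sweeps one Windows host for the post-exploitation artefacts the analysis attributes to Qilin (event log clearing, shadow copy deletion, AMSI and TLS validation bypass in PowerShell, kernel driver installation) and reports whether the OS-level BYOVD mitigations are enabled. The only indicator taken from the page is the driver name eskle.sys; the regular expressions for the other techniques are defender-side heuristics chosen here, and the script assumes it is run elevated with command-line auditing (4688) and PowerShell script block logging (4104) enabled. Sysmon is optional.

```powershell
# Added hunting example, not from the article. Assumes: elevated session, "Include command
# line in process creation events" enabled for 4688, Script Block Logging enabled for 4104.
[CmdletBinding()]
param([int]$Days = 7)

$since    = (Get-Date).AddDays(-$Days)
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Technique, $Record, $Detail) {
    $findings.Add([pscustomobject]@{
        Time      = $Record.TimeCreated
        Technique = $Technique
        EventId   = $Record.Id
        Detail    = $Detail
    })
}

# Get-WinEvent throws when a log has no matching records (or does not exist, e.g. no Sysmon);
# treat both as "no hits" so one missing log does not abort the sweep.
function Get-Events($Filter) {
    $Filter['StartTime'] = $since
    try { Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop } catch { @() }
}

# 1. Event log clearing: 1102 = Security log cleared, 104 = any other log cleared.
foreach ($e in Get-Events -Filter @{ LogName = 'Security'; Id = 1102 }) {
    Add-Finding 'Log cleared' $e 'Security log cleared'
}
foreach ($e in Get-Events -Filter @{ LogName = 'System'; Id = 104 }) {
    Add-Finding 'Log cleared' $e $e.Message.Split("`n")[0].Trim()
}

# 2. Shadow copy deletion, seen in the command line of process creation events (4688).
$vssPattern = 'vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|Win32_ShadowCopy|wbadmin\s+delete'
foreach ($e in Get-Events -Filter @{ LogName = 'Security'; Id = 4688 }) {
    if ($e.Message -match $vssPattern) { Add-Finding 'Shadow copy deletion' $e $Matches[0] }
}

# 3. AMSI / TLS certificate validation bypass in script block logs (4104).
#    Properties[2] is ScriptBlockText; the patterns are heuristic, chosen for this example.
$bypassPattern = 'amsiInitFailed|AmsiUtils|AmsiScanBuffer|ServerCertificateValidationCallback'
foreach ($e in Get-Events -Filter @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }) {
    $script = [string]$e.Properties[2].Value
    if ($script -match $bypassPattern) { Add-Finding 'PowerShell defence bypass' $e $Matches[0] }
}

# 4. New kernel-mode driver services (7045). A BYOVD driver such as eskle.sys is installed as
#    a service; Properties: 0 ServiceName, 1 ImagePath, 2 ServiceType, 3 StartType.
foreach ($e in Get-Events -Filter @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 }) {
    $image   = [string]$e.Properties[1].Value
    $svcType = [string]$e.Properties[2].Value
    if ($svcType -match 'kernel mode driver' -or $image -match '\.sys') {
        $detail = "$($e.Properties[0].Value) -> $image"
        if ($image -match 'eskle\.sys') { $detail = "DRIVER NAMED IN QILIN REPORTING: $detail" }
        Add-Finding 'Driver service installed' $e $detail
    }
}

# 5. Sysmon driver loads (event 6), if Sysmon is present: anything whose signature is not Valid.
foreach ($e in Get-Events -Filter @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 }) {
    if ($e.Message -match 'SignatureStatus:\s*(?!Valid)') {
        $loaded = ($e.Message -split "`n" | Where-Object { $_ -match 'ImageLoaded' }) -join ''
        Add-Finding 'Driver load (bad signature)' $e $loaded.Trim()
    }
}

# 6. Posture: Microsoft's vulnerable driver blocklist and HVCI are the OS-level BYOVD controls.
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$posture = [pscustomobject]@{
    VulnerableDriverBlocklist = ($ci.VulnerableDriverBlocklistEnable -eq 1)
    HVCI                      = ($dg.SecurityServicesRunning -contains 2)   # 2 = HVCI running
}

$findings | Sort-Object Time | Format-Table -AutoSize
$posture  | Format-List
```

Save it as a script and run it from an elevated prompt, for example `.\Hunt-QilinArtifacts.ps1 -Days 30` (the file name is arbitrary). Two caveats follow from the analysis itself: a host whose logs were already wiped will show at most the 1102/104 record left behind by the wipe, so the same queries should be run against forwarded copies in the SIEM, and a disabled driver blocklist or HVCI on a domain controller or backup server is worth fixing before, not after, a new kernel-mode service appears in 7045.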
Affected Countries
United Kingdom, France, Germany, Netherlands, Belgium
Technical Details
Article source: https://thehackernews.com/2025/10/qilin-ransomware-combines-linux-payload.html (fetched 2025-10-27)
Threat ID: 68ff6e72ba6dffc5e2f95f6d
Added to database: 10/27/2025, 1:06:58 PM
Last enriched: 10/27/2025, 1:07:58 PM
Last updated: 10/30/2025, 10:26:33 AM