Qilin
Ransomware-as-a-Service operation (Russia-linked, assessed) · Financial — ransomware and extortion
Tactics, Techniques & Procedures (TTPs)
- Multi-vendor VPN authentication bypass exploitation — simultaneous targeting across Check Point, Palo Alto, Fortinet, and F5
- CVE-2026-50751 (Check Point IKEv1 auth bypass) exploited as zero-day for 37 days before any patch existed
- Sliver C2 framework for persistent access and lateral movement
- Rclone data exfiltration to attacker-controlled cloud storage before encryption
- Tox protocol for operator communications
- Cross-platform ransomware deployment — Windows, Linux, ESXi, and Nutanix environments
- Double-extortion model: data exfiltration followed by encryption
Known Targets
Analyst Notes
Qilin affiliates conducted a coordinated multi-vendor VPN perimeter exploitation campaign in May–June 2026, systematically targeting authentication bypass vulnerabilities across four enterprise VPN platforms simultaneously. The Check Point exploitation window (7 May–4 June 2026) — 37 days with no patch available — represents one of the longest recent zero-day exploitation periods against enterprise security infrastructure. Infrastructure hosted across Kaupo Cloud HK, Shock Hosting, and Vultr. A disgruntled Qilin affiliate founded The Gentlemen ransomware operation in mid-2025 following a commission dispute, demonstrating the volatility of RaaS affiliate relationships. The group has previously targeted UK NHS-adjacent healthcare organisations.
Also Known As