TL;DR
Qilin — aka Agenda ransomware — has quietly become the most active ransomware operation on the planet in 2026. Running a Rust- and Go-powered, platform-agnostic payload, the group has logged over 700 confirmed attacks across healthcare, manufacturing, critical infrastructure, and even European political parties. Their latest evolution is a BYOVD (Bring Your Own Vulnerable Driver) EDR-killer capable of silencing more than 300 endpoint security drivers across virtually every major vendor. With RansomHub's implosion in early 2026 leaving a massive affiliate vacuum, Qilin has hoovered up the talent, the tooling, and the ambition — and shows no sign of slowing down.
Background: From Mythology to Mayhem
The name Qilin (麒麟) refers to a chimeric creature in Chinese and East Asian mythology — benevolent, rare, and heralding both good fortune and the fall of corrupt regimes. The irony is not subtle. Despite the Chinese-sounding moniker, every credible attribution points the group toward Russia. The U.S. Department of Health and Human Services' threat profile (TLP:CLEAR) places the operator base in Russian-speaking cybercriminal ecosystems, consistent with its Ransomware-as-a-Service (RaaS) affiliate model and its preferential targeting of Western healthcare and critical infrastructure.
Qilin first surfaced in June 2022 under the name "Agenda", when a Go-based encryptor was observed in the wild after attackers logged in with a compromised VPN account and moved laterally over RDP to a Microsoft SCCM server. By October 2022 its first named victim appeared on a dedicated leak site (DLS). A Rust-based variant was confirmed by April 2023, a sign of a maturing engineering team focused on evasion and cross-platform portability.
The group operated in relative obscurity until May 2024, when it became globally newsworthy by demanding $50 million from Synnovis, a pathology services firm serving major NHS London hospitals. The attack exfiltrated 400 GB of patient data and disrupted over 3,000 hospital appointments and surgical procedures — a watershed moment that put Qilin on every CISO's threat radar.
Technical and Strategic Analysis
The Architecture: Go + Rust, Windows + Linux + ESXi
Qilin's dual-language architecture is deliberate. Go gives the tooling side fast iteration and trivial cross-compilation into statically linked binaries that run with no runtime dependencies on the target. The Rust-based encryptors deliver near-native performance and a payload that rarely crashes mid-encryption; for defenders the cost is a heavily inlined, monomorphized binary that is slow to reverse engineer. Critically, the same Rust code base builds natively for Linux and VMware ESXi.
This dual-OS capability is a strategic differentiator. Organizations that segment their Windows endpoints from their virtualization layer often discover — too late — that Qilin's Linux/ESXi arm arrived separately, having traversed that segmentation boundary via legitimate hypervisor management credentials. A single Qilin intrusion can simultaneously freeze Windows workstations, encrypt NAS shares, and halt every VM on a vSphere cluster.
The Dwell Time Doctrine: 6 Days of Silence
Talos Intelligence's analysis of multiple Qilin intrusions in Japan and globally reveals a consistent behavioral signature: ransomware deployment occurs approximately six days after initial compromise. This is not sloppiness — it is a deliberate operational doctrine.
During those six days, Qilin affiliates are executing a precise multi-phase playbook:
1. Initial Access: Stolen credentials — harvested from dark web markets, phishing campaigns, or InfoStealer outputs — are used to authenticate to VPN concentrators and remote access platforms. The group does not primarily exploit unpatched CVEs for entry; they buy or steal the keys to the front door.
2. Reconnaissance and Discovery: After gaining a foothold, the affiliate inventories the environment: domain controllers, backup systems, cloud connectors, and security tooling. SCCM and Active Directory are primary targets for lateral movement pathways.
3. Credential Harvest at Scale: A particularly notable Qilin capability, documented in the HHS threat profile, is automated browser credential harvesting. A custom PowerShell/batch script is deployed group-policy-wide to extract saved credentials from Chrome, Edge, and Firefox on every domain-joined workstation simultaneously. The harvested credential dump is exfiltrated before encryption begins — ensuring that even post-recovery, the victim's passwords are in attacker hands.
4. EDR Suppression (BYOVD Stage): This is the group's most technically sophisticated evolution. Talos researchers Takahiro Takeda and Holger Unterbrink documented a malicious DLL named msimg32.dll deployed via DLL side-loading: it is dropped next to a legitimate Microsoft binary that imports msimg32.dll (a genuine System32 library), and the binary's DLL search order picks up the attacker's copy from its own directory before the system one. The loader implements:
- Neutralization of user-mode API hooks installed by EDR agents
- Suppression of Event Tracing for Windows (ETW), which starves both the EDR agent and any SIEM pipeline fed by ETW-sourced telemetry
- Obfuscated control flow to defeat sandbox behavioral analysis
- In-memory decryption and execution of the primary EDR killer payload
The EDR killer then loads two drivers:
- rwdrv.sys, a renamed copy of ThrottleStop.sys, the legitimately signed kernel driver of a CPU-tuning utility for Intel processors. It exposes arbitrary physical-memory read/write to its user-mode caller, and that primitive is what the rest of the chain is built on.
- hlpdrv.sys, the termination engine, which kills the protected processes of security products; its target list covers more than 300 EDR-related driver names from virtually every major vendor.
The same driver pair (rwdrv.sys + hlpdrv.sys) has been observed in intrusions attributed to Akira and Makop ransomware, suggesting either shared tooling through a common BYOVD toolkit marketplace, or active collaboration between affiliate networks.
5. Data Exfiltration: Before a single file is encrypted, all high-value data — databases, document repositories, email archives, backup catalogs — is exfiltrated. This ensures Qilin retains leverage even if the victim successfully restores from backup.
6. Mass Encryption: The final stage. VMware ESXi-targeted attacks use a purpose-built ELF binary. Windows encryption uses the Rust-based payload. Ransom notes are dropped. The DLS clock starts ticking.
The Post-RansomHub Vacuum
The implosion of RansomHub in early 2026 — following internal affiliate disputes, law enforcement pressure, and infrastructure seizures — created the largest vacuum in the RaaS ecosystem since LockBit's partial disruption in 2024. Qilin was the primary beneficiary.
RansomHub affiliates, experienced operators with established victim-access networks and IAB (Initial Access Broker) relationships, migrated en masse toward Qilin's infrastructure. The result: a dramatic acceleration in attack tempo. From a mid-tier actor executing dozens of attacks per quarter in 2024, Qilin has scaled to an operation that saw 62 new victims claimed in a single 24-hour period (per PurpleOps telemetry, late April 2026), across sectors spanning US healthcare, European manufacturing, APAC financial services, and government agencies.
Q1 2026 data confirms Qilin's dominance in healthcare: the group was responsible for more confirmed healthcare ransomware attacks than any other actor during that period, with four confirmed incidents in the US and Germany alone (Comparitech Healthcare Ransomware Roundup, Q1 2026).
Target Profile Expansion: Political Organizations
March 2026 brought a notable target evolution. Qilin claimed responsibility for an attack on Die Linke, the German left-wing political party, stealing data and threatening public disclosure. The party confirmed the incident the following day, taking systems offline and filing criminal complaints.
Political organizations represent a logical expansion for a financially motivated double-extortion actor. They hold sensitive personal data on members, donors, and internal communications. They face intense reputational pressure from leaks. They often lack enterprise-grade security teams. And critically — they operate under strict data protection regulations (GDPR in Europe) that make breach notification obligations especially costly.
This is not Qilin pivoting to state-sponsored espionage. It is a financially motivated actor recognizing that political targets are simply soft, high-pressure victims — ideal for the double-extortion lever.
Indicators of Compromise (IOCs)
The following IOCs are derived from Cisco Talos, CybelAngel, and HHS TLP:CLEAR reporting. Treat as directional — Qilin affiliates rotate infrastructure aggressively.
Malicious DLL:
- msimg32.dll (BYOVD loader, DLL side-loading vector); SHA256 hashes are published in the Talos advisory
- Deployment path: typically dropped alongside a legitimate Microsoft binary under C:\ProgramData\ or %TEMP%\, never in C:\Windows\System32 where the genuine msimg32.dll lives
Vulnerable Drivers (BYOVD):
- rwdrv.sys: renamed ThrottleStop.sys, the legitimate kernel driver of a CPU-tuning utility for Intel processors. It carries the vendor's valid code signature, which is exactly why Driver Signature Enforcement lets it load; match it by hash or file name, not by signer
- hlpdrv.sys: Qilin's EDR killer driver, with no legitimate use case; where it carries a signature at all, it is typically a stolen or expired certificate
Registry Artifacts:
- HKLM\SYSTEM\CurrentControlSet\Services\rwdrv: BYOVD driver service registration
- HKLM\SYSTEM\CurrentControlSet\Services\hlpdrv: EDR killer driver service registration
Ransom Note Filenames:
- READ-ME-GROUNDHOG-XXXXXXXX.txt (Windows variant)
- README-RECOVER-[RANSOM_ID].txt (Linux/ESXi variant)
- Encrypted file extensions vary by victim; Qilin appends a custom per-victim extension suffix
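As an added worked example (this is not code from Talos, HHS or Lyrie), the following Python triages a `reg export` of the Services key for the registry artifacts listed above. It decodes the .reg text format, including hex(2)-encoded REG_EXPAND_SZ values and their continuation lines, and flags kernel-driver services whose name or driver file matches the IOCs or whose binary sits outside System32\drivers. The export embedded in the block is constructed for the example; the hive path, value names and Type encoding are the real ones.

```python
"""Triage an exported Services registry subtree for the BYOVD artifacts listed above.

Added example, not Talos, HHS or Lyrie code. Input is the text written by
`reg export HKLM\\SYSTEM\\CurrentControlSet\\Services services.reg` (or the same
subtree exported from an offline SYSTEM hive); the sample at the bottom is
constructed. The hive path, value names and Type encoding are the real ones.
"""
from __future__ import annotations
import re

IOC_SERVICE_NAMES = {"rwdrv", "hlpdrv"}                              # from the IOC section
IOC_DRIVER_FILES = {"rwdrv.sys", "hlpdrv.sys", "throttlestop.sys"}
SERVICE_KERNEL_DRIVER = 1                                            # Type=dword:00000001
SERVICES_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)


def _decode_value(raw: str):
    """Decode a .reg right-hand side: "string", dword:hex, or hex(2): UTF-16LE REG_EXPAND_SZ."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return None                                                      # other types are irrelevant here


def parse_reg_export(text: str) -> dict[str, dict]:
    """Return {service_name: {value_name: decoded_value}} for keys directly under Services."""
    lines, buf = [], ""
    for line in text.splitlines():                                   # rejoin hex continuation lines
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    services, current = {}, None
    for line in lines:
        m = SERVICES_KEY.match(line)
        if m:
            current = m.group(1)
            services[current] = {}
        elif line.startswith("["):
            current = None                                           # sub-key (Parameters, Enum, ...)
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            services[current][name.strip('"')] = _decode_value(raw)
    return services


def find_byovd_services(services: dict[str, dict]) -> list[dict]:
    """Flag kernel-driver services by IOC name, IOC file name, or an out-of-place binary."""
    findings = []
    for name, values in services.items():
        if values.get("Type") != SERVICE_KERNEL_DRIVER:
            continue
        image = str(values.get("ImagePath") or "")
        norm = image.lower().removeprefix("\\??\\")
        reasons = []
        if name.lower() in IOC_SERVICE_NAMES:
            reasons.append("service name matches Qilin IOC")
        if norm.rsplit("\\", 1)[-1] in IOC_DRIVER_FILES:
            reasons.append("driver file name matches Qilin/ThrottleStop IOC")
        if "system32\\drivers\\" not in norm:
            reasons.append("kernel driver outside System32\\drivers")
        if reasons:
            findings.append({"service": name, "image_path": image, "reasons": reasons})
    return findings


# Constructed sample export: one genuine driver, one Win32 service, the two IOC drivers.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\disk]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="\\SystemRoot\\System32\\drivers\\disk.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rwdrv]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="\\??\\C:\\ProgramData\\Intel\\rwdrv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hlpdrv]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,54,00,65,00,6d,00,70,00,\
  5c,00,68,00,6c,00,70,00,64,00,72,00,76,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hlpdrv\Parameters]
"Debug"=dword:00000000
"""

if __name__ == "__main__":
    for f in find_byovd_services(parse_reg_export(SAMPLE_EXPORT)):
        print(f["service"], f["image_path"], "; ".join(f["reasons"]))
```

The "outside System32\drivers" reason is the one that survives a renamed driver: affiliates can change the service and file names at will, but a kernel driver whose ImagePath points into ProgramData or a temp directory is anomalous on any managed host.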
Behavioral TTPs (MITRE ATT&CK):
| Tactic | Technique ID | Description |
|--------|-------------|-------------|
| Initial Access | T1078 | Valid Accounts (stolen credentials) |
| Initial Access | T1133 | External Remote Services (VPN abuse) |
| Persistence / Privilege Escalation | T1543.003 | Create or Modify System Process: Windows Service (rwdrv / hlpdrv driver service registration) |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation (BYOVD: vulnerable driver used for kernel read/write) |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools (EDR killer) |
| Defense Evasion | T1562.006 | Impair Defenses: Indicator Blocking (ETW suppression) |
| Defense Evasion | T1574.002 | DLL Side-Loading (msimg32.dll) |
| Defense Evasion / Privilege Escalation | T1484.001 | Domain Policy Modification: Group Policy Modification (GPO-wide script deployment) |
| Credential Access | T1555.003 | Credentials from Web Browsers (Chrome/Edge/Firefox harvest) |
| Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol |
| Lateral Movement | T1021.002 | Remote Services: SMB/Admin Shares |
| Collection | T1005 | Data from Local System |
| Exfiltration | T1048 | Exfiltration over Alternative Protocol |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1490 | Inhibit System Recovery (VSS deletion) |
Network Indicators:
- Qilin uses legitimate cloud services for C2 staging (file-sharing platforms, cloud storage APIs)
- TOR-based negotiation portals; leak site hosted on .onion infrastructure
- No stable C2 IPs; infrastructure rotates per affiliate campaign
Lyrie Take
Qilin's trajectory illustrates a structural reality of the 2026 threat landscape: the RaaS ecosystem is consolidating. As law enforcement dismantles top-tier operations and infrastructure seizures make smaller shops untenable, talent and tooling flow upward to the survivors — and Qilin is currently the primary survivor.
Three elements make Qilin particularly dangerous from a detection engineering standpoint:
1. The BYOVD EDR-killer problem is systemic. The rwdrv.sys + hlpdrv.sys combination is not unique to Qilin; it is a shared toolkit circulating across the affiliate ecosystem (confirmed also in Akira and Makop campaigns). Organizations therefore cannot treat BYOVD as a Qilin-specific IOC; it is a generic RaaS capability. Nor is a signer check enough: ThrottleStop.sys carries its vendor's valid signature, so Driver Signature Enforcement passes it. The correct defense is a WDAC (Windows Defender Application Control) policy that enforces Microsoft's vulnerable driver blocklist and allows only the driver set you actually manage, memory integrity (HVCI) where the hardware supports it, and kernel-layer monitoring that alerts on any driver load falling outside that set.
2. The six-day dwell time is a detection window, not a comfort zone. Six days is enough time to find them — if you're looking. The tell-tale signs are there: VPN authentication from unusual geographies, lateral movement from a service account that doesn't normally traverse segments, mass GPO deployment of PowerShell scripts, and elevated LSASS reads. Most organizations miss these because their SIEM rules are tuned for known-bad hashes, not behavioral anomalies. Behavioral detection is non-optional against this adversary.
3. Browser credential harvest at GPO scale is a persistence multiplier. Even a victim that recovers perfectly from encryption faces months of downstream credential-stuffing risk if they don't treat the Qilin breach as a full credential compromise event. Every domain user's saved browser credentials should be treated as compromised post-incident and rotated accordingly — including credentials to external SaaS platforms, cloud consoles, and financial services that employees stored in their browser.
Lyrie's autonomous monitoring pipeline tracks Qilin DLS additions in real time and correlates them against client industry, geography, and technology stack indicators to provide early warning for organizations in the blast radius of active campaigns.
Defender Playbook
Immediate Priority (patch/configure now):
- [ ] Enforce MFA on all VPN, RDP, and remote access without exception — stolen credentials cannot become a breach without a second factor
- [ ] Deploy WDAC (Windows Defender Application Control) policies that enforce the Microsoft Vulnerable Driver Blocklist and restrict kernel drivers to an explicit allow list; with memory integrity (HVCI) enabled where hardware permits, this is the single most effective control against BYOVD attacks
- [ ] Keep the Vulnerable Driver Blocklist current and add the hashes of every ThrottleStop.sys build you can obtain; signer-based rules do not catch it because its signature is genuine
- [ ] Disable the Print Spooler service on servers that do not print (a well-established privilege escalation and lateral movement vector)
- [ ] Harden VMware ESXi management interfaces — disable direct host access, require vCenter-only management, enforce SSH key authentication
Detection Engineering:
- [ ] Alert on ETW going dark: an endpoint whose EDR agent still heartbeats while its event volume drops to zero, or whose providers stop emitting mid-session, is the observable signature of the suppression Qilin's loader performs before launching its EDR killer
- [ ] Create behavioral rules for mass GPO-deployed PowerShell scripts reading browser credential stores (%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data, the equivalent path under Microsoft\Edge, and Firefox's logins.json and key4.db)
- [ ] Monitor for DLL side-loading patterns, specifically msimg32.dll appearing in unexpected directories alongside a legitimate Microsoft binary; the genuine copy loads only from C:\Windows\System32
- [ ] Alert on kernel driver load events for unsigned, recently signed or out-of-place drivers (System log Event ID 7045 records the driver service registration, Sysmon Event ID 6 the actual load with image path, hash and signature status)
- [ ] Track SCCM and AD lateral movement — Qilin's initial playbook follows the SCCM pivot path documented in its very first 2022 case
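The six-phase playbook in the analysis section and the detection checklist above describe the same signals from two sides. As an added example (this is not Talos, HHS or Lyrie code), the following Python classifies a normalized telemetry stream by playbook phase and measures the dwell time between the first suspicious VPN login and shadow-copy deletion. The events are constructed; field names follow Sysmon Event IDs 1, 6 and 7, the System log's Event ID 7045 and a generic VPN log. BASELINE_COUNTRIES is an assumed per-organization setting, and the GPO parent-process list (gpscript.exe, svchost.exe) is a simplifying assumption about how group-policy scripts are launched.

```python
"""Phase-tag a telemetry stream against the Qilin playbook and measure dwell time.

Added example, not Talos, HHS or Lyrie code. Events are constructed; field
names follow Sysmon (Event IDs 1, 6, 7), the Windows System log (Event ID 7045)
and a generic VPN authentication record. BASELINE_COUNTRIES and GPO_PARENTS are
assumptions for this example, not published Qilin IOCs.
"""
from __future__ import annotations
from datetime import datetime
from ntpath import basename, dirname

BASELINE_COUNTRIES = {"US", "DE"}                 # assumption: where this org's staff normally log in from
BYOVD_DRIVERS = {"rwdrv.sys", "hlpdrv.sys", "throttlestop.sys"}   # from the IOC section
BROWSER_CRED_STORES = ("login data", "logins.json", "key4.db")    # Chrome/Edge, Firefox
GPO_PARENTS = {"gpscript.exe", "svchost.exe"}     # assumption: parents of GPO-launched scripts
SYSTEM32 = "c:\\windows\\system32"                # the genuine msimg32.dll lives here


def _under_drivers_dir(path: str) -> bool:
    """True if a driver path points into System32\\drivers, whatever prefix the log used."""
    return "system32\\drivers\\" in path.lower().removeprefix("\\??\\")


def classify(ev: dict) -> str | None:
    """Return a 'tactic/technique detail' tag for one event, or None if it looks benign."""
    src, eid, d = ev["source"], ev.get("event_id"), ev["data"]
    if src == "vpn":
        if d.get("result") == "success" and d.get("geo") not in BASELINE_COUNTRIES:
            return "initial_access/T1078 valid account used from outside baseline geography"
        return None
    if src == "system" and eid == 7045:
        if "kernel" in d.get("ServiceType", "").lower() and not _under_drivers_dir(d.get("ImagePath", "")):
            return "persistence/T1543.003 kernel driver service registered outside System32\\drivers"
        return None
    if src != "sysmon":
        return None
    if eid == 1:                                   # process creation
        cmd = d.get("CommandLine", "").lower()
        parent = basename(d.get("ParentImage", "")).lower()
        if parent in GPO_PARENTS and any(s in cmd for s in BROWSER_CRED_STORES):
            return "credential_access/T1555.003 GPO-launched script reading a browser credential store"
        if "vssadmin" in cmd and "delete shadows" in cmd:
            return "impact/T1490 volume shadow copies deleted"
    elif eid == 7:                                 # image (DLL) loaded
        image = d.get("ImageLoaded", "")
        if basename(image).lower() == "msimg32.dll" and dirname(image).lower() != SYSTEM32:
            return "defense_evasion/T1574.002 msimg32.dll side-loaded from a non-system directory"
    elif eid == 6:                                 # kernel driver loaded
        image = d.get("ImageLoaded", "")
        if (basename(image).lower() in BYOVD_DRIVERS
                or not _under_drivers_dir(image)
                or d.get("Signed", "").lower() != "true"):
            return "privilege_escalation/T1068 suspicious kernel driver load (BYOVD)"
    return None


def reconstruct_chain(events: list[dict]) -> dict:
    """Order the suspicious events and report first-access-to-impact dwell time in days."""
    hits = [{"ts": ev["ts"], "host": ev["host"], "tag": tag}
            for ev in sorted(events, key=lambda e: e["ts"])
            if (tag := classify(ev))]
    if not hits:
        return {"hits": [], "phases": [], "dwell_days": 0.0}
    span = datetime.fromisoformat(hits[-1]["ts"]) - datetime.fromisoformat(hits[0]["ts"])
    return {"hits": hits,
            "phases": sorted({h["tag"].split("/")[0] for h in hits}),
            "dwell_days": round(span.total_seconds() / 86400, 2)}


# Constructed telemetry: benign noise interleaved with the six-phase chain described above.
SAMPLE_EVENTS = [
    {"ts": "2026-04-01T02:00:00", "host": "vpn-gw", "source": "vpn",
     "data": {"user": "svc-backup", "result": "success", "geo": "BR"}},
    {"ts": "2026-04-01T08:10:00", "host": "vpn-gw", "source": "vpn",
     "data": {"user": "j.doe", "result": "success", "geo": "DE"}},
    {"ts": "2026-04-02T09:00:00", "host": "ws-117", "source": "sysmon", "event_id": 1,
     "data": {"ParentImage": "C:\\Windows\\System32\\gpscript.exe",
              "CommandLine": "powershell.exe -File \\\\corp\\netlogon\\logon.ps1"}},
    {"ts": "2026-04-03T07:45:00", "host": "ws-117", "source": "sysmon", "event_id": 1,
     "data": {"ParentImage": "C:\\Windows\\System32\\gpscript.exe",
              "CommandLine": "powershell.exe -ep bypass -c Copy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\" \\\\dc01\\share\\ws-117.db"}},
    {"ts": "2026-04-06T22:05:00", "host": "srv-sccm", "source": "sysmon", "event_id": 7,
     "data": {"ImageLoaded": "C:\\Windows\\System32\\msimg32.dll"}},
    {"ts": "2026-04-06T22:06:00", "host": "srv-sccm", "source": "sysmon", "event_id": 7,
     "data": {"ImageLoaded": "C:\\ProgramData\\Intel\\msimg32.dll"}},
    {"ts": "2026-04-06T22:07:00", "host": "srv-sccm", "source": "system", "event_id": 7045,
     "data": {"ServiceName": "rwdrv", "ServiceType": "kernel mode driver",
              "ImagePath": "\\??\\C:\\ProgramData\\Intel\\rwdrv.sys"}},
    {"ts": "2026-04-06T22:07:05", "host": "srv-sccm", "source": "sysmon", "event_id": 6,
     "data": {"ImageLoaded": "C:\\ProgramData\\Intel\\rwdrv.sys", "Signed": "true"}},
    {"ts": "2026-04-06T22:07:30", "host": "srv-sccm", "source": "sysmon", "event_id": 6,
     "data": {"ImageLoaded": "C:\\Windows\\System32\\drivers\\disk.sys", "Signed": "true"}},
    {"ts": "2026-04-07T02:00:00", "host": "srv-sccm", "source": "sysmon", "event_id": 1,
     "data": {"ParentImage": "C:\\Windows\\System32\\cmd.exe",
              "CommandLine": "vssadmin.exe delete shadows /all /quiet"}},
]

if __name__ == "__main__":
    result = reconstruct_chain(SAMPLE_EVENTS)
    for h in result["hits"]:
        print(h["ts"], h["host"], h["tag"])
    print(f"dwell: {result['dwell_days']} days, phases: {', '.join(result['phases'])}")
```

In production the same classifier runs per host over a sliding six-day window and pages as soon as two phases co-occur; the point of the dwell-time figure is that every one of these events lands before the first file is encrypted, so a rule that needs the encryptor's hash has already lost.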
Post-Incident (if compromised):
- [ ] Treat ALL saved browser credentials across ALL domain-joined endpoints as compromised — force rotation across every service
- [ ] Review all GPO modifications for the preceding 30 days
- [ ] Engage a forensic partner for ESXi image analysis; Qilin Linux payloads leave artifacts in /tmp and in VM snapshot directories
- [ ] Contact HHS (if healthcare) and the relevant data protection authorities immediately; Qilin attacks almost universally meet breach notification thresholds
- [ ] Do not pay the ransom without engaging law enforcement; the FBI and CISA can advise on sanctions exposure and on whether any decryption assistance exists for the variant involved
Sources
1. Cisco Talos Intelligence — Qilin EDR Killer / BYOVD Analysis (Takeda & Unterbrink, 2026): blog.talosintelligence.com
2. The Hacker News — Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools (April 2026): thehackernews.com
3. CybelAngel — Qilin Ransomware: Attack Methods and 2026 Status: cybelangel.com
4. TechJacks Solutions / SCC Intel — Qilin Ransomware Group Dominance and Emerging Threats: Q2 2026 Trend Intelligence: techjacksolutions.com
5. Comparitech — Healthcare Ransomware Roundup: Q1 2026: comparitech.com
6. ReliaQuest — Ransomware and Cyber Extortion in Q1 2026: reliaquest.com
7. U.S. Department of Health and Human Services — Qilin Threat Profile TLP:CLEAR: hhs.gov
8. BleepingComputer — Die Linke German Political Party Confirms Data Stolen by Qilin Ransomware (March 2026)
9. CISA Alert — Qilin Ransomware Advisory (2026): cisa.gov
10. PurpleOps Ransomware Activity Tracker 2026: purple-ops.io
Lyrie.ai Cyber Research Division — Senior Analyst Desk
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.