Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack
Briefly

"The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the number of postings on its data leak site touching a high of 100 cases in June. The development comes as the ransomware-as-a-service (RaaS) operation has emerged as one of the most active ransomware groups, accounting for 84 victims each in the months of August and September 2025. The Russian-speaking threat group emerged around July 2022."
"In the next phase, the attackers conducted system reconnaissance and network discovery actions to map the infrastructure, and executed tools like Mimikatz, WebBrowserPassView.exe, BypassCredGuard.exe, and SharpDecryptPwd to facilitate credential harvesting from various applications and exfiltrate the data to an external SMTP server using a Visual Basic Script. "Commands executed via Mimikatz targeted a range of sensitive data and system functions, including clearing Windows event logs, enabling SeDebugPrivilege, extracting saved passwords from Chrome's SQLite database, recovering credentials from previous logons, and harvesting credentials and configuration data related to RDP, SSH, and Citrix," Talos said."
Qilin (aka Agenda, Gold Feather, Water Galura) has claimed more than 40 victims in most months of 2025, peaking at 100 leak-site postings in June and 84 victims in each of August and September. Major targets are in the U.S., Canada, the U.K., France, and Germany, with manufacturing (23%), professional and scientific services (18%), and wholesale trade (10%) hit hardest. Affiliates likely reuse leaked administrative credentials for VPN access, then move over RDP to domain controllers and endpoints. The actors conduct reconnaissance, run credential-harvesting tools (Mimikatz, WebBrowserPassView.exe, BypassCredGuard.exe, SharpDecryptPwd), and exfiltrate data over SMTP using a Visual Basic Script, while using legitimate applications such as mspaint.exe, notepad.exe, iexplore.exe, and Cyberduck to inspect and transfer files.
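The behaviours quoted from Talos and summarised above (named credential-harvesting tools, Security log clearing, and a script-host process sending mail to an external SMTP server) map to a handful of endpoint detections. The following is an added example, not code from the article or from Talos: it runs those rules over constructed telemetry records whose field names (type, image, cmdline, pid, dst, dport, event_id) are an assumed schema, not any product's real format.

```python
# Added example: correlate constructed endpoint telemetry against the Qilin
# TTPs described in the report. Record layout is an assumed schema.

# Credential-harvesting tools named in the report, matched on the image stem.
CRED_TOOLS = {"mimikatz", "webbrowserpassview", "bypasscredguard", "sharpdecryptpwd"}
# Windows Security event 1102 is written when the Security log is cleared.
LOG_CLEARED_EVENT_ID = 1102
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries
SMTP_PORTS = {25, 465, 587}


def image_name(path):
    """Lower-case file name of an image path, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return [(record_index, label), ...] for records matching a TTP."""
    hits = []
    vbs_pids = set()  # PIDs of script hosts observed launching a .vbs file
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "process_create":
            img = image_name(ev.get("image", ""))
            if img.rsplit(".", 1)[0] in CRED_TOOLS:
                hits.append((i, f"credential_tool:{img}"))
            if img in SCRIPT_HOSTS and ".vbs" in ev.get("cmdline", "").lower():
                vbs_pids.add(ev.get("pid"))
                hits.append((i, "vbs_via_script_host"))
        elif kind == "network_connect":
            # A .vbs script host reaching an SMTP port matches the exfil path.
            if ev.get("pid") in vbs_pids and ev.get("dport") in SMTP_PORTS:
                hits.append((i, f"smtp_from_vbs_host:{ev.get('dst')}"))
        elif kind == "eventlog" and ev.get("event_id") == LOG_CLEARED_EVENT_ID:
            hits.append((i, "security_log_cleared"))
    return hits


# Constructed sample telemetry (not real data); 203.0.113.x is a documentation range.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4100, "image": r"C:\Windows\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "process_create", "pid": 4212, "image": r"C:\Users\Public\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"type": "process_create", "pid": 4300, "image": r"C:\Tools\WebBrowserPassView.exe", "cmdline": "WebBrowserPassView.exe"},
    {"type": "process_create", "pid": 4410, "image": r"C:\Windows\System32\wscript.exe", "cmdline": 'wscript.exe "C:\\Users\\Public\\send.vbs"'},
    {"type": "network_connect", "pid": 4410, "dst": "203.0.113.10", "dport": 587},
    {"type": "network_connect", "pid": 4100, "dst": "203.0.113.11", "dport": 443},
    {"type": "eventlog", "event_id": 1102, "channel": "Security"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Records 0 and 5 (notepad and its HTTPS connection) produce no hits, so the correlation only fires for a script host that was seen executing a .vbs file.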
Read at The Hacker News