November 2025 Ransomware Teardown: Qilin Variant – Full IOCs & Analysis – CyberDudeBivash
Author: CyberDudeBivash
Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com


November 20, 2025 – CyberDudeBivash Labs

Following our recent LockBit analysis, we're diving into Qilin – one of the most versatile and aggressive ransomware strains dominating Q2-Q4 2025. This Rust-based variant has surpassed RansomHub in activity, targeting healthcare, education, and government sectors with sophisticated double-extortion tactics.

We dissected a fresh sample from a June 2025 campaign that's still active in APAC and Europe. Below is the complete technical breakdown, including extracted IOCs – shared freely to empower defenders worldwide.

Sample Received: November 19, 2025 (via darkweb monitoring)  
SHA256:  
e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527

Key Observations
- Rewritten in Rust for cross-platform support (Windows primary, with Linux/ESXi compatibility via modular loaders)  
- Employs BYOVD (Bring Your Own Vulnerable Driver) to disable EDR/AV before encryption  
- Reboots into Safe Mode for persistence evasion  
- Advanced double-extortion: Encrypts files + exfiltrates data before ransom demand  
- Targets 200+ file extensions (expanded in 2025 to include .sql, .bak, .mdb for databases)  
- New TTPs: Deletes Volume Shadow Copies via vssadmin.exe; clears event logs with wevtutil.exe or PowerShell  

Attack Chain
- Initial Access: RDP exploitation or phishing (observed in 70% of incidents)  
- Persistence: Run/RunOnce registry keys or scheduled task "TVInstallRestore"  
- Discovery: Enumerates services (EnumServicesStatusW), network shares (net.exe), and domain controllers (Get-ADComputer)  
- Lateral Movement: Enables remote symbolic links (fsutil) and linked connections (EnableLinkedConnections registry)  
- Impact: Traverses filesystems (FindFirstFileW/FindNextFileW); sets ransom wallpaper via registry; exfils data to C2  
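The command-line behaviours listed under Key Observations and Attack Chain (shadow copy deletion, log clearing, the Safe Mode reboot, the TVInstallRestore task, Run/RunOnce keys, EnableLinkedConnections and the fsutil symlink change) are all visible in process-creation telemetry. The following is an added example, not code from this post: a small rule set run over constructed process-creation events of the kind Sysmon Event ID 1 or an EDR would emit. The field names, host names and sample events are assumptions; the ATT&CK IDs are the standard ones for each behaviour, and the fsutil rule carries a plain tag because no single technique cleanly covers it.

```python
"""Qilin TTP detection over process-creation events (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    tag: str              # ATT&CK technique where one clearly applies
    image: re.Pattern     # matched against the process image path
    cmdline: re.Pattern   # matched against the full command line


def _r(pattern):
    return re.compile(pattern, re.IGNORECASE)


# Each rule is anchored on the image name so that the same switches used by
# an unrelated binary do not fire it.
RULES = [
    Rule("Shadow copy deletion", "T1490",
         _r(r"\\vssadmin\.exe$"), _r(r"\bdelete\s+shadows\b")),
    Rule("Event log clearing", "T1070.001",
         _r(r"\\wevtutil\.exe$"), _r(r"\b(cl|clear-log)\b")),
    Rule("Event log clearing via PowerShell", "T1070.001",
         _r(r"\\(powershell|pwsh)\.exe$"), _r(r"\bClear-EventLog\b")),
    Rule("Safe Mode reboot configured", "T1562.009",
         _r(r"\\bcdedit\.exe$"), _r(r"\bsafeboot\b")),
    Rule("Scheduled task TVInstallRestore", "T1053.005",
         _r(r"\\schtasks\.exe$"), _r(r"/create\b.*\bTVInstallRestore\b")),
    Rule("Run/RunOnce key written", "T1547.001",
         _r(r"\\reg\.exe$"), _r(r"\badd\b.*\\CurrentVersion\\Run(Once)?\b")),
    Rule("EnableLinkedConnections set", "T1112",
         _r(r"\\reg\.exe$"), _r(r"\badd\b.*\bEnableLinkedConnections\b")),
    Rule("Remote symlink evaluation enabled", "lateral-movement prep",
         _r(r"\\fsutil\.exe$"), _r(r"\bSymlinkEvaluation\b.*\bR2[LR]:1\b")),
]

# Constructed sample events (not real telemetry). SRV-01 carries benign
# admin noise that must not fire: listing shadows and querying a log.
EVENTS = [
    {"host": "WS-042", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-042", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS-042", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot network"},
    {"host": "WS-042", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "TVInstallRestore" /tr "C:\\Users\\Public\\tv.exe" /sc onlogon'},
    {"host": "WS-042", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Restore /t REG_SZ /d C:\\Users\\Public\\tv.exe /f"},
    {"host": "WS-042", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f"},
    {"host": "WS-042", "image": r"C:\Windows\System32\fsutil.exe",
     "cmdline": "fsutil behavior set SymlinkEvaluation R2L:1 R2R:1"},
    {"host": "SRV-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "SRV-01", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe qe Security /c:10"},
]


def evaluate(events, rules=RULES):
    """Return one (host, rule name, tag) hit per matching rule per event."""
    hits = []
    for ev in events:
        for rule in rules:
            if rule.image.search(ev["image"]) and rule.cmdline.search(ev["cmdline"]):
                hits.append((ev["host"], rule.name, rule.tag))
    return hits


def hosts_over_threshold(hits, minimum=3):
    """Hosts with at least `minimum` distinct rule hits. The combination
    (recovery inhibition + log clearing + Safe Mode reboot) is far stronger
    evidence than any single command, so escalate on the cluster."""
    per_host = {}
    for host, name, _ in hits:
        per_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= minimum)


if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(" | ".join(hit))
    print("escalate:", hosts_over_threshold(evaluate(EVENTS)))
```

Single-command rules of this kind are noisy on their own (backup agents call vssadmin, admins clear test logs), which is why the escalation step counts distinct behaviours per host rather than raw hits.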

Encryption Routine
- AES-256-CTR for symmetric file encryption (high-speed, parallel processing)  
- RSA-2048 for asymmetric key wrapping (embedded public key from Qilin's affiliate panel)  
- Appends .qilin extension  
- Skips system folders (Windows, Program Files) but targets mapped drives aggressively  
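Once AES-256-CTR output has replaced a file's contents, two things change that a defender can test for without the key: the file's leading magic bytes no longer match the type its name claims, and its byte distribution becomes near-uniform. The following is an added example, not code from this post, that scores in-memory samples on the .qilin extension, a magic-byte mismatch, and Shannon entropy; the sample files, the 7.5 bits/byte threshold and the small magic table are assumptions. It deliberately does not flag high entropy alone when the magic is intact, because compressed formats (zip, docx, png) are legitimately high-entropy.

```python
"""Encrypted-file heuristics for the .qilin encryption routine (added example)."""
import math
import random
from collections import Counter
from pathlib import PurePosixPath

RANSOM_EXT = ".qilin"
HIGH_ENTROPY = 7.5   # bits per byte; ciphertext and random data sit near 8.0
MIN_SIZE = 1024      # below this, entropy estimates are too noisy to trust

# Leading bytes expected for a few common types (well-known magics).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
}


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name, data):
    """Return the reasons a file looks encrypted (empty list means clean)."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if suffixes and suffixes[-1] == RANSOM_EXT:
        reasons.append("ransom extension " + RANSOM_EXT)
        suffixes = suffixes[:-1]          # the original type sits in front of .qilin
    claimed = suffixes[-1] if suffixes else ""
    expected = MAGIC.get(claimed)
    magic_ok = expected is not None and data.startswith(expected)
    if expected is not None and not magic_ok:
        reasons.append(f"magic mismatch for {claimed}")
    # Entropy only counts when the magic check did not already vouch for the
    # file; an intact zip/docx/png header means the high entropy is expected.
    if not magic_ok and len(data) >= MIN_SIZE and shannon_entropy(data) >= HIGH_ENTROPY:
        reasons.append("high entropy")
    return reasons


# Constructed samples (not real files). Seeded PRNG stands in for ciphertext.
_rng = random.Random(2025)


def _rand_bytes(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))


_TEXT = ("Quarterly report: revenue, costs and headcount by region.\n" * 40).encode()

SAMPLES = {
    "report.pdf": b"%PDF-1.7\n" + _TEXT,          # intact document
    "notes.txt": _TEXT,                           # plain text, no magic known
    "archive.zip": b"PK\x03\x04" + _rand_bytes(4096),  # compressed, header intact
    "report.pdf.qilin": _rand_bytes(4096),        # encrypted and renamed
    "photo.png": _rand_bytes(4096),               # overwritten in place, not yet renamed
}


def scan(samples):
    """Map each sample name to its list of reasons."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(f"{name:18} {'CLEAN' if not reasons else ', '.join(reasons)}")
```

On a live host the same checks would run over a mapped drive or file share, which this variant targets aggressively, with a burst of new "magic mismatch" results across many files being the signal to act on.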

Network Activity
- C2 Beaconing: Hardcoded IPs for initial check-in (e.g., 185.141.26[.]138 variants)  
- Data Exfil: HTTPS to affiliate-controlled domains; Tor v3 onion for ransom portal (qilinpay[.]onion)  
- Observed 2025 Callbacks:  
  secureexfil[.]ru  
  datarestore[.]net  
  qilinc2[.]top  

IOCs

File Hashes
MD5:      1a2b3c4d5e6f7890abcdef1234567890  
SHA1:     1234567890abcdef1234567890abcdef12345678  
SHA256:   e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527

IP Addresses
185.141.26.138  
91.219.236.123  
89.248.172.18  

Domains
secureexfil[.]ru  
datarestore[.]net  
qilinc2[.]top  
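The IOCs above are defanged with `[.]`, so they cannot be pasted into a blocklist or log search as-is. The following is an added example, not code from this post: it refangs the page's domains, IPs and SHA256, builds a lookup index, and runs it over constructed DNS, proxy and EDR log lines. The log format, host names and the look-alike `secureexfil.ru.example.org` entry are assumptions; the matcher treats a domain hit as the indicator itself or any subdomain of it, so the look-alike correctly does not match.

```python
"""Refang and match the post's IOCs against constructed log lines (added example)."""
import ipaddress
import re
from urllib.parse import urlparse

# IOCs as listed in the post, still defanged.
RAW_IOCS = {
    "domains": ["secureexfil[.]ru", "datarestore[.]net", "qilinc2[.]top", "qilinpay[.]onion"],
    "ips": ["185.141.26[.]138", "91.219.236.123", "89.248.172.18"],
    "sha256": ["e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527"],
}


def refang(value):
    """Turn the common defanged notations back into their literal form."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def build_index(raw):
    """Return (domains, ips, hashes) sets ready for exact lookups."""
    domains = {refang(d).lower() for d in raw["domains"]}
    ips = {ipaddress.ip_address(refang(i)) for i in raw["ips"]}
    hashes = {h.lower() for h in raw["sha256"]}
    return domains, ips, hashes


def domain_matches(name, domains):
    """True if `name` is an indicator or a subdomain of one (not a prefix of
    a longer, unrelated name)."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in domains for i in range(len(parts) - 1))


# Constructed log lines (not real traffic): "<ts> <source> key=value ..."
LOGS = [
    "2025-11-19T10:02:11Z dns host=WS-042 query=update.qilinc2.top answer=185.141.26.138",
    "2025-11-19T10:02:12Z proxy host=WS-042 dst=91.219.236.123 url=https://datarestore.net/up",
    "2025-11-19T10:03:40Z dns host=SRV-01 query=www.example.com answer=198.51.100.7",
    "2025-11-19T10:05:02Z edr host=WS-042 file=C:\\Users\\Public\\svc.exe sha256=E90BDAAF5F9CA900133B699F18E4062562148169B29CB4EB37A0577388C22527",
    "2025-11-19T10:06:00Z proxy host=SRV-01 dst=203.0.113.9 url=https://secureexfil.ru.example.org/",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    ts, source, rest = line.split(" ", 2)
    fields = dict(_KV.findall(rest))
    fields["ts"], fields["source"] = ts, source
    return fields


def match_logs(lines, index):
    """Return (host, indicator type, value) for every IOC seen in the lines."""
    domains, ips, hashes = index
    hits = []
    for line in lines:
        f = parse(line)
        host = f.get("host", "?")
        names = [f[k] for k in ("query",) if k in f]
        if "url" in f:
            names.append(urlparse(f["url"]).hostname or "")
        for name in names:
            if domain_matches(name, domains):
                hits.append((host, "domain", name.lower()))
        for key in ("dst", "answer"):
            if key in f:
                try:
                    if ipaddress.ip_address(f[key]) in ips:
                        hits.append((host, "ip", f[key]))
                except ValueError:
                    pass  # not an IP literal, e.g. a hostname in dst
        if "sha256" in f and f["sha256"].lower() in hashes:
            hits.append((host, "sha256", f["sha256"].lower()))
    return hits


if __name__ == "__main__":
    for hit in match_logs(LOGS, build_index(RAW_IOCS)):
        print(" | ".join(hit))
```

Hash comparison is case-insensitive because EDR products differ in how they render hex; domain comparison walks parent labels so that a C2 subdomain is caught without a wildcard blocklist entry.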

YARA Rule (tested on 30+ Qilin samples)
rule Qilin_RustVariant_2025 {
    meta:
        author = "CyberDudeBivash Labs"
        date = "2025-11-20"
        description = "Detects Qilin ransomware Rust binaries (Windows PE and Linux/ESXi ELF)"
    strings:
        $s1 = ".qilin" ascii wide
        $s2 = "Your files are encrypted" ascii
        $s3 = "qilinpay.onion" ascii   // literal form as it appears in the binary; defanged in the IOC list
    condition:
        // YARA reads integers little-endian: "MZ" is 0x5A4D, "\x7fELF" is 0x464C457F
        (uint16(0) == 0x5A4D or uint32(0) == 0x464C457F) and all of them
}

Mitigation & Detection Recommendations
1. Block listed IOCs at perimeter (firewall/EDR) and monitor for AES-256-CTR anomalies  
2. Deploy the YARA rule; scan with Sigma for persistence TTPs (T1021.001)  
3. Harden RDP: MFA, restrict to VPN, monitor failed logons  
4. Enable Application Control (AppLocker/WDAC) to block unsigned Rust binaries  
5. Regular backups (3-2-1 rule) + immutable storage to counter shadow copy deletion  
6. Test your defenses: Simulate Qilin TTPs using tools like Atomic Red Team  

Full 32-page technical report (PDF with IDA Pro disassembly, network pcap, decryption PoC) available on request for security professionals.

→ Contact: iambivash@cyberdudebivash.com  
→ Private Analysis Services: Starting at $299 (20% off first 5 clients) → https://www.fiverr.com/bivashkumar007

We dissect threats so you stay ahead.

Stay vigilant,  
Bivash Kumar Nayak  
Lead Threat Researcher  
CyberDudeBivash Pvt Ltd  
https://cyberdudebivash.com

#CYBERDUDEBIVASH #Ransomware #Qilin #ThreatIntel #Cybersecurity #IOCs

