Qilin campaign expands across multiple victims

Campaign
Happening score: 36
1 unique source, 1 article

Summary


The Qilin ransomware operation is running a persistent multi-victim campaign that has hit more than 700 organizations across 62 countries, making the extortion threat broad and ongoing. Its leak-site activity has averaged more than 40 cases per month, showing a steady operational cadence that increases publication risk. The hardest-hit sectors include manufacturing, technology, financial services, and healthcare. The campaign also reaches critical infrastructure targets, raising the stakes for disruption and data exposure.

Related Happenings

2025 Ransomware victim growth and sector concentration

Target Trend
First: 23.12.2025 15:00 Last: 23.12.2025 15:00 Sources 1

About this happening: Ransomware activity stayed elevated in **2025**, with **7,902 victims** listed across **306 active groups**, signaling sustained pressure on enterprise targets. The largest concen...

Qilin Korean Leaks campaign targeting South Korean financial-sector organizations

Campaign
First: 26.11.2025 16:31 Last: 26.11.2025 16:31 Sources 1

About this happening: **Qilin** ran **Korean Leaks**, a **multi-wave** extortion campaign that hit **South Korean financial organizations** across **September-October 2025**. The operation spread throu...

Q3 2025 ransomware cases shift toward compromised VPN credentials

Target Trend
First: 19.11.2025 11:40 Last: 19.11.2025 11:40 Sources 1

About this happening: **Ransomware surged in Q3 2025**, and **compromised VPN credentials** became the most common initial-access route, increasing exposure across remote-access environments. **Three g...

Q3 2025 ransomware victim disclosures remained elevated across monitored leak sites

Target Trend
First: 14.11.2025 12:37 Last: 14.11.2025 12:37 Sources 1

About this happening: Ransomware victim disclosures remained **elevated in Q3 2025**, with **1,592 new victims** posted across **more than 85 leak sites**. The average of **535 disclosures per month**...

Timeline

  1. 27.10.2025 17:18 · 1 article

    Qilin cross-platform Windows ransomware campaign disclosed

    Initial Disclosure

    Trend Micro said Qilin, also tracked as Agenda, deployed a Linux-based ransomware binary on Windows hosts by abusing AnyDesk, ATERA Networks’ remote monitoring and management (RMM) platform, ScreenConnect, WinSCP, and Splashtop Remote, while targeting Veeam backup infrastructure to harvest credentials before ransomware deployment. The intrusion chain also used fake Google CAPTCHA pages hosted on Cloudflare R2 storage infrastructure to deliver an infostealer that collected authentication tokens, browser cookies, and stored credentials, enabling MFA bypass and lateral movement with legitimate user sessions. Cisco Talos said Qilin was posting more than 40 leak-site cases per month, with a peak of 100 cases in June 2025 and a similar level in August, and Trend Micro said the operation had affected more than 700 organizations across 62 countries since January, especially in manufacturing, technology, financial services, and healthcare.
