Find notable cyber news and cases, enriched with sources, timelines, and signals.

Qilin campaign expands across multiple victims

Campaign
First reported
Last updated
Happening score
H score 38
2 unique sources, 2 articles

Summary

Hide ▲

Qilin remains a dominant ransomware-as-a-service (RaaS) campaign as the market reconsolidates after disruptions to LockBit and RansomHub. Check Point says Qilin holds around 16% market share, and Sophos X-Ops CTU data shows 1,496 victims listed on its leak site over the last 12 months from July 2026. The group still uses double extortion and keeps up a steady victimization cadence, while The Gentlemen briefly overtook Qilin in June 2026 with 115 victims versus 78. Qilin also targeted a Check Point Remote Access VPN and Mobile Access vulnerability, affecting one customer, and the broader ransomware market remains volatile and competitive.

Related Happenings

Qilin consolidates into dominant RaaS position as ransomware market reconcentrates

Threat Actor Meta
H score39 First: 03.07.2026 16:00 Last: 03.07.2026 16:00 Sources 1

How related: The ransomware ecosystem is moving from fragmentation back to consolidation, with Qilin emerging as the dominant ransomware-as-a-service (RaaS) operation after the disruption of major groups including LockBit and RansomHub.

About this happening: **Qilin** is consolidating into a dominant **RaaS** position as the ransomware ecosystem shifts back from fragmentation to concentration, increasing affiliate scale and victim vol...

The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth

Threat Actor Meta
H score26 First: 10.06.2026 17:03 Last: 10.06.2026 17:03 Sources 1

About this happening: **The Gentlemen** ransomware group has become a high-volume **RaaS** operation, using a **90/10 affiliate split** to attract operators and expand its reach. The group now ranks as...

Scattered Spider SMS phishing and SIM-swap crypto theft campaign

Campaign
H score53 First: 20.04.2026 16:33 Last: 20.04.2026 16:33 Sources 1

About this happening: The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...

Aleksey Olegovich Volkov sentenced in Yanluowang ransomware case

Law Enforcement
H score35 First: 24.03.2026 15:06 Last: 24.03.2026 15:06 Sources 1

About this happening: The **Justice Department** said **Aleksey Olegovich Volkov** was **sentenced to 81 months** in prison for serving as an **initial access broker** in **Yanluowang ransomware** atta...

The Gentlemen RaaS split exposed by hastalamuerte

Threat Actor Meta
H score25 First: 19.03.2026 18:00 Last: 19.03.2026 18:00 Sources 1

About this happening: **hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...

Timeline

  1. 03.07.2026 16:00 1 articles · 6d ago

    Qilin grows ransomware market share and victim listings

    Campaign Scope Update

    Check Point said Qilin now holds around 16% of the cybercriminal market share, and Sophos X-Ops CTU data showed 1,496 victims listed on Qilin's data leak site over the last 12 months from July 2026. Comparitech data also said The Gentlemen briefly knocked Qilin off the top spot in June 2026, with The Gentlemen at 115 victims and Qilin at 78, underscoring continued consolidation and competition across the ransomware market.

    Show sources
  2. 27.10.2025 17:18 1 articles · 8mo ago

    Qilin cross-platform Windows ransomware campaign disclosed

    Initial Disclosure

    Trend Micro said Qilin, also tracked as Agenda, deployed a Linux-based ransomware binary on Windows hosts by abusing AnyDesk, ATERA Networks’ remote monitoring and management (RMM) platform, ScreenConnect, WinSCP, and Splashtop Remote, while targeting Veeam backup infrastructure to harvest credentials before ransomware deployment. The intrusion chain also used fake Google CAPTCHA pages hosted on Cloudflare R2 storage infrastructure to deliver an infostealer that collected authentication tokens, browser cookies, and stored credentials, enabling MFA bypass and lateral movement with legitimate user sessions. Cisco Talos said Qilin was posting more than 40 leak-site cases per month, with a peak of 100 cases in June 2025 and a similar level in August, and Trend Micro said the operation had affected more than 700 organizations across 62 countries since January, especially in manufacturing, technology, financial services, and healthcare.

    Show sources