
Dark Web Most Wanted: Qilin

DarkWebSonar Research Team
August 29, 2025
8 min read
Last updated: June 19, 2026
Tags: ransomware, dark-web-most-wanted, threat-actor

Qilin has logged 1,666 victim postings across ~90 countries since October 2024, with 50% of targets in the United States and Manufacturing & Construction at 25%. DarkWebSonar telemetry shows October 2025 and April–June 2026 batch surges.


The last time we wrote about Qilin was in August 2025. At that point, DarkWebSonar had tracked 442 victim postings for the year and ranked the group among the most active ransomware operators on leak sites. Ten months later, that snapshot looks dated. Qilin did not plateau after the mid-2025 surge; it kept publishing victims at scale and remains operationally active on Tor as of June 2026.

What stands out in the updated telemetry is less a single headline number than the shape of the activity. Qilin's leak-site output arrives in compressed batch spikes rather than a steady drip, its victim map is US-heavy but genuinely global, and manufacturing targets appear far more often than in comparable ransomware datasets. Together, those patterns place Qilin among the highest-priority RaaS operators for continuous leak-site monitoring, not a group that peaked and faded after last summer's coverage.

Key findings from DarkWebSonar telemetry (October 2024–June 2026):

  • 1,666 ransomware victim postings observed (up from 442 at the time of our August 2025 profile); 100% categorized as ransomware.
  • 50% of named victims in the United States; ~90 countries targeted overall.
  • Top industries: Manufacturing & Construction (25%), Healthcare & Pharma (8%), Technology & Telecom (7%).
  • Largest single-day batch: 41 victims posted October 14, 2025; recent surge: 77 postings in 30 days (May–June 2026).

Qilin (also tracked historically as Agenda) operates a mature Ransomware-as-a-Service model with Go and Rust encryptors, affiliate revenue splits favoring operators (80–85% per open-source reporting), and double-extortion leak-site infrastructure on Tor. Public reporting documents affiliate support features including legal-pressure negotiation tooling. DarkWebSonar observed Qilin gaining visibility through high-impact victim postings, including the August 2025 Nissan design-studio breach and healthcare-critical incidents such as the Synnovis pathology-provider attack affecting London hospitals (corroborated in open-source reporting).

We treat leak-site listings as intelligence signals rather than standalone proof of every operational detail. That means separating what the actor claims from what can be corroborated through victim statements, data exposure, and follow-on reporting.

By the Numbers (DarkWebSonar Telemetry)

DarkWebSonar monitors Qilin's Tor-based data leak site continuously. The 1,666 victim postings below reflect what the group chooses to publish; posting volume is a useful proxy for extortion activity and affiliate output, though it undercounts victims who pay quietly or are never listed on the site.

  • Total victim postings (Oct 2024–Jun 2026): 1,666 across ~90 countries; United States victims represent 50% of named targets
  • Recent momentum: 77 of 1,666 postings landed in the last 30 days; 307 in the last 90 days
  • DarkWebSonar risk score: 95 / 100 (High)
  • Activity classification: Spiked, meaning recent 30-day posting volume significantly exceeds the group's established baseline cadence
  • Primary network: Tor (99.8% of incidents)

Posting cadence and year-week analysis

When DarkWebSonar telemetry is aggregated by ISO year-week, Qilin's activity divides into three observable phases:

  1. Emergence (Oct 2024–Q1 2025): Steady ramp from first observed activity on October 4, 2024, with periodic multi-victim days as affiliates scaled.
  2. 2025 acceleration (Q2–Q4 2025): Sustained weekly output climbing through mid-year, culminating in the 2025-W42 batch (100 postings in one ISO week, driven by 41 victims published on October 14, 2025).
  3. 2026 re-acceleration (Q1–Q2 2026): Renewed high-tempo weeks including 2026-W17 (49 postings) and 2026-W20 (35 postings), with 77 postings in the trailing 30 days as of June 18, 2026.

Trends

Year-week   Victims posted   Notes
---------   --------------   -----
2025-W42    100              October batch (41 on Oct 14 alone)
2026-W17     49              April 2026 surge week
2025-W52     44              Late December cluster
2026-W10     41              Early March 2026
2026-W16     40              Mid-April buildup
2026-W20     35              May 2026 sustained output
2025-W49     42              Early December 2025
2026-W06     31              February 2026

We assess that Qilin's burst weeks reflect batch publication of victims compromised during preceding weeks, expanded affiliate output, or both. The pattern favors continuous monitoring over calendar-based threat windows.
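The ISO year-week aggregation, batch-day and burst-week detection, country and industry shares, and the "Spiked" 30-day classification described above can all be computed from a list of leak-site posting records. The following is an added example, not DarkWebSonar code: the posting records are constructed, and the spike rule (trailing 30-day count compared with the mean 30-day rate of the preceding 180 days, a 2x threshold and a floor of 5 postings) is an assumption standing in for whatever baseline logic the platform actually uses.

```python
"""Aggregate leak-site victim postings by ISO year-week, find batch days, rank
country and industry shares, and label the trailing 30-day window.

Added example, not DarkWebSonar code. The postings are constructed, and the
spike rule (trailing 30-day count compared with the mean 30-day rate of the
preceding 180 days, 2x threshold, minimum 5 postings) is an assumption.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed sample postings: (posting date, country, industry). Not real victims.
POSTINGS = [
    (date(2025, 4, 2), "US", "Manufacturing & Construction"),
    (date(2025, 4, 15), "FR", "Healthcare & Pharma"),
    (date(2025, 5, 5), "US", "Technology & Telecom"),
    (date(2025, 5, 20), "CA", "Manufacturing & Construction"),
    (date(2025, 6, 3), "US", "Professional Services"),
    (date(2025, 6, 17), "KR", "Manufacturing & Construction"),
    (date(2025, 7, 1), "US", "Financial Services"),
    (date(2025, 7, 15), "GB", "Legal & Consulting"),
    (date(2025, 8, 5), "US", "Manufacturing & Construction"),
    (date(2025, 8, 19), "JP", "Technology & Telecom"),
    (date(2025, 9, 2), "US", "Healthcare & Pharma"),
    (date(2025, 9, 16), "DE", "Manufacturing & Construction"),
    (date(2025, 10, 6), "US", "Retail & E-commerce"),
    (date(2025, 10, 6), "MX", "Manufacturing & Construction"),
    (date(2025, 10, 14), "US", "Manufacturing & Construction"),
    (date(2025, 10, 14), "US", "Healthcare & Pharma"),
    (date(2025, 10, 14), "IT", "Professional Services"),
    (date(2025, 10, 14), "US", "Manufacturing & Construction"),
    (date(2025, 10, 14), "ES", "Financial Services"),
    (date(2025, 10, 19), "US", "Technology & Telecom"),
    (date(2025, 10, 19), "CA", "Manufacturing & Construction"),
    (date(2025, 10, 19), "TR", "Healthcare & Pharma"),
]


def by_iso_week(postings):
    """Count postings per ISO year-week, keyed like '2025-W42'."""
    weeks = Counter()
    for d, _, _ in postings:
        year, week, _ = d.isocalendar()
        weeks[f"{year}-W{week:02d}"] += 1
    return dict(weeks)


def largest_daily_batch(postings):
    """Return (date, count) for the single day with the most postings."""
    days = Counter(d for d, _, _ in postings)
    return days.most_common(1)[0]


def share_by(postings, field):
    """Rank values of one record field (1 = country, 2 = industry) as (value, count, percent)."""
    total = len(postings)
    counts = Counter(p[field] for p in postings)
    return [(k, n, round(100 * n / total, 1)) for k, n in counts.most_common()]


def classify_activity(postings, as_of, window_days=30, baseline_days=180,
                      factor=2.0, floor=5):
    """Label the trailing window 'Spiked', 'Steady' or 'Quiet' (rule is an assumption).

    recent   = postings in (as_of - window_days, as_of]
    baseline = postings in the baseline_days before that window, scaled to one window
    Spiked   = recent >= floor and recent >= factor * baseline
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    w_start = as_of - timedelta(days=window_days)
    b_start = w_start - timedelta(days=baseline_days)
    recent = sum(1 for d, _, _ in postings if w_start < d <= as_of)
    baseline_n = sum(1 for d, _, _ in postings if b_start < d <= w_start)
    baseline = baseline_n * window_days / baseline_days
    if recent >= floor and recent >= factor * baseline:
        label = "Spiked"
    elif recent > 0:
        label = "Steady"
    else:
        label = "Quiet"
    return {"label": label, "recent": recent, "baseline": round(baseline, 2)}


if __name__ == "__main__":
    print("per ISO week:", by_iso_week(POSTINGS))
    print("largest daily batch:", largest_daily_batch(POSTINGS))
    print("top countries:", share_by(POSTINGS, 1)[:3])
    print("top industries:", share_by(POSTINGS, 2)[:3])
    print("tempo as of 2025-10-20:", classify_activity(POSTINGS, "2025-10-20"))
```

On the constructed data the October 14 batch of five postings pushes 2025-W42 to eight, and the trailing 30-day count (10) is five times the scaled baseline (2.0), so the window is labelled "Spiked"; moving `as_of` back to September 20 drops the window to two postings and the label to "Steady". Because posting dates lag compromise, the week-level view is the right granularity for spotting batch publication, and a baseline built from a long preceding period keeps a single quiet month from making ordinary output look like a surge.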

Targeting distribution

Qilin's victim geography is US-heavy but genuinely global. Among incidents with country metadata:

Countries

  • North America (56%): United States (50%) plus Canada (6%) anchor the distribution. Mexico (15 victims) and Caribbean postings add regional depth.
  • Europe (22% combined): France, UK, Germany, Italy, and Spain each exceed 50 victims, with broad coverage across Western and Southern Europe.
  • East Asia & Pacific (8%): South Korea (43), Japan (28), Thailand (20), Singapore (19), Taiwan (15), and Malaysia (17) show sustained Asia-Pacific affiliate activity uncommon among US-centric groups.

Industry targeting shows a sharp manufacturing skew uncommon at this volume:

Industries

  • Manufacturing & Construction: 423 (25%)
  • Healthcare & Pharma: 127 (8%)
  • Technology & Telecom: 109 (7%)
  • Professional Services: 107 (6%)
  • Legal & Consulting: 102 (6%)
  • Financial Services: 100 (6%)
  • Retail & E-commerce: 82 (5%)

The one-in-four manufacturing concentration is a distinguishing characteristic: Qilin's leak-site metadata places industrial and construction targets well above their typical share in aggregate ransomware datasets.

Notable posting events

  • Oct 14, 2025 (41 victims posted in a single day; largest daily batch in DarkWebSonar telemetry)
  • Oct 19, 2025 (26 victims posted)
  • Apr 16, 2026 (24 victims posted)
  • Jun 15, 2026 (6 victims posted in one day across US, Portugal, Mexico, Türkiye, and Vietnam)
  • Jun 18, 2026 (4 victims: US, Malaysia, Türkiye, Chile)

Tactics, Techniques & Procedures (TTPs)

Extortion strategy

Qilin operates a ransomware-centric double-extortion model. The techniques inherent to this model, T1486 (Data Encrypted for Impact) and T1490 (Inhibit System Recovery), are consistent with operations that pair file encryption with backup disruption and leak-site pressure.

Note: Beyond encryption, Qilin applies layered pressure on its leak site: victim names, branding, sample data releases, and detailed compromise writeups. Public reporting notes that affiliates can invoke external legal counsel during negotiations to amplify reputational and regulatory pressure on victims.

Technical capabilities

Qilin's ransomware classification carries the core MITRE techniques common to encryption-based extortion:

  • T1486 Data Encrypted for Impact
  • T1027 Obfuscated Files or Information
  • T1490 Inhibit System Recovery

These reflect the operational model rather than per-incident observation. DarkWebSonar's profile also associates Qilin with a broader known-technique set spanning initial access (T1190, T1566), credential abuse (T1078), and lateral movement (T1021) in open-source reporting, though per-incident MITRE mapping in DWS is limited to the encryption core above.

Initial access and business model (open-source reporting)

DarkWebSonar visibility begins at the leak site; initial access and encryptor details below come from public reporting.

Public reporting indicates Qilin affiliates gain initial access through spearphishing, compromised VPN and RDP credentials (including brokered access), exploitation of exposed remote services, and supply-chain compromise of managed service providers. Fortinet vulnerability campaigns (CVE-2024-21762, CVE-2024-55591) feature prominently in 2024–2025 reporting. Encryptors are cross-platform (Windows, Linux, VMware ESXi) with Go and Rust variants. Cisco Talos documents an average dwell time of roughly six days between initial access and encryption in examined cases, creating a detection window for authentication and lateral-movement anomalies.

Advanced affiliates deploy EDR-killer tooling (e.g., Killer Ultra per Binary Defense) to terminate security processes before encryption.

Evolution & Trends

Qilin's operational timeline in DarkWebSonar telemetry aligns with open-source reporting on rapid RaaS maturation:

  • 2022: Agenda ransomware family first observed (open-source reporting); later Qilin branding.
  • October 2024: DarkWebSonar first observed Qilin leak-site activity (October 4, 2024).
  • Q2–Q3 2025: Sustained output growth; August 2025 Nissan design-studio posting.
  • October 2025: Batch publication surge (2025-W42, 100 postings in one ISO week).
  • April–June 2026: Re-acceleration (307 postings in 90 days; 77 in 30 days); activity through June 18, 2026.

We assess that Qilin benefited from affiliate migration after disruptions to other major RaaS brands, per SANS analysis, and has sustained volume through opportunistic targeting across manufacturing, healthcare, and professional services rather than a single-sector focus.

Notable Campaigns / Victims

Samples

Recent victims observed in DarkWebSonar telemetry (June 2026):

  • Q Link Wireless (United States, Technology & Telecom; posting dated June 15, 2026)
  • Misericórdia de Santo Tirso (Portugal, Healthcare & Pharma; posting dated June 15, 2026)
  • MAVA Behavioral Health (United States, Healthcare & Pharma; posting dated June 15, 2026)
  • Grupo Indi (Mexico, Manufacturing & Construction; posting dated June 15, 2026)
  • Can Hastanesi (Türkiye, Healthcare & Pharma; posting dated June 15, 2026)
  • Homes by J. Anthony (United States, Manufacturing & Construction; posting dated June 18, 2026)
  • Atcom Chile (Chile, Professional Services; posting dated June 18, 2026)

DarkWebSonar and open-source reporting also tracked earlier high-profile victims including Nissan (Japan, automotive design data, August 2025), Synnovis (United Kingdom, healthcare pathology services, 2024), and October 2025 campaign targets such as Asahi Group Holdings and the Spanish Tax Administration Agency per Cohesity reporting.

DarkWebSonar Insights

  • Batch-spike detection identified the October 14, 2025 single-day surge (41 postings) and the 2025-W42 week total (100) while quarterly threat summaries still cited lower annual figures from earlier snapshots.
  • Manufacturing skew surfaced a 25% industry concentration at 1,666-incident scale, a signal obscured in generic "top ransomware groups" rankings that weight only total volume.
  • Global footprint showed meaningful victim share in South Korea, Japan, France, and Canada alongside the 50% US concentration, relevant for regional SOCs that scope threats to locally prominent groups only.
  • 2026 re-acceleration tracked 77 postings in 30 days (May–June 2026) after a late-2025 batch week, indicating sustained affiliate output rather than a one-time spike.

Defender Outlook 2026

Persistent risk: Organizations in Manufacturing & Construction, Healthcare & Pharma, Technology & Telecom, Professional Services, and Financial Services should treat Qilin as an active RaaS threat. The 50% US share does not diminish risk elsewhere: Canada, Western Europe, and East Asia all show double-digit victim counts.

Tempo: Qilin's output arrives in ISO-week bursts (2025-W42, 2026-W17, 2026-W20) with 77 postings in the last 30 days. Detection and response readiness matter more than calendar-based monitoring windows; new affiliates can produce additional burst weeks with minimal warning.

Defensive actions:

  • Enforce phishing-resistant MFA on VPN, RDP, and RMM endpoints; prioritize exposed remote access identified in external attack surface scans.
  • Patch and harden internet-facing appliances (Fortinet, Veeam, Citrix) cited in Qilin access campaigns; segment backup infrastructure from production domain accounts.
  • Validate backup isolation and test restoration from air-gapped or immutable copies; recovery inhibition (T1490) is inherent to Qilin's ransomware model.
  • Monitor for EDR-killer precursors (suspicious driver loads, clustered security-process terminations) during the dwell window before encryption.
  • Establish early warning for your organization's exposure on leak sites so a Qilin listing surfaces before public disclosure; DarkWebSonar provides this coverage.
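The EDR-killer precursor item above (suspicious driver loads, clustered security-process terminations inside the dwell window) is the one defensive action that reduces to detection logic, so here is an added example of that logic run over sample endpoint telemetry. This is not DarkWebSonar code or a vendor rule: the log lines are constructed, the event schema (Sysmon-style event IDs 5 = process terminated and 6 = driver loaded, with a flattened signature field) is a simplifying assumption, and the security-process watchlist is illustrative and must be adapted to the agents actually deployed.

```python
"""Flag EDR-killer precursors in endpoint telemetry: clustered terminations of
security-product processes on one host, and loads of unsigned drivers.

Added example, not DarkWebSonar code or a vendor detection rule. Log lines are
constructed; the event schema (Sysmon-style IDs 5 = process terminated,
6 = driver loaded, plus a flattened 'signed'/'signer' field) and the process
watchlist are assumptions to adapt to your own EDR and log pipeline.
"""
import json
from collections import defaultdict
from datetime import datetime

# Assumed watchlist of security-product process names (lower-cased basenames).
SECURITY_PROCESSES = {
    "msmpeng.exe", "nissrv.exe", "mssense.exe",   # Microsoft Defender / MDE
    "csfalconservice.exe", "sentinelagent.exe",   # other common EDR agents
}

# Constructed sample telemetry (JSON lines); paths use '/' for readability. Not real hosts.
SAMPLE_LOG = """
{"ts": "2026-06-10T02:14:03Z", "host": "srv-fs01", "event_id": 6, "image": "C:/Windows/Temp/drv.sys", "signed": false, "signer": ""}
{"ts": "2026-06-10T02:14:05Z", "host": "srv-fs01", "event_id": 5, "image": "C:/Program Files/Windows Defender/MsMpEng.exe"}
{"ts": "2026-06-10T02:14:06Z", "host": "srv-fs01", "event_id": 5, "image": "C:/Program Files/Windows Defender/NisSrv.exe"}
{"ts": "2026-06-10T02:14:07Z", "host": "srv-fs01", "event_id": 5, "image": "C:/Program Files/Windows Defender Advanced Threat Protection/MsSense.exe"}
{"ts": "2026-06-10T02:14:08Z", "host": "srv-fs01", "event_id": 5, "image": "C:/Windows/System32/notepad.exe"}
{"ts": "2026-06-10T03:40:00Z", "host": "ws-042", "event_id": 5, "image": "C:/Program Files/Windows Defender/MsMpEng.exe"}
{"ts": "2026-06-10T03:55:10Z", "host": "ws-042", "event_id": 6, "image": "C:/Windows/System32/drivers/afd.sys", "signed": true, "signer": "Microsoft Windows"}
{"ts": "2026-06-10T10:22:00Z", "host": "ws-077", "event_id": 5, "image": "C:/Program Files/CrowdStrike/CSFalconService.exe"}
"""


def parse(log_text):
    """Parse JSON lines into dicts with a datetime 'ts' and lower-cased 'name', sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        rec["name"] = rec["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect(log_text, window_seconds=60, min_kills=3):
    """Return alerts for unsigned driver loads and clustered security-process kills."""
    events = parse(log_text)
    alerts = []

    # Rule 1: driver load without a valid signature. Assumes the pipeline exposes
    # signature status; abuse of legitimately signed vulnerable drivers needs a
    # separate check against a vulnerable-driver blocklist and is not covered here.
    for ev in events:
        if ev["event_id"] == 6 and not ev.get("signed"):
            alerts.append({"type": "suspicious_driver_load", "host": ev["host"],
                           "ts": ev["ts"].isoformat(), "image": ev["image"]})

    # Rule 2: at least min_kills watchlisted security processes terminated on the
    # same host within window_seconds. A single termination (update, crash) is
    # normal; several in a few seconds is the EDR-killer pattern.
    kills = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 5 and ev["name"] in SECURITY_PROCESSES:
            kills[ev["host"]].append(ev)
    for host, evs in kills.items():
        i = 0
        while i < len(evs):
            j = i
            while (j + 1 < len(evs)
                   and (evs[j + 1]["ts"] - evs[i]["ts"]).total_seconds() <= window_seconds):
                j += 1
            if j - i + 1 >= min_kills:
                alerts.append({"type": "clustered_security_process_termination",
                               "host": host, "ts": evs[i]["ts"].isoformat(),
                               "count": j - i + 1,
                               "processes": [e["name"] for e in evs[i:j + 1]]})
                i = j + 1          # skip past the cluster already reported
            else:
                i += 1
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed log the detector raises two alerts for srv-fs01, the unsigned driver load followed two seconds later by three Defender processes terminating inside one window, and stays quiet for the single MsMpEng.exe exit on ws-042 and the signed afd.sys load. Correlating the two alert types on the same host within a few minutes is the higher-fidelity signal; either one alone warrants a look during the roughly six-day dwell window the open-source reporting above describes.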

No public law enforcement takedown targeting Qilin has been identified as of June 2026; HHS HC3 and CISA have issued sector warnings, and the group remains operationally active on Tor.

Threat Intelligence Indicators

Key vulnerabilities exploited

DarkWebSonar CVE associations in Qilin's profile:

Open-source reporting additionally highlights Fortinet exploitation in affiliate campaigns:

Attack progression timeline

  1. Initial compromise through phishing, credential theft, brokered access, or vulnerability exploitation
  2. Discovery and lateral movement using living-off-the-land tools (WinRM, RDP, PsExec)
  3. Data exfiltration prior to encryption deployment
  4. Optional EDR-killer staging to impair endpoint defenses
  5. Ransomware deployment across Windows, Linux, and ESXi systems
  6. Extortion initiation with leak-site posting and negotiation demands

Conclusion

Qilin has scaled from an emerging RaaS brand to one of the highest-volume leak-site operators DarkWebSonar tracks, with 1,666 victim postings across roughly 90 countries in under two years. The group's manufacturing-sector concentration (25%), US-heavy but globally distributed victim map, and episodic batch-publication spikes make it a sustained priority for defenders in industrial, healthcare, and professional services sectors.

For defenders, the practical implication is that Qilin's threat picture cannot be reduced to a single geography or industry. The access patterns it exploits are consistent and addressable: exposed remote services without enforced MFA, unpatched edge appliances, and insufficient backup isolation. Closing those gaps, combined with leak-site early warning, is the highest-value control stack against this group.


Data notes: Statistics in this profile are derived from DarkWebSonar telemetry on Qilin's Tor leak site unless attributed to open-source reporting. Posting dates may lag compromise; batch publication can inflate single-week counts. Country and industry fields reflect leak-site metadata.

