Skip to main content

Operator dossier

Qilin is a ransomware operator currently active on public leak sites. Darkfield has indexed 2,028 public victims claimed by this operator between October 8, 2022 and July 15, 2026. Qilin is a ransomware group that emerged in October 2022, operating with primarily financial motivations through targeted attacks against organizations across multiple sectors. The group appears to operate independently with limited public information available regarding their specific country of origin or affiliations to other ransomware families. Qilin employs double extortion tactics, typically exfiltrating sensitive data before deploying their encryption payload, though specific details about their initial access vectors and technical tools remain less documented in public security research. The group has demonstrated a broad targeting approach, with their 1645 known victims spanning multiple countries including the United States, France, Canada, United Kingdom, and Germany, with particular focus on manufacturing, technology, healthcare, and business services sectors. Based on available intelligence reporting, Qilin remains an active threat as of recent assessments, continuing their ransomware operations without significant reported law enforcement disruption.

Most-targeted sectors

Most-affected countries

Recent disclosures by Qilin

Most recent 150 of 2,028 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Qilin

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

Qilin

2,028 victims indexed · first seen 4 years ago · last activity 4 hours ago

2,028
Victims indexed
#3 of 364 tracked operators
3y 9m
Active period
Oct 2022 → Jul 2026
30
Countries hit
top United States · 798

At a glance

Status
active
First seen
4 years ago
Last activity
4 hours ago
Onion sites
3 known endpoints
Primary sector
Not Found · 565 hits

About

Qilin is a ransomware group that emerged in October 2022, operating with primarily financial motivations through targeted attacks against organizations across multiple sectors. The group appears to operate independently with limited public information available regarding their specific country of origin or affiliations to other ransomware families. Qilin employs double extortion tactics, typically exfiltrating sensitive data before deploying their encryption payload, though specific details about their initial access vectors and technical tools remain less documented in public security research. The group has demonstrated a broad targeting approach, with their 1645 known victims spanning multiple countries including the United States, France, Canada, United Kingdom, and Germany, with particular focus on manufacturing, technology, healthcare, and business services sectors. Based on available intelligence reporting, Qilin remains an active threat as of recent assessments, continuing their ransomware operations without significant reported law enforcement disruption.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

24 months
2024-07-01T00:00:00+00:00 · 102024-08-01T00:00:00+00:00 · 192024-09-01T00:00:00+00:00 · 232024-10-01T00:00:00+00:00 · 52024-11-01T00:00:00+00:00 · 312024-12-01T00:00:00+00:00 · 182025-01-01T00:00:00+00:00 · 232025-02-01T00:00:00+00:00 · 432025-03-01T00:00:00+00:00 · 472025-04-01T00:00:00+00:00 · 752025-05-01T00:00:00+00:00 · 572025-06-01T00:00:00+00:00 · 832025-07-01T00:00:00+00:00 · 642025-08-01T00:00:00+00:00 · 872025-09-01T00:00:00+00:00 · 842025-10-01T00:00:00+00:00 · 2102025-11-01T00:00:00+00:00 · 1072025-12-01T00:00:00+00:00 · 1782026-01-01T00:00:00+00:00 · 1092026-02-01T00:00:00+00:00 · 1152026-03-01T00:00:00+00:00 · 1412026-04-01T00:00:00+00:00 · 1092026-05-01T00:00:00+00:00 · 1212026-06-01T00:00:00+00:00 · 45
2024-07-01T00:00:00+00:002026-06-01T00:00:00+00:00

Top countries

🇺🇸 United States
798
🇺🇸 United States
96
🇫🇷 France
85
🇨🇦 Canada
78
🇬🇧 United Kingdom
71
🇩🇪 Germany
55
🇪🇸 Spain
53
🇮🇹 Italy
48

Top sectors

Manufacturing
242
Healthcare
162
Technology
159
Business Services
154
Construction
92
Financial Services
92
Consumer Services
67
Agriculture and Food Production
64

MITRE ATT&CK

10 techniques · 9 tactics

Tactics

Initial AccessExecutionPrivilege EscalationDefense EvasionCredential AccessLateral MovementCollectionExfiltrationImpact

Techniques

  • T1190Exploit Public-Facing Application
  • T1566Phishing
  • T1059Command and Scripting Interpreter
  • T1548Abuse Elevation Control Mechanism
  • T1562Impair Defenses
  • T1003OS Credential Dumping
  • T1021Remote Services
  • T1083File and Directory Discovery
  • T1041Exfiltration Over C2 Channel
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

3 known
  • http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion
  • http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion
  • http://ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion

Source

Updated 4 hours ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Qilin posts a victim.

Add Qilin to your watchlist — Pro pings you within 5 minutes of any new Qilin leak-site post, Telegram callout, or affiliate-rebrand inference.