Operator dossier

Qilin is a ransomware operator currently active on public leak sites. Darkfield has indexed 1,857 public victims claimed by this operator between October 8, 2022 and May 20, 2026. Qilin is a ransomware group that emerged in October 2022, operating with primarily financial motivations through targeted attacks against organizations across multiple sectors. The group appears to operate independently with limited public information available regarding their specific country of origin or affiliations to other ransomware families. Qilin employs double extortion tactics, typically exfiltrating sensitive data before deploying their encryption payload, though specific details about their initial access vectors and technical tools remain less documented in public security research. The group has demonstrated a broad targeting approach, with their 1645 known victims spanning multiple countries including the United States, France, Canada, United Kingdom, and Germany, with particular focus on manufacturing, technology, healthcare, and business services sectors. Based on available intelligence reporting, Qilin remains an active threat as of recent assessments, continuing their ransomware operations without significant reported law enforcement disruption.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

Qilin

1,857 victims indexed · first seen 4 years ago · last activity 4 hours ago

1,857

Victims indexed

#3 of 348 tracked operators

3y 7m

Active period

Oct 2022 → May 2026

Countries hit

top United States · 624

At a glance

Status: active
First seen: 4 years ago
Last activity: 4 hours ago
Onion sites: 3 known endpoints
Primary sector: Not Found · 527 hits

About

Qilin is a ransomware group that emerged in October 2022, operating with primarily financial motivations through targeted attacks against organizations across multiple sectors. The group appears to operate independently with limited public information available regarding their specific country of origin or affiliations to other ransomware families. Qilin employs double extortion tactics, typically exfiltrating sensitive data before deploying their encryption payload, though specific details about their initial access vectors and technical tools remain less documented in public security research. The group has demonstrated a broad targeting approach, with their 1645 known victims spanning multiple countries including the United States, France, Canada, United Kingdom, and Germany, with particular focus on manufacturing, technology, healthcare, and business services sectors. Based on available intelligence reporting, Qilin remains an active threat as of recent assessments, continuing their ransomware operations without significant reported law enforcement disruption.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/qilin

Timeline

24 months

2024-04-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 United States

624

🇫🇷 France

🇨🇦 Canada

🇬🇧 United Kingdom

🇩🇪 Germany

🇪🇸 Spain

🇮🇹 Italy

🇯🇵 Japan

United States dossier →France dossier →Canada dossier →United Kingdom dossier →

Top sectors

Not Found

527

Manufacturing

196

Technology

139

Healthcare

132

Business Services

102

Financial Services

Construction

Transportation/Logistics

Not Found dossier →Manufacturing dossier →Technology dossier →Healthcare dossier →

MITRE ATT&CK

10 techniques · 9 tactics

Tactics

Initial AccessExecutionPrivilege EscalationDefense EvasionCredential AccessLateral MovementCollectionExfiltrationImpact

Techniques

T1190Exploit Public-Facing Application
T1566Phishing
T1059Command and Scripting Interpreter
T1548Abuse Elevation Control Mechanism
T1562Impair Defenses
T1003OS Credential Dumping
T1021Remote Services
T1083File and Directory Discovery
T1041Exfiltration Over C2 Channel
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

3 known

http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion
http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion
http://ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion

Source

Updated 4 hours ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.