Qilin LOTL Double Extortion

Cohesity REDLab has released updates to the threat library in response to the active exploitation by the Qilin ransomware group in October 2025 based on its AGENDA and AGEDA.RUST ransomware. Users should closely monitor the ML-based anti-ransomware backup anomalies in Security Center. It is recommended to use the Threat Scan in tandem with anti-ransomware to scan backup data using the default threat library or custom YARA rules. Users should also run periodic file-hash scans to detect dormant malware in backup data.

Overview

In October 2025, the Qilin ransomware group, known for its prolific and aggressive attacks, claimed responsibility for breaches against a diverse set of international and domestic targets. Most notably, the group was behind a significant attack that crippled Japanese brewing giant Asahi Group Holdings, disrupting its beer production and leaving systems inoperable for weeks. In Europe, the group targeted both the Spanish Tax Administration Agency and Volkswagen Group France, allegedly stealing massive volumes of sensitive financial, customer, and vehicle data. Qilin affiliates breached multiple U.S. organizations, including Texas electric cooperatives and a Michigan Indian tribe, alongside other entities like Canadian pharmaceutical firm Dalton Pharma Services and the U.S. based Executive Cabinetry and Victory Christian Center. The sheer breadth of these attacks, spanning manufacturing, government, energy, and smaller businesses, underscores Qilin's global reach and its tendency to cast a wide net for high-value targets.

Kill Chain Working

The Qilin group, using its AGENDA (Go) and AGENDA.RUST (Rust) malware and follows a sophisticated kill chain that involves initial network access, stealthy lateral movement, and a "double extortion" finale. Its approach is not a single, automated exploit but a methodical, multi-stage process. 

Initial access

Qilin and its affiliates use multiple techniques to gain initial access to a victim’s network, including spear-phishing emails with malicious attachments or links, exploiting publicly accessible applications and unpatched vulnerabilities such as those in VPN appliances, remote desktop services, and remote monitoring and management (RMM) tools, as well as purchasing valid but compromised credentials from underground forums.

Lateral movement and privilege escalation

Once inside, the group systematically expand access and escalate privileges by performing discovery to map the network, identify high-value assets and target user accounts by "living off the land" i.e. using legitimate system and remote-access tools such as Cobalt Strike, PsExec, and SSH to move laterally and evade detection.

Evasion

The group hides its activity and maintains persistence by using code obfuscation by building the AGENDA binary in Rust and Go to hinder analysis and reduce antivirus detection by terminating security and other critical processes. The Rust variant specifically targets the Windows AppInfo process to disable User Account Control and by erasing forensic traces such as PowerShell and Windows System logs. UAC bypass in employed in the AGENDA.RUST variant so the ransomware can run with administrative privileges.

Double extortion

In the final stage Qilin executes a multi-faceted extortion strategy: they first exfiltrate sensitive data using tools like FreeFileSync, FileZilla, and WinSCP so they have leverage beyond encryption. They then encrypt files with a mix of fast, intermittent and strong cryptographic methods to disrupt operations. To block simple recoveries, they delete volume shadow copies (vssadmin.exe), forcing victims to consider paying rather than restoring from backups – this malicious technique can be easily protected against by Cohesity products. They drop ransom notes and direct victims to dark-web portals or encrypted chat for negotiation. If victims refuse, the stolen data is posted on Qilin’s leak site. Together these steps create “double extortion” because the attackers can demand payment both to restore encrypted systems and to prevent the public release of stolen, potentially damaging or regulated data.

Final Remarks

Cohesity’s Anti-Ransomware module deploys inline ML-based techniques to identify new and unknown threats in backup data. The Threat Detection feature lets you scan backup data for known malware signatures, indicators of compromise (IOCs), using both built-in threat feeds and custom YARA rules. This helps ensure that the data recovered from backups is clean and avoids re-infecting production after a breach. It works by integrating curated threat intelligence and anomaly detection into Cohesity data protection platform so that customers can schedule or initiate threat scans over backups, inspect snapshots for malicious or suspicious artifacts, flag or quarantine compromised backups, and then use those evaluations to guide rapid recovery and response.

Cohesity Data Cloud

Data Cloud packaging

Certified platforms

Backup & Recovery

Cloud Data Protection

SaaS Data Protection

Unstructured Data Protection

Cyber Resilience

Zero Trust Security

Archive & Long-Term Retention

Disaster Recovery

Identity Resilience

Ransomware Anomaly Detection

Threat Protection

Data Classification

Cyber Vaulting

Cyber Recovery Orchestration

Digital Jump Bag

Clean Room Solution

AI Conversational Search

Reporting & IT Insights

Global Search

Why Cohesity

Cohesity vs. Rubrik

Cohesity vs. Commvault

View all solutions

Learn more

Microsoft 365 Protection

AWS

Azure

Google Cloud

Google Workspace

Slack

Active Directory & Entra ID

Hyper-V

Kubernetes

IBM

MongoDB

MS SQL Server

NAS

NoSQL & Hadoop

Nutanix

Oracle

Red Hat

SAP HANA

VMware

Financial services

Healthcare and life sciences

Manufacturing and logistics

Federal government

State, local government, and education

Retail and hospitality

Legal

Energy and utilities

Telecom

Technology

Media and Entertainment

View all

Corporate Overview

Blogs

Demos

Events and Webinars

Customer Stories

Glossary

Marketplace

Support

Support login

How-to videos

Cyber Event Response Team

Cohesity User Group

Cohesity Academy

Trust Center

Channel Partners

Global System Integrators

Security Partners

Cloud Alliances

Technology Partners

Managed Service Providers

Data Security Alliance

Leadership