
Red Piranha’s threat intelligence team actively monitors ransomware groups and dark web activity. We track emerging threats and attack trends in real time.

In one recent case, we investigated a Qilin (also known as Agenda) ransomware attack. The attackers gained access through a compromised VPN. They then moved laterally across the network and used advanced techniques to evade detection.

Qilin operates as a Ransomware-as-a-Service (RaaS), enabling affiliates to launch attacks for a cut of the ransom.

This incident revealed the use of advanced kernel-level exploits. The attackers used a Bring-Your-Own-Vulnerable-Driver (BYOVD) method to disable EDR tools. This allowed them to bypass security controls deep within the Windows OS. 



Figure 1: Screenshot of Leak Site used by Qilin Ransomware


Qilin is a ransomware group that first appeared in July 2022. It operates under a Ransomware-as-a-Service (RaaS) model, allowing affiliates to launch attacks for a share of the ransom.

The group gained rapid notoriety for its aggressive tactics. In October 2022, Qilin posted its first victim on its darknet leak site. Since then, its activity has steadily increased.

What is the Kill Chain, Tactics, Techniques, and Procedures (TTPs) of Qilin Ransomware?


1. Initial Access: VPN Compromise & Covert Tunnelling

The attack began with unauthorized access via a compromised VPN account. Anomalous activity was observed from IP address 31.192.107[.]144, linked to a Russian cloud hosting provider. The session lasted over six hours and was followed by a second session lasting another 90 minutes. This strongly suggests that the attackers had either stolen credentials or hijacked an active session token, successfully bypassing multi-factor authentication (MFA) and other identity-based controls.

Once inside the network perimeter, the attacker deployed a reverse proxy tool, main.exe, a Golang-based executable. It established an encrypted SSH tunnel to an external host (216.120.203[.]26, hosted by Shock Hosting). This allowed the adversary to covertly route internal traffic, effectively bypassing perimeter firewalls and segmentation. Through this tunnel, the attacker gained remote access to internal systems via RDP and exfiltrated data without triggering standard outbound filters, since the encrypted channel hid the traffic from content inspection.

2. Privilege Escalation & Lateral Movement

After initial access, the attacker escalated privileges and moved laterally within the network. Using Remote Desktop Protocol (RDP) and previously compromised credentials, they accessed additional systems. To blend in, they mimicked legitimate user behavior and working hours, reducing the chance of alerting security analysts.

The attacker relied heavily on native Windows administrative tools, such as PsExec and Windows Management Instrumentation (WMI), to execute commands remotely. By avoiding custom malware and sticking to “living off the land” tactics, the attacker reduced their footprint and stayed below traditional detection thresholds.

3. EDR Evasion Phase 1: DLL Sideloading

To silently disable security tools, the attacker employed a DLL sideloading technique using a legitimate binary upd.exe, the updater for Carbon Black’s Cloud Sensor AV. Under normal conditions, this binary loads a trusted DLL (avupdate.dll) during software updates. The attacker replaced the DLL with a weaponized version to execute arbitrary code.

The modified avupdate.dll loaded an XOR-obfuscated payload named web.dat, containing a customized variant of EDRSandblast, a tool built to disable endpoint detection and response systems. Before activating, it performed anti-analysis checks to detect debuggers or sandbox environments, further indicating the sophistication of the attack.

4. EDR Evasion Phase 2: Kernel-Level BYOVD Exploit

In the next phase, the attacker executed a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack. Rather than using well-known drivers (often blocked by EDRs), they introduced a signed but vulnerable driver: TPwSav.sys, originally built for Toshiba power management in 2015. This driver still held a valid signature and was not flagged by most security solutions.

The attacker used TPwSav.sys to manipulate kernel memory directly. Specifically, they hijacked the Beep.sys driver’s BeepDeviceControl function, injecting malicious shellcode into the kernel. With low-level access granted, they:

  • Overwrote key EDR hooks in kernel space
  • Used MmMapIoSpace to map arbitrary memory
  • Hijacked IofCompleteRequest for stealthy execution of malicious functions


The goal was clear: a full EDR bypass. Once EDRSandblast was deployed, the attacker stripped out kernel callback routines, cut off event tracing, and eliminated the ability of forensic tools to collect telemetry. The attack was now nearly invisible at both the user and kernel level.

This multi-stage intrusion by Qilin highlights a mature threat actor capable of bypassing both identity and endpoint security layers. From VPN compromise to full kernel-level evasion, each phase was designed to evade modern defenses, remain undetected, and maintain persistence long enough to deploy ransomware or exfiltrate sensitive data.

What are the Indicators of Compromise (IOCs) of Qilin Ransomware?

Indicators of Compromise (IOCs) linked to the Qilin attack include the following file hashes:

  • TPwSav.sys: 011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6
  • avupdate.dll: d3af11d6bb6382717bf7b6a3aceada24f42f49a9489811a66505e03dd76fd1af
  • main.exe: aeddd8240c09777a84bb24b5be98e9f5465dc7638bec41fb67bbc209c3960ae1
  • web.dat: 08224e4c619c7bbae1852d3a2d8dc1b7eb90d65bba9b73500ef7118af98e7e05
  • upd.exe: 3dfae7b23f6d1fe6e37a19de0e3b1f39249d146a1d21102dcc37861d337a0633

IPs used: 216.120.203[.]26, 31.192.107[.]144
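A small IOC sweep, added here as an example and not part of Red Piranha's tooling, that matches the five SHA-256 hashes and two IP addresses listed above. File hashing is streamed so large drivers and DLLs are handled, IPs are stored defanged exactly as published and refanged only at match time, and log matching tokenises whole IPv4 addresses so that a longer address sharing a prefix does not produce a false hit. The log lines are constructed for illustration and are not from the incident.

```python
import hashlib
import re

# SHA-256 hashes and sample names as reported in the article above
QILIN_FILE_IOCS = {
    "011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6": "TPwSav.sys",
    "d3af11d6bb6382717bf7b6a3aceada24f42f49a9489811a66505e03dd76fd1af": "avupdate.dll",
    "aeddd8240c09777a84bb24b5be98e9f5465dc7638bec41fb67bbc209c3960ae1": "main.exe",
    "08224e4c619c7bbae1852d3a2d8dc1b7eb90d65bba9b73500ef7118af98e7e05": "web.dat",
    "3dfae7b23f6d1fe6e37a19de0e3b1f39249d146a1d21102dcc37861d337a0633": "upd.exe",
}
# IPs exactly as published (defanged); refanged only at match time
QILIN_IPS_DEFANGED = ["216.120.203[.]26", "31.192.107[.]144"]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (1.2.3[.]4) back into a matchable value."""
    return indicator.replace("[.]", ".")


def classify_hash(digest: str, iocs=QILIN_FILE_IOCS):
    """Return the reported sample name for a known-bad SHA-256, else None."""
    return iocs.get(digest.strip().lower())


def scan_paths(paths, iocs=QILIN_FILE_IOCS):
    """Stream-hash each file (drivers and DLLs can be large) and report hits."""
    hits = []
    for path in paths:
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        name = classify_hash(h.hexdigest(), iocs)
        if name:
            hits.append((path, name, h.hexdigest()))
    return hits


def match_log_lines(lines, defanged_ips=QILIN_IPS_DEFANGED):
    """Match whole IPv4 tokens, not substrings: 216.120.203.260 is not a hit."""
    bad = {refang(ip) for ip in defanged_ips}
    return [(n, ip) for n, line in enumerate(lines, start=1)
            for ip in IPV4_RE.findall(line) if ip in bad]


# Constructed sample lines (not real logs), shaped like VPN and firewall events
SAMPLE_LOG = [
    "2025-04-01T02:14:05Z vpn-gw login user=jdoe src=31.192.107.144 result=ok",
    "2025-04-01T03:10:11Z vpn-gw login user=asmith src=10.20.30.40 result=ok",
    "2025-04-01T08:31:49Z fw out dst=216.120.203.26:22 proto=tcp action=allow",
    "2025-04-01T08:32:00Z fw out dst=216.120.203.260 proto=tcp action=allow",
]
```

Run `match_log_lines(SAMPLE_LOG)` to see lines 1 and 3 flagged, and pass candidate paths (for example a suspect driver or the DLL beside upd.exe) to `scan_paths` to compare them against the published hashes.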

FTP servers:

Dark web leak and C2 URLs:

How does Red Piranha Detect and Prevent attacks of Qilin Ransomware?

Red Piranha’s Threat Detection, Investigation, and Response (TDIR) solution, particularly the Crystal Eye solution, is uniquely equipped to detect and prevent Qilin ransomware’s Tactics, Techniques, and Procedures (TTPs) through a combination of advanced monitoring, integrated threat intelligence, and proactive defense strategies. Below is an analysis of how Crystal Eye’s capabilities can detect and prevent Qilin ransomware’s attack stages and techniques:

Red Piranha’s Crystal Eye platform is uniquely positioned to detect and stop advanced threats like Qilin ransomware at every stage of its kill chain. Qilin’s attack begins with VPN compromise, but Crystal Eye detects such unauthorized access through 10x increased network visibility, flagging anomalous login behavior, suspicious session durations, and IPs from untrusted regions. When attackers deploy tools to build SSH tunnels, Crystal Eye’s encrypted metadata analysis and network behavioral analytics catch covert tunneling attempts and alert defenders in real time.

As Qilin moves laterally using RDP, PsExec, and WMI, Crystal Eye’s multi-layered detection and AI-powered anomaly detection pick up on unusual privilege escalations, credential misuse, and living-off-the-land techniques. The platform's proactive threat hunting and contextual threat intelligence identify known TTPs and trigger alerts based on patterns from its integrated TDIR and Network Detection and Response (NDR) modules.

When Qilin tries to disable EDR using DLL sideloading (upd.exe + avupdate.dll) and BYOVD exploits (TPwSav.sys), Crystal Eye responds with kernel-level monitoring, automated containment, and machine-speed response orchestration through its SOAR engine.

Suspicious file hashes and behavior are detected using real-time threat intel feeds, while push-button escalation to Red Piranha's SOC ensures expert intervention without delay. Crystal Eye’s multi-layered defence approach combines Network Detection and Response (NDR), machine learning-driven anomaly detection, and Zero Trust architecture to counter Qilin ransomware’s tactics effectively.

For long-term defense and investigation, Crystal Eye offers 18+ months of data retention, integrated PCAP analysis, and centralized logging. This supports forensic tracing of actions like data exfiltration via FTP or C2 beaconing to .onion domains. With Policy-as-Code enforcement, automated compliance checks, and unified dashboards, Crystal Eye not only detects and responds but also hardens your environment against repeat attacks.

In short, Crystal Eye doesn’t just react to Qilin; it proactively hunts, blocks, and neutralizes it before ransomware can ever be deployed.

Does detecting malicious activity pose a significant challenge for your organisation?

Crystal Eye, a best-in-class Threat Detection, Investigation and Response (TDIR) platform, allows you to catch what other products in its class miss by detecting all known malware and C2 callouts.

Improve your organisation's security posture and minimise risk to your organisation with our Network Detection and Response program alongside the Managed Detection and Response (MDR) service.

Last Updated: April 25, 2025