The Qilin ransomware group has emerged as a formidable threat in the cybersecurity landscape, leveraging advanced techniques to infiltrate and exploit networks. Known for its quiet yet effective methods, the group’s recent focus on Remote Desktop Protocol (RDP) authentication history marks a significant evolution in its tactics. Since its debut in 2022, Qilin has continuously refined its approach, posing a serious challenge to organizations worldwide.
Evolution of Qilin Ransomware
Initially flying under the radar, Qilin, also known as Agenda, originated from Russia and began to attract attention by 2023. The group escalated its operations, targeting essential sectors such as healthcare, manufacturing, and government entities. By 2025, Qilin had executed over 700 attacks in a single year, making it one of the most aggressive ransomware operators to date. The impact of Qilin’s attacks has been felt globally, with victims including NHS hospitals in London and county government systems across the United States.
Advanced Tactics and Techniques
Qilin’s modus operandi involves gaining initial access through spearphishing, exploiting known vulnerabilities, or misusing Remote Monitoring and Management (RMM) tools. Once inside, the group uses living-off-the-land techniques to blend into normal system activity and evade detection. Their strategy includes double extortion: data is encrypted and the group threatens to expose it unless the ransom is paid, adding immense pressure on victims.
In a recent discovery, Maurice Fielenbach, an Information Security Researcher at Hexastrike, highlighted a sophisticated reconnaissance method employed by Qilin. The group used a PowerShell command to extract Event ID 1149 from the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log. This allowed them to identify RDP users, connected systems, and potential high-value targets quietly and efficiently.
Implications for Network Security
The quiet nature of Qilin’s RDP enumeration technique is particularly concerning. By avoiding noisy network scans, the group exploits gaps in security monitoring, as many organizations do not prioritize the logs where Event ID 1149 is recorded. This oversight provides attackers with a stealthy means to gather valuable intelligence without triggering alerts.
Security teams are urged to enable PowerShell ScriptBlock Logging across their networks, since such queries launched from non-administrative processes are a strong warning sign. Additionally, vigilance against unauthorized installations of remote access tools like ScreenConnect, and monitoring for Windows Defender tampering, are crucial steps in detecting potential Qilin activity. Combined, these measures can help identify an intrusion before encryption occurs, offering a critical window for response.
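One way to hunt for the reconnaissance described above, as an added PowerShell example that is not from the article or from Hexastrike: it checks that ScriptBlock Logging is enabled by policy, then searches the resulting 4104 events for script text that reads Event ID 1149 from the RemoteConnectionManager log. The lookback window and the snippet length are assumptions.

```powershell
# Added detection example (not from the article or Hexastrike).
# Looks for PowerShell script blocks (Event ID 4104, ScriptBlock Logging) that
# query Event ID 1149 in Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational.

function Test-ScriptBlockLoggingEnabled {
    # Policy key written by the "Turn on PowerShell Script Block Logging" GPO setting
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $v = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableScriptBlockLogging -eq 1)
}

function Find-RdpHistoryEnumeration {
    param([int]$LookbackHours = 24)   # assumed default; widen for retrospective hunts
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = $_.Properties[2].Value   # ScriptBlockText field of a 4104 event
        # Flag script blocks that name the RDP connection log together with ID 1149
        if ($text -match 'RemoteConnectionManager' -and $text -match '\b1149\b') {
            $snip = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time      = $_.TimeCreated
                UserSid   = $_.UserId          # triage: non-admin SIDs are the concern
                ProcessId = $_.ProcessId
                Snippet   = $snip.Substring(0, [Math]::Min(160, $snip.Length))
            }
        }
    }
}

if (-not (Test-ScriptBlockLoggingEnabled)) {
    Write-Warning 'ScriptBlock Logging is not enabled by policy; 4104 events may be absent.'
}
Find-RdpHistoryEnumeration | Format-Table -AutoSize
```

This only catches PowerShell-based reads of the log; reads made with other tools require process-creation auditing, and a finding is a triage lead, not proof of intrusion.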
