
Qilin Ransomware Uses MSPaint and Notepad for Stealthy Data Theft

By: Joahn G
Last updated: October 27, 2025
  • The Qilin ransomware group, whose attack volume has been rising, has been abusing native Windows tools such as notepad.exe and mspaint.exe to steal user data.

  • The Talos threat intelligence team reports that the group has shown an increased operational tempo and is focusing primarily on the manufacturing sector.

  • The group's most recognisable trait is the ransom note it leaves on the victim's computer, stating that the data will be restored in exchange for a ransom payment.

According to the Talos threat intelligence team, Qilin established itself as a growing threat during the latter half of 2025, posting more than 40 victims each month on its public data leak website.

Qilin Group Attacks Since Its Emergence

Formerly called Agenda, Qilin commenced operations in July 2022 and uses a double-extortion tactic: it encrypts the victim's files and also threatens to publicly leak the stolen data. The Talos threat intelligence team confirmed that the group's tempo of operations has been growing consistently.

As per the Talos report, companies in the manufacturing industry suffered the most from Qilin’s attacks, constituting about 23% of all incidents.

Following the manufacturing sector were companies in the Professional and scientific services sector, accounting for 18% of the cases. The third most affected sector was Wholesale trade, representing 10% of incidents.

The report also found that the United States had the highest number of victim counts, representing 333 (65.8%) of the 506 cases. Following the US were Canada, the United Kingdom, France, and Germany, with 35, 24, 22, and 16 cases, respectively.

Qilin uses its leak website as the primary hub for extortion, posting evidence of each attack there. The leak site is also one of the group's main pressure tactics, pushing victims toward a ransom settlement and payment.

Leveraging Native Windows Programs

According to the incident analysis report, Talos found that Qilin adds an unusual twist by using legitimate Windows applications to steal sensitive data. Qilin reportedly combs through victims' files using notepad.exe and mspaint.exe, both of which ship with the Windows OS.

This technique likely lets the attackers quickly review files for sensitive credentials while evading antivirus and other security products that are configured to block, flag, or remove non-native programs.

Logs from victims' devices show sensitive files and documents being opened with Paint and Notepad. The attackers also used the open-source file transfer client Cyberduck to exfiltrate the looted data to cloud storage, masking the activity within normal business traffic.

As per the report, artifacts in the attackers' scripts, specifically the use of the windows-1251 (Cyrillic) character encoding, point to possible operators in Russian-speaking regions or Eastern Europe. Analysts noted that these scripts appear to be credential theft scripts and warned that the encoding could also be a deliberate false flag planted by the attacker.

It is worth noting that the VPN involved in this case did not have multi-factor authentication (MFA) enabled, so anyone holding valid credentials could gain unauthorized access.

These VPN logins could have been exposed or sold on darknet forums. Certain cases involved group policy manipulation to allow RDP and enable lateral movement across Windows hosts.

Notably, the Qilin operators typically conduct reconnaissance, enumerating user lists, privilege details, and domain controllers with built-in tools such as tasklist, net, nltest, and whoami.
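The two behaviours described above, a burst of built-in reconnaissance tools and a native viewer such as Notepad or Paint being launched from a script to open a sensitive-looking file, are both visible in process creation telemetry. The following is an added detection example, not code from the article or from Talos; it assumes Sysmon Event ID 1 style fields (host, timestamp, Image, CommandLine, ParentImage) and runs over constructed sample events, deliberately ignoring Notepad launched interactively from explorer.exe.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs), modelled on Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 100, "image": r"C:\Windows\System32\whoami.exe",
     "cmd": "whoami /all", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "ts": 105, "image": r"C:\Windows\System32\net.exe",
     "cmd": 'net group "Domain Admins" /domain', "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "ts": 110, "image": r"C:\Windows\System32\nltest.exe",
     "cmd": "nltest /dclist:corp", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "ts": 400, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r'notepad.exe "\\FS01\finance\vpn_passwords.txt"', "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS02", "ts": 500, "image": r"C:\Windows\System32\notepad.exe",  # benign interactive use
     "cmd": r"notepad.exe C:\Users\bob\notes.txt", "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS02", "ts": 600, "image": r"C:\Windows\System32\mspaint.exe",
     "cmd": r'mspaint.exe "\\FS01\hr\id_scans\passport_0412.png"',
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

RECON_TOOLS = {"tasklist.exe", "net.exe", "net1.exe", "nltest.exe", "whoami.exe"}
VIEWERS = {"notepad.exe", "mspaint.exe"}
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Credential-like keywords, KeePass databases, or any UNC path (\\server\share).
SENSITIVE = re.compile(r"passw|cred|vpn|secret|token|\.kdbx|\\\\[^\\]+\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events, window=300, min_tools=3):
    """Return (host, rule, detail) alerts for the two Qilin-style behaviours."""
    alerts, recon = [], defaultdict(list)
    for ev in events:
        img, parent = basename(ev["image"]), basename(ev["parent"])
        if img in RECON_TOOLS:
            recon[ev["host"]].append((ev["ts"], img))
        # Native viewer spawned by a shell/script on a sensitive-looking file.
        elif img in VIEWERS and parent in SCRIPT_PARENTS and SENSITIVE.search(ev["cmd"]):
            alerts.append((ev["host"], "native_viewer_on_sensitive_file", ev["cmd"]))
    # Distinct recon tools seen on one host within a sliding time window.
    for host, runs in recon.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):
            tools = {name for t, name in runs[i:] if t - t0 <= window}
            if len(tools) >= min_tools:
                alerts.append((host, "ad_recon_burst", ",".join(sorted(tools))))
                break
    return alerts
```

Tune the keyword list and the parent-process allowlist to the environment; on a real estate the UNC-path clause alone will be noisy without the script-parent condition.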

About the Author

Joahn G

Cyber Threat Journalist

Joahn is a cyber threat journalist dedicated to tracking the evolving landscape of digital risks. His reporting focuses on ransomware gangs, data breach incidents, and state-sponsored cyber operations. By analyzing threat actor motives and tactics, he provides timely intelligence that helps readers understand and anticipate the security challenges of tomorrow.
