AttackIQ released an updated attack graph in response to threat intelligence about the deployment of Qilin ransomware, a strain that first appeared in July 2022 and remains highly active today. The update reveals new behaviors associated with Qilin operators, identified as recently as October 2025.
Qilin is a ransomware strain operated under the Ransomware-as-a-Service (RaaS) model that emerged in July 2022. It was initially known as Agenda, with a codebase written primarily in Go (Golang) that targeted Windows environments and implemented basic double extortion capabilities. Over time, the ransomware evolved into Qilin and was rewritten in Rust. This transition provided improved performance, cross‑platform compatibility, and more sophisticated evasion techniques.
The rewrite to Rust enabled Qilin to expand targeting to Linux and ESXi environments, integrate advanced mechanisms to bypass endpoint protections, improve encryption efficiency, and support modular deployment for affiliates.
Qilin rapidly grew to become one of the most prominent ransomware groups in 2025, surpassing RansomHub in Q2 after leading in the previous three quarters.
AttackIQ notes that the updated behaviors of Qilin operators were identified as recently as October 2025 and highlights the ongoing evolution of the strain within a RaaS model.
Qilin ransomware, originally named Agenda and built in Go for Windows with double extortion, was rewritten in Rust for better performance and cross‑platform reach. It expanded to Linux and ESXi and adopted modular affiliate deployment, becoming a major force by 2025.
Author's summary: Qilin evolved from a Windows-focused Go-based ransomware to a Rust-powered, cross‑platform, modular RaaS operation that expanded to Linux and ESXi targets and rose to prominence by 2025.