Qilin is reportedly reusing initial access obtained through the ZipLine phishing campaign to carry out encryption and extortion operations, with confirmed incidents in Austria and a reported case in Switzerland. The campaign uses recruitment-themed domains and long, deceptive recruiter-style email exchanges to lure targets into opening malicious ZIP files, while new domains and Microsoft 365 MX records indicate continued phishing activity. #Qilin #ZipLine #steinersearchat #haasrecruitingat #bergersearchat #valenzsearchat
Key points
- Qilin is using initial access from the ZipLine phishing campaign for its own operations.
- Confirmed incidents have been reported in Austria, with a related case identified in Switzerland.
- ZipLine targets critical manufacturing and export-oriented mid-sized companies.
- The campaign uses recruitment-themed .at domains and long, convincing email exchanges before delivering a ZIP file.
- New domains such as haasrecruiting.at and bergersearch.at should be added to block or watchlists.
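The following triage sketch is an added example, not code from the advisory or its authors. It flags mail from the two domains named above, and also flags a ZIP that arrives from a similarly themed .at domain after several earlier messages to the same recipient. The record layout, the `THEMED` pattern, the `MIN_PRIOR_MESSAGES` threshold and the sample log are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Domains named on this page; extend from your own intelligence feed.
WATCHLIST = {"haasrecruiting.at", "bergersearch.at"}

# Assumption: heuristic for look-alike recruitment-themed .at sender domains,
# modelled on the naming of the watchlisted domains.
THEMED = re.compile(r"^[a-z0-9-]+(search|recruiting)\.at$")

# Assumption: how many earlier messages count as a "long exchange".
MIN_PRIOR_MESSAGES = 2

# Constructed sample records in chronological order:
# (sender, recipient, attachment filename or None)
SAMPLE_LOG = [
    ("m.huber@haasrecruiting.at", "hr@mfg.example", None),
    ("anna@example-search.at", "cfo@mfg.example", None),
    ("anna@example-search.at", "cfo@mfg.example", None),
    ("anna@example-search.at", "cfo@mfg.example", "Position_Details.zip"),
    ("billing@supplier.example", "cfo@mfg.example", "invoice.zip"),
    ("jobs@sample-recruiting.at", "cfo@mfg.example", "cv.zip"),
]


def sender_domain(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def triage(records):
    """Return (index, sender domain, reason) for each record worth review."""
    prior = defaultdict(int)  # messages seen so far per (domain, recipient)
    findings = []
    for i, (sender, recipient, attachment) in enumerate(records):
        domain = sender_domain(sender)
        key = (domain, recipient.lower())
        is_zip = bool(attachment) and attachment.lower().endswith(".zip")
        if domain in WATCHLIST:
            findings.append((i, domain, "watchlist"))
        elif THEMED.match(domain) and is_zip and prior[key] >= MIN_PRIOR_MESSAGES:
            # ZIP delivered only after an established conversation
            findings.append((i, domain, "themed-zip-after-exchange"))
        prior[key] += 1
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The heuristic branch is deliberately narrow and will miss a ZIP sent on first contact; treat it as a review queue alongside the watchlist, not a replacement for it.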
Read More: https://www.cert.at/de/aktuelles/2026/5/zipline-qilin-raas-update