The Qilin ransomware group operates through a RaaS model with multiple affiliates, including “hastalamuerte,” who leaked affiliate panel credentials and made extensive use of tools such as Mimikatz and NetExec in attacks. The investigation reveals the affiliate's targeting of Windows environments, use of obfuscation techniques, and interest in cryptocurrency via the Bitkub API, along with a broad toolkit for offensive security operations. #QilinRansomware #hastalamuerte #Mimikatz #NetExec #Bitkub
Key points
- Qilin operates as a Ransomware-as-a-Service group since 2022, with over 600 victims worldwide.
- Affiliate “hastalamuerte” leaked credentials to the Qilin affiliate panel, exposing internal details and evidence of an exit scam.
- The affiliate uses Mimikatz, packed with Themida, as a key credential harvesting tool within their attacks.
- NetExec, an open-source network penetration tool targeting Active Directory environments, is used for extensive post-exploitation activities.
- Bitkub’s API is leveraged by the affiliate, indicating a possible interest or history in cryptocurrency trading.
- The affiliate maintains multiple GitHub projects and forks related to privilege escalation, EDR bypass, and offensive security.
- Several known CVEs appear in the actor’s repositories, reflecting an interest in recent Windows vulnerabilities.
MITRE Techniques
- [T1003] Credential Dumping – Use of Mimikatz packed with Themida for harvesting credentials (‘Found Mimikatz sample used by affiliate packed with Themida’).
- [T1059] Command and Scripting Interpreter – Execution of NetExec for remote command execution and post-exploitation in Active Directory (‘NetExec is a powerful tool used for network penetration testing and executing commands remotely’).
- [T1086] PowerShell – Use of scripts such as PowerHuntShares and other PowerShell-based tools for privilege auditing and exploitation (‘PowerHuntShares: audit script for excessive privileges on Active Directory’).
- [T1569] System Services – Manipulation of system services through tools like RealBlindingEDR to disable antivirus and EDR systems (‘RealBlindingEDR disables or blinds antivirus and EDR by removing kernel callbacks’).
- [T1071] Application Layer Protocol – Use of Bitkub API to interface with cryptocurrency trading platforms (‘Qilin affiliate found using Bitkub API for trading and withdrawals’).
- [T1083] File and Directory Discovery – Enumeration of files and SMB shares with NetExec (‘NetExec spider and access SMB shares (get/put files)’).
- [T1113] Screen Capture – Ability to take screenshots via RDP with NetExec (‘Take screenshots via RDP (with or without NLA)’).
Indicators of Compromise
- [File Hashes] Mimikatz sample and parents – mimikatz.exe (MD5): 740bcca20cf9b4adb7e68fff4d51fc39; mido_template.html (MD5): 1a1ae9751240944cffccfd52a197d151; what.htm (MD5): bcb1cfc823007ae9b33adcc08d20c499
- [Domains] Qilin Affiliate Panel Onion Domain – ji57fr53anp7wb44tbbnp72qcgbhqywy4jmbncawdcrejj5amuvh3zqd.onion
- [Credentials] Affiliate login credentials – LOGIN: 2v_QeDl9tqEt4iNX0nm4pgpYtjnT7K, PASS: JQtfpDcYh38uSooHQo761oPxnEKYfVf4
Read more: https://theravenfile.com/2025/08/01/inside-qilin-ransomware-affiliates-panel/