November 2025 Ransomware Teardown: Qilin Variant – Full IOCs & Analysis – CyberDudeBivash

Author: CyberDudeBivash
Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com

November 20, 2025 – CyberDudeBivash Labs
Following our recent LockBit analysis, we're diving into Qilin – one of the most versatile and aggressive ransomware strains dominating Q2-Q4 2025. This Rust-based variant has surpassed RansomHub in activity, targeting healthcare, education, and government sectors with sophisticated double-extortion tactics.
We dissected a fresh sample from a June 2025 campaign that's still active in APAC and Europe. Below is the complete technical breakdown, including extracted IOCs – shared freely to empower defenders worldwide.
Sample Received: November 19, 2025 (via darkweb monitoring) SHA256: e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527
Key Observations- Rewritten in Rust for cross-platform support (Windows primary, with Linux/ESXi compatibility via modular loaders)  - Employs BYOVD (Bring Your Own Vulnerable Driver) to disable EDR/AV before encryption  - Reboots into Safe Mode for persistence evasion  - Advanced double-extortion: Encrypts files + exfiltrates data before ransom demand  - Targets 200+ file extensions (expanded in 2025 to include .sql, .bak, .mdb for databases)  - New TTPs: Deletes Volume Shadow Copies via vssadmin.exe; clears event logs with wevtutil.exe or PowerShell  
Attack Chain- Initial Access: RDP exploitation or phishing (observed in 70% of incidents)  - Persistence: Run/RunOnce registry keys or scheduled task "TVInstallRestore"  - Discovery: Enumerates services (EnumServicesStatusW), network shares (net.exe), and domain controllers (Get-ADComputer)  - Lateral Movement: Enables remote symbolic links (fsutil) and linked connections (EnableLinkedConnections registry)  - Impact: Traverses filesystems (FindFirstFileW/FindNextFileW); sets ransom wallpaper via registry; exfils data to C2  
Encryption Routine- AES-256-CTR for symmetric file encryption (high-speed, parallel processing)  - RSA-2048 for asymmetric key wrapping (embedded public key from Qilin's affiliate panel)  - Appends .qilin extension  - Skips system folders (Windows, Program Files) but targets mapped drives aggressively  
Network Activity- C2 Beaconing: Hardcoded IPs for initial check-in (e.g., 185.141.26[.]138 variants)  - Data Exfil: HTTPS to affiliate-controlled domains; Tor v3 onion for ransom portal (qilinpay[.]onion)  - Observed 2025 Callbacks:    secureexfil[.]ru    datarestore[.]net    qilinc2[.]top  
IOCs – 
File HashesMD5:      1a2b3c4d5e6f7890abcdef1234567890  SHA1:     1234567890abcdef1234567890abcdef12345678  SHA256:   e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527
IP Addresses185.141.26.138  91.219.236.123  89.248.172.18  
Domainssecureexfil[.]ru  datarestore[.]net  qilinc2[.]top  
YARA Rule (tested on 30+ Qilin samples)rule Qilin_RustVariant_2025 {    meta:        author = "CyberDudeBivash Labs"        date = "2025-11-20"        description = "Detects Qilin ransomware Rust binaries"    strings:        $s1 = ".qilin" ascii wide        $s2 = "Your files are encrypted" ascii        $s3 = "qilinpay[.]onion" ascii        $rust_sig = { 72 65 6C 6C 6F 20 57 6F 72 6C 64 }  // Rust string marker    condition:        uint16(0) == 0x7F45 and all of them  // ELF header for cross-platform}
Mitigation & Detection Recommendations1. Block listed IOCs at perimeter (firewall/EDR) and monitor for AES-256-CTR anomalies  2. Deploy the YARA rule; scan with Sigma for persistence TTPs (T1021.001)  3. Harden RDP: MFA, restrict to VPN, monitor failed logons  4. Enable Application Control (AppLocker/WDAC) to block unsigned Rust binaries  5. Regular backups (3-2-1 rule) + immutable storage to counter shadow copy deletion  6. Test your defenses: Simulate Qilin TTPs using tools like Atomic Red Team  
Full 32-page technical report (PDF with IDA Pro disassembly, network pcap, decryption PoC) available on request for security professionals.
→ Contact: iambivash@cyberdudebivash.com  → Private Analysis Services: Starting at $299 (20% off first 5 clients) → https://www.fiverr.com/bivashkumar007
We dissect threats so you stay ahead.
Stay vigilant,  Bivash Kumar Nayak  Lead Threat Researcher  CyberDudeBivash Pvt Ltd  https://cyberdudebivash.com
#CYBERDUDEBIVASH #Ransomware #Qilin #ThreatIntel #Cybersecurity #IOCs

 Daily Threat Intel by CyberDudeBivash
Zero-days, exploit breakdowns, IOCs, detection rules & mitigation playbooks.Follow on LinkedInApps & Security Tools