Blog
/
Network
/
July 4, 2024

A Busy Agenda: Darktrace's Detection of Qilin Ransomware as a Service Operator

This blog breaks down how Darktrace detected and analyzed Qilin, a Ransomware-as-a-Service group behind recent high-impact attacks. You’ll see how Qilin affiliates customize attacks with flexible encryption, process termination, and double-extortion techniques, as well as why its cross-platform builds in Rust and Golang make it especially evasive. Darktrace highlights three real-world cases where its AI identified likely Qilin activity across customer environments, offering insights into how behavioral detection can spot novel ransomware before disruption occurs. Readers will gain a clear view of Qilin’s toolkit, tactics, and how self-learning defense adapts to these evolving threats.
Written by
Alexandra Sentenac
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
04
Jul 2024

What is Qilin Ransomware and what's its impact?

Qilin ransomware has recently dominated discussions across the cyber security landscape following its deployment in an attack on Synnovis, a UK-based medical laboratory company. The ransomware attack ultimately affected patient services at multiple National Health Service (NHS) hospitals that rely on Synnovis diagnostic and pathology services. Qilin’s origins, however, date back further to October 2022 when the group was observed seemingly posting leaked data from its first known victim on its Dedicated Leak Site (DLS) under the name Agenda[1].

The Darktrace Threat Research team investigated network artifacts related to Qilin and identified three probable cases of the ransomware across the Darktrace customer base between June 2022 and May 2024.

How Qilin Ransowmare Operates as RaaS

Qilin operates as a Ransomware-as-a-Service (RaaS) that employs double extortion tactics, whereby harvested data is exfiltrated and threatened of publication on the group's DLS, which is hosted on Tor. Qilin ransomware has samples written in both the Golang and Rust programming languages, making it compilable with various operating systems, and is highly customizable.

Techniques Qilin Ransomware uses to avoid detection

When building Qilin ransomware variants to be used on their target(s), affiliates can configure settings such as:

  • Encryption modes (skip-step, percent, or speed)
  • File extensions, directories, or processes to exclude
  • Unique company IDs used as extensions on encrypted files
  • Services or processes to terminate during execution [1] [2].

    • Trend Micro analysts, who were the first to discover Qilin samples in August 2022, when the name "Agenda" was still used in ransom notes, found that each analyzed sample was customized for the intended victims and that "unique company IDs were used as extensions of encrypted files" [3]. This information is configurable from within the Qilin's affiliate panel's 'Targets' section, shown below.

    Qilin's affiliate panel and branding

    The panel's background image features the eponym Chinese legendary chimerical creature Qilin (pronounced “Ke Lin”). Despite this Chinese mythology reference, Russian language was observed being used by a Qilin operator in an underground forum post aimed at hiring affiliates and advertising their RaaS operation[2].

    Figure 1: Qilin ransomware’s affiliate panel.

    Qilin’s affiliate payment model

    Qilin's RaaS program purportedly has an attractive affiliates' payment structure,

    • Affiliates earn 80% of ransom payments under USD 3 million
    • Affiliates earn 85% of ransom payments above USD 3 million [2]

    Publication of stolen data and ransom payment negotiations are purportedly handled by Qilin operators. Qilin affiliates have been known to target companies located around the world and within a variety of industries, including critical sectors such as healthcare and energy.

    Qilin target industries and victims

    As Qilin is a RaaS operation, the choice of targets does not necessarily reflect Qilin operators' intentions, but rather that of its affiliates.  

    Similarly, the tactics, techniques, procedures (TTPs) and indicators of compromise (IoC) identified by Darktrace are associated with the given affiliate deploying Qilin ransomware for their own purpose, rather than TTPs and IoCs of the Qilin group. Likewise, initial vectors of infection may vary from affiliate to affiliate.

    Previous studies show that initial access to networks were gained via spear phishing emails or by leveraging exposed applications and interfaces.

    Differences have been observed in terms of data exfiltration and potential C2 external endpoints, suggesting the below investigations are not all related to the same group or actor(s).

    [related-resource]

    Darktrace’s threat research investigation

    Qlin ransomware attack breakdown

    June 2022: Qilin ransomware attack exploiting VPN and SCCM servers

    Key findings:

    • Initial access: VPN and compromised admin account
    • Lateral movement: SCCM and VMware ESXi hosts
    • Malware observed: SystemBC, Tofsee
    • Ransom notes: Linked to Qilin naming conventions
    • Darktrace visibility: Analysts worked with customer via Ask the Expert (ATE) to expand coverage, revealing unusual scanning, rare external connections, and malware indicators tied to Qilin

    Full story:

    Darktrace first detected an instance of Qilin ransomware back in June 2022, when an attacker was observed successfully accessing a customer’s Virtual Private Network (VPN) and compromising an administrative account, before using RDP to gain access to the customer’s Microsoft System Center Configuration Manager (SCCM) server.

    From there, an attack against the customer's VMware ESXi hosts was launched. Fortunately, a reboot of their virtual machines (VM) caught the attention of the security team who further uncovered that custom profiles had been created and remote scripts executed to change root passwords on their VM hosts. Three accounts were found to have been compromised and three systems encrypted by ransomware.  

    Unfortunately, Darktrace was not configured to monitor the affected subnets at the time of the attack. Despite this, the customer was able to work directly with Darktrace analysts via the Ask the Expert (ATE) service to add the subnets in question to Darktrace’s visibility, allowing it to monitor for any further unusual behavior.

    Once visibility over the compromised SCCM server was established, Darktrace observed:

    • A series of unusual network scanning activities  
    • The use of Kali (a Linux distribution designed for digital forensics and penetration testing).
    • Connections to multiple rare external hosts. Many of which were using the “[.]ru” Top Level Domain (TLD).

    One of the external destinations the server was attempting to connect was found to be related to SystemBC, a malware that turns infected hosts into SOCKS5 proxy bots and provides command-and-control (C2) functionality.

    Additionally, the server was observed making external connections over ports 993 and 143 (typically associated with the use of the Interactive Message Access Protocol (IMAP) to multiple rare external endpoints. This was likely due to the presence of Tofsee malware on the device.

    After the compromise had been contained, Darktrace identified several ransom notes following the naming convention “README-RECOVER-<extension/company_id>.txt”” on the network. This naming convention, as well as the similar “<company_id>-RECOVER-README.txt” have been referenced by open-source intelligence (OSINT) providers as associated with Qilin ransom notes[5] [6] [7].

    April 2023: Manufacturing sector breach with large-scale exfiltration

    Key findings:

    • Initial access & movement: Extensive scanning and lateral movement via SMB, RDP, and WMI
    • Credential abuse: Use of default credentials (admin, administrator)
    • Malware/Indicators: Evidence of Cobalt Strike; suspicious WebDAV user agent and JA3 fingerprint
    • Data exfiltration: ~30 GB stolen via SSL to MEGA cloud storage
    • Darktrace analysis: Detected anomalous SMB and DCE-RPC traffic from domain controller, high-volume RDP activity, and rare external connectivity to IPs tied to command-and-control (C2). Confirmed ransom notes followed Qilin naming conventions.

    Full story:

    The next case of Qilin ransomware observed by Darktrace took place in April 2023 on the network of a customer in the manufacturing sector in APAC. Unfortunately for the customer in this instance, Darktrace's Autonomous Response was not active on their environment and no autonomous actions were taken to contain the compromise.

    Over the course of two days, Darktrace identified a wide range of malicious activity ranging from extensive initial scanning and lateral movement attempts to the writing of ransom notes that followed the aforementioned naming convention (i.e., “README-RECOVER-<extension/company_id>.txt”).

    Darktrace observed two affected devices attempting to move laterally through the SMB, DCE-RPC and RDP network protocols. Default credentials (e.g., UserName, admin, administrator) were also observed in the large volumes of SMB sessions initiated by these devices. One of the target devices of these SMB connections was a domain controller, which was subsequently seen making suspicious WMI requests to multiple devices over DCE-RPC and enumerating SMB shares by binding to the ‘server service’ (srvsvc) named pipe to a high number of internal devices within a short time frame. The domain controller was further detected establishing an anomalously high number of connections to several internal devices, notably using the RDP administrative protocol via a default admin cookie.  

    Repeated connections over the HTTP and SSL protocol to multiple newly observed IPs located in the 184.168.123.0/24 range were observed, indicating C2 connectivity.  WebDAV user agent and a JA3 fingerprint potentially associated with Cobalt Strike were notably observed in these connections. A few hours later, Darktrace detected additional suspicious external connections, this time to IPs associated with the MEGA cloud storage solution. Storage solutions such as MEGA are often abused by attackers to host stolen data post exfiltration. In this case, the endpoints were all rare for the network, suggesting this solution was not commonly used by legitimate users. Around 30 GB of data was exfiltrated over the SSL protocol.

    Darktrace did not observe any encryption-related activity on this customer’s network, suggesting that encryption may have taken place locally or within network segments not monitored by Darktrace.

    May 2024: US enterprise compromise

    Key findings:

    • Initial access & movement: Abuse of administrative and default credentials; lateral movement via DCE-RPC and RDP
    • Malware/Indicators: Suspicious executables (‘a157496.exe’, ‘83b87b2.exe’); abuse of RPC service LSM_API_service
    • Data exfiltration: Large amount of data exfiltrated via FTP and other channels to rare external endpoint (194.165.16[.]13)
    • C2 communications: HTTP/SSL traffic linked to Cobalt Strike, including PowerShell request for sihost64.dll
    • Darktrace analysis: Flagged unusual SMB writes, malicious file transfers, and large-scale exfiltration as highly anomalous. Confirmed widespread encryption activity targeting numerous devices and shares.

    Full story:

    The most recent instance of Qilin observed by Darktrace took place in May 2024 and involved a customer in the US.

    In this case, Darktrace initially detected affected devices using unusual administrative and default credentials. Then Darktrace observed additional Internal systems conducting abnormal activity such as:

    • Making extensive suspicious DCE-RPC requests to a range of internal locations
    • Performing network scanning
    • Making unusual internal RDP connections
    • And transferring suspicious executable files like 'a157496.exe' and '83b87b2.exe'.  

    SMB writes of the file "LSM_API_service" were also observed, activity which was considered 100% unusual by Darktrace; this is an RPC service that can be abused to enumerate logged-in users and steal their tokens. Various repeated connections likely representative of C2 communications were detected via both HTTP and SSL to rare external endpoints linked in OSINT to Cobalt Strike use. During these connections, HTTP GET requests for the following URIs were observed:

    /asdffHTTPS

    /asdfgdf

    /asdfgHTTP

    /download/sihost64.dll

    Notably, this included a GET request a DLL file named "sihost64.dll" from a domain controller using PowerShell.  

    Over 102 GB of data may have been transferred to another previously unseen endpoint, 194.165.16[.]13, via the unencrypted File Transfer Protocol (FTP). Additionally, many non-FTP connections to the endpoint could be observed, over which more than 783 GB of data was exfiltrated. Regarding file encryption activity, a wide range of destination devices and shares were targeted.

    Figure 2: Advanced Search graph displaying the total volume of data transferred over FTP to a malicious IP.

    During investigations, Darktrace’s Threat Research team identified an additional customer, also based in the United States, where similar data exfiltration activity was observed in April 2024. Although no indications of ransomware encryption were detected on the network, multiple similarities were observed with the case discussed just prior. Notably, the same exfiltration IP and protocol (194.165.16[.]13 and FTP, respectively) were identified in both cases. Additional HTTP connectivity was further observed to another IP using a self-signed certificate (i.e., CN=ne[.]com,OU=key operations,O=1000,L=,ST=,C=KM) located within the same ASN (i.e., AS48721 Flyservers S.A.). Some of the URIs seen in the GET requests made to this endpoint were the same as identified in that same previous case.

    Information regarding another device also making repeated connections to the same IP was described in the second event of the same Cyber AI Analyst incident. Following this C2 connectivity, network scanning was observed from a compromised domain controller, followed by additional reconnaissance and lateral movement over the DCE-RPC and SMB protocols. Darktrace again observed SMB writes of the file "LSM_API_service", as in the previous case, activity which was also considered 100% unusual for the network. These similarities suggest the same actor or affiliate may have been responsible for activity observed, even though no encryption was observed in the latter case.

    Figure 3: First event of the Cyber AI Analyst investigation following the compromise activity.

    According to researchers at Microsoft, some of the IoCs observed on both affected accounts are associated with Pistachio Tempest, a threat actor reportedly associated with ransomware distribution. The Microsoft threat actor naming convention uses the term "tempest" to reference criminal organizations with motivations of financial gain that are not associated with high confidence to a known non-nation state or commercial entity. While Pistachio Tempest’s TTPs have changed over time, their key elements still involve ransomware, exfiltration, and extortion. Once they've gained access to an environment, Pistachio Tempest typically utilizes additional tools to complement their use of Cobalt Strike; this includes the use of the SystemBC RAT and the SliverC2 framework, respectively. It has also been reported that Pistacho Tempest has experimented with various RaaS offerings, which recently included Qilin ransomware[4].

    Conclusion

    Qilin is a RaaS group that has gained notoriety recently due to high-profile attacks perpetrated by its affiliates. Despite this, the group likely includes affiliates and actors who were previously associated with other ransomware groups. These individuals bring their own modus operandi and utilize both known and novel TTPs and IoCs that differ from one attack to another.

    Darktrace’s anomaly-based technology is inherently threat-agnostic, treating all RaaS variants equally regardless of the attackers’ tools and infrastructure. Deviations from a device’s ‘learned’ pattern of behavior during an attack enable Darktrace to detect and contain potentially disruptive ransomware attacks.

    [related-resource]

    Credit to: Alexandra Sentenac, Emma Foulger, Justin Torres, Min Kim, Signe Zaharka for their contributions.

    References

    [1] https://www.sentinelone.com/anthology/agenda-qilin/  

    [2] https://www.group-ib.com/blog/qilin-ransomware/

    [3] https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html

    [4] https://www.microsoft.com/en-us/security/security-insider/pistachio-tempest

    [5] https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html

    [6] https://www.bleepingcomputer.com/forums/t/790240/agenda-qilin-ransomware-id-random-10-char;-recover-readmetxt-support/

    [7] https://github.com/threatlabz/ransomware_notes/tree/main/qilin

    Darktrace Model Detections

    Internal Reconnaissance

    Device / Suspicious SMB Scanning Activity

    Device / Network Scan

    Device / RDP Scan

    Device / ICMP Address Scan

    Device / Suspicious Network Scan Activity

    Anomalous Connection / SMB Enumeration

    Device / New or Uncommon WMI Activity

    Device / Attack and Recon Tools

    Lateral Movement

    Device / SMB Session Brute Force (Admin)

    Device / Large Number of Model Breaches from Critical Network Device

    Device / Multiple Lateral Movement Model Breaches

    Anomalous Connection / Unusual Admin RDP Session

    Device / SMB Lateral Movement

    Compliance / SMB Drive Write

    Anomalous Connection / New or Uncommon Service Control

    Anomalous Connection / Anomalous DRSGetNCChanges Operation

    Anomalous Server Activity / Domain Controller Initiated to Client

    User / New Admin Credentials on Client

    C2 Communication

    Anomalous Server Activity / Outgoing from Server

    Anomalous Connection / Multiple Connections to New External TCP Port

    Anomalous Connection / Anomalous SSL without SNI to New External

    Anomalous Connection / Rare External SSL Self-Signed

    Device / Increased External Connectivity

    Unusual Activity / Unusual External Activity

    Compromise / New or Repeated to Unusual SSL Port

    Anomalous Connection / Multiple Failed Connections to Rare Endpoint

    Device / Suspicious Domain

    Device / Increased External Connectivity

    Compromise / Sustained SSL or HTTP Increase

    Compromise / Botnet C2 Behaviour

    Anomalous Connection / POST to PHP on New External Host

    Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

    Anomalous File / EXE from Rare External Location

    Exfiltration

    Unusual Activity / Enhanced Unusual External Data Transfer

    Anomalous Connection / Data Sent to Rare Domain

    Unusual Activity / Unusual External Data Transfer

    Anomalous Connection / Uncommon 1 GiB Outbound

    Unusual Activity / Unusual External Data to New Endpoint

    Compliance / FTP / Unusual Outbound FTP

    File Encryption

    Compromise / Ransomware / Suspicious SMB Activity

    Anomalous Connection / Sustained MIME Type Conversion

    Anomalous File / Internal / Additional Extension Appended to SMB File

    Compromise / Ransomware / Possible Ransom Note Write

    Compromise / Ransomware / Possible Ransom Note Read

    Anomalous Connection / Suspicious Read Write Ratio

    IoC List

    IoC – Type – Description + Confidence

    93.115.25[.]139 IP C2 Server, likely associated with SystemBC

    194.165.16[.]13 IP Probable Exfiltration Server

    91.238.181[.]230 IP C2 Server, likely associated with Cobalt Strike

    ikea0[.]com Hostname C2 Server, likely associated with Cobalt Strike

    lebondogicoin[.]com Hostname C2 Server, likely associated with Cobalt Strike

    184.168.123[.]220 IP Possible C2 Infrastructure

    184.168.123[.]219 IP Possible C2 Infrastructure

    184.168.123[.]236 IP Possible C2 Infrastructure

    184.168.123[.]241 IP Possible C2 Infrastructure

    184.168.123[.]247 IP Possible C2 Infrastructure

    184.168.123[.]251 IP Possible C2 Infrastructure

    184.168.123[.]252 IP Possible C2 Infrastructure

    184.168.123[.]229 IP Possible C2 Infrastructure

    184.168.123[.]246 IP Possible C2 Infrastructure

    184.168.123[.]230 IP Possible C2 Infrastructure

    gfs440n010.userstorage.me ga.co[.]nz Hostname Possible Exfiltration Server. Not inherently malicious; associated with MEGA file storage.

    gfs440n010.userstorage.me ga.co[.]nz Hostname Possible Exfiltration Server. Not inherently malicious; associated with MEGA file storage.

    Get the latest insights on emerging cyber threats

    This report explores the latest trends shaping the cybersecurity landscape and what defenders need to know in 2025

    Written by
    Alexandra Sentenac
    Cyber Analyst
    Inside the SOC
    Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
    Written by
    Alexandra Sentenac
    Cyber Analyst

    Xillen Stealer Updates to Version 5 to Evade AI Detection

    Network
    November 20, 2025
    Tara Gould
    Threat Researcher
    Watch the NIS2 Webinar
    Trending blogs
    1
    Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability
    Jul 2, 2025
    2
    Darktrace Recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Network Detection and Response
    Jun 2, 2025
    3
    Evaluating Email Security: How to Select the Best Solution for Your Organization
    May 21, 2025
    4
    2025 Cyber Threat Landscape: Darktrace’s Mid-Year Review
    Aug 5, 2025
    5
    Introducing the AI Maturity Model for Cybersecurity
    Jul 16, 2025

    More in this series

    No items found.
    Continue reading
    Network
    November 20, 2025

    Xillen Stealer Updates to Version 5 to Evade AI Detection

    Xillen Stealer v4/v5 introduces advanced features to evade AI detection, steal credentials, cryptocurrency, and sensitive data across browsers, password managers, and cloud environments. With polymorphic engines, container persistence, and behavioral mimicking, this Python-based malware highlights evolving threats and future AI integration in cybercrime campaigns.
    Tara Gould
    Threat Researcher
    Read more
    Network
    November 12, 2025

    Unmasking Vo1d: Inside Darktrace’s Botnet Detection

    Earlier this year, Darktrace investigated the Vo1d malware campaign, tracing its activity from DGA-based DNS beaconing to major cloud infrastructure and ultimately to its C2 server communications. This blog explores how Darktrace detected Vo1d and presents a detailed timeline of Cyber AI Analyst’s investigation.
    Christina Kreza
    Cyber Analyst
    Read more
    Network
    November 6, 2025

    Darktrace Named the Only 2025 Gartner® Peer Insights™ Customers’ Choice for Network Detection and Response

    Darktrace has been named the only Customers’ Choice in the 2025 Gartner® Peer Insights™ Voice of the Customer for Network Detection and Response, earning a 4.8/5 rating from 242 reviews and being named both Gartner Customers’ Choice and a Magic Quadrant Leader recognition.
    Mikey Anderson
    Product Marketing Manager, Network Detection & Response
    Read more

    Blog

    /

    OT

    /

    November 20, 2025

    Managing OT Remote Access with Zero Trust Control & AI Driven Detection

    managing OT remote access with zero trust control and ai driven detectionDefault blog imageDefault blog image

    The shift toward IT-OT convergence

    Recently, industrial environments have become more connected and dependent on external collaboration. As a result, truly air-gapped OT systems have become less of a reality, especially when working with OEM-managed assets, legacy equipment requiring remote diagnostics, or third-party integrators who routinely connect in.

    This convergence, whether it’s driven by digital transformation mandates or operational efficiency goals, are making OT environments more connected, more automated, and more intertwined with IT systems. While this convergence opens new possibilities, it also exposes the environment to risks that traditional OT architectures were never designed to withstand.

    The modernization gap and why visibility alone isn’t enough

    The push toward modernization has introduced new technology into industrial environments, creating convergence between IT and OT environments, and resulting in a lack of visibility. However, regaining that visibility is just a starting point. Visibility only tells you what is connected, not how access should be governed. And this is where the divide between IT and OT becomes unavoidable.

    Security strategies that work well in IT often fall short in OT, where even small missteps can lead to environmental risk, safety incidents, or costly disruptions. Add in mounting regulatory pressure to enforce secure access, enforce segmentation, and demonstrate accountability, and it becomes clear: visibility alone is no longer sufficient. What industrial environments need now is precision. They need control. And they need to implement both without interrupting operations. All this requires identity-based access controls, real-time session oversight, and continuous behavioral detection.

    The risk of unmonitored remote access

    This risk becomes most evident during critical moments, such as when an OEM needs urgent access to troubleshoot a malfunctioning asset.

    Under that time pressure, access is often provisioned quickly with minimal verification, bypassing established processes. Once inside, there’s little to no real-time oversight of user actions whether they’re executing commands, changing configurations, or moving laterally across the network. These actions typically go unlogged or unnoticed until something breaks. At that point, teams are stuck piecing together fragmented logs or post-incident forensics, with no clear line of accountability.  

    In environments where uptime is critical and safety is non-negotiable, this level of uncertainty simply isn’t sustainable.

    The visibility gap: Who’s doing what, and when?

    The fundamental issue we encounter is the disconnect between who has access and what they are doing with it.  

    Traditional access management tools may validate credentials and restrict entry points, but they rarely provide real-time visibility into in-session activity. Even fewer can distinguish between expected vendor behavior and subtle signs of compromise, misuse or misconfiguration.  

    As a result, OT and security teams are often left blind to the most critical part of the puzzle, intent and behavior.

    Closing the gaps with zero trust controls and AI‑driven detection

    Managing remote access in OT is no longer just about granting a connection, it’s about enforcing strict access parameters while continuously monitoring for abnormal behavior. This requires a two-pronged approach: precision access control, and intelligent, real-time detection.

    Zero Trust access controls provide the foundation. By enforcing identity-based, just-in-time permissions, OT environments can ensure that vendors and remote users only access the systems they’re explicitly authorized to interact with, and only for the time they need. These controls should be granular enough to limit access down to specific devices, commands, or functions. By applying these principles consistently across the Purdue Model, organizations can eliminate reliance on catch-all VPN tunnels, jump servers, and brittle firewall exceptions that expose the environment to excess risk.

    Access control is only one part of the equation

    Darktrace / OT complements zero trust controls with continuous, AI-driven behavioral detection. Rather than relying on static rules or pre-defined signatures, Darktrace uses Self-Learning AI to build a live, evolving understanding of what’s “normal” in the environment, across every device, protocol, and user. This enables real-time detection of subtle misconfigurations, credential misuse, or lateral movement as they happen, not after the fact.

    By correlating user identity and session activity with behavioral analytics, Darktrace gives organizations the full picture: who accessed which system, what actions they performed, how those actions compared to historical norms, and whether any deviations occurred. It eliminates guesswork around remote access sessions and replaces it with clear, contextual insight.

    Importantly, Darktrace distinguishes between operational noise and true cyber-relevant anomalies. Unlike other tools that lump everything, from CVE alerts to routine activity, into a single stream, Darktrace separates legitimate remote access behavior from potential misuse or abuse. This means organizations can both audit access from a compliance standpoint and be confident that if a session is ever exploited, the misuse will be surfaced as a high-fidelity, cyber-relevant alert. This approach serves as a compensating control, ensuring that even if access is overextended or misused, the behavior is still visible and actionable.

    If a session deviates from learned baselines, such as an unusual command sequence, new lateral movement path, or activity outside of scheduled hours, Darktrace can flag it immediately. These insights can be used to trigger manual investigation or automated enforcement actions, such as access revocation or session isolation, depending on policy.

    This layered approach enables real-time decision-making, supports uninterrupted operations, and delivers complete accountability for all remote activity, without slowing down critical work or disrupting industrial workflows.

    Where Zero Trust Access Meets AI‑Driven Oversight:

    • Granular Access Enforcement: Role-based, just-in-time access that aligns with Zero Trust principles and meets compliance expectations.
    • Context-Enriched Threat Detection: Self-Learning AI detects anomalous OT behavior in real time and ties threats to access events and user activity.
    • Automated Session Oversight: Behavioral anomalies can trigger alerting or automated controls, reducing time-to-contain while preserving uptime.
    • Full Visibility Across Purdue Layers: Correlated data connects remote access events with device-level behavior, spanning IT and OT layers.
    • Scalable, Passive Monitoring: Passive behavioral learning enables coverage across legacy systems and air-gapped environments, no signatures, agents, or intrusive scans required.

    Complete security without compromise

    We no longer have to choose between operational agility and security control, or between visibility and simplicity. A Zero Trust approach, reinforced by real-time AI detection, enables secure remote access that is both permission-aware and behavior-aware, tailored to the realities of industrial operations and scalable across diverse environments.

    Because when it comes to protecting critical infrastructure, access without detection is a risk and detection without access control is incomplete.

    Continue reading
    About the author
    Pallavi Singh
    Product Marketing Manager, OT Security & Compliance

    Blog

    /

    Network

    /

    November 21, 2025

    Xillen Stealer Updates to Version 5 to Evade AI Detection

    xillen stealer updates to version 5 to evade ai detectionDefault blog imageDefault blog image

    Introduction

    Python-based information stealer “Xillen Stealer” has recently released versions 4 and 5, expanding its targeting and functionality. The cross-platform infostealer, originally reported by Cyfirma in September 2025, targets sensitive data including credentials, cryptocurrency wallets, system information, browser data and employs anti-analysis techniques.  

    The update to v4/v5 includes significantly more functionality, including:

    • Persistence
    • Ability to steal credentials from password managers, social media accounts, browser data (history, cookies and passwords) from over 100 browsers, cryptocurrency from over 70 wallets
    • Kubernetes configs and secrets
    • Docker scanning
    • Encryption
    • Polymorphism
    • System hooks
    • Peer-to-Peer (P2P) Command-and-Control (C2)
    • Single Sign-On (SSO) collector
    • Time-Based One-Time Passwords (TOTP) and biometric collection
    • EDR bypass
    • AI evasion
    • Interceptor for Two-Factor Authentication (2FA)
    • IoT scanning
    • Data exfiltration via Cloud APIs

    Xillen Stealer is marketed on Telegram, with different licenses available for purchase. Users who deploy the malware have access to a professional-looking GUI that enables them to view exfiltrated data, logs, infections, configurations and subscription information.

    Screenshot of the Xillen Stealer portal.
    Figure 1: Screenshot of the Xillen Stealer portal.

    Technical analysis

    The following technical analysis examines some of the interesting functions of Xillen Stealer v4 and v5. The main functionality of Xillen Stealer is to steal cryptocurrency, credentials, system information, and account information from a range of stores.

    Xillen Stealer specifically targets the following wallets and browsers:

    AITargetDectection

    Screenshot of Xillen Stealer’s AI Target detection function.
    Figure 2: Screenshot of Xillen Stealer’s AI Target detection function.

    The ‘AITargetDetection’ class is intended to use AI to detect high-value targets based on weighted indicators and relevant keywords defined in a dictionary. These indicators include “high value targets”, like cryptocurrency wallets, banking data, premium accounts, developer accounts, and business emails. Location indicators include high-value countries such as the United States, United Kingdom, Germany and Japan, along with cryptocurrency-friendly countries and financial hubs. Wealth indicators such as keywords like CEO, trader, investor and VIP have also been defined in a dictionary but are not in use at this time, pointing towards the group’s intent to develop further in the future.

    While the class is named ‘AITargetDetection’ and includes placeholder functions for initializing and training a machine learning model, there is no actual implementation of machine learning. Instead, the system relies entirely on rule-based pattern matching for detection and scoring. Even though AI is not actually implemented in this code, it shows how malware developers could use AI in future malicious campaigns.

    Screenshot of dead code function.
    Figure 3: Screenshot of dead code function.

    AI Evasion

    Screenshot of AI evasion function to create entropy variance.
    Figure 4: Screenshot of AI evasion function to create entropy variance.

    ‘AIEvasionEngine’ is a module designed to help malware evade AI-based or behavior-based detection systems, such as EDRs and sandboxes. It mimics legitimate user and system behavior, injects statistical noise, randomizes execution patterns, and camouflages resource usage. Its goal is to make the malware appear benign to machine learning detectors. The techniques used to achieve this are:

    • Behavioral Mimicking: Simulates user actions (mouse movement, fake browser use, file/network activity)
    • Noise Injection: Performs random memory, CPU, file, and network operations to confuse behavioral classifiers
    • Timing Randomization: Introduces irregular delays and sleep patterns to avoid timing-based anomaly detection
    • Resource Camouflage: Adjusts CPU and memory usage to imitate normal apps (such as browsers, text editors)
    • API Call Obfuscation: Random system API calls and pattern changes to hide malicious intent
    • Memory Access Obfuscation: Alters access patterns and entropy to bypass ML models monitoring memory behavior

    PolymorphicEngine

    As part of the “Rust Engine” available in Xillen Stealer is the Polymorphic Engine. The ‘PolymorphicEngine’ struct implements a basic polymorphic transformation system designed for obfuscation and detection evasion. It uses predefined instruction substitutions, control-flow pattern replacements, and dead code injection to produce varied output. The mutate_code() method scans input bytes and replaces recognized instruction patterns with randomized alternatives, then applies control flow obfuscation and inserts non-functional code to increase variability. Additional features include string encryption via XOR and a stub-based packer.

    Collectors

    DevToolsCollector

    Figure 5: Screenshot of Kubernetes data function.

    The ‘DevToolsCollector’ is designed to collect sensitive data related to a wide range of developer tools and environments. This includes:

    IDE configurations

    • VS Code, VS Code Insiders, Visual Studio
    • JetBrains: Intellij, PyCharm, WebStorm
    • Sublime
    • Atom
    • Notepad++
    • Eclipse

    Cloud credentials and configurations

    • AWS
    • GCP
    • Azure
    • Digital Ocean
    • Heroku

    SSH keys

    Docker & Kubernetes configurations

    Git credentials

    Database connection information

    • HeidiSQL
    • Navicat
    • DBeaver
    • MySQL Workbench
    • pgAdmin

    API keys from .env files

    FTP configs

    • FileZilla
    • WinSCP
    • Core FTP

    VPN configurations

    • OpenVPN
    • WireGuard
    • NordVPN
    • ExpressVPN
    • CyberGhost

    Container persistence

    Screenshot of Kubernetes inject function.
    Figure 6: Screenshot of Kubernetes inject function.

    Biometric Collector

    Screenshot of the ‘BiometricCollector’ function.
    Figure 7: Screenshot of the ‘BiometricCollector’ function.

    The ‘BiometricCollector’ attempts to collect biometric information from Windows systems by scanning the C:\Windows\System32\WinBioDatabase directory, which stores Windows Hello and other biometric configuration data. If accessible, it reads the contents of each file, encodes them in Base64, preparing them for later exfiltration. While the data here is typically encrypted by Windows, its collection indicates an attempt to extract sensitive biometric data.

    Password Managers

    The ‘PasswordManagerCollector’ function attempts to steal credentials stored in password managers including, OnePass, LastPass, BitWarden, Dashlane, NordPass and KeePass. However, this function is limited to Windows systems only.

    SSOCollector

    The ‘SSOCollector’ class is designed to collect authentication tokens related to SSO systems. It targets three main sources: Azure Active Directory tokens stored under TokenBroker\Cache, Kerberos tickets obtained through the klist command, and Google Cloud authentication data in user configuration folders. For each source, it checks known directories or commands, reads partial file contents, and stores the results as in a dictionary. Once again, this function is limited to Windows systems.

    TOTP Collector

    The ‘TOTP Collector’ class attempts to collect TOTPs from:

    • Authy Desktop by locating and reading from Authy.db SQLite databases
    • Microsoft Authenticator by scanning known application data paths for stored binary files
    • TOTP-related Chrome extensions by searching LevelDB files for identifiable keywords like “gauth” or “authenticator”.

    Each method attempts to locate relevant files, parse or partially read their contents, and store them in a dictionary under labels like authy, microsoft_auth, or chrome_extension. However, as before, this is limited to Windows, and there is no handling for encrypted tokens.

    Enterprise Collector

    The ‘EnterpriseCollector’ class is used to extract credentials related to an enterprise Windows system. It targets configuration and credential data from:

    • VPN clients
      • Cisco AnyConnect, OpenVPN, Forticlient, Pulse Secure
    • RDP credentials
    • Corporate certificates
    • Active Directory tokens
    • Kerberos tickets cache

    The files and directories are located based on standard environment variables with their contents read in binary mode and then encoded in Base64.

    Super Extended Application Collector

    The ‘SuperExtendedApplication’ Collector class is designed to scan an environment for 160 different applications on a Windows system. It iterates through the paths of a wide range of software categories including messaging apps, cryptocurrency wallets, password managers, development tools, enterprise tools, gaming clients, and security products. The list includes but is not limited to Teams, Slack, Mattermost, Zoom, Google Meet, MS Office, Defender, Norton, McAfee, Steam, Twitch, VMWare, to name a few.

    Bypass

    AppBoundBypass

    This code outlines a framework for bypassing App Bound protections, Google Chrome' s cookie encryption. The ‘AppBoundBypass’ class attempts several evasion techniques, including memory injection, dynamic-link library (DLL) hijacking, process hollowing, atom bombing, and process doppelgänging to impersonate or hijack browser processes. As of the time of writing, the code contains multiple placeholders, indicating that the code is still in development.

    Steganography

    The ‘SteganographyModule’ uses steganography (hiding data within an image) to hide the stolen data, staging it for exfiltration. Multiple methods are implemented, including:

    • Image steganography: LSB-based hiding
    • NTFS Alternate Data Streams
    • Windows Registry Keys
    • Slack space: Writing into unallocated disk cluster space
    • Polyglot files: Appending archive data to images
    • Image metadata: Embedding data in EXIF tags
    • Whitespace encoding: Hiding binary in trailing spaces of text files

    Exfiltration

    CloudProxy

    Screenshot of the ‘CloudProxy’ class.
    Figure 8: Screenshot of the ‘CloudProxy’ class.

    The CloudProxy class is designed for exfiltrating data by routing it through cloud service domains. It encodes the input data using Base64, attaches a timestamp and SHA-256 signature, and attempts to send this payload as a JSON object via HTTP POST requests to cloud URLs including AWS, GCP, and Azure, allowing the traffic to blend in. As of the time of writing, these public facing URLs do not accept POST requests, indicating that they are placeholders meant to be replaced with attacker-controlled cloud endpoints in a finalized build.

    P2PEngine

    Screenshot of the P2PEngine.
    Figure 9: Screenshot of the P2PEngine.

    The ‘P2PEngine’ provides multiple methods of C2, including embedding instructions within blockchain transactions (such as Bitcoin OP_RETURN, Ethereum smart contracts), exfiltrating data via anonymizing networks like Tor and I2P, and storing payloads on IPFS (a distributed file system). It also supports domain generation algorithms (DGA) to create dynamic .onion addresses for evading detection.

    After a compromise, the stealer creates both HTML and TXT reports containing the stolen data. It then sends these reports to the attacker’s designated Telegram account.

    Xillen Killers

     Xillen Killers.
    FIgure 10: Xillen Killers.

    Xillen Stealer appears to be developed by a self-described 15-year-old “pentest specialist” “Beng/jaminButton” who creates TikTok videos showing basic exploits and open-source intelligence (OSINT) techniques. The group distributing the information stealer, known as “Xillen Killers”, claims to have 3,000 members. Additionally, the group claims to have been involved in:

    • Analysis of Project DDoSia, a tool reportedly used by the NoName057(16) group, revealing that rather functioning as a distributed denial-of-service (DDos) tool, it is actually a remote access trojan (RAT) and stealer, along with the identification of involved individuals.
    • Compromise of doxbin.net in October 2025.
    • Discovery of vulnerabilities on a Russian mods site and a Ukrainian news site

    The group, which claims to be part of the Russian IT scene, use Telegram for logging, marketing, and support.

    Conclusion

    While some components of XillenStealer remain underdeveloped, the range of intended feature set, which includes credential harvesting, cryptocurrency theft, container targeting, and anti-analysis techniques, suggests that once fully developed it could become a sophisticated stealer. The intention to use AI to help improve targeting in malware campaigns, even though not yet implemented, indicates how threat actors are likely to incorporate AI into future campaigns.  

    Credit to Tara Gould (Threat Research Lead)
    Edited by Ryan Traill (Analyst Content Lead)

    Appendicies

    Indicators of Compromise (IoCs)

    395350d9cfbf32cef74357fd9cb66134 - confid.py

    F3ce485b669e7c18b66d09418e979468 - stealer_v5_ultimate.py

    3133fe7dc7b690264ee4f0fb6d867946 - xillen_v5.exe

    https://github[.]com/BengaminButton/XillenStealer

    https://github[.]com/BengaminButton/XillenStealer/commit/9d9f105df4a6b20613e3a7c55379dcbf4d1ef465

    MITRE ATT&CK

    ID Technique

    T1059.006 - Python

    T1555 - Credentials from Password Stores

    T1555.003 - Credentials from Password Stores: Credentials from Web Browsers

    T1555.005 - Credentials from Password Stores: Password Managers

    T1649 - Steal or Forge Authentication Certificates

    T1558 - Steal or Forge Kerberos Tickets

    T1539 - Steal Web Session Cookie

    T1552.001 - Unsecured Credentials: Credentials In Files

    T1552.004 - Unsecured Credentials: Private Keys

    T1552.005 - Unsecured Credentials: Cloud Instance Metadata API

    T1217 - Browser Information Discovery

    T1622 - Debugger Evasion

    T1082 - System Information Discovery

    T1497.001 - Virtualization/Sandbox Evasion: System Checks

    T1115 - Clipboard Data

    T1001.002 - Data Obfuscation: Steganography

    T1567 - Exfiltration Over Web Service

    T1657 - Financial Theft

    Continue reading
    About the author
    Tara Gould
    Threat Researcher
    Your data. Our AI.
    Elevate your network security with Darktrace AI