NOTE: This article sticks strictly to the leaked scenario of the Qilin Ransomware Affiliate Panel and uncovers the affiliate Hastalamuerte's scope of interest for ransomware attacks.
INTRODUCTION
Qilin is a well-known Ransomware Group operating on the RaaS Model (Ransomware as a Service) since 2022, attacking 600+ victims including Palau Health Ministry 🇵🇼, Utsunomiya Cancer Center 🇯🇵, Lee Enterprises 🇺🇸, etc. As they work in the RaaS Model, the infection rate is relatively high (since more affiliates take part) when compared to individual players like Play.

INCIDENT
On 31st July 2025, a post appeared on a Dark Web forum where an affiliate member "hastalamuerte" wrote about an exit scam performed by the Qilin Group, defrauding them of $48K [Referenced from Twitter].
Here is the Login Panel:-

Here is the inside of the leaked Qilin Ransomware Affiliate Panel:-

Another user, who goes by the handle "Nova", gave away the Affiliate Panel along with its login credentials:-
Domain: ji57fr53anp7wb44tbbnp72qcgbhqywy4jmbncawdcrejj5amuvh3zqd.onion
LOGIN: 2v_QeDl9tqEt4iNX0nm4pgpYtjnT7K
PASS: JQtfpDcYh38uSooHQo761oPxnEKYfVf4
With the following message, posted in Russian (translated here):-
Their accounts are full of FBI agents and security researchers, and they use their own wallets, so you should understand that your money will be confiscated if you deposit funds into their accounts, especially if it is large amounts in the millions of dollars. Windows Defender quickly serves all programs at once, as it uses convenient build software, or at least for mobile devices, at least other combinations. Their security system will be confiscated along with all the money within a few minutes. If law enforcement agencies cooperate, information about the build software they use will soon be disclosed by researchers. Consider them the fraudulent operation of the future, and this is one of the clearest examples.

NOTE: It is important to note that NOVA is a new Ransomware Group that is quickly gaining traction by announcing Affiliate Panels and competing in the Ransomware Ecosystem. This type of "internal exposure" is common, as ransomware rivals try to magnify the OPSEC failures of their competitors.
FOUND MIMIKATZ SAMPLE IN QILIN RANSOMWARE OPERATION
During the investigation of the affiliate "hastalamuerte", I came across a few interesting findings. Among them, Mimikatz is a primary tool used by the affiliate in their operations.

I have uncovered the Mimikatz sample used by this affiliate, which is packed with Themida.
Below is the YARA rule (authored by ditekSHen) that detects Themida-packed executables; it fired on this sample:-
import "pe"

rule INDICATOR_EXE_Packed_Themida {
    meta:
        author = "ditekSHen"
        description = "Detects executables packed with Themida"
        snort2_sid = "930067-930069"
        snort3_sid = "930024"
    strings:
        $s1 = ".themida" fullword ascii
    condition:
        // Either an MZ file containing the ".themida" string,
        // or a PE with a section literally named ".themida"
        uint16(0) == 0x5a4d and all of them or
        for any i in (0 .. pe.number_of_sections) : (
            (
                pe.sections[i].name == ".themida"
            )
        )
}
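To show what the rule's condition actually checks (and how a defender can replicate it in a triage script where YARA is unavailable), here is an added example that is not part of the original article or ditekSHen's ruleset: a minimal pure-Python PE section-table walker that mirrors the two branches of the condition. The stub PE built by build_stub_pe is constructed for testing only and is not the affiliate's sample.

```python
import re
import struct

MZ_MAGIC = 0x5A4D           # "MZ" little-endian, same as uint16(0) == 0x5a4d in the rule
SECTION_HEADER_SIZE = 40    # IMAGE_SECTION_HEADER size
FULLWORD_THEMIDA = re.compile(rb"(?<![A-Za-z0-9])\.themida(?![A-Za-z0-9])")


def section_names(data: bytes) -> list:
    """Return the section names of a PE image; [] if the data is not a PE."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != MZ_MAGIC:
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_hdr_size          # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * SECTION_HEADER_SIZE:table + i * SECTION_HEADER_SIZE + 8]
        if len(raw) < 8:
            break                              # truncated section table
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def matches_themida_rule(data: bytes) -> bool:
    """Python equivalent of the YARA condition: (MZ and fullword '.themida') or a '.themida' section."""
    is_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == MZ_MAGIC
    has_string = FULLWORD_THEMIDA.search(data) is not None
    return (is_mz and has_string) or ".themida" in section_names(data)


def build_stub_pe(names: list) -> bytes:
    """Constructed test input: a minimal PE layout (not runnable code) with the given section names."""
    dos = struct.pack("<H", MZ_MAGIC) + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)      # no optional header
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    sample = build_stub_pe([b".text", b".themida", b".rsrc"])
    print(section_names(sample), matches_themida_rule(sample))
```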
The affiliate created this file and named it "mim.exe".

MD5: 740bcca20cf9b4adb7e68fff4d51fc39
SHA-1: 0312f6e6cbb37d44da3e15d528a21fe14f621095
SHA-256: 97f9b989c3b3d6f87120e7f550b29b205d23d052bf455379d8bb5b9a01b7d92f
Filename: mimikatz.exe
The file was uploaded to GitHub on July 27th, 2024, as is evident from the GitHub history, and it marks his/her first project on GitHub.

Upon inspecting deeper, I found 2 files as Execution Parents from which the Mimikatz sample was dropped:-

Execution Parent 1
MD5: 1a1ae9751240944cffccfd52a197d151
SHA-1: 8ad8def9bb887efd11ba959215bd705ff67b5abb
SHA-256: 7712d0305aef11256977c321f4e1b201652cdfc7d2ee5765ff24503f7525ad7e
Filename: mido_template.html

Execution Parent 2
MD5: bcb1cfc823007ae9b33adcc08d20c499
SHA-1: 83db493de9c0d91d7f3e86b3f0d24853ab34326e
SHA-256: b31bae87c6a2ad24380af9f6b7e57e05a631e73d8e063ae1ab476b0caec8a38c
Filename: what.htm

Upon execution of the above 2 samples, the following file was dropped:-
C:\Users\user\Downloads\file2.exe (copy)
This circles back to the same Mimikatz sample I found above.
NETEXECRU — The Russian Version of NetExec
This Repo was uploaded by the Threat Actor on 7th May 2025 with the title Шпаргалка по NetExec, which translates to NetExec Cheat Sheet in Russian. All the headlines in this repo are titled in Russian.

NetExec is a powerful open-source tool used primarily for network penetration testing, especially in Active Directory (AD) environments.
Capabilities of NetExec
- Scan for vulnerabilities across network services
- Enumerate users, groups, domains, trusts, and SCCM
- Perform password spraying across multiple protocols
- Authenticate and execute commands remotely
- Spider and access SMB shares (get/put files)
- Dump credentials and sensitive data (e.g., gMSA secrets)
- Exploit Active Directory Certificate Services (ESC8)
- Defeat LAPS (Local Administrator Password Solution)
- Impersonate logged-on users
- Change user passwords
- Dump local security questions
- Conduct Kerberos attacks (ASREPRoast, Kerberoasting, TGT generation)
- Exploit delegation misconfigurations (unconstrained, admin count)
- Extract DACL rights and subnet info
- Integrate with BloodHound for AD mapping
- Enumerate and exploit MSSQL servers
- Upload/download files via MSSQL, FTP, SSH, NFS
- Take screenshots via RDP (with or without NLA)
- Escape to root filesystem via NFS
- Enumerate Entra ID (Azure AD)
Considering how recent this repo is, it strongly suggests that the actor is targeting Windows environments.
BITKUB — SPECIAL INTEREST SPOTTED
The Qilin affiliate was also found using Bitkub, Thailand's top Bitcoin exchange. The repo in question is the Bitkub Python library, an API client for Bitkub with various functionalities such as trading, address creation, fiat deposit/withdrawal, and many more.
The threat actor might have a track record of dealing with Bitkub earlier.
GITHUB ACTIVITIES OF HASTALAMUERTE
Among the repos, there are a few forked projects, including php-mysql-dump, a tiny script to dump whole databases/tables in HTML format (with support for column names).
Interest in DeepSeek AI

Also, a query for SQLMap credentials:-

It is interesting to note that this affiliate is interested in Crypto-Trading which is evident from the “Starred Topics” by the Qilin Affiliate — Hastalamuerte.

Here is the list of projects used by the affiliate:-
- PowerHuntShares: An audit script designed to inventory, analyze, and report excessive privileges configured on Active Directory domains
- DonPAPI: Dumping DPAPI Creds remotely
- RealBlindingEDR: Disables or blinds antivirus and EDR systems by removing kernel-level callbacks using signed drivers
- Mythril: A symbolic-execution-based security analysis tool for EVM bytecode
- QwenLM: AI Model
- DeepSeek: AI Model
- Subfind: Subdomain Enumeration Tool
- MeshCentralInstaller: Windows installer for MeshCentral
- Javascript-Obfuscator-UI: A web UI to the JavaScript Obfuscator node.js package
- Find-GH-POC: Find CVE POCs on GitHub
- PyFuscator: Python source random obfuscation
- ChromeKatz: Dump cookies and credentials directly from Chrome/Edge process memory
- Chlonium: Chromium Cookie import / export tool
- PyPyCatz: Mimikatz implementation in pure Python
- SharpRDP: Remote Desktop Protocol .NET Console Application for Authenticated Command Execution
- XenoRAT: Xeno-RAT is an open-source remote access tool (RAT) developed in C#
- Caro-Kann: Encrypted shellcode Injection to avoid Kernel triggered memory scans
- GoPhish: Open-Source Phishing Toolkit
- SigmaPotato: SeImpersonate privilege escalation tool for Windows 8–11 and Windows Server 2012–2022 with extensive PowerShell and .NET reflection support
- EntropyReducer: Reduce entropy and obfuscate your payload with serialized linked lists
- ElusiveMice: Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind
- ipfuscator: A blazing-fast, thread-safe, straightforward and zero memory allocations tool to swiftly generate alternative IP(v4) address representations in Go
- HackBot: AI-powered cybersecurity chatbot designed to provide helpful and accurate answers to your cybersecurity-related queries and also do code analysis and scan analysis
- Malleable C2: Cobalt Strike Malleable C2 Design
- FollinaPY: POC to replicate the full ‘Follina’ Office RCE vulnerability for testing purposes
- Mubeng: An incredibly fast proxy checker & IP rotator with ease
- awvs14-scan: Batch scanning script developed for Acunetix AWVS scanner, supporting log4j vulnerabilities, SpringShell, SQL injection, XSS, weak passwords
- ScareCrow: Payload creation framework designed around EDR bypass
- Subra: A Web-UI for subdomain enumeration (subfinder)
- PetitPotato: Local privilege escalation via PetitPotam (Abusing impersonate privileges)
- Empire: Post-Exploitation and adversary emulation framework that is used to aid Red Teams and Penetration Testers
- Venom: C2 shellcode generator/compiler/handler
- FlareSolverr: Proxy server to bypass Cloudflare protection
- Amass: In-depth attack surface mapping and asset discovery
- Atlas: Quick SQLMap Tamper Suggester
- XSSer: Automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications
- TamperDev: Extension that allows you to intercept and edit HTTP/HTTPS requests and responses as they happen without the need of a proxy
- jSQL Injection: Java application for automatic SQL database injection
- SQLMap: Automatic SQL injection and database takeover tool
- OpenBullet: Webtesting suite that allows to perform requests towards a target webapp and offers a lot of tools to work with the results
While searching the Affiliate on other code-sharing platforms, we can see the interest:-

The above 2 projects are starred by the threat actor.
EXPLOIT INTEREST
These are the CVEs the threat actor interacted with on GitHub at various points in time. This does not mean the actor has definitely used them in Qilin operations, but the chances are high.
- CVE-2021-40444 (Remote Code Execution 0-day)
- CVE-2022-30190 (Follina)
- CVE-2023-36025 (Windows SmartScreen Security Feature Bypass Vulnerability)
- CVE-2024-30090 (Microsoft Streaming Service Elevation of Privilege Vulnerability)
- CVE-2025-53770 (SharePoint ToolShell Exploit)
CONCLUSION
From the leaked credentials and panel, it is found that the Affiliate Panel is also hosted on an NGINX server, and the same infrastructure is used by the Victim Panel. The login credentials follow the same format as those seen in the Victim Negotiation Panel.
RECOMMENDATION
- Monitor for Mimikatz packed with Themida
- Watch for NetExec usage, especially in non-red-team environments
- Correlate Bitkub API usage in suspicious contexts
- Use the YARA rule provided to detect obfuscated payloads
- Treat any use of the listed tools (e.g., DonPAPI, RealBlindingEDR) in combination as potential Qilin-affiliated activity
So if any of the above-mentioned tools are found in Qilin's victims' environments, you may refer to this as concrete evidence for attribution to the Qilin Ransomware Group.
NOTE:- The article is purely Individual Research and is only associated with THE RAVEN FILE and is not subjected to be used/published anywhere without the Author’s consent.