The ransomware landscape shifted dramatically in June 2025 as the Qilin ransomware group surged to become the most active threat actor, recording 81 victims, a 47.3% increase in activity compared to previous months. This Ransomware-as-a-Service operation, which has accumulated over 310 victims since its emergence, has distinguished itself through sophisticated attack methodologies and the strategic exploitation of critical infrastructure vulnerabilities. The group’s rapid ascension reflects the evolving nature of ransomware threats, where technical innovation and opportunistic targeting converge to create unprecedented cybersecurity challenges.

The group’s recent campaign has primarily leveraged critical vulnerabilities in Fortinet’s enterprise security appliances, specifically CVE-2024-21762 and CVE-2024-55591 in unpatched FortiGate and FortiProxy devices. These vulnerabilities enable authentication bypass and remote code execution, providing threat actors with direct pathways into enterprise networks. Despite CVE-2024-21762 being patched in February 2025, tens of thousands of systems remain exposed, creating an expansive attack surface that Qilin has systematically exploited through partially automated deployment mechanisms.

Cyfirma analysts identified that the campaign, observed intensively between May and June 2025, initially focused on Spanish-speaking regions but has since evolved into opportunistic targeting that transcends geographical and sectoral boundaries. The researchers noted that Qilin’s approach differs significantly from traditional ransomware operations, incorporating zero-day exploits and leveraging widely deployed perimeter security devices as primary attack vectors. This strategic pivot demonstrates the group’s technical maturity and its ability to adapt quickly to emerging vulnerabilities in enterprise environments.

The scope of Qilin’s operations extends beyond conventional ransomware deployment, encompassing a comprehensive cybercrime ecosystem that includes spam distribution, DDoS attacks, petabyte-scale data storage capabilities, and even in-house journalists for psychological pressure campaigns. The malware’s modular architecture supports automated negotiation tools and psychological pressure tactics, including the recently introduced “Call Lawyer” feature that simulates legal engagement during ransom negotiations, maximizing the psychological impact on victims while streamlining the extortion process. This multi-faceted approach positions Qilin to fill the operational vacuum left by defunct groups like LockBit and BlackCat, attracting affiliates and expanding its reach across global markets.

Qilin’s infection mechanism is a multi-stage process that begins with the systematic identification and exploitation of vulnerable Fortinet appliances. The attack chain initiates when threat actors conduct reconnaissance to identify unpatched FortiGate and FortiProxy devices exposed to the internet. Upon discovering vulnerable systems, the group leverages CVE-2024-21762’s authentication bypass to gain initial access without requiring valid credentials. The exploitation process involves sending specially crafted requests to the vulnerable Fortinet devices, enabling remote code execution that establishes a foothold within the target network. Once inside, Qilin’s payload, written in Rust and C, employs advanced persistence mechanisms including Safe Mode execution and network propagation capabilities.
Tushar is a Cyber security content editor with a passion for creating captivating and informative content.
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 12 Jul 2025 07:15:14 +0000