The cybercrime group behind the Qilin ransomware-as-a-service (RaaS) operation is now offering legal counsel for affiliates to increase pressure on victims to pay ransom. This move comes as the group aims to capitalize on the void left by other ransomware groups that have recently ceased operations.
According to Israeli cybersecurity company Cybereason, the new feature introduced by Qilin is a “Call Lawyer” function on the affiliate panel. This development marks a resurgence of the group, also known as Gold Feather and Water Galura, which has been active since October 2022.
Recent data from dark web leak sites reveals that Qilin had 72 victims in April 2025. In May, the group is estimated to be behind 55 attacks, ranking behind Safepay and Luna Moth. Qilin is also the third most active group after Cl0p and Akira this year, with a total of 304 victims, as reported by ransomware.live.
Qualys highlighted that Qilin’s marketplace is growing due to its mature ecosystem, extensive client support options, and effective ransomware attacks that demand significant payments.
It has been observed that affiliates previously associated with RansomHub have shifted to Qilin, leading to a surge in Qilin ransomware activity. The group’s infrastructure includes payloads developed in Rust and C, loaders with advanced evasion capabilities, and an affiliate panel offering various features such as Safe Mode execution and network spreading.
Qilin has expanded its services beyond ransomware by offering spam services, petabyte-scale data storage, legal guidance, and operational features, positioning itself as a comprehensive cybercrime platform.
The recent updates to the Qilin affiliate panel include a legal assistance feature, a team of in-house journalists, and the ability to conduct distributed denial-of-service (DDoS) attacks. Another notable addition is a tool for spamming corporate email addresses and phone numbers.
This feature expansion indicates Qilin’s efforts to establish itself as a full-fledged cybercrime service provider rather than just a ransomware group.
Recent developments also include an affiliate of Rhysida utilizing an open-source utility called Eye Pyramid C2, likely as a post-compromise tool to maintain access to compromised endpoints and deliver additional payloads.
Additionally, a threat actor known as “tinker” has been identified as a key player in the Black Basta ransomware group, involved in securing initial access to organizations and conducting phishing attacks to breach networks.
The recent extradition of a foreign member of the Ryuk ransomware group to the United States highlights law enforcement efforts to combat cybercrime. The suspect, arrested in Kyiv, was allegedly involved in searching for vulnerabilities in corporate networks to facilitate cyber attacks.
Furthermore, police in Thailand have arrested Chinese nationals and other suspects involved in a ransomware operation that targeted Chinese companies. Operating from a hotel in Pattaya, the suspects distributed malicious links to infect companies with ransomware.
Operation Firestorm in Thailand also led to the arrest of more than a dozen foreigners accused of running an online investment scam that defrauded victims in Australia.
These developments underscore the ongoing efforts by law enforcement agencies to combat cybercrime and protect individuals and organizations from malicious activities.



