The threat actors behind the Qilin ransomware-as-a-service (RaaS) scheme are now offering legal counsel for affiliates to put more pressure on victims to pay up, as the cybercrime group intensifies its activity and tries to fill the void left by its rivals.
The new capability takes the form of a “Call Lawyer” button on the affiliate panel, per Israeli cybersecurity company Cybereason.
The development represents a newfound resurgence of the e-crime group as once-popular ransomware groups like LockBit, Black Cat, RansomHub, Everest, and BlackLock have suffered abrupt cessations, operational failures, and defacements. The group, also tracked as Gold Feather and Water Galura, has been active since October 2022.
Data compiled from the dark web leak sites run by ransomware groups shows that Qilin led with 72 victims in April 2025. In May, it is estimated to be behind 55 attacks, putting it behind Safepay (72) and Luna Moth (67). It’s also the third most active group after Cl0p and Akira since the start of the year, claiming a total of 304 victims.
“Qilin stands above the rest with its rapidly rising marketplace due to a mature ecosystem, extensive support options for clients, and robust solutions to ensure highly targeted, high-impact ransomware attacks designed to demand substantial payouts,” Qualys said in an analysis of the group this week.
There is evidence to suggest that affiliates working for RansomHub have migrated to Qilin, contributing to the spike in Qilin ransomware activity in recent months.
“With a growing presence across forums and ransomware activity trackers, Qilin operates a technically mature infrastructure: payloads built in Rust and C, loaders with advanced evasion features, and an affiliate panel offering Safe Mode execution, network spreading, log cleanup, and automated negotiation tools,” researchers Mark Tsipershtein and Evgeny Ananin said.
“Beyond the malware itself, Qilin offers spam services, PB-scale data storage, legal guidance, and a full set of operational features—positioning itself not just as a ransomware group, but as a full-service cybercrime platform.”
The decline and demise of other groups have been accompanied by updates to the Qilin affiliate panel, which now incorporates a legal assistance function, a team of in-house journalists, and the ability to conduct distributed denial-of-service (DDoS) attacks. Another notable addition is a tool for spamming corporate email addresses and phone numbers.
The feature expansion indicates an attempt on the part of the threat actors to market themselves as a full-fledged cybercrime service that goes beyond just ransomware.
“If you need legal consultation regarding your target, simply click the ‘Call lawyer’ button located within the target interface, and our legal team will contact you privately to provide qualified legal support,” reads a translated version of a forum post announcing the new capabilities.
“The mere appearance of a lawyer in the chat can exert indirect pressure on the company and increase the ransom amount, as companies want to avoid legal proceedings.”
The development comes as Intrinsec assessed that at least one affiliate of Rhysida has started using an open-source utility named Eye Pyramid C2, likely as a post-compromise tool to maintain access to compromised endpoints and deliver additional payloads.
It’s worth noting that Eye Pyramid C2 is the same Python-based backdoor that was deployed by threat actors linked to the RansomHub crew in Q4 2024.
It also follows a fresh analysis of the leaked Black Basta chat logs, which has shed light on a threat actor who went by the online alias “tinker.” Their real-world identity is presently unknown.
Tinker, per Intel 471, is said to be one of the trusted aides of tramp, the group’s leader, and joined the criminal enterprise as a “creative director” after having prior experience running call centers, including for the now-defunct Conti group, and as a negotiator for BlackSuit (aka Royal).
“The actor tinker played an important role in securing initial access to organizations,” the cybersecurity company said. “The leaked conversations reveal tinker would analyze the financial data and evaluate a victim’s situation before direct negotiations.”
Besides conducting open-source research to obtain contact information for a company’s senior staff so they could be extorted via phone calls or messages, the threat actor was tasked with writing phishing emails designed to breach organizations.
Tinker, notably, also came up with the Microsoft Teams-based phishing scenario, wherein the attackers would masquerade as an IT department employee, warn victims that they were on the receiving end of a spam attack, and urge the employees to install remote desktop tools like AnyDesk and grant the caller access, purportedly to secure their systems.
“After the RMM software was installed, the caller would contact one of Black Basta’s penetration testers, who would then move to secure persistent access to the system and domain,” Intel 471 said.
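The Teams-to-RMM chain described above is detectable from ordinary endpoint and collaboration telemetry: an unapproved remote-management tool appearing on a host shortly after that host accepted a message from an external Teams tenant is a high-fidelity signal. The following is an added illustration for this article, not code from Intel 471, Black Basta or any vendor; the log format, field names, the list of RMM product names and the organisation’s approved-tool allow-list are assumptions, and the sample events are constructed.

```python
"""Correlate external Teams contacts with unapproved RMM installs on the same host.

Added example for this article; not code from Intel 471 or any vendor.
Log layout (tab-separated: timestamp, host, source, detail), field names and
the allow-list are assumptions chosen for illustration; events are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry. Two sources are mixed: Teams audit events and
# software-install events from an endpoint agent.
SAMPLE_LOGS = """\
2024-05-14T09:58:10Z\tWS-017\tteams\texternal_message_accepted sender=itdesk.support-tenant.example
2024-05-14T10:03:42Z\tWS-017\tsoftware_install\tAnyDesk 8.0.11
2024-05-14T11:20:05Z\tWS-042\tsoftware_install\tAnyDesk 8.0.11
2024-05-14T13:45:00Z\tWS-101\tteams\texternal_message_accepted sender=recruiter.example
2024-05-14T16:10:30Z\tWS-101\tsoftware_install\tTeamViewer 15.52
2024-05-14T16:12:00Z\tWS-101\tsoftware_install\tCorpRMM 2.1
"""

# AnyDesk is named in the article; the other product names are assumed additions.
RMM_NAMES = ("anydesk", "teamviewer", "quick assist", "screenconnect", "atera")
# Assumed: the RMM product the organisation actually sanctions.
APPROVED_RMM = ("corprmm",)
# How soon after an external contact an install counts as correlated.
WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Turn tab-separated log lines into dicts with a parsed UTC timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, source, detail = line.split("\t", 3)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "source": source,
            "detail": detail,
        })
    return events


def is_unapproved_rmm(detail):
    """True if the install detail names an RMM product that is not allow-listed."""
    d = detail.lower()
    return any(n in d for n in RMM_NAMES) and not any(a in d for a in APPROVED_RMM)


def find_suspicious_installs(events, window=WINDOW):
    """High-fidelity hits: unapproved RMM install within `window` of an external
    Teams contact on the same host. Returns (host, install_time, install, contact)."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    hits = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        recent_contact = None
        for e in evs:
            if e["source"] == "teams" and "external_message_accepted" in e["detail"]:
                recent_contact = e
            elif e["source"] == "software_install" and is_unapproved_rmm(e["detail"]):
                if recent_contact and e["ts"] - recent_contact["ts"] <= window:
                    hits.append((host, e["ts"].isoformat(), e["detail"], recent_contact["detail"]))
    return hits


def unapproved_rmm_installs(events):
    """Lower-fidelity inventory: every unapproved RMM install, contact or not."""
    return [(e["host"], e["detail"]) for e in events
            if e["source"] == "software_install" and is_unapproved_rmm(e["detail"])]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for hit in find_suspicious_installs(evs):
        print("HIGH:", hit)
    for item in unapproved_rmm_installs(evs):
        print("INFO:", item)
```

On the constructed data only WS-017 produces a correlated hit (AnyDesk installed about five minutes after an external Teams message); WS-101’s TeamViewer install is more than two hours after its contact and lands only in the lower-fidelity inventory, and the sanctioned CorpRMM install is ignored. In practice the allow-list and window should be tuned to the organisation, and a hit should trigger a check with the user before the caller can hand the session to an operator.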
The leaked messages also reveal that tinker received no less than $105,000 in cryptocurrency for their efforts between December 18, 2023, and June 16, 2024. That said, it’s currently not clear what group they may be working for.
The findings coincide with the extradition of an unnamed 33-year-old foreign member of the Ryuk ransomware group to the United States for their alleged role as an initial access broker (IAB) and for facilitating access to corporate networks. The suspect was arrested in Kyiv earlier this April at the request of U.S. law enforcement.
The member “was engaged in the search for vulnerabilities in the corporate networks of the victim enterprises,” the National Police of Ukraine said in a statement. “The data obtained by the hacker was used by his accomplices to plan and carry out cyber attacks.”
Authorities said they were able to trace the suspect following a forensic analysis of equipment seized in a previous raid that took place in November 2023 targeting members of the LockerGoga, MegaCortex, and Dharma ransomware families.
Elsewhere, police officials in Thailand have apprehended several Chinese nationals and other Southeast Asian suspects after raiding a hotel in Pattaya that was used as a gambling den and as an office from which to conduct ransomware operations.
The ransomware scheme is said to have been run by six Chinese nationals, who sent malicious links to companies in order to infect them with ransomware. Local media reports say they were employees of a cybercrime gang, who were paid to distribute the booby-trapped links to Chinese firms.
Thailand’s Central Investigation Bureau (CIB), this week, also announced the arrest of more than a dozen foreigners as part of Operation Firestorm for allegedly running an online investment scam that defrauded several victims in Australia by calling them and deceiving them into investing their money in long-term bonds with a promise of high returns.