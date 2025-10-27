A surge in Qilin ransomware activity has continued through the second half of 2025, with the group publishing more than 40 victim listings per month on its leak site.

The attacks have primarily targeted the manufacturing sector, followed by professional and scientific services and wholesale trade, according to new findings from Cisco Talos.

The sustained rate of publication underscores Qilin’s position as one of the most active and damaging ransomware operations worldwide.

Using a double-extortion model, the group encrypts data while threatening to leak stolen information if ransoms are not paid.

A Growing Global Footprint

Since emerging in mid-2022, Qilin, formerly known as Agenda, has expanded its reach through a ransomware-as-a-service (RaaS) model.

Affiliates use Qilin’s platform and tools to compromise organizations across the United States, Canada, the United Kingdom, France and Germany.