Red Hot Cyber

Qilin Ransomware Strikes Deep into South Korean Finance

Inva Malaj, 19 September 2025, 10:43

Imagine waking up one morning and discovering that your sensitive financial data—contracts, customer lists, investment strategies—is exposed on a hidden site on the dark web, with a timer threatening to make it public unless you pay a ransom. This is exactly what happened to ten asset management firms in South Korea, victims of the “Korean Leak” campaign orchestrated by the Qilin ransomware group.

The “Korean Leak” Campaign: The Ten Victims and the Exposed Data

Through CTI and OSINT monitoring—with sources such as Ransomware.live and H4ckmanac—it emerged that the Qilin group targeted the South Korean asset management sector. Direct verification on their onion site confirmed the publication, on September 14, of victim profiles identified as Korean Leak, accompanied by exfiltrated data samples. Below are the ten affected organizations, based on verified claims and IOCs extracted from the Data Leak Site (DLS):

  1. Human & Bridge Asset Management: Claim with sample financial reports and customer lists; IOCs include the FTP endpoint used for exfiltration.
  2. Vanchor Asset Management: Details of investor portfolios published; MD5 hashes associated with the leaked files.
  3. Klarman Asset Management: Entry with screenshots of internal documents; IPs tracked for command and control.
  4. Taurus Investment & Securities Co: HR and partnership data exposed; exfiltration tools such as WinSCP identified in logs.
  5. Apex Asset Management: Risk analyses leaked; file hashes.
  6. LX Asset Management: Budgets and projections published; Proxychains noted among the networking tooling.
  7. Majesty Asset Management Co: Compliance and accounting data; evasion tools such as EDRSandBlast mentioned.
  8. Melon Asset Management Co: Investor lists exfiltrated; credential theft via Mimikatz.
  9. Pollex Asset Management Co: Internal M&A analyses; C2 IP.
  10. Awesome Asset Management Co: Marketing plans and master data; exfiltration via EasyUpload.io.

These claims show a progressive publication pattern: initial previews followed by full dumps if the ransom is not paid.

The Origin of Qilin: From Mythology to Cyber Threat

Qilin isn’t just a name: it derives from a Chinese mythological creature symbolizing epochal change, and the group uses it to assert a mission that goes beyond criminal profit. As emerged from Red Hot Cyber’s exclusive interview, Qilin presents itself as a supporter of a “multipolar world,” with anti-Western tones and a decentralized structure involving teams in multiple countries. Behind the rhetoric, however, lies a sophisticated RaaS (Ransomware-as-a-Service) operation, with payloads developed in-house in Rust and C to evade defenses.

The group has been active since 2022 and has climbed the threat rankings: in April 2025 alone it claimed 72 victims, and the September South Korean wave has added to that tally. Its infrastructure includes a Data Leak Site (DLS) on Tor, known as “WikiLeaks V2,” reachable via onion addresses such as ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion, where it publishes data for extortion purposes.

How the Attack Works: Claimed Tactics and Tools

In the Red Hot Cyber interview, Qilin says it uses “everything”: phishing, internally researched 0-day/1-day exploits, and prolonged dwell time inside victim networks to study business processes before encryption. The reported stack includes:

  • Discovery: Nmap and Nping for network mapping.
  • RMM tools: ScreenConnect for remote access.
  • Defense evasion: EDRSandBlast, PowerTool, and vulnerable signed drivers such as a Toshiba power management driver for BYOVD (bring your own vulnerable driver).
  • Credential theft: Mimikatz for credential extraction.
  • Offensive tooling: Cobalt Strike, Evilginx, and NetExec for post-exploitation, adversary-in-the-middle phishing, and lateral movement.
  • Networking: Proxychains for anonymization and pivoting.
  • LOLBAS: fsutil, PsExec, and WinRM, abusing legitimate, signed administration tools.
  • Exfiltration: EasyUpload.io for uploading stolen data.

Specific IOCs extracted from the DLS entries include C2 IPs such as 176.113.115.97 and numerous MD5 hashes of payloads; the FTP endpoints listed alongside them confirm that FTP was used to transfer the stolen data.
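As an added example (not code from the article, from Red Hot Cyber, or from the Qilin operators), the following Python script matches constructed, Sysmon-style key=value log lines against the indicators named above: the C2 IP 176.113.115.97, outbound FTP, the EasyUpload.io domain, and the host-side tool names (Mimikatz, EDRSandBlast, PowerTool, Nmap/Nping, ScreenConnect, PsExec, fsutil, WinRM). The log format, hostnames, file paths and internal IPs are invented for the example. Cobalt Strike, Evilginx, NetExec and Proxychains run on attacker-side infrastructure and are not matched by process name here. Dual-use tools are reported as "review" rather than "high" because fsutil, PsExec and WinRM are also what a legitimate administrator runs, and a renamed Mimikatz binary is caught through its module names in the command line.

```python
"""Added example, not code from the article or from the Qilin operators.

Scans constructed Sysmon-style key=value log lines for the indicators named
in the article. Hostnames, paths, internal IPs and the log format itself are
invented for the example; the C2 IP, the upload domain and the tool names come
from the article.
"""
import re
from dataclasses import dataclass

# Indicators reported in the article.
QILIN_C2_IPS = {"176.113.115.97"}
EXFIL_DOMAINS = {"easyupload.io"}
FTP_PORT = 21

# Host-side tools from the reported stack. "high" tools have no business on a
# finance workstation; "review" tools are legitimate admin/RMM utilities that
# need context (who ran it, from where, when) before they count as an incident.
HIGH_CONFIDENCE_TOOLS = {
    "mimikatz": "Credential Access",
    "edrsandblast": "Defense Evasion",
    "powertool": "Defense Evasion",
}
REVIEW_TOOLS = {
    "nmap": "Discovery",
    "nping": "Discovery",
    "screenconnect": "Remote Access (RMM)",
    "psexec": "Lateral Movement",
    "fsutil": "Execution (LOLBAS)",
    "winrm": "Lateral Movement",
    "winrs": "Lateral Movement",
}
# Mimikatz module prefixes; they survive a renamed binary because they sit in argv.
MIMIKATZ_MARKERS = ("sekurlsa::", "lsadump::", "privilege::debug")


@dataclass
class Finding:
    line_no: int
    severity: str   # "high" or "review"
    tactic: str
    reason: str


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """key=value tokens -> dict; quoted values are unquoted, keys lowercased."""
    return {k.lower(): v.strip('"') for k, v in _KV.findall(line)}


def _image_name(path: str) -> str:
    """Last path component without extension, lowercased."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name.rsplit(".", 1)[0] if "." in name else name


def check_event(line_no: int, ev: dict) -> list:
    found = []
    kind = ev.get("event", "")
    if kind == "process_create":
        name = _image_name(ev.get("image", ""))
        cmd = ev.get("cmdline", "").lower()
        # Match on image name or on the tool name in the command line; attackers
        # rename binaries, but the command line usually still gives them away.
        for tool, tactic in HIGH_CONFIDENCE_TOOLS.items():
            if tool == name or tool in cmd:
                found.append(Finding(line_no, "high", tactic, f"offensive tool {tool}"))
        if any(m in cmd for m in MIMIKATZ_MARKERS):
            found.append(Finding(line_no, "high", "Credential Access", "Mimikatz module in command line"))
        for tool, tactic in REVIEW_TOOLS.items():
            if tool == name or tool in cmd:
                found.append(Finding(line_no, "review", tactic, f"dual-use tool {tool}"))
    elif kind == "network_connect":
        dst = ev.get("dst_ip", "")
        port = int(ev.get("dst_port") or 0)
        host = ev.get("dst_host", "").lower()
        if dst in QILIN_C2_IPS:
            found.append(Finding(line_no, "high", "Command and Control", f"known Qilin C2 {dst}"))
        if any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS):
            found.append(Finding(line_no, "high", "Exfiltration", f"file-sharing service {host}"))
        if port == FTP_PORT:
            found.append(Finding(line_no, "review", "Exfiltration", f"outbound FTP to {dst}"))
    return found


def scan_log_lines(lines) -> list:
    found = []
    for i, line in enumerate(lines, 1):
        found.extend(check_event(i, parse_line(line)))
    return found


def summarize(findings) -> dict:
    """Count findings per severity."""
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample events (invented hosts, paths and internal addresses).
SAMPLE_LOG = [
    'event=process_create host=fin-ws01 image="C:\\Windows\\System32\\fsutil.exe" cmdline="fsutil behavior query SymlinkEvaluation"',
    'event=process_create host=fin-ws01 image="C:\\Users\\Public\\m.exe" cmdline="m.exe privilege::debug sekurlsa::logonpasswords"',
    'event=process_create host=fin-ws02 image="C:\\Tools\\EDRSandBlast.exe" cmdline="EDRSandBlast.exe --kill-edr"',
    'event=network_connect host=fin-ws02 dst_ip=176.113.115.97 dst_port=443 dst_host=""',
    'event=network_connect host=fin-srv01 dst_ip=10.0.0.4 dst_port=21 dst_host=""',
    'event=network_connect host=fin-srv01 dst_ip=203.0.113.9 dst_port=443 dst_host=easyupload.io',
    'event=network_connect host=fin-srv01 dst_ip=10.0.0.10 dst_port=445 dst_host=fileserver.corp.example',
]

if __name__ == "__main__":
    hits = scan_log_lines(SAMPLE_LOG)
    for h in hits:
        print(f"line {h.line_no}: [{h.severity}] {h.tactic}: {h.reason}")
    print(summarize(hits))
```

Run against the sample, the script flags the renamed Mimikatz (line 2), EDRSandBlast (line 3), the known C2 address (line 4) and the EasyUpload.io connection (line 6) as high, and the fsutil execution and the outbound FTP session as items to review; the SMB connection to an internal file server produces nothing. In a real deployment the substring matches on the command line are a starting point, not a finished rule: tune them against your own baseline before they page anyone.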

The Business Model: RaaS and Legal Pressure

Qilin operates as a RaaS with an 80/20 revenue split (80% to the affiliate, 20% to the service), and part of the revenue is declared to be allocated to “freedom movements.” Its “double extortion” has evolved: beyond encryption, the group threatens auctions, sale of the data to competitors, or full disclosure. It even offers preemptive “immunity” for a fee, likened to a “vaccine.”

In 2025, they added the “intimidation package”: in-house legal and journalist teams for negotiations and media campaigns, with 1 PB of storage and integrated DDoS tools. Qilin isn’t just code: it’s a hybrid threat that mixes crime, ideology, and innovation. Understanding it is the first step to countering it.

Inva Malaj
Student with a strong background in cybersecurity threat management, artificial intelligence, AI ethics and digital transformation. Currently engaged in an 800-hour curricular internship in Security Threat Management at TIM, which is an integral part of the “Digital Transformation Specialist” training course at ITS Agnesi in Rome. I have completed the Dark Web - Threat Management course and am an active part of the DarkLab Team at Red Hot Cyber.
