Qilin Ransomware Scans RDP Authentication History on Compromised Servers

Jennifer Sherman
April 30, 2026

Key Takeaways

  • Qilin ransomware, also known as Agenda, is employing a stealthy new technique to map compromised networks by scanning Remote Desktop Protocol (RDP) authentication history.
  • The group uses a PowerShell command to query Event ID 1149 from the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log, which is often overlooked by security tools.
  • This method allows attackers to identify RDP users, connected client systems, and potentially privileged accounts for lateral movement without triggering common security alerts.
  • Qilin is a prolific Ransomware-as-a-Service (RaaS) group that has claimed over 700 attacks in a single year, targeting critical sectors globally.

Qilin Ransomware Adopts Stealthy RDP Authentication History Scan for Network Reconnaissance

The Qilin ransomware group, a persistent and destructive force in the cyber threat landscape, has refined its operational tactics. Researchers have identified a new, highly discreet method employed by the group to conduct reconnaissance on compromised servers: scanning Remote Desktop Protocol (RDP) authentication history. This technique provides Qilin operators with a silent and efficient pathway to map network topography and pinpoint high-value targets for subsequent attacks.

Emerging in July 2022, Qilin, also recognized as Agenda, operates as a Ransomware-as-a-Service (RaaS) model and is widely believed to be based in Russia. Initially, the group garnered minimal attention, but its activity escalated significantly by 2023, with 45 recorded attacks against vital sectors including healthcare, manufacturing, finance, and government entities. By 2025, Qilin’s reach expanded dramatically, surpassing 700 confirmed attacks within a single year, cementing its status as one of the most active ransomware operations to date. Its victims have included London’s NHS hospitals and county government systems in the United States, underscoring the indiscriminate nature of its campaigns.

Qilin typically establishes initial access through various vectors, such as spearphishing emails, exploiting known software vulnerabilities, or misusing Remote Monitoring and Management (RMM) tools. Once inside a network, the attackers prioritize covert expansion, leveraging “living-off-the-land” techniques that mimic legitimate system activities to evade detection. The group also employs a double extortion strategy, encrypting victim data while simultaneously threatening its public release if ransom demands are not met, intensifying pressure on organizations to comply.

Under the Radar: Qilin’s RDP Log Exploitation

Maurice Fielenbach, an Information Security Researcher at Hexastrike, recently brought to light a sophisticated reconnaissance maneuver executed by Qilin operators on a compromised server. Fielenbach observed the group using a PowerShell command to extract all instances of Event ID 1149 from the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log. This single query gave the attackers a comprehensive overview of which accounts had used RDP on the host, the client systems that connected, and which accounts held sufficient privileges to warrant further targeting. The malicious script was deployed via a rogue ScreenConnect installation during the initial intrusion, as detailed in a report from Hexastrike.

The significance of this tactic lies in its low-noise footprint. Instead of employing overt network scanning or Active Directory enumeration tools, which are commonly flagged by security systems, Qilin leverages an intrinsic Windows logging mechanism. This subtle approach allows the group to gather critical reconnaissance data while remaining undetected, reflecting a growing trend among ransomware operators to prioritize stealth before launching the encryption phase. More information on Qilin’s broader tactics can be found in a Picus Security blog post.

RDP Enumeration as a Lateral Movement Strategy

Qilin’s RDP authentication enumeration technique is central to its lateral movement strategy. By querying Event ID 1149, which logs every RDP connection request, attackers can extract usernames, domain names, and the source client machines involved in each session. This single command lets them build a prioritized list of accounts to target for further compromise, as detailed in Hexastrike’s analysis.
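Because the query itself is quiet, the practical detection opportunity described in the two sections above is PowerShell Script Block Logging: when enabled, every script block that runs is recorded as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, including one that reads the RemoteConnectionManager log for Event ID 1149. The following is an added example, not code from the article or from Hexastrike. It scans a batch of 4104-style records and flags any that read the RDP connection log, distinguishing queries that single out Event ID 1149 from those that pull the whole log. The record structure, the cmdlet list, and all sample records are constructed assumptions for this example.

```python
"""Added detection example, not code from the article or from Hexastrike.

Flags PowerShell Script Block Logging records (Event ID 4104 in the
Microsoft-Windows-PowerShell/Operational log) whose script text reads the
RDP connection log (Microsoft-Windows-TerminalServices-RemoteConnectionManager/
Operational), the source Qilin was observed querying for Event ID 1149.
All sample records below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Cmdlets/tools that read Windows event logs. Assumed starting list; extend it
# for your environment (e.g. .NET EventLogReader usage).
LOG_READERS = re.compile(r"\b(Get-WinEvent|Get-EventLog|wevtutil)\b", re.IGNORECASE)
# The RDP connection-manager log, whether given by full name or by a path fragment.
RCM_LOG = re.compile(r"TerminalServices-RemoteConnectionManager", re.IGNORECASE)
# Event ID 1149 selected explicitly (Where-Object, -FilterHashtable, XPath, ...).
EVENT_1149 = re.compile(r"(?<!\d)1149(?!\d)")


@dataclass(frozen=True)
class ScriptBlockEvent:
    """Minimal view of a 4104 record: when, on which host, which user, script text."""
    time: str
    host: str
    user: str
    script_text: str


@dataclass(frozen=True)
class Finding:
    event: ScriptBlockEvent
    explicit_1149: bool  # True when the query names Event ID 1149 outright


def classify(text: str):
    """Return None when the script block does not read the RDP connection log;
    otherwise return whether it singles out Event ID 1149."""
    if not (LOG_READERS.search(text) and RCM_LOG.search(text)):
        return None
    return EVENT_1149.search(text) is not None


def find_rdp_history_queries(events):
    """Scan 4104 records and return one Finding per RDP-history query."""
    findings = []
    for ev in events:
        explicit = classify(ev.script_text)
        if explicit is not None:
            findings.append(Finding(ev, explicit))
    return findings


# Constructed sample records (not real telemetry). The first two resemble the
# kind of query the article describes; the others are routine admin activity.
SAMPLE_EVENTS = [
    ScriptBlockEvent("2026-04-28T02:14:09Z", "SRV-FILE01", "CORP\\svc_backup",
        "Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' "
        "| Where-Object { $_.Id -eq 1149 } | Select-Object TimeCreated, Message"),
    ScriptBlockEvent("2026-04-28T02:15:41Z", "SRV-FILE01", "CORP\\svc_backup",
        "Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' -MaxEvents 500"),
    ScriptBlockEvent("2026-04-28T08:02:13Z", "SRV-FILE01", "CORP\\helpdesk1",
        "Get-WinEvent -FilterHashtable @{LogName='System'; Level=2} -MaxEvents 50"),
    ScriptBlockEvent("2026-04-28T08:05:00Z", "SRV-FILE01", "CORP\\helpdesk1",
        "Get-Service -Name TermService | Restart-Service"),
]


if __name__ == "__main__":
    for f in find_rdp_history_queries(SAMPLE_EVENTS):
        tag = "explicit 1149" if f.explicit_1149 else "whole RCM log"
        print(f"{f.event.time} {f.event.host} {f.event.user}: {tag}")
```

The rule only fires if Script Block Logging is turned on (Group Policy: Turn on PowerShell Script Block Logging), so that is the prerequisite to verify first. Administrators and incident responders read the same log legitimately, so treat a hit as a lead rather than a verdict: the article's case stands out by context, namely a service-type account running the query from a freshly installed remote-access tool (ScreenConnect) outside business hours, and those attributes are the ones to correlate against.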

This approach is particularly effective because Event ID 1149 resides in the RemoteConnectionManager Operational log, rather than
