What Is Qilin?
Qilin, sometimes spelled Qulin and also known as Agenda, emerged in 2024 and has become one of the most active and disruptive ransomware-as-a-service operations through 2025. Highly modular and affiliate-driven, Qilin combines cross-platform encryptors, credential theft, SaaS abuse, and double extortion to inflict operational and reputational damage.
As Qilin and similar groups scale, organizations must adopt a preventative posture that treats the browser not as a passive client, but as a primary enforcement point.
This post explains how Qilin typically operates and why Seraphic’s preventative, browser-centric security is effective at stopping these attacks before they cause encryption or data loss.
How Qilin Operates: Key Tactics, Techniques, and Procedures
Qilin’s affiliates are technically skilled and opportunistic. The group offers configurable ransomware builds and has grown by absorbing affiliates from other families. Common patterns in Qilin campaigns include:
1. Spear Phishing and Phishing
Affiliates launch targeted spear phishing emails that contain malicious links or attachments. Those lures deliver stealers, loaders, or direct ransomware payloads, and they frequently direct victims to convincing phishing pages that harvest credentials or MFA codes.
2. Malicious or Over-Permissive Browser Extensions
Threat actors weaponize browser extensions, either by distributing malicious extensions or exploiting legitimate extensions that request excessive permissions. Extensions can exfiltrate credentials, siphon session tokens, or inject additional payloads into browser sessions.
3. SaaS Application Exploitation
After credentials or tokens are harvested, attackers move into SaaS environments. They abuse compromised accounts, OAuth misconfigurations, and weak access policies to escalate privileges, move laterally, and stage payloads in cloud environments.
4. Lateral Movement from Compromised Hosts
After gaining a foothold, Qilin affiliates use living-off-the-land binaries and remote management tools, and deploy scripts or encryptors to propagate across networks and encrypt backups and shares.
5. Password and Token Theft
Campaigns commonly deploy stealers to harvest saved browser passwords, cookies, and session tokens, enabling rapid account takeover, SaaS misuse, and persistent access.
6. Exploits and Vulnerability Chaining
Actors employ both n-day and zero-day exploits, often chaining browser, plugin, and server vulnerabilities to bypass detection and broaden access.
Taken together, these techniques show why modern ransomware is as much about identity, sessions, and SaaS access as it is about file encryption.
Why the Browser Is the Critical Control Plane
Most of Qilin’s entry vectors involve the browser: phishing pages, credential theft, malicious extensions, and initial exploit chains. Traditional perimeter or post-execution defenses, such as legacy proxies, antivirus, or old-school EDRs that act after execution, often arrive too late. They may miss credential theft or fail to prevent SaaS token misuse. To stop Qilin, organizations must prevent attackers from stealing credentials, launching payloads, or using a compromised session in the first place.
Seraphic treats the browser as an active, inline enforcement point, consolidating phishing protection, extension governance, SaaS access controls, session protection, exploit mitigation, and ZTNA so attacks are blocked client-side in real time.
How Seraphic Maps to Qilin’s TTPs
Below are the primary ways Seraphic’s layered, preventative browser security blocks Qilin-style campaigns.
1. Spear Phishing and Phishing: Real-Time Behavioral Detection
Seraphic’s phishing protection goes beyond URL reputation. It performs local, real-time behavioral analysis of pages, looking at structure, form behavior, network calls, domain signals, and other indicators to detect zero-day phishing pages and credential-harvesting attempts. When a page is suspicious, the browser blocks credential input and returns a client-side verdict, closing the window that attackers rely on to harvest credentials and tokens.
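The kind of local, behavioral page check described above can be sketched in a few lines. The following is an added example written for this post, not Seraphic's code: it takes a page observation (URL, title, and the forms found on the page) and combines a few structural signals (a password form that submits to a different domain or downgrades to plaintext http, a brand name used outside that brand's own domains, a punycode hostname label) into a score and a verdict. The brand list, the weights, the thresholds, and the sample pages are constructed assumptions, and the registrable-domain helper is a deliberate simplification that ignores the public-suffix list.

```javascript
// Added example, not Seraphic's code: a small client-side behavioral check
// over a page observation (URL, title, forms) that blocks credential input
// when the page looks like a credential-harvesting lure. Brand list, weights
// and sample pages are constructed assumptions.

// Constructed brand -> legitimate registrable domains. A real deployment would
// use a maintained list and a public-suffix-aware domain parser.
const KNOWN_BRANDS = { acme: ["acme.test"], examplebank: ["examplebank.test"] };

// Simplification: registrable domain = last two labels (no public-suffix list).
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// page = { url, title, forms: [{ action, fields: ["text", "password", ...] }] }
function analyzePage(page) {
  const pageUrl = new URL(page.url);
  const pageDomain = registrableDomain(pageUrl.hostname);
  const findings = [];
  let score = 0;

  // 1. Forms that collect a password but submit somewhere other than the page's own domain.
  const credentialForms = (page.forms || []).filter((f) => f.fields.includes("password"));
  for (const form of credentialForms) {
    const action = new URL(form.action || "", page.url); // relative actions resolve to the page
    if (registrableDomain(action.hostname) !== pageDomain) {
      score += 40;
      findings.push(`credential form posts cross-domain to ${action.hostname}`);
    }
    if (pageUrl.protocol === "https:" && action.protocol === "http:") {
      score += 30;
      findings.push("credential form downgrades to plaintext http");
    }
  }

  // 2. Brand name in hostname, path or title while the registrable domain is not the brand's.
  const haystack = `${pageUrl.hostname} ${pageUrl.pathname} ${page.title || ""}`.toLowerCase();
  for (const [brand, domains] of Object.entries(KNOWN_BRANDS)) {
    if (haystack.includes(brand) && !domains.includes(pageDomain)) {
      score += 35;
      findings.push(`references brand "${brand}" outside its domains`);
    }
  }

  // 3. Punycode labels are a common look-alike trick; a weak signal on its own.
  if (pageUrl.hostname.split(".").some((l) => l.startsWith("xn--"))) {
    score += 15;
    findings.push("punycode label in hostname");
  }

  // Credential input is blocked only when the page actually asks for a password.
  let verdict = "allow";
  if (credentialForms.length > 0 && score >= 50) verdict = "block-credential-input";
  else if (score >= 30) verdict = "warn";
  return { verdict, score, findings };
}

// Constructed page observations (not real sites).
const LEGIT_LOGIN = {
  url: "https://acme.test/login", title: "Acme - Sign in",
  forms: [{ action: "/session", fields: ["text", "password"] }],
};
const LURE = {
  url: "https://login-acme.example-portal.test/verify", title: "Acme account verification",
  forms: [{ action: "http://collector.example-drop.test/p", fields: ["text", "password"] }],
};
const BRAND_ONLY = { url: "https://acme-support.example.test/", title: "Acme news", forms: [] };

for (const [label, p] of [["legit", LEGIT_LOGIN], ["lure", LURE], ["brand-only", BRAND_ONLY]]) {
  console.log(label, JSON.stringify(analyzePage(p)));
}
```

The verdict depends on the presence of a credential form: a page that merely mentions a brand outside its domain is flagged for review, while a page that both impersonates a brand and posts a password elsewhere has its credential fields blocked before anything is submitted.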
2. Extension Governance: Detect, Block, and Remove Risky Extensions
Seraphic continuously evaluates installed extensions across major browsers, computing risk scores from permissions, behaviors, and threat intelligence. Administrators can enforce allow and block policies and remotely disable or remove high-risk extensions. This mitigates a common vector where extensions are used to siphon credentials or inject malicious behavior into sessions.
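To make the permission-based risk scoring concrete, here is an added example that is not Seraphic's code: it reads the `permissions` and `host_permissions` arrays from an extension manifest (the field names used by Chromium-style manifests), weights each entry, adds an extra penalty for the combination of site-wide host access with cookie or request interception, and then applies an allow/block policy with explicit allowlist and blocklist entries and two score thresholds. The weights, thresholds, and extension ids are constructed assumptions; a real governance product would also fold in observed behavior and threat intelligence, which this example does not model.

```javascript
// Added example, not Seraphic's code: score an extension's declared permissions
// from its manifest and apply an allow/block policy. The weights, thresholds
// and extension ids below are constructed assumptions for illustration.

// Heavier weights for permissions that let an extension read or alter every
// page, intercept traffic, or read the cookie jar (session-token theft).
const PERMISSION_WEIGHTS = {
  "<all_urls>": 40, cookies: 30, webRequest: 25, webRequestBlocking: 25,
  nativeMessaging: 25, scripting: 20, clipboardRead: 20, history: 15,
  declarativeNetRequest: 15, tabs: 10, downloads: 10, activeTab: 2, storage: 0,
};

// Host patterns: access to every site is far riskier than access to one domain.
function hostPatternWeight(pattern) {
  if (pattern === "<all_urls>" || pattern.startsWith("*://*/")) return 40;
  if (pattern.includes("://*.")) return 8; // wildcard subdomains of one domain
  return 3;                                 // a single host
}

function scoreExtension(manifest) {
  const perms = manifest.permissions || [];
  const hosts = manifest.host_permissions || [];
  const reasons = [];
  let score = 0;
  for (const p of perms) {
    const w = PERMISSION_WEIGHTS[p] ?? 5; // unknown permission: small default weight
    if (w > 0) { score += w; reasons.push(`${p}:+${w}`); }
  }
  for (const h of hosts) {
    const w = hostPatternWeight(h);
    score += w;
    reasons.push(`host ${h}:+${w}`);
  }
  // Broad host access combined with cookie or request interception is the
  // profile of a credential/session stealer, so it gets an extra penalty.
  const broadHosts = perms.includes("<all_urls>") || hosts.some((h) => hostPatternWeight(h) === 40);
  if (broadHosts && (perms.includes("cookies") || perms.includes("webRequest"))) {
    score += 20;
    reasons.push("broad hosts + cookies/webRequest:+20");
  }
  return { score: Math.min(score, 100), reasons };
}

// Policy: explicit lists win over the score; otherwise thresholds decide.
const POLICY = {
  allowlist: new Set(["ext-id-approved-password-manager"]), // constructed id
  blocklist: new Set(["ext-id-known-malicious"]),           // constructed id
  disableAt: 70,
  reviewAt: 40,
};

function decide(extensionId, manifest, policy = POLICY) {
  if (policy.blocklist.has(extensionId)) {
    return { action: "remove", score: 100, reasons: ["on blocklist"] };
  }
  const { score, reasons } = scoreExtension(manifest);
  if (policy.allowlist.has(extensionId)) {
    return { action: "allow", score, reasons: ["on allowlist", ...reasons] };
  }
  if (score >= policy.disableAt) return { action: "disable", score, reasons };
  if (score >= policy.reviewAt) return { action: "review", score, reasons };
  return { action: "allow", score, reasons };
}

// Constructed sample manifests (not real extensions).
const NOTES_EXT = { permissions: ["storage", "activeTab"] };
const CLIPBOARD_EXT = {
  permissions: ["clipboardRead", "tabs", "downloads"],
  host_permissions: ["https://intranet.example.test/*"],
};
const STEALER_LIKE_EXT = {
  permissions: ["cookies", "webRequest", "webRequestBlocking", "scripting", "tabs"],
  host_permissions: ["<all_urls>"],
};

for (const [id, m] of [["notes", NOTES_EXT], ["clip", CLIPBOARD_EXT], ["bad", STEALER_LIKE_EXT]]) {
  const d = decide(id, m);
  console.log(id, d.action, d.score, d.reasons.join(", "));
}
```

The `reasons` array is kept alongside the score so an administrator reviewing a "review" or "disable" decision can see which permissions drove it rather than a bare number.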
3. SaaS Access Control: Context-Aware Policies at the Browser
Seraphic enforces SaaS access policies at the browser layer. Administrators can require that users authenticate only from Seraphic-protected browsers, only from devices that meet OS posture checks, and only after specific contextual checks, such as user, device, and location. Policies can force read-only mode, block downloads, or prevent corporate SaaS logins from unmanaged browsers, reducing the damage possible from stolen credentials or tokens.
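The context-aware policy described above can be expressed as an ordered set of checks over a login context. The following is an added example and not Seraphic's code: a per-application policy states which groups are entitled, whether the login must come from a protected browser, which countries are allowed, and what happens on an unmanaged device; the evaluator returns allow, read-only (with downloads blocked), or block, with the first failing check as the reason. The application names, group names, posture states, and sample contexts are constructed assumptions; the posture value is assumed to be supplied by a separate OS posture check.

```javascript
// Added example, not Seraphic's code: evaluate a SaaS login against a
// context-aware policy (user, device posture, browser, location) and return
// allow / read-only / block plus a download decision. App names, groups and
// posture states are constructed assumptions.

const SAAS_POLICY = {
  apps: {
    "crm.example.test": {
      allowedGroups: ["sales", "it"],
      requireProtectedBrowser: true,  // corporate login only from the protected browser
      allowedCountries: ["US", "DE"],
      unmanagedDevice: "read-only",   // unmanaged device: session without downloads
    },
    "hr.example.test": {
      allowedGroups: ["hr", "it"],
      requireProtectedBrowser: true,
      allowedCountries: ["US"],
      unmanagedDevice: "block",       // too sensitive for unmanaged devices
    },
  },
};

function block(reason) {
  return { decision: "block", downloads: false, reason };
}

// ctx = { app, user: { name, group }, browser: { protected },
//         device: { managed, posture }, location: { country } }
// device.posture is assumed to come from an OS posture check:
// "compliant" | "non-compliant" | "unknown".
function evaluateAccess(ctx, policy = SAAS_POLICY) {
  const rule = policy.apps[ctx.app];
  if (!rule) return block("app not in policy: default deny");
  if (!rule.allowedGroups.includes(ctx.user.group)) return block(`group ${ctx.user.group} not entitled`);
  if (rule.requireProtectedBrowser && !ctx.browser.protected) return block("login from unprotected browser");
  if (!rule.allowedCountries.includes(ctx.location.country)) return block(`location ${ctx.location.country} not permitted`);
  if (ctx.device.posture !== "compliant") return block(`device posture ${ctx.device.posture}`);
  if (!ctx.device.managed) {
    if (rule.unmanagedDevice === "block") return block("unmanaged device");
    return { decision: "read-only", downloads: false, reason: "unmanaged device: restricted session" };
  }
  return { decision: "allow", downloads: true, reason: "all context checks passed" };
}

// Constructed login contexts. STOLEN_CRED_REPLAY models a valid credential
// being replayed from an unprotected browser in an unexpected country.
const CORP_LAPTOP = {
  app: "crm.example.test", user: { name: "alice", group: "sales" },
  browser: { protected: true }, device: { managed: true, posture: "compliant" },
  location: { country: "US" },
};
const STOLEN_CRED_REPLAY = {
  app: "crm.example.test", user: { name: "alice", group: "sales" },
  browser: { protected: false }, device: { managed: false, posture: "unknown" },
  location: { country: "XX" },
};
const BYOD_PROTECTED = {
  app: "crm.example.test", user: { name: "bob", group: "it" },
  browser: { protected: true }, device: { managed: false, posture: "compliant" },
  location: { country: "DE" },
};
const BYOD_HR = { ...BYOD_PROTECTED, app: "hr.example.test", location: { country: "US" } };

for (const [label, ctx] of [
  ["corp", CORP_LAPTOP], ["replay", STOLEN_CRED_REPLAY],
  ["byod", BYOD_PROTECTED], ["byod-hr", BYOD_HR],
]) {
  console.log(label, JSON.stringify(evaluateAccess(ctx)));
}
```

The checks are ordered so that the cheapest and most decisive ones (entitlement, protected browser) run first; a replayed credential fails at the browser check regardless of the stolen password being correct, which is the point of enforcing the policy at the browser rather than relying on the password alone.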
4. ZTNA and Network Isolation for Private Apps
Seraphic’s zero trust network access (ZTNA) model not only ensures that only authorized, policy-compliant browser sessions can access private web apps, it also continuously validates the OS posture of the device. Even if malware runs on the host, only sessions from devices with the right OS posture and session attributes can reach sensitive resources, making lateral movement and data staging via internal web apps much harder.
5. Password and Session Token Protection
Seraphic restricts insecure auto-save and auto-fill behavior and encrypts cookie and session storage so stolen browser artifacts are unusable outside of legitimate, policy-compliant sessions. This prevents session hijacking and lateral movement stemming from exfiltrated tokens.
6. Exploit Prevention Engine: Breaks Exploitation Chains
Seraphic’s runtime protections create a hardened and less predictable browser runtime, disrupting exploit chains including JavaScript runtime attacks and memory corruption exploits. By preventing or significantly reducing the reliability of exploitation, the platform stops attackers from converting a click into code execution.
Real-World Impact
Organizations that deploy browser-centric prevention report fewer successful phishing events and reduced remediation time. Organizations using SEB also enjoy a reduction in security tool alerts, because SEB prevents the initial attack vectors; fewer EDR alerts mean less time spent by analysts chasing secondary IOCs. By stopping credential theft, extension-based spying, and exploit chains at the browser, prevention reduces the likelihood that attackers will gain the footholds that lead to destructive ransomware events.
Why Seraphic Succeeds Where Others Fall Short
- Inline, real-time protection that intervenes inside the browser and stops attacks before credentials, tokens, or payloads are stolen or executed.
- Comprehensive coverage that combines phishing protection, extension governance, SaaS access controls, session protection, exploit prevention, and ZTNA to eliminate gaps.
- Low friction, with controls applied without disruptive user experience changes or forced browser migration.
- Enforcement that extends to both managed and unmanaged devices through a mix of agents and browser protections.
Conclusion
Qilin’s evolution shows that modern ransomware is no longer solely about file encryption. Groups weaponize identity, sessions, extensions, and SaaS platforms. To stop these attacks, organizations must protect the browser as the core control plane.
Seraphic’s preventative, browser-centric approach defends against phishing, extension-based threats, SaaS exploitation, and exploit chains, preventing attackers from gaining the footholds that lead to destructive ransomware events.
Want to see Seraphic in action? Contact us for a demo or to discuss a targeted assessment that shows how Seraphic blocks the browser-based vectors commonly used by Qilin and other ransomware families.