Qilin ransomware claims Malaysia Airlines hack: Are passenger records at risk?


Malaysia Airlines landed on the Qilin ransomware gang’s dark web victim site Thursday, but the group has released no proof, no samples, and no details on what data, if any, was stolen.

The claim leaves much uncertainty about the scope of the incident and whether traveler data, operational systems, or internal files may have been accessed.

The country's flagship airline did not appear on Qilin’s site until now, although the entry is actually dated February 22nd.

Malaysia Airlines, the nation's flagship carrier, is claimed by the Qilin ransomware group. Image by Cybernews via Qilin leak site.

No proof posted – yet

Headquartered at Kuala Lumpur International Airport, the Southeast Asian carrier has roughly 5,000 employees, covers 29 domestic and 48 international destinations in 22 countries, and serves more than 16 million passengers each year, according to its website.

As of publication, the post contains only the airline's name – the group has not shared file samples or an estimated cache size – a departure from its usual pattern of teasing stolen documents to pressure victims into negotiations.

Still, cybersecurity analysts often caution that victim blog posts can precede data dumps by days or weeks – or, in some cases, disappear entirely if talks progress behind the scenes.

Qilin, the most active ransomware group of 2025, has also been known to withhold data samples and public threats until negotiations formally break down.

Cybernews Ransomlooker snapshot of the most active ransomware gangs in the past year. January 16th, 2025. Image by Cybernews.

As for how Qilin purportedly gained unauthorized access, without forensic confirmation from investigators or airline officials, it remains unclear whether this reflects a “confirmed network breach, a failed intrusion attempt, or a negotiation tactic.”

Cybernews has reached out to Malaysia Airlines for clarification and is awaiting a response.

Are passenger records exposed?

The aviation sector has become an increasingly attractive target for ransomware gangs in recent years, with attackers seeking both operational leverage and access to valuable personal data.

Past attacks on airlines and airport operators have exposed passenger names, contact details, passport information, and internal employee records.

If Qilin did gain access to airline systems, potential data at risk could include:

  • Passenger booking and contact records
  • Employee personnel files
  • Vendor contracts and operational documents
  • Internal communications

Furthermore, even limited personal information can fuel targeted phishing campaigns, identity fraud, and social engineering attacks.

Malaysia’s aviation sector under repeated pressure

This is not the first time ransomware has hit Malaysia’s aviation sector.

In March 2025, Kuala Lumpur International Airport (KLIA) – part of the network run by Malaysia Airports Holdings Berhad (MAHB), which runs most of the country’s airports – was hit by ransomware linked to the Qilin gang.

The attack disrupted flight information displays, check-in counters, baggage systems, and other digital infrastructure for more than 10 hours, forcing staff to implement manual workarounds and causing significant delays.

Kuala Lumpur International Airport (KLIA), Malaysia. Image by amirraizat | Shutterstock

At the time, Malaysian Prime Minister Anwar Ibrahim publicly confirmed the incident and announced he refused to pay the hackers' $10 million ransom demand.

Additionally, in 2022, the AirAsia Group – Malaysia’s largest low-cost airline – was hit by a ransomware attack claimed by the Daixin Team.

Although operations were reportedly unaffected, the lesser-known criminal group exfiltrated the personal data of around 5 million passengers and employees.

Negotiations took place, but a ransom was never paid, according to a report by local news outlet The Edge Malaysia, which also noted that Malaysia Airlines disclosed two data security incidents between 2020 and 2021.

Qilin is no newcomer to targeting critical infrastructure

First identified by researchers in 2022, the Russian-linked group has rapidly eclipsed many of its rivals, emerging as the most active ransomware gang of 2025.

Its victims span manufacturers, finance firms, retailers, healthcare providers, government agencies – and increasingly, transportation-linked entities.

Last month, the gang claimed a ransomware attack on Tulsa International Airport, posting more than a dozen leaked files, including internal operations documents and executive and employee data.

Alleged samples of stolen data are added to the Tulsa International Airport entry by the Qilin ransomware group. Image by Cybernews.

Just last week, Qilin listed New York City’s TWU Local 100 – representing more than 67,000 active and retired transit workers – in a breach that risks exposing sensitive employee data tied to the nation’s largest public transportation system.

Operating a ransomware-as-a-service (RaaS) model, Qilin allows affiliates to deploy its malware and leverage its negotiation infrastructure in exchange for a cut of ransom payments.

According to Cybernews’ in-house surveillance tool Ransomlooker, the gang listed more than 1,000 victims in 2025 and has extended that surge into 2026, claiming more than 200 additional victims as of February 23.

The Qilin ransomware group has claimed over 200 victims so far in 2026. Cybernews Ransomlooker snapshot taken on February 23rd, 2026. Image by Cybernews.

High-profile claims in 2025 included Japan's Asahi Holdings, digital gaming giant International Game Technology (IGT), Korea’s SK Group, US newspaper group Lee Enterprises, Nissan Japan's design arm, Creative Box, and the controversial religion Scientology.

Cybernews has documented repeated cyberattacks across the aviation sector throughout 2025, causing disruptions for airlines, airports, and travelers alike.

Last September, ransomware group Everest targeted Collins Aerospace and its MUSE check-in software, disrupting flights for days at major European hubs including London Heathrow, Dublin, Brussels, and Berlin Brandenburg airports.

The hacking collective Scattered Spider also targeted North American carriers Hawaiian Airlines and Alaska Airlines.

Other aviation victims reported in 2025 included Iberia Airlines, American Airlines, and Qantas.
