Qilin ransomware, recently responsible for crippling Asahi breweries in Japan, has emerged as by far the world’s most active ransomware group. A new report by Resecurity revealed that the cartel’s deep connections with shadowy infrastructure providers keep its operations running.

Qilin is believed to be behind the crippling attack on Asahi, Japan’s largest brewer. The attack disrupted operations and caused a shortage of the country’s most popular beers, soft drinks, and cold teas.

It has recently joined forces with two other notorious ransomware gangs, forming a coalition with LockBit and DragonForce, ReliaQuest’s report unveiled.

Since then, its activity seems to have skyrocketed.

Cybernews' Ransomlooker tool revealed that Qilin has claimed more victims in six months than the next three top gangs combined, and the gang in fifth place, DragonForce, is now Qilin’s ally.

For comparison, in 2024, Qilin claimed 186 victims. Since the beginning of October 2025 alone, the cartel has claimed 115 new victims, according to statistics from ransomware.live.

One of the most prolific and formidable threat groups is having its best month so far, easily holding the crown of the most active ransomware cartel.

On October 14th, Qilin claimed alleged data breaches at Volkswagen Group France, a subsidiary of Volkswagen, Texas’ San Bernard Electric Cooperative, and Karnes Electric Cooperative.

On October 15th, it announced alleged breaches at the Spanish Tax Administration Agency and nine other organizations.

“The month of October could be considered one of the most ‘fruitful’ for Qilin, given the number of victims published and new organizations targeted. It is also evident that the group is increasing its focus on the US, attacking local municipalities such as the City of Riviera Beach, Florida, and Cobb County earlier,” Resecurity said in its cyber threat intelligence report.

The researchers shed light on what keeps the cartel’s operations going, with many ties leading to Russia.

A web of bulletproof hosting infrastructure

Qilin’s ransomware operation is highly dependent on bulletproof hosting (BPH) services to stay hidden and resilient. Rogue BPH services turn a blind eye to what customers are doing with rented domains and servers.

“Frequently incorporated in pro-secrecy jurisdictions and structured across complex webs of anonymous and geographically distributed shell companies, BPH services are designed to be resilient to abuse complaints and even law enforcement intervention,” the Resecurity researchers said.

This critical backbone enables Qilin to use file-sharing to retrieve victim data, rotate IPs and domains, and host other illicit content and infrastructure beyond the reach of law enforcement.

In 2024, the gang operated a domain hosted on Russian IP addresses supplied by the Hong Kong-based provider, Cat Technologies Co. Limited. An anonymous individual, “Alexander,” claiming to be from Seoul, South Korea, registered the malicious website using domain name servers located in Russia.

This IP led to a wide network of BPH services, including an IP address with extensive malicious activity and a shell company connected to the Aeza Group. The US Treasury Department sanctioned this group for providing BPH services to criminals – it was also linked to the Doppelganger disinformation campaign. Aeza Group was located in the former business center of the Russian Wagner Group until it was raided by police in April 2025.

Qilin was also found to advertise Bearhost Servers, one of the largest BPH providers, also known as Underground and Voodoo Servers. Tied to the company in Russia, the “hosting provider” advertises services for cybercriminals on Telegram, including the availability of servers for mass network scanning activities.

“The service has been operating since at least 2019 and has registered accounts on multiple underground forums, including XSS and Exploit. The pricing for their services varies from $95 to $500 and more, depending on the configuration of the server,” Resecurity researchers noted.

The legal entities' addresses overlap, leading to more companies related to the same BPH conglomerate, including a Russia-based hosting provider, Hostway[.]ru. One director, Lenar Davletshin, has been identified as a director of at least eight companies providing BPH services. Qilin also misused another BPH operator in Russia, IPX-FZCO.

However, the cartel had also been using a host from Kyrgyzstan. Resecurity found that this IP was also linked to the same address in Hong Kong. Several other companies were also found to be linked to efforts to bypass US sanctions.

All the hosting services used by Qilin seem to revolve around Chang Way Technologies, a company in Hong Kong with the same address. It was associated with other extensive malware activity, hosting command-and-control servers for many tools used by cybercriminals.

“It is common for BPH operators to use confusing network descriptions to complicate further investigation of the exact organization or individual managing those networks,” the researchers said.

The researchers also said that it’s unlikely that this hosting conglomerate is unaware of the malicious activities, given the numerous abuse reports by telecoms, cybersecurity companies, and victims.


The actors behind Bearhost, Underground, and Voodoo recently announced the termination of services. However, it is highly probable that threat actors are regrouping following major breaches to improve their OPSEC. The researchers expect a shift to other operators and Hong Kong entities “using the same address in Hong Kong.”

To combat this organized and interconnected criminal enterprise, Resecurity calls for coordinated efforts among governments, law enforcement, the banking industry, and cybersecurity professionals.

What is Qilin Ransomware?

Qilin emerged in mid-2022 as a ransomware-as-a-service (RaaS) gang. Initially, it was named “Agenda” but rebranded later that year. This ransomware has variants written in Golang and Rust. Threat actors often gain initial access through spear phishing and leverage Remote Monitoring and Management (RMM) and other common tools in their attacks.

The gang practices double extortion, demanding ransom payments to prevent data from being leaked.

Qilin divides profits with its network of affiliates: the attackers, who carry out operations, typically retain ~80–85%, while the operators take ~15–20%.

Threat actors from other countries are likely to have joined the group. Since late February 2025, Microsoft has observed Moonstone Sleet, a North Korean state actor, deploying Qilin ransomware at a limited number of organizations.

