Austrian business aviation firm Avcon Jet has been listed on the dark web leak site of the Russia-linked Qilin ransomware gang, which claims to have exfiltrated internal company data including sensitive flight and personnel documentation. Avcon Jet is one of Europe's major private aviation operators, generating over €250 million in annual revenue, according to reporting by Cybernews.
What Happened
The Qilin ransomware group claimed responsibility for an intrusion at Avcon Jet, publishing a series of sample images on its dark web leak portal that allegedly originated from the company's internal systems. Avcon Jet specializes in business jet management and charter flights, operating across Europe and internationally. The company has not yet responded to requests for comment. The listing follows a sustained Qilin campaign targeting aviation and critical infrastructure sectors, with the gang escalating throughout 2025 and into 2026.
What Was Taken
The leaked samples reportedly include highly sensitive operational and personnel documentation. Among the data published as proof:
- Applications for Export Certificates of Airworthiness, which certify that exported aircraft meet the design requirements of the destination country
- Sensitive customer information
- Internal maintenance and operational records
- Personnel data relating to Avcon Jet staff
Researchers flagged that the exposed material extends beyond typical corporate data and into aviation safety workflows and internal security procedures, raising the stakes well above a routine data theft incident.
Why It Matters
The exposure of airworthiness applications, maintenance logs, and internal security procedures introduces risks that go beyond reputational damage. Leaked maintenance documents could reveal recurring mechanical issues tied to specific airframes, creating operational security concerns for high-net-worth charter clients and corporate customers. Exposure of internal incident response and security procedures also gives future attackers a roadmap for bypassing the controls Avcon Jet has in place. Staff named in the leak face elevated risk of identity theft, phishing, and targeted social engineering.
The Attack Technique
Qilin operates as a ransomware-as-a-service (RaaS) platform first identified in 2022, with affiliates deploying the malware and leveraging the group's negotiation infrastructure in exchange for a share of ransom payments. The initial access vector for the Avcon Jet intrusion has not been disclosed. Qilin affiliates have historically gained entry through phishing, exploitation of exposed remote services, and abuse of valid credentials, followed by data exfiltration prior to encryption. Recent Qilin victims in 2025 and 2026 include Tulsa International Airport, Airbus and Boeing supplier LISI Group, Malaysia Airlines, Tennessee Valley Electric Cooperative, Asahi Holdings, IGT, SK Group, Lee Enterprises, and Nissan's Creative Box.
What Organizations Should Do
- Audit external-facing services: Inventory and patch internet-exposed VPNs, remote access portals, and management interfaces commonly abused by Qilin affiliates for initial access.
- Enforce phishing-resistant MFA: Deploy FIDO2 or hardware-backed authentication on all privileged accounts, particularly for staff handling regulatory and customer-facing documentation.
- Segment sensitive document repositories: Isolate airworthiness, maintenance, and personnel records from general corporate file shares and apply strict access controls and logging.
- Monitor for exfiltration patterns: Tune detections for large outbound transfers to cloud storage, anonymizing services, and Tor exit nodes, which are common in Qilin double-extortion playbooks.
- Rehearse incident response in isolation: Assume internal IR documentation could be compromised and maintain offline copies of runbooks, contacts, and recovery procedures.
- Brief named staff on social engineering risk: Personnel whose identities may appear in leaked data should receive targeted guidance on phishing, vishing, and impersonation attempts in the weeks following any disclosure.
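The exfiltration-monitoring recommendation above can be sketched as a detection over network flow records. This is an added illustration, not part of the original article or any vendor's tooling: the hostnames, address ranges, watchlists, one-hour window and 500 MiB threshold are all constructed assumptions. It sums outbound bytes per host and destination category, so a chunked upload is caught even when no single flow is large.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

MIB = 1024 * 1024
WINDOW = timedelta(hours=1)
THRESHOLD = 500 * MIB  # assumed per-host, per-category budget for one window
# Assumptions: placeholder watchlists. In production, load cloud-storage domains
# and anonymizer/Tor address lists from your own threat-intelligence feeds.
CLOUD_STORAGE_DOMAINS = ("storage.example", "files.example")
ANONYMIZER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed flows: (timestamp, src_host, dst_host, dst_ip, bytes_out)
SAMPLE_FLOWS = (
    [(f"2026-01-15T10:{m:02d}:00", "fs-docs-01", "bucket7.storage.example",
      "198.51.100.20", 100 * MIB) for m in range(0, 60, 10)]  # six 100 MiB chunks
    + [
        ("2026-01-15T11:10:00", "fs-docs-01", "bucket7.storage.example", "198.51.100.20", 100 * MIB),
        ("2026-01-15T10:05:00", "ws-207", "", "203.0.113.45", 300 * MIB),
        ("2026-01-15T10:40:00", "ws-207", "", "203.0.113.45", 250 * MIB),
        ("2026-01-15T10:15:00", "ws-114", "team.files.example", "198.51.100.31", 20 * MIB),
        ("2026-01-15T10:20:00", "ws-090", "updates.vendor.example", "198.51.100.77", 900 * MIB),
    ]
)

def categorize(dst_host, dst_ip):
    """Map a destination to a watched category, or None if it is not watched."""
    addr = ipaddress.ip_address(dst_ip)
    if any(addr in net for net in ANONYMIZER_NETS):
        return "anonymizer"
    if any(dst_host == d or dst_host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS):
        return "cloud_storage"
    return None

def find_exfil_candidates(flows, window=WINDOW, threshold=THRESHOLD):
    """Sum outbound bytes per (host, category, window); return totals >= threshold."""
    totals = defaultdict(int)
    for ts, src, dst_host, dst_ip, nbytes in flows:
        category = categorize(dst_host, dst_ip)
        if category is None:
            continue
        t = datetime.fromisoformat(ts)
        start = datetime.min + ((t - datetime.min) // window) * window  # window start
        totals[(src, category, start.isoformat())] += nbytes
    return sorted(k + (v,) for k, v in totals.items() if v >= threshold)

if __name__ == "__main__":
    for host, category, start, total in find_exfil_candidates(SAMPLE_FLOWS):
        print(f"{start} {host} -> {category}: {total // MIB} MiB")
```

The threshold should be tuned per host role: a document repository that never legitimately uploads to external storage warrants a far lower budget than a backup server.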
Sources: Aviation firm Avcon hit by ransomware attack, sensitive flight data allegedly exposed