The Qilin ransomware group added two industrial sector victims to its dark web leak site on April 25, 2026: Buckley Powder, a US-based explosives and blasting services provider, and Leistritz Turbine Technology, a German precision turbine component manufacturer. The listings were surfaced by the ThreatMon Threat Intelligence Team through dark web monitoring, indicating both organizations are now subject to Qilin's signature double extortion playbook of encryption paired with the threat of publishing stolen data.
What Happened
On April 25, 2026, Qilin posted both victims to its data leak site within a short window of each other, a batching tactic the group has used repeatedly to maximize reputational and operational pressure. The first listing named Buckley Powder, a Colorado-headquartered supplier of bulk explosives and drilling services to the mining, quarrying, and construction sectors. Shortly after, Leistritz Turbine Technology, a subsidiary of the German Leistritz Group specializing in precision blades and components for industrial and aerospace turbines, was added to the same leak portal.
ThreatMon analysts flagged both posts as fresh entries on Qilin's victim board, consistent with the group's pattern of publishing teaser samples or full file trees once initial ransom negotiations stall or are ignored. Neither company has issued a public statement at the time of writing, and there is no confirmed dollar figure attached to the ransom demands.
What Was Taken
Qilin has not yet published a full inventory of the stolen archives, but the group's standard tradecraft involves exfiltrating substantial data troves prior to encryption. Based on prior Qilin operations against industrial targets, the data at risk likely includes:
- Engineering drawings, CAD files, and proprietary manufacturing specifications
- Customer and supplier contracts, pricing data, and procurement records
- Employee personally identifiable information, payroll, and HR files
- Financial statements, banking records, and internal accounting data
- Operational technology documentation, including SCADA and ICS configuration details
For Buckley Powder, the exposure of explosives handling procedures, regulated material inventories, and customer site data carries heightened regulatory and physical security implications. For Leistritz, the loss of turbine blade engineering IP could damage competitive position in the aerospace and energy markets it serves.
Why It Matters
Qilin has emerged as one of the most prolific ransomware-as-a-service operations of the past year, consistently appearing in monthly victim count rankings alongside RansomHub and Akira. The group's continued focus on mid-market industrial firms reflects a deliberate targeting calculus: these organizations hold valuable intellectual property and operational data, often run legacy OT environments, and typically lack the security maturity of larger enterprises while still being able to pay meaningful ransoms.
The simultaneous targeting of an explosives supplier and a turbine component manufacturer also underscores the supply chain risk dimension. Both companies sit upstream of critical infrastructure customers in mining, energy, and aerospace, meaning a successful extortion or data leak could cascade into downstream operational and safety concerns for their clients.
The Attack Technique
Qilin, also tracked as Agenda, is a ransomware family with both Go and Rust builds, run as an affiliate program. While the specific intrusion vectors used against Buckley Powder and Leistritz have not been disclosed, Qilin affiliates are well documented for the following access methods:
- Exploitation of unpatched internet-facing infrastructure, particularly Fortinet and Citrix edge appliances and Veeam backup servers
- Use of valid credentials purchased from initial access brokers, often harvested via infostealers
- Phishing and fake-update lures delivering loaders such as SocGholish, typically followed by Cobalt Strike beacons
- Abuse of exposed RDP and VPN endpoints lacking multi-factor authentication
Once inside, Qilin operators typically conduct lateral movement using legitimate tooling such as PsExec, AnyDesk, and Splashtop, escalate privileges through Active Directory misconfigurations, and stage exfiltration via Rclone or MEGA before deploying the encryptor across both Windows hosts and VMware ESXi hypervisors.
What Organizations Should Do
Industrial sector defenders, particularly those in manufacturing, mining services, and aerospace supply chains, should treat this disclosure as confirmation that Qilin remains an active and capable threat:
- Audit and patch all internet-facing edge devices, prioritizing Fortinet, Citrix NetScaler, Veeam, and VPN concentrators against known exploited vulnerabilities.
- Enforce phishing-resistant multi-factor authentication on every remote access pathway, including RDP, VPN, and management portals.
- Hunt for known Qilin precursor activity such as unauthorized AnyDesk or Splashtop installations, Rclone executions (including renamed copies of the binary), and PsExec service installs in OT-adjacent networks.
- Segment IT and OT networks rigorously, ensuring that a ransomware detonation in the corporate domain cannot pivot into manufacturing or production control systems.
- Validate immutable, offline backup integrity and rehearse restoration of both file servers and ESXi virtualization hosts.
- Deploy infostealer-focused detection and rotate credentials for any accounts surfaced in stealer log marketplaces, a common Qilin initial access source.
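As an added illustration of the hunting guidance above and of the post-compromise tool chain described under The Attack Technique (remote admin tools, Rclone staging, PsExec service execution), the following script is example code written for this page, not tooling from ThreatMon or from either victim. It assumes a Sysmon-like JSON-lines export (event_id 1 for process creation with an OriginalFileName field, event_id 7045 for Windows service installs); the field names, the tool name lists, and the sample log lines are all constructed for the example and should be adapted to your own EDR or SIEM schema.

```python
"""Hunt for Qilin-style precursor activity in endpoint telemetry.

Assumed input (illustrative schema, one JSON object per line, Sysmon-like
field names; adapt to your EDR/SIEM export):
  event_id 1    process creation: host, user, image, original_file_name,
                command_line, parent_image
  event_id 7045 service installed (Windows System log): host, user,
                service_name, image_path
"""
import json
import ntpath  # parses Windows paths correctly even when run on Linux/macOS

# Illustrative tool lists (assumption: not exhaustive, extend from your telemetry).
REMOTE_ADMIN_TOOLS = {"anydesk.exe", "srserver.exe", "srmanager.exe", "sragent.exe"}
EXFIL_TOOLS = {"rclone.exe", "megasync.exe", "megacmdserver.exe"}
PSEXEC_SERVICE = "psexesvc"


def _base(path):
    """Lower-cased file name from a Windows path."""
    return ntpath.basename(path or "").lower()


def _rclone_remote(command_line):
    """Return the rclone remote named in a command line, or None.

    A remote is written 'name:path'. A Windows drive ('D:\\CAD') has a
    one-character prefix and is skipped, as are option flags.
    """
    for tok in (command_line or "").split():
        head, sep, _ = tok.partition(":")
        if sep and len(head) > 1 and not head.startswith("-"):
            return head
    return None


def _finding(rule, technique, ev, detail, renamed):
    return {"rule": rule, "technique": technique, "host": ev.get("host"),
            "user": ev.get("user"), "detail": detail, "renamed_binary": renamed}


def _check_process(ev, approved_hosts):
    name = _base(ev.get("image"))
    orig = (ev.get("original_file_name") or "").lower()
    # Matching on the PE OriginalFileName as well as the on-disk name catches a
    # tool copied under a benign-looking name such as svchost.exe.
    renamed = bool(orig) and orig != name
    tool = orig or name
    if name in REMOTE_ADMIN_TOOLS or orig in REMOTE_ADMIN_TOOLS:
        if ev.get("host") in approved_hosts:
            return None  # sanctioned helpdesk host: suppress, do not alert
        return _finding("remote_admin_tool", "T1219", ev, tool, renamed)
    if name in EXFIL_TOOLS or orig in EXFIL_TOOLS:
        detail = tool
        remote = _rclone_remote(ev.get("command_line")) if tool == "rclone.exe" else None
        if remote:
            detail += f" -> remote '{remote}'"
        return _finding("exfil_tool", "T1567.002", ev, detail, renamed)
    if tool == PSEXEC_SERVICE + ".exe":
        return _finding("psexec_service_binary", "T1569.002", ev, tool, renamed)
    return None


def _check_service(ev):
    # PsExec installs its helper service on the target; the 7045 event is
    # the most reliable artifact of that.
    if ((ev.get("service_name") or "").lower() == PSEXEC_SERVICE
            or _base(ev.get("image_path")) == PSEXEC_SERVICE + ".exe"):
        return _finding("psexec_service_install", "T1569.002", ev,
                        ev.get("image_path"), False)
    return None


def hunt(lines, approved_hosts=frozenset()):
    """Run all rules over JSON log lines; returns findings in input order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped rather than aborting the hunt
        eid = ev.get("event_id")
        if eid == 1:
            f = _check_process(ev, approved_hosts)
        elif eid == 7045:
            f = _check_service(ev)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry for the example (not real logs from either victim).
SAMPLE_LOG = r"""
{"event_id": 1, "host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe", "original_file_name": "AnyDesk.exe", "command_line": "AnyDesk.exe --silent", "parent_image": "C:\\Windows\\explorer.exe"}
{"event_id": 1, "host": "FS02", "user": "CORP\\svc-backup", "image": "C:\\ProgramData\\svchost.exe", "original_file_name": "rclone.exe", "command_line": "svchost.exe copy D:\\Engineering\\CAD corpbackup:drawings --transfers 32", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"event_id": 7045, "host": "DC01", "user": "CORP\\svc-deploy", "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"}
{"event_id": 1, "host": "WS03", "user": "CORP\\asmith", "image": "C:\\Windows\\System32\\notepad.exe", "original_file_name": "NOTEPAD.EXE", "command_line": "notepad.exe notes.txt", "parent_image": "C:\\Windows\\explorer.exe"}
{"event_id": 1, "host": "ENG07", "user": "CORP\\bwhite", "image": "C:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\SRServer.exe", "original_file_name": "SRServer.exe", "command_line": "SRServer.exe", "parent_image": "C:\\Windows\\System32\\services.exe"}
{"event_id": 1, "host": "HELPDESK01", "user": "CORP\\helpdesk", "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "original_file_name": "AnyDesk.exe", "command_line": "AnyDesk.exe --service", "parent_image": "C:\\Windows\\System32\\services.exe"}
""".strip().splitlines()

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG, approved_hosts={"HELPDESK01"}):
        print(f"{f['technique']} {f['rule']:<24} {f['host']:<10} {f['detail']}"
              + ("  [renamed binary]" if f["renamed_binary"] else ""))
```

Run against the constructed sample, the hunt flags the AnyDesk drop in a user's Temp directory, the Rclone copy disguised as svchost.exe (caught only because the rule also compares the PE OriginalFileName, and reported with the remote it was pushing to), the PSEXESVC install on the domain controller, and the Splashtop streamer on an engineering workstation, while suppressing the sanctioned AnyDesk service on the helpdesk host. The allowlist is deliberately per host rather than per tool: a remote admin agent that is legitimate on one machine is exactly what an affiliate installs on the others.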