ZeroFox Intelligence Flash Report - Qilin's Latest Spree of Alleged Victims

In this Flash Report, ZeroFox researchers report on Qilin's most recent group of alleged victims and the collective's activity so far in 2026.

Standing Intelligence Requirements

For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:

View the full report here

Between June 2–5, 2026, ransomware and digital extortion (R&DE) threat actor Qilin claimed 15 new victims across nine countries in 72 hours; its targets spanned the healthcare, hospitality, manufacturing, consumer services, and critical infrastructure sectors.
Qilin (also known as Agenda) is a sophisticated Russian-language R&DE threat collective that primarily offers ransomware-as-a-service (RaaS) to affiliates and targets high-value critical infrastructure with a double extortion model.
On June 4, 2026, Qilin posted sensitive data samples allegedly from Avcon Jet—an Austrian-based and major European aviation company offering business jet management and chartered flights internationally—on its dark web leak site.
ZeroFox assesses that Qilin will very likely conclude Q2 2026 as the most active ransomware collective globally. This would signify both dominance in the first half of 2026 and an unbroken 12-month period as the leading ransomware threat actor, beginning in Q2 2025.