


Ransomware activity rose again in July 2025, with the Qilin ransomware group holding the top spot for the third time in four months.

The group listed 73 victims on its data leak site, 17.3% of the month's 423 recorded ransomware attacks.

This points to a consolidation of activity under a few well-established groups as the ransomware ecosystem reshapes itself after the decline of previously dominant operations such as RansomHub.

Qilin's sustained lead reflects a mature affiliate operation and a steady flow of new intrusions rather than a single large campaign.

Ransomware group distribution (Source – Cyble)

The ransomware-as-a-service operation has been remarkably consistent in acquiring victims, well ahead of its nearest rival, INC Ransom, which listed 59 victims in the same period.

The United States bore the brunt of these attacks with 223 victims, eight times the count of second-place Canada, confirming the continued focus on high-value Western targets.

Cyble researchers counted 25 ransomware incidents against critical infrastructure in July, with Qilin particularly active against government and law enforcement, energy and utilities, and telecommunications.

A further 20 incidents carried potential supply chain consequences because the victims were application software providers whose products or access could be used to reach their customers.

The group's target selection shows a deliberate strategy of maximizing both ransom leverage and operational disruption.

Exploitation of Enterprise Vulnerabilities

Qilin's success is partly down to its systematic exploitation of known enterprise vulnerabilities.

The group has weaponized seven critical flaws, including CVE-2023-48788, an SQL injection vulnerability in Fortinet FortiClientEMS affecting versions 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10.
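A triage check for the FortiClientEMS version ranges given above, as an added example that is not part of the Cyble report or any Fortinet tooling. The ranges come from the text; the inventory, hostnames and helper names are this example's own. It parses versions into integer tuples because a plain string comparison sorts "7.0.10" before "7.0.9" and would mark a vulnerable build as safe.

```python
"""Flag FortiClientEMS hosts whose version falls in the CVE-2023-48788 ranges
stated in the article. Example code, not Fortinet's or Cyble's."""

# Affected ranges as stated in the text, inclusive on both ends.
AFFECTED_RANGES = [
    ((7, 2, 0), (7, 2, 2)),
    ((7, 0, 1), (7, 0, 10)),
]


def parse_version(text):
    """Turn '7.0.10' (optionally followed by build info) into (7, 0, 10).

    Integer tuples compare numerically, so (7, 0, 10) > (7, 0, 9); the string
    '7.0.10' sorts before '7.0.9', which is exactly the mistake to avoid.
    """
    head = text.strip().split()[0]
    parts = head.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """True if the version sits inside any of the affected ranges."""
    version = parse_version(version_text)
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """inventory: {hostname: version string}. Returns hosts needing the patch."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ems-prod-01": "7.2.1",          # inside 7.2.0-7.2.2
    "ems-prod-02": "7.2.3",          # first fixed 7.2.x build
    "ems-lab-01": "7.0.10 build 123",  # last affected 7.0.x build
    "ems-lab-02": "7.0.11",          # fixed
    "ems-old-01": "7.0.0",           # below the 7.0.x range
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs patch:", host)
```

Feed it the version strings from your asset inventory or from the EMS web console; anything it flags should be patched or isolated before the UNION-style requests discussed next are even worth worrying about.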

This vulnerability lets an unauthenticated attacker execute arbitrary SQL against the EMS server through specially crafted requests. The payload below is a generic UNION-based injection of the kind involved, using MySQL-style function names; it illustrates the technique and is not the exploit string for CVE-2023-48788 itself:

```sql
' UNION SELECT user(), database(), version()--
```

Other initial access vectors include CVE-2019-18935, an insecure .NET deserialization flaw in the RadAsyncUpload handler of Progress Telerik UI for ASP.NET AJAX, and CVE-2025-5777, an out-of-bounds memory read in Citrix NetScaler ADC and Gateway that can leak memory contents such as session tokens.

On-premises Microsoft SharePoint Server environments are exposed through four recently disclosed vulnerabilities, CVE-2025-53770, CVE-2025-53771, CVE-2025-49704 and CVE-2025-49706, where the first pair bypasses the patches issued for the second pair and the four are chained together in the wild.

The persistence of these exploitation patterns makes proactive patch management and timely vulnerability remediation essential.

Organizations should prioritize hardening internet-facing applications, removing management interfaces from the internet where possible, and enforcing network segmentation so that a successful initial compromise cannot spread freely.
