We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Ransom:Linux/Qilin!rfn
Aliases: No associated aliases
Summary
Ransom:Linux/Qilin!rfn is a Linux/ESXi-targeting payload that is part of a Qilin ransomware-as-a-service (RaaS) operation. Qilin has operated since 2022, however, it re-emerged as a major threat in 2025 by targeting Linux environments with C (Linux/ESXi) payloads.
Once a Linux/ESXi device is infected, it encrypts files with .qilin extensions and provided ransomware notes that demand ransom payment via Tor. It uses Bring Your Own Vulnerable Driver (BYOVD) tactics to deactivate antivirus software. It exploits known vulnerabilities including CVE-2024-21762 (remote code execution) and CVE-2023-27532 (credential theft).
The !rfn suffix denotes heuristic detection, where “r” signifies ransomware behavior, “f” indicates file encryption/manipulation, and “n” represents network propagation and communication with command and control servers.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
