Ransom:Win32/Qilinloader!rfn
Aliases: No associated aliases
Summary
Ransom:Win32/Qilinloader!rfn is a malicious loader used by the Qilin ransomware, a ransomware-as-a-service (RaaS) operation first documented in August 2022. Its payload is the main Qilin ransomware binary, which is multi-platform: it targets Windows, Linux and VMware ESXi hosts, including embedded devices. Qilin has also been associated with the state-sponsored threat actor Moonstone Sleet, which has shared resources with the operation since February 2025.
Qilinloader reaches devices through phishing emails, trojanized applications, malicious npm packages, or fake software development tools. Once deployed, it delivers the Qilin payload, which exfiltrates and encrypts data and then extorts the victim with a ransom demand; targets range from small and medium-sized enterprises to large firms.
The !rfn suffix in Microsoft's naming scheme indicates a heuristic detection of a Qilinloader variant rather than a full static signature: the sample is flagged through behavior monitoring, not by a previously defined signature, which reflects the loader's continually changing evasion techniques.
A device infected with Qilinloader can be remediated with the following actions:
- Disconnect infected devices from networks/internet to halt data exfiltration.
- Delete the %User Temp%\QLOG directory and its associated .LOG/.jpg files.
- Manually remove malicious auto-start entries under HKEY_LOCAL_MACHINE\...\Run, and revert the file symlink evaluation policies to their defaults (SymlinkRemoteToLocalEvaluation=0 and SymlinkRemoteToRemoteEvaluation=0); non-default values let a process follow symbolic links to remote shares.
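The steps above, combined into one elevated PowerShell helper. This is an added example written for this page, not Microsoft's own remediation tooling. It assumes the two symlink values live under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem (where fsutil behavior set SymlinkEvaluation stores them), treats an absent value as the default, and, because the page does not say which Run key the loader uses, enumerates the standard Run/RunOnce keys and only flags entries for analyst review rather than deleting them. Without -Remediate it reports; with -Remediate it isolates the host, removes the QLOG directory, resets the symlink values, updates Defender signatures and starts a full scan.

```powershell
# Added example, not part of the original page. Run as Administrator.
[CmdletBinding()]
param(
    [switch]$Remediate   # report only unless this switch is given
)
$ErrorActionPreference = 'Stop'

# Assumption: registry home of the SymlinkEvaluation policies (fsutil writes here).
$fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$symlinkDefaults = @{
    SymlinkRemoteToLocalEvaluation  = 0
    SymlinkRemoteToRemoteEvaluation = 0
}
# Assumption: the page only says "HKLM\...\Run"; these are the standard keys to review.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$qlogDir = Join-Path $env:TEMP 'QLOG'    # %User Temp%\QLOG from the page

# Step 1: cut every active adapter so exfiltration stops (disruptive, so only on -Remediate).
function Invoke-Isolation {
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
        Write-Host "Disabling adapter $($_.Name)"
        Disable-NetAdapter -Name $_.Name -Confirm:$false
    }
}

# Step 2: list the .LOG/.jpg artifacts in the QLOG directory, then remove it if asked.
function Get-QlogArtifacts {
    if (-not (Test-Path $qlogDir)) { return @() }
    Get-ChildItem -Path $qlogDir -Recurse -File |
        Where-Object { $_.Extension -in '.log', '.jpg' } |
        Select-Object FullName, Length, LastWriteTime
}
function Remove-QlogDirectory {
    if (Test-Path $qlogDir) { Remove-Item -Path $qlogDir -Recurse -Force }
}

# Step 3: compare the symlink policies with their defaults; absent value == default.
function Get-SymlinkDrift {
    foreach ($name in $symlinkDefaults.Keys) {
        $current = (Get-ItemProperty -Path $fsKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $current) { $current = $symlinkDefaults[$name] }
        if ($current -ne $symlinkDefaults[$name]) {
            [pscustomobject]@{ Name = $name; Current = $current; Expected = $symlinkDefaults[$name] }
        }
    }
}
function Reset-SymlinkPolicy {
    foreach ($name in $symlinkDefaults.Keys) {
        Set-ItemProperty -Path $fsKey -Name $name -Value $symlinkDefaults[$name] -Type DWord
    }
}

# Step 4: enumerate Run entries; heuristic flag for commands launched out of %TEMP% or QLOG.
function Get-RunEntries {
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            $cmd = [string]$p.Value
            $suspect = $cmd -match [regex]::Escape($env:TEMP) -or $cmd -match '\\QLOG\\'
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Suspect = $suspect }
        }
    }
}

# Step 5: refresh signatures and run a full Defender scan for remnant artifacts.
function Invoke-DefenderScan {
    Update-MpSignature
    Start-MpScan -ScanType FullScan
}

# --- main ---
Write-Host "QLOG artifacts:";        Get-QlogArtifacts | Format-Table -AutoSize
Write-Host "Symlink policy drift:";  Get-SymlinkDrift  | Format-Table -AutoSize
Write-Host "Run entries (review Suspect=True manually):"
Get-RunEntries | Format-Table -AutoSize

if ($Remediate) {
    Invoke-Isolation
    Remove-QlogDirectory
    Reset-SymlinkPolicy
    Invoke-DefenderScan
    Write-Host "Remediation applied; Run entries were listed but not removed."
}
```

Run it once without the switch to capture the evidence (the artifact list, the drifted policy values and the Run entries) before anything is changed, then again with -Remediate. The Run entries are deliberately left for a human because deleting the wrong auto-start value on a production host is its own incident.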
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.