Published Mar 22, 2024 | Updated Aug 04, 2025

Ransom:Win32/Qilinloader.AL!MTB

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Ransom:Win32/Qilinloader.AL!MTB is a malicious loader that embeds the functionality of Qilin ransomware, a ransomware-as-a-service (RaaS) first documented in August 2022. It is distinct from Ransom:Win32/Qilinloader!rfn: the !MTB suffix denotes that this detection is signature-based. It is a self-contained ransomware payload with its own encryption logic, exclusion lists of paths and file types it does not encrypt, and ransom note generation.

It targets Windows, Linux and VMware ESXi hosts, including embedded devices. Qilin is also associated with Moonstone Sleet, a state-sponsored threat actor that has shared resources with the Qilin operation since February 2025.

Qilinloader reaches devices through phishing emails, trojanized applications, malicious npm packages, or fake software development tools. Once deployed, it exfiltrates and encrypts data and then extorts the victim with a ransom demand; targets range from small and medium-sized enterprises to large firms.

Devices infected with Qilinloader can be remediated with the following actions:

  • Disconnect infected devices from the network and the internet to halt data exfiltration.
  • Delete the %User Temp%\QLOG directory and the associated .LOG and .jpg files it contains.
  • Manually remove malicious auto-start entries under HKEY_LOCAL_MACHINE\...\Run, and revert the file-system symbolic-link evaluation policy to the Windows defaults (SymlinkRemoteToLocalEvaluation=0 and SymlinkRemoteToRemoteEvaluation=0), which disables following symbolic links that point at remote shares.
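The triage and cleanup steps above, as an added PowerShell example; this is not Microsoft's code and not part of the original page. It assumes %User Temp%\QLOG resolves to $env:TEMP\QLOG, that the elided Run key is one of the two standard HKLM Run keys, and that the symlink policy values live under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem (where fsutil stores them). The function names, the -Remediate switch and the "command launched from the temp directory" heuristic are this example's own, not indicators from the page. Isolate the host first (pull the network or use your EDR's isolation action), run the audit in an elevated session, review the listed Run entries by hand, and only then pass the confirmed-malicious value names to the cleanup.

```powershell
# Added example (not Microsoft's code): audit and revert the Qilinloader artifacts
# named on the Defender page. Hypothetical names; run in an elevated session.

$RunKeys = @(  # assumed expansion of the page's HKEY_LOCAL_MACHINE\...\Run
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$FsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'   # where fsutil keeps SymlinkEvaluation
$LogDir = Join-Path $env:TEMP 'QLOG'                            # assumed %User Temp%\QLOG

function Get-QilinloaderArtifacts {
    # Read-only audit: reports the three artifact classes without changing anything.
    $fs = Get-ItemProperty -Path $FsKey -ErrorAction SilentlyContinue
    $r2l = [int]($fs.SymlinkRemoteToLocalEvaluation)   # missing value => 0 (Windows default)
    $r2r = [int]($fs.SymlinkRemoteToRemoteEvaluation)

    $qlogFiles = @()
    if (Test-Path -LiteralPath $LogDir) {
        # The page names .LOG and .jpg files inside QLOG; match case-insensitively.
        $qlogFiles = Get-ChildItem -LiteralPath $LogDir -Force -File |
            Where-Object { $_.Extension -in '.log', '.jpg' }
    }

    $runEntries = foreach ($k in $RunKeys) {
        if (-not (Test-Path -Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PowerShell's own PSPath/PSParentPath etc.
            [pscustomobject]@{
                Key     = $k
                Name    = $p.Name
                Command = [string]$p.Value
                # Heuristic of this example only: persistence that launches from the user temp
                # directory is worth a close look. Confirm manually before deleting anything.
                Suspicious = ([string]$p.Value) -like "*$($env:TEMP)*"
            }
        }
    }

    [pscustomobject]@{
        QlogDirExists       = (Test-Path -LiteralPath $LogDir)
        QlogFiles           = $qlogFiles.FullName
        RunEntries          = $runEntries
        SymlinkR2L          = $r2l
        SymlinkR2R          = $r2r
        SymlinkPolicyAltered = ($r2l -ne 0 -or $r2r -ne 0)   # defaults are both 0
    }
}

function Invoke-QilinloaderCleanup {
    param(
        # Run value names the analyst has confirmed as malicious (from the audit output).
        [string[]]$RunValueNames = @(),
        # Preserve a copy of QLOG for forensics before deleting it.
        [string]$EvidenceDir = (Join-Path $env:SystemDrive 'IR-Evidence')
    )
    # 1. Copy then delete the QLOG directory and the .LOG/.jpg files inside it.
    if (Test-Path -LiteralPath $LogDir) {
        New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
        Copy-Item -LiteralPath $LogDir -Destination $EvidenceDir -Recurse -Force
        Remove-Item -LiteralPath $LogDir -Recurse -Force
    }
    # 2. Remove only the auto-start values that were confirmed malicious.
    foreach ($name in $RunValueNames) {
        foreach ($k in $RunKeys) {
            Remove-ItemProperty -Path $k -Name $name -ErrorAction SilentlyContinue
        }
    }
    # 3. Revert remote symlink evaluation to the Windows defaults (R2L and R2R disabled).
    #    fsutil writes SymlinkRemoteToLocalEvaluation / SymlinkRemoteToRemoteEvaluation = 0.
    & fsutil.exe behavior set SymlinkEvaluation R2L:0 R2R:0 | Out-Null
    Get-QilinloaderArtifacts   # re-audit so the caller can see the post-cleanup state
}

# Usage: audit first, review RunEntries, then clean up with the confirmed names.
$audit = Get-QilinloaderArtifacts
$audit | Format-List
$audit.RunEntries | Format-Table Key, Name, Suspicious, Command -AutoSize
# Invoke-QilinloaderCleanup -RunValueNames @('<confirmed value name>') | Format-List
```

The audit is deliberately read-only and the cleanup takes an explicit list of Run value names rather than deleting whatever looks odd, because the page does not name the persistence entry and a wrong guess removes legitimate startup items. After the cleanup, `fsutil behavior query SymlinkEvaluation` should report remote-to-local and remote-to-remote links as disabled, and a full Defender scan with updated definitions should follow.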

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts. 

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help. 
