Ransomware

Qilin Ransomware and the Chrome Credential Harvesting Gambit

A Qilin ransomware affiliate turned Active Directory Group Policy into a domain-wide harvester, pushing a script to every domain-joined machine that extracted the credentials users had saved in Google Chrome.

James
Senior Security Engineer
6 min read

In August 2024, the Sophos X-Ops team documented a technique from a Qilin ransomware affiliate that raised eyebrows across the threat intelligence community. The attackers used Active Directory Group Policy to deploy a script that harvested saved credentials from Google Chrome browsers across every machine in the domain. This was not a new capability per se -- credential dumping tools have existed for years -- but the scale and automation of the approach represented a meaningful evolution.

The technique had implications far beyond the immediate victim organization. Saved browser credentials often include access to cloud services, SaaS platforms, vendor portals, and supply chain management systems. A single Qilin compromise could yield credentials for dozens of connected organizations.

The Technique in Detail

The attack flow was methodical:

  1. Initial access came through compromised VPN credentials for an account without MFA enabled
  2. The attacker moved laterally for 18 days, eventually compromising a domain controller
  3. A Group Policy Object (GPO) was created whose logon script launched a PowerShell harvester on every domain-joined machine each time a user signed in, so the script ran in that user's own security context
  4. The script copied each Chrome profile's Login Data SQLite database and decrypted the saved usernames and passwords with the user's own DPAPI-protected key
  5. Harvested credentials were written to a share on the domain controller for collection
  6. After collection, the attackers deleted the harvested files, removed the GPO and cleared event logs
  7. Standard ransomware deployment followed, encrypting systems across the domain

The critical insight is that steps 3-6 happened before the ransomware deployment. The credential harvesting was a separate, deliberate operation designed to maximize the long-term value of the compromise, even if the victim recovered from the ransomware itself.

Supply Chain Implications

The supply chain risk from mass credential harvesting is substantial. Consider what a typical employee's Chrome browser might contain:

  • Cloud platform credentials: AWS, Azure, GCP console logins
  • SaaS application passwords: Salesforce, Jira, Confluence, Slack
  • Vendor portal access: procurement systems, supplier management platforms
  • Code repository credentials: GitHub, GitLab, Bitbucket
  • CI/CD platform access: Jenkins, CircleCI, GitHub Actions
  • Package registry credentials: npm, PyPI, Maven Central publish tokens

A single organization's Chrome credential dump could contain the keys to compromise dozens of upstream and downstream partners. The attacker does not need to exploit any software vulnerability -- they just log in with stolen credentials.

The Multiplier Effect

Qilin's credential harvesting creates a multiplier effect for supply chain attacks. Each compromised organization yields credentials that can be used to:

  1. Access vendor portals and modify orders or shipments
  2. Log into code repositories and inject malicious code
  3. Access CI/CD pipelines and tamper with build processes
  4. Compromise SaaS platforms that serve multiple organizations
  5. Access cloud environments hosting shared services

This makes every Qilin compromise a potential upstream supply chain attack. The ransomware itself is almost a distraction -- the real damage may come weeks or months later when harvested credentials are used to compromise connected organizations.

Browser Credential Storage: The Uncomfortable Truth

Chrome on Windows keeps saved logins in each profile's Login Data SQLite database. Each password is encrypted with AES-256-GCM under a key that lives in the User Data directory's Local State file, wrapped with the Data Protection API (DPAPI). DPAPI ties that wrapping to the user's Windows logon secret, so this is encryption at rest against someone who walks off with the disk. It is not a boundary inside the session: any process running as that user can call CryptUnprotectData, recover the key and decrypt every entry. A GPO logon script runs in exactly that context, so it bypasses nothing; it simply runs as the victim. A domain administrator can also go around the user entirely, because domain-joined users' DPAPI master keys are escrowed under the domain's DPAPI backup key, which a domain admin can extract from a domain controller. Chrome's App-Bound Encryption, shipped with Chrome 127 in July 2024 (initially for cookies), moves key unwrapping into a Chrome service running as SYSTEM; that stops a plain user-context script, but not an attacker who already has administrative control of the host.

The uncomfortable truth is that an enormous number of credentials sit in browsers behind protection that is essentially theater against an attacker running code as the user or as an administrator. Password managers with a master password fare better because the vault key is derived from a secret the Windows logon does not hold; the gain is in the locked state and in the absence of a DPAPI-recoverable key on disk, since an unlocked vault is still readable by code running as the user. Adoption rates remain low, particularly in organizations that do not mandate them.

Qilin's Evolution

Qilin (also known as Agenda) has been operating since mid-2022, when it was first reported as a Golang-based Windows encryptor; a Rust rewrite followed by the end of that year. The group has evolved significantly:

2022-2023: Added Linux/ESXi encryptors alongside the Windows builds, so that an affiliate can take down hypervisors and the guests running on them in one pass.

2023-2024: Broadened its victimology and adopted a more aggressive double-extortion model. The group's leak site became one of the more active in the ecosystem.

2024: Introduction of the credential harvesting technique described above and increased focus on supply chain implications. The group also hit healthcare organizations, drawing attention from law enforcement.

The credential harvesting innovation suggests that Qilin's operators (or at least some affiliates) are thinking beyond immediate ransomware revenue and considering the longer-term strategic value of compromised credentials.

Detection and Response

Detecting the credential harvesting technique requires monitoring at several layers:

Group Policy monitoring. New GPOs that deploy scripts should trigger alerts. In most environments, GPO creation is infrequent enough that any new GPO warrants review. On domain controllers with Directory Service Changes auditing enabled, GPO creation surfaces as Security event 5137 (directory service object created) for an object of class groupPolicyContainer, and later edits as 5136; watch in particular for changes to gPCUserExtensionNames and gPCMachineExtensionNames, which is where a logon or startup script registers its client-side extension. The script file itself lands in SYSVOL under Policies\{GUID}\User\Scripts\Logon or Policies\{GUID}\Machine\Scripts\Startup, so a file-integrity watch on those paths catches the payload even where directory auditing is thin.

Chrome database access. Monitor for processes other than chrome.exe touching %LOCALAPPDATA%\Google\Chrome\User Data\<profile>\Login Data, and Local State alongside it (that file holds the wrapped key). Chrome keeps the live database locked while it runs, so harvesting scripts almost always copy the file first; a PowerShell or script host reading or copying a file named Login Data is the pattern to alert on. EDR solutions can detect this access pattern.

Network share activity. Collecting the loot to one shared location creates a signal that normal SYSVOL or admin-share traffic does not: many workstations writing files into the same folder on the domain controller in a short window. Clients normally only read SYSVOL, so fan-in writes from dozens of hosts (Security event 5145 with a write access mask on the SYSVOL share) are worth an alert on their own, independent of what the files contain.

Post-incident credential rotation. If Qilin (or any attacker) had domain admin access, assume all browser-saved credentials are compromised. This means rotating not just domain credentials, but every password saved in browsers across all affected machines. This is an enormous operational burden but essential for preventing downstream attacks.

The Rotation Challenge

The credential rotation challenge is worth emphasizing. After a Qilin incident, the victim organization needs to:

  1. Identify all machines where the GPO executed
  2. Determine which Chrome profiles existed on those machines
  3. Enumerate all credentials stored in those profiles
  4. Notify every service provider whose credentials may be compromised
  5. Rotate credentials across all affected services
  6. Implement MFA where it was not previously enabled

This process can take weeks and requires cooperation from dozens of third-party service providers. Many organizations underestimate the scope of this effort during incident response.

Mitigation Strategies

Eliminate saved browser credentials. Use a dedicated password manager rather than browser-based credential storage, and turn the browser's own manager off on managed machines so users cannot drift back (for Chrome on Windows, the PasswordManagerEnabled policy under HKLM\Software\Policies\Google\Chrome set to 0). Enterprise password managers keep the vault under a key that is not recoverable from the Windows logon alone, so a user-context script cannot dump it from disk; they do not make an unlocked vault invisible to malware running as the user, which is why the MFA and tiered-access controls below still matter.

Enforce MFA universally. A stolen password alone then does not log anyone in, which makes MFA the single most effective mitigation against credential harvesting. Two caveats: prefer phishing-resistant methods (FIDO2/WebAuthn), because harvested passwords are routinely paired with push-fatigue or relay phishing to get past weaker factors; and remember that session cookies in the same Chrome profile are a second prize for the same harvester (on Chrome versions without App-Bound Encryption they sit behind the same key), and a replayed cookie walks past MFA for as long as the session stays valid.

Monitor GPO changes. Implement real-time alerting on Group Policy modifications. Any new GPO that deploys scripts should require human approval.

Segment administrative access. Domain administrators should use dedicated workstations that do not browse the internet or save credentials. Tiered administrative access prevents a single compromised account from reaching all machines.

Implement credential hygiene policies. Regular credential rotation, prohibition of password reuse, and elimination of shared credentials reduce the blast radius of any credential theft incident.

How Safeguard.sh Helps

Safeguard.sh addresses the downstream supply chain risks that Qilin's credential harvesting creates. The platform's continuous monitoring detects unauthorized access to code repositories and CI/CD pipelines -- the systems most likely to be targeted using stolen developer credentials. Safeguard's SBOM tracking identifies when software components change unexpectedly, which can indicate that a compromised credential was used to inject malicious code upstream. The platform's integration with identity providers enables automated alerts when access patterns change after a credential theft incident at a connected organization. For organizations recovering from a Qilin attack, Safeguard's supply chain mapping helps identify which downstream partners and customers need to be notified about potential credential exposure, turning what is often a chaotic manual process into a structured response.
