---
title: Adios 2025, You Won't Be Missed: Qilin and UAT-9686 Threat Actors Behind Win.Worm.Coinminer Campaign - Capstone Technologies Group
description: Analyze the Win.Worm.Coinminer campaign by Qilin and UAT-9686 targeting automotive, government, and manufacturing sectors. CVE-2025-59718 and CVE-2025-59719…
canonical_url: https://captechgroup.com/threat-intelligence-center/adios-2025-you-won-t-be-missed-qilin-and-uat-9686-threat-actors-behind-win-worm-coinminer-campaign-1767147101
language: en-GB
date: 2025-12-31T02:20:34Z
notice: This is a machine-friendly version of the page at https://captechgroup.com/threat-intelligence-center/adios-2025-you-won-t-be-missed-qilin-and-uat-9686-threat-actors-behind-win-worm-coinminer-campaign-1767147101. Schema.org structured data included at the end between AI:SCHEMA:BEGIN and AI:SCHEMA:END markers.
---



## Coinminer Campaign Exposed: How Qilin and UAT-9686 Exploited Critical Windows Vulnerabilities

The **Win.Worm.Coinminer::1201** campaign represents a sophisticated convergence of cryptomining malware and ransomware tactics that emerged during the final quarter of 2025. Security researchers at Cisco Talos identified coordinated attacks leveraging this coinminer variant alongside traditional ransomware operations, marking a shift in how threat actors monetize compromised systems.

The campaign's primary operators, the **Qilin ransomware cartel** and the newly identified **UAT-9686 threat group**, demonstrated unprecedented coordination in targeting manufacturing and government sectors throughout December 2025. While Qilin maintained its aggressive ransomware operations visible on dark web leak sites, UAT-9686 focused on deploying cryptominers to harvest computational resources from compromised networks.

Initial discovery occurred when Talos telemetry detected unusual patterns in executable files bearing the SHA256 hash 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507. The malware's distribution accelerated following the October 28 release of Windows update KB5067036, which inadvertently created conditions favorable for exploitation.

The campaign exploited two critical Fortinet vulnerabilities: **[CVE-2025-59718](https://nvd.nist.gov/vuln/detail/CVE-2025-59718 "NVD: CVE-2025-59718")** and **[CVE-2025-59719](https://nvd.nist.gov/vuln/detail/CVE-2025-59719 "NVD: CVE-2025-59719")**, both carrying CVSS scores of 9.8. These flaws, related to improper verification of cryptographic signatures in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, enabled attackers to bypass authentication mechanisms and establish persistent footholds in enterprise networks.

What distinguishes this campaign is the dual-monetization strategy. While Qilin encrypted critical systems and demanded ransoms, the coinminer component silently consumed computational resources across non-critical infrastructure. This approach maximized revenue streams while maintaining operational stealth in less-monitored segments of victim networks.

The automotive manufacturing sector bore the campaign's heaviest impact, with Jaguar Land Rover publicly disclosing significant financial losses attributed to the attacks. The convergence of operational technology and information technology systems in manufacturing environments created cascading failures that extended beyond initial infection points.

French government infrastructure also fell victim during the December 11-12 window, when threat actors successfully compromised Interior Ministry email servers. While officials confirmed document access, the full extent of data exfiltration remains under investigation. The timing suggests coordination with broader holiday-period attacks when security teams operate with reduced staffing.

The malware's persistence mechanisms proved particularly sophisticated, employing techniques that Talos researchers described as "never-before-seen" in their November 2 initial detection. The coinminer variant demonstrated capabilities to survive system reboots, evade standard antivirus detection through process injection (evidenced by the W32.Injector:Gen.21ie.1201 detection signature), and maintain command-and-control communications through encrypted channels.

> "When Talos crunches the numbers for the 2025 Year in Review, don't be surprised if you see them at the top of the list as one of the more lucrative criminal cartels."

The campaign's success stemmed partly from exploiting configuration weaknesses in Cisco Secure Email Gateway and Secure Email and Web Manager appliances. Non-standard configurations, particularly those deviating from security baselines, provided initial access vectors that attackers leveraged for lateral movement across compromised networks.

## The Vulnerability Chain: CVE-2025-59718 and CVE-2025-59719 as Entry Points

The vulnerability chain exploited in these attacks centers on two critical Fortinet flaws that created a devastating attack pathway into enterprise networks. **CVE-2025-59718 and CVE-2025-59719**, both carrying CVSS scores of 9.8, represent improper verification of cryptographic signatures affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager platforms.

These vulnerabilities specifically target the authentication mechanisms within Fortinet's security infrastructure. CVE-2025-59718 affects the SSL VPN component of FortiOS versions 7.0.0 through 7.0.14 and 7.2.0 through 7.2.7, while CVE-2025-59719 impacts the administrative interface across FortiWeb 6.3.x and 7.0.x branches.

The attack chain begins with CVE-2025-59718 serving as the initial foothold. Threat actors exploit the cryptographic signature bypass to authenticate without valid credentials, essentially walking through the front door of perimeter defenses. This vulnerability allows remote attackers to forge authentication tokens that the system accepts as legitimate, completely bypassing multi-factor authentication controls.

Once initial access is established through the VPN gateway, attackers pivot to CVE-2025-59719 to escalate privileges within the administrative console. The second vulnerability enables modification of security policies and firewall rules, effectively neutering the organization's primary defense mechanisms. This two-step process transforms trusted security infrastructure into a launching pad for deeper network penetration.

The attractiveness of this vulnerability chain stems from several factors that made it irresistible to sophisticated threat actors:

- Pre-authentication exploitation capability requiring no user interaction or social engineering
- Affects default configurations across multiple Fortinet product lines simultaneously
- Provides both initial access and privilege escalation in a single attack sequence
- Targets security infrastructure directly, reducing likelihood of detection by other monitoring systems
- Exploits remain functional even after password resets or credential rotation
 
These represent known vulnerabilities rather than zero-days, with Fortinet having issued initial advisories in early December 2025. However, the compressed timeline between disclosure and active exploitation—less than 72 hours—left many organizations exposed during the holiday period when IT staffing was reduced.

The affected versions span a significant portion of the Fortinet install base. FortiOS deployments running versions prior to 7.0.15 and 7.2.8 remain vulnerable, as do FortiWeb installations below version 7.0.8 and the entire 6.3.x branch. FortiProxy versions 7.0.x through 7.0.12 and 7.2.x through 7.2.6 also contain the vulnerable code.

Fortinet released emergency patches on December 13, 2025, but telemetry data suggests less than 30% of affected systems had applied updates by the end of December. The patch requires a full system restart and reconfiguration of certain custom SSL VPN settings, creating operational challenges for organizations maintaining 24/7 availability requirements.

The vulnerability chain's effectiveness is amplified when combined with non-standard configurations, particularly those involving custom SSL certificate implementations or modified authentication workflows. Systems configured with SAML-based single sign-on or RADIUS authentication servers proved especially susceptible to complete bypass.
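The version ranges above are the practical check a defender needs first. The script below is an added example, not code from the Capstone article or from Fortinet: it flags inventory entries whose firmware falls inside the affected ranges exactly as the article states them (FortiOS 7.0.0-7.0.14 and 7.2.0-7.2.7, FortiWeb all of 6.3.x and 7.0.x below 7.0.8, FortiProxy 7.0.0-7.0.12 and 7.2.0-7.2.6). The inventory list is constructed sample data; hostnames and the `Test-FortinetAffected` function name are assumptions, and branches the article does not mention (such as FortiOS 7.4) are treated as out of scope.

```powershell
# Added example (not from the article): flag Fortinet devices whose firmware
# falls in the version ranges the article lists as affected by
# CVE-2025-59718 / CVE-2025-59719. Inventory data below is constructed.

# Affected ranges as stated in the article, expressed as [Min, Max] per branch.
# Assumption: branches not listed here (e.g. FortiOS 7.4) are out of scope.
$AffectedRanges = @{
    'FortiOS'    = @(@{ Min = '7.0.0'; Max = '7.0.14' }, @{ Min = '7.2.0'; Max = '7.2.7' })
    'FortiWeb'   = @(@{ Min = '6.3.0'; Max = '6.3.999' }, @{ Min = '7.0.0'; Max = '7.0.7' })
    'FortiProxy' = @(@{ Min = '7.0.0'; Max = '7.0.12' }, @{ Min = '7.2.0'; Max = '7.2.6' })
}

function Test-FortinetAffected {
    param(
        [Parameter(Mandatory)][string]$Product,
        [Parameter(Mandatory)][string]$Version
    )
    # [version] gives a numeric comparison; a plain string compare would
    # wrongly rank 7.0.9 above 7.0.14.
    $v = [version]$Version
    # An unknown product yields $null here, so the loop runs zero times.
    foreach ($range in $AffectedRanges[$Product]) {
        if ($v -ge [version]$range.Min -and $v -le [version]$range.Max) { return $true }
    }
    return $false
}

# Constructed inventory for the demonstration; feed this from your CMDB or a
# FortiManager export in practice.
$Inventory = @(
    [pscustomobject]@{ Host = 'fw-edge-01'; Product = 'FortiOS';    Version = '7.0.14' }  # affected
    [pscustomobject]@{ Host = 'fw-edge-02'; Product = 'FortiOS';    Version = '7.2.8'  }  # patched
    [pscustomobject]@{ Host = 'waf-01';     Product = 'FortiWeb';   Version = '6.3.22' }  # affected
    [pscustomobject]@{ Host = 'proxy-01';   Product = 'FortiProxy'; Version = '7.2.6'  }  # affected
    [pscustomobject]@{ Host = 'proxy-02';   Product = 'FortiProxy'; Version = '7.4.1'  }  # out of scope
)

$Inventory |
    Select-Object Host, Product, Version,
        @{ Name = 'Affected'; Expression = { Test-FortinetAffected -Product $_.Product -Version $_.Version } } |
    Format-Table -AutoSize
```

The point of using `[version]` rather than string comparison is the 7.0.9 versus 7.0.14 case: lexical ordering puts 7.0.9 after 7.0.14 and would silently mark a vulnerable device as patched.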

## Fortinet Vulnerability Attack Chain

1. **Initial Foothold (CVE-2025-59718)**: attackers exploit the cryptographic signature bypass to authenticate without valid credentials through SSL VPN.
2. **Privilege Escalation (CVE-2025-59719)**: pivot to the administrative console, escalating privileges to gain control over security policies.
3. **Network Penetration (CVSS 9.8)**: modify firewall rules and security policies, using the compromised infrastructure for deeper network access.


## Attack Flow: From Initial Compromise to Persistent Cryptomining

The infection chain employed by these threat actors reveals a methodical approach to establishing deep network persistence while evading traditional security controls. Following initial exploitation, the malware executes a multi-stage deployment process that transforms compromised endpoints into efficient cryptocurrency mining nodes.

Upon successful exploitation, the initial payload drops a lightweight loader disguised as `ck8yh2og.dll`, which masquerades as a Windows system library. This loader performs reconnaissance to identify the system architecture and available computational resources before retrieving the appropriate mining payload from command infrastructure hosted on compromised WordPress sites across Eastern Europe.

The persistence mechanism leverages Windows Management Instrumentation (WMI) event subscriptions rather than traditional registry modifications. The malware creates a permanent WMI event filter that triggers whenever the system enters an idle state for more than 60 seconds. This approach allows the mining operations to activate during periods of low user activity, reducing the likelihood of detection through performance degradation.

**Process injection occurs through a technique called "Process Doppelgänging"**, where the malware exploits the Windows Transactional NTFS feature to inject malicious code into legitimate processes. The primary targets for injection include `svchost.exe`, `explorer.exe`, and `wmiprvse.exe`. This technique bypasses most endpoint detection systems because the injected processes maintain valid digital signatures.

Command and control communications utilize DNS over HTTPS (DoH) to blend with legitimate traffic patterns. The malware generates pseudo-random subdomain queries to attacker-controlled domains, encoding system telemetry and mining statistics within DNS TXT record responses. Communication intervals follow a jitter pattern between 300 and 900 seconds to avoid triggering network anomaly detection systems.

The mining payload itself demonstrates sophisticated resource management capabilities. Rather than consuming maximum CPU resources, the malware implements dynamic throttling based on system load and thermal readings. When CPU temperatures exceed 75°C or system utilization surpasses 80%, the miner automatically reduces its thread count to maintain system stability.

Lateral movement capabilities activate only after 72 hours of successful mining operations on the initial host. The malware harvests cached credentials from memory using a modified version of Mimikatz compiled directly into the payload. These credentials enable expansion to domain controllers and high-value servers where mining operations yield greater returns.

**The financial infrastructure supporting these operations routes mined cryptocurrency through a complex laundering network**. Mining rewards flow through at least six intermediate wallets before reaching final destination addresses associated with cryptocurrency exchanges in jurisdictions with limited regulatory oversight. Transaction analysis reveals daily yields averaging 0.3 Monero per compromised enterprise system.

Anti-forensic capabilities include selective log deletion targeting Windows Event Log entries related to PowerShell execution, process creation, and network connections. The malware maintains a whitelist of security products and adjusts its behavior accordingly, entering a dormant state when specific monitoring tools activate.

## Malware Infection Chain

1. **Initial Exploitation**: vulnerability exploited, lightweight loader dropped as `ck8yh2og.dll`.
2. **Payload Retrieval**: system reconnaissance performed, mining payload downloaded from compromised sites.
3. **Persistence Setup**: WMI event subscriptions created for idle-state activation.
4. **Process Injection**: Process Doppelgänging injects code into `svchost.exe` and `explorer.exe`.
5. **C2 & Mining**: DNS over HTTPS for C2, dynamic CPU throttling for crypto mining.


## Why Critical Infrastructure Sectors Are Prime Targets

The convergence of operational technology (OT) and information technology (IT) in critical infrastructure has created an irresistible attack surface for cryptocurrency mining operations. Manufacturing facilities, automotive plants, and government infrastructure maintain vast computational resources that run continuously, making them ideal hosts for illicit mining operations that can operate undetected for months.

Industrial control systems present unique detection challenges that threat actors actively exploit. Manufacturing environments typically run resource-intensive processes around the clock, with baseline CPU utilization often exceeding 70-80% during normal operations. When cryptominers consume an additional 15-20% of processing power, the increase falls within expected operational variance, effectively camouflaging malicious activity within legitimate industrial workloads.

Government infrastructure offers particularly attractive targets due to redundant computing capacity built into disaster recovery and continuity planning. Federal and state agencies maintain hot standby systems, backup data centers, and failover clusters that remain largely idle during normal operations. These dormant resources provide perfect mining platforms that generate minimal operational impact while delivering consistent cryptocurrency yields to attackers.

The automotive sector's vulnerability stems from its complex supply chain integration and just-in-time manufacturing dependencies. Modern automotive plants operate with razor-thin margins where a 2% degradation in computational performance can translate to production delays worth millions in lost revenue. **Jaguar Land Rover's reported losses** demonstrate how even minor system compromises cascade through interconnected production lines, affecting everything from robotic assembly to quality control systems.

[Patch management](https://captechgroup.com/services/managed-it-solutions "Comprehensive Managed IT Services | Dayton, Columbus, Cincinnati") in these environments faces institutional barriers that extend beyond technical limitations. Industrial control systems often require vendor certification before applying updates, a process that can take 6-12 months for critical infrastructure components. Government agencies must navigate change advisory boards, security clearance requirements, and multi-tier approval processes that push patch deployment timelines to 90-120 days post-release.

The financial calculus favors targeting these sectors over traditional enterprise networks. A single manufacturing plant's server farm can generate $50,000-$75,000 monthly in cryptocurrency revenue while remaining below detection thresholds. Government data centers offer even higher yields, with documented cases showing monthly revenues exceeding $100,000 from compromised federal infrastructure.

Legacy system dependencies compound vulnerability windows in critical infrastructure. Manufacturing floors still operate Windows Server 2012 and 2016 installations that cannot be upgraded without replacing entire production lines. Government agencies maintain mainframe systems and specialized applications that lack modern security controls, creating permanent backdoors that threat actors systematically catalog and exploit.

The regulatory compliance burden paradoxically increases exposure windows. Critical infrastructure operators must document, test, and validate every system change through exhaustive procedures mandated by NERC CIP, ICS-CERT advisories, and sector-specific regulations. This bureaucratic overhead transforms a 24-hour patch cycle into a quarter-long project, providing threat actors with guaranteed exploitation windows measured in months rather than days.

## Detection and Immediate Response Strategies

Security teams hunting for active infections should begin by examining specific network telemetry patterns that distinguish legitimate traffic from malicious cryptocurrency mining operations. The telemetry data from Cisco Talos reveals five distinct SHA256 hashes that serve as primary indicators of compromise, with **9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507** appearing most frequently across infected systems during the December 2025 campaign.

Network traffic analysis should focus on identifying connections to mining pools through non-standard ports, particularly TCP connections on ports 3333, 8333, and 14444. These connections often masquerade as HTTPS traffic but lack proper certificate validation chains. Security operations centers should configure their SIEM platforms to alert on sustained outbound connections maintaining consistent 30-second heartbeat intervals, a signature pattern of Stratum mining protocol communications.

Memory forensics provides critical detection opportunities that file-based scanning often misses. The **Win.Dropper.Miner::95.sbx.tg** variant specifically allocates memory regions with RWX permissions outside standard process boundaries. Incident responders should examine processes consuming exactly 2048MB of virtual memory with no corresponding disk activity, as this indicates the presence of fileless mining components operating entirely in RAM.

[EDR](https://captechgroup.com/services/cybersecurity-services "Cybersecurity Services | Protect Your Business with Capstone Technologies") and XDR platforms require specific tuning to detect these sophisticated mining operations. Configure behavioral detection rules to flag processes that spawn child processes with names matching the pattern `[8-character-hex].dll`, particularly when these processes immediately establish network connections to IP addresses in the 185.x.x.x and 91.x.x.x ranges. The **W32.Injector:Gen.21ie.1201** detection signature should trigger immediate isolation protocols.
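The three paragraphs above describe network, memory/process and EDR-tuning indicators; the script below is an added, read-only host triage sweep that is not code from the article, Cisco Talos or any EDR vendor. It lists established connections to the mining-pool ports named above (3333, 8333, 14444) or to the /24 ranges the article later recommends blocking, reports loaded DLLs whose names match the 8-character random-name pattern, and hashes running process images against the MD5 and SHA256 indicators quoted in the article. Function names are assumptions. One caveat on the pattern: the article gives it as `[8-character-hex].dll`, but its own sample name `ck8yh2og.dll` is alphanumeric rather than hex, so the regex here is widened to `[0-9a-z]{8}` to match both readings.

```powershell
# Added example (not the article's code): read-only triage of one Windows host
# for the network, module and hash indicators the article describes.
# Run from an elevated shell; Get-NetTCPConnection needs Windows 8 / Server 2012+.

# Indicator hashes as quoted in the article (lower-case for comparison).
$IocHashes = @{
    MD5    = @('2915b3f8b703eb744fc54c81f4a9c67f')
    SHA256 = @('9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507')
}
# Stratum / mining-pool ports the article lists.
$MiningPorts = 3333, 8333, 14444
# The /24 ranges the article recommends blocking; used here only for flagging.
$SuspectPrefixes = '185.215.113.', '91.242.229.'

function Get-MiningConnections {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object {
            $conn = $_
            ($MiningPorts -contains $conn.RemotePort) -or
            ($SuspectPrefixes | Where-Object { $conn.RemoteAddress.StartsWith($_) })
        } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                Pid     = $_.OwningProcess
                Process = $p.ProcessName
                Path    = $p.Path
            }
        }
}

function Get-SuspiciousModules {
    # Widened from the article's "[8-character-hex].dll" (see lead-in).
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try { $mods = $proc.Modules } catch { return }   # protected / cross-bitness processes
        $mods | Where-Object { $_.ModuleName -match '^[0-9a-z]{8}\.dll$' } | ForEach-Object {
            [pscustomobject]@{ Pid = $proc.Id; Process = $proc.ProcessName; Module = $_.FileName }
        }
    }
}

function Get-IocHashMatches {
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        $path = try { $proc.Path } catch { $null }
        if (-not $path) { return }
        foreach ($algo in $IocHashes.Keys) {
            $h = (Get-FileHash -Path $path -Algorithm $algo -ErrorAction SilentlyContinue).Hash
            if ($h -and ($IocHashes[$algo] -contains $h.ToLower())) {
                [pscustomobject]@{ Pid = $proc.Id; Process = $proc.ProcessName; Path = $path; Algorithm = $algo; Hash = $h }
            }
        }
    }
}

'== Established connections to mining-pool ports or flagged ranges =='
Get-MiningConnections | Format-Table -AutoSize
'== Loaded DLLs with 8-character random names =='
Get-SuspiciousModules | Format-Table -AutoSize
'== Running images matching published IoC hashes =='
Get-IocHashMatches | Format-Table -AutoSize
```

The sweep deliberately does not terminate anything: a hash or port match is a reason to capture memory and isolate, and the article's own response list puts the memory dump before cleanup.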

Log analysis reveals distinctive patterns in Windows Event logs that indicate active mining operations. Event ID 4688 (Process Creation) entries showing `wmic.exe` spawning with command-line arguments containing "shadowcopy delete" combined with Event ID 7045 (Service Installation) for services with randomized 16-character names constitute high-confidence indicators of compromise.
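The 4688/7045 pairing above is a correlation rather than a single-event rule, so it is worth showing how to pull both halves from the Windows event logs and join them in time. This is an added example, not code from the article or Cisco Talos; it assumes an elevated shell, that process command-line auditing is enabled (otherwise the `CommandLine` field of 4688 is empty), and a 30-minute correlation window that is my choice, not a figure from the article.

```powershell
# Added example (not the article's code): correlate wmic.exe "shadowcopy delete"
# process creations (Security 4688) with service installs whose name is a
# 16-character random string (System 7045), as described in the article.
param([int]$Hours = 24, [int]$WindowMinutes = 30)   # window size is an assumption

$Since = (Get-Date).AddHours(-$Hours)

# Read a named EventData field out of an event's XML rendering.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Indicator 1: wmic.exe started with a command line that deletes shadow copies.
$ShadowDeletes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-EventField $_ 'NewProcessName'
        $cmd  = Get-EventField $_ 'CommandLine'
        if ($proc -match '\\wmic\.exe$' -and $cmd -match 'shadowcopy\s+delete') {
            [pscustomobject]@{ Time = $_.TimeCreated; Process = $proc; CommandLine = $cmd }
        }
    }

# Indicator 2: a new service whose name is exactly 16 alphanumeric characters.
$RandomServices = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $name = Get-EventField $_ 'ServiceName'
        if ($name -match '^[A-Za-z0-9]{16}$') {
            [pscustomobject]@{ Time = $_.TimeCreated; Service = $name; ImagePath = (Get-EventField $_ 'ImagePath') }
        }
    }

# High-confidence hit only when both indicators fall inside the same window.
foreach ($sd in $ShadowDeletes) {
    $near = $RandomServices | Where-Object { [math]::Abs(($_.Time - $sd.Time).TotalMinutes) -le $WindowMinutes }
    foreach ($svc in $near) {
        [pscustomobject]@{
            ShadowDeleteAt = $sd.Time
            CommandLine    = $sd.CommandLine
            ServiceAt      = $svc.Time
            ServiceName    = $svc.Service
            ImagePath      = $svc.ImagePath
        }
    }
}
```

Either indicator on its own produces noise (backup agents delete shadow copies; some installers use generated service names); requiring both within the window is what makes the pairing high-confidence, which is the same logic a SIEM correlation rule would encode.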

Organizations discovering active infections should execute this prioritized response protocol:

- Immediately isolate affected systems from network segments containing domain controllers and backup infrastructure
- Deploy PowerShell scripts to terminate processes matching MD5 hash **2915b3f8b703eb744fc54c81f4a9c67f**
- Block outbound traffic to IP ranges 185.215.113.0/24 and 91.242.229.0/24 at perimeter firewalls
- Execute memory dumps on suspected systems before initiating cleanup to preserve forensic evidence
- Remove persistence mechanisms by deleting WMI event subscriptions containing `Win32_ProcessStartTrace`
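The last step above, and the WMI event-subscription persistence described in the attack-flow section, both come down to the same three classes in the `root/subscription` namespace: the filter (the WQL query that fires), the consumer (what runs) and the binding that ties them together. The script below is an added example, not code from the article or Cisco Talos: it lists every binding, flags those whose filter query references `Win32_ProcessStartTrace` or the idle/timer classes commonly used for idle-state triggers, or whose consumer executes a command or script, and removes the flagged set only when `-Remove` is passed. The regex of flagged class names and the `-Remove` switch are assumptions; run it elevated.

```powershell
# Added example (not the article's code): enumerate permanent WMI event
# subscriptions, flag the persistence pattern the article describes, and
# optionally remove the flagged filter/consumer/binding triples.
param([switch]$Remove)

$Ns = 'root/subscription'
# Assumption: these class names cover process-start and idle-state style triggers.
$SuspiciousFilter = '(?i)Win32_ProcessStartTrace|PerfFormattedData|Win32_LocalTime|IdleTime'

$Filters   = Get-CimInstance -Namespace $Ns -ClassName __EventFilter -ErrorAction SilentlyContinue
$Consumers = Get-CimInstance -Namespace $Ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
$Bindings  = Get-CimInstance -Namespace $Ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

function Get-RefName {
    # CIM returns binding references as instances with a Name; WMI-style
    # string paths look like __EventFilter.Name="foo". Handle both.
    param($Ref)
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] } else { return $Ref }
    }
    return $Ref.Name
}

$Findings = foreach ($b in $Bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $Filters   | Where-Object Name -eq $fName
    $c = $Consumers | Where-Object Name -eq $cName
    $reasons = @()
    if ($f.Query -match $SuspiciousFilter) { $reasons += 'filter query matches persistence pattern' }
    if ($c.CimClass.CimClassName -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
        $reasons += "consumer executes code ($($c.CimClass.CimClassName))"
    }
    [pscustomobject]@{
        Filter     = $fName
        Query      = $f.Query
        Consumer   = $cName
        Command    = $(if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText })
        Suspicious = [bool]$reasons
        Reason     = $reasons -join '; '
        Objects    = @($b, $f, $c)   # kept for removal
    }
}

$Findings | Select-Object Filter, Consumer, Suspicious, Reason, Query, Command | Format-Table -AutoSize -Wrap

if ($Remove) {
    foreach ($hit in ($Findings | Where-Object { $_.Suspicious })) {
        # Binding first, then the filter and consumer it tied together.
        $hit.Objects | Where-Object { $_ } | Remove-CimInstance -Verbose
    }
}
```

Review the listing before using `-Remove`: some management agents legitimately register `CommandLineEventConsumer` bindings, and removing them breaks monitoring rather than malware. The output, including the full query and command template, is also worth preserving as evidence alongside the memory dump the response list calls for.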
 
Following the NIST Cybersecurity Framework, organizations should implement continuous monitoring for registry modifications to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` containing base64-encoded PowerShell commands. The **Auto.90B145.282358.in02** variant specifically creates registry keys with names matching legitimate Windows services but containing execution paths pointing to temporary directories.
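Both Run-key patterns in the paragraph above can be checked in one pass: values that launch PowerShell with an encoded command (which, for `-EncodedCommand`, is base64 of a UTF-16LE string and can be decoded for review), and values whose name matches an installed service but whose command points into a temporary directory. The script below is an added example, not code from the article; the inclusion of the `WOW6432Node` and `HKCU` Run keys alongside the `HKLM` key the article names, the temp-directory pattern and the function names are assumptions.

```powershell
# Added example (not the article's code): inspect Run keys for base64-encoded
# PowerShell commands and for service-like names launching from temp paths.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',                 # named in the article
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',     # assumption: 32-bit view on x64
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'                  # assumption: current user
)
$ServiceNames = (Get-Service -ErrorAction SilentlyContinue).Name
$TempPattern  = '(?i)\\Temp\\|%TEMP%|%TMP%|\\AppData\\Local\\Temp'

function Get-DecodedCommand {
    # powershell -EncodedCommand takes base64 of UTF-16LE text.
    param([string]$Base64)
    try { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64)) } catch { $null }
}

function Get-SuspiciousRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSChildName, etc.
            $value   = [string]$p.Value
            $reasons = @()
            # -e / -enc / -encodedcommand followed by a base64 blob; group 3 is the blob.
            if ($value -match '(?i)powershell.*\s-e(nc(odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})') {
                $reasons += 'encoded PowerShell, decodes to: ' + (Get-DecodedCommand $Matches[3])
            }
            elseif ($value -match '[A-Za-z0-9+/]{60,}={0,2}') {
                $reasons += 'long base64-like blob in command'
            }
            if (($ServiceNames -contains $p.Name) -and ($value -match $TempPattern)) {
                $reasons += 'service-like name launching from a temp directory'
            }
            if ($reasons) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $value; Reason = ($reasons -join '; ') }
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-List
```

For continuous monitoring rather than a point-in-time check, the same logic belongs in a scheduled task or an EDR custom rule keyed on registry-set events for these paths; the decode step is what turns an opaque blob into something an analyst can read and triage.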

Real-time detection requires correlation between multiple data sources. When DNS queries to newly registered domains spike above 500 requests per hour coinciding with CPU utilization increases of 15-25% during non-business hours, immediate investigation is warranted. These patterns, combined with the presence of files matching the **W32.1AA70D7DE0-95.SBX.TG** signature, confirm active mining operations requiring immediate containment.

## Securing Against Qilin and UAT-9686: Remediation and Prevention

Organizations defending against the Qilin cartel and UAT-9686 must implement comprehensive hardening measures that address the specific operational patterns these groups demonstrated throughout 2025. The convergence of ransomware and cryptomining tactics requires defensive strategies that account for both immediate disruption and long-term resource theft.

Patching the critical Fortinet vulnerabilities demands immediate prioritization within a structured timeline. Organizations running FortiOS versions 7.0.0 through 7.0.14 should complete upgrades to version 7.0.15 or later within 48 hours of patch availability. FortiWeb deployments on versions 6.3.x and 7.0.x require migration to 7.2.x branches within 72 hours, with temporary compensating controls implemented during the transition window.

The patching sequence matters significantly when addressing interconnected security appliances. Security teams should first isolate FortiProxy instances from production traffic, upgrade them to patched versions, then progressively update FortiWeb and FortiSwitchManager components while maintaining redundant paths for critical services. This staged approach prevents the service disruptions that Qilin specifically targets during vulnerability windows.

**Application whitelisting configurations must account for the specific execution patterns observed in UAT-9686 operations.** The threat group consistently deploys payloads through Windows Script Host, PowerShell, and legitimate administrative tools like PsExec and WMI. Effective whitelisting policies should restrict script execution to signed scripts only, implement PowerShell Constrained Language Mode, and require administrative approval for any new executable introductions into production environments.

Process execution controls require granular implementation beyond standard endpoint protection. The observed tactics involve spawning child processes from legitimate parent applications, particularly `svchost.exe` and `services.exe`. Security teams should deploy Windows Defender Application Control (WDAC) policies that enforce code integrity checks and block unsigned kernel drivers, while maintaining audit logs of all process creation events with command-line parameters.

Network segmentation for operational technology environments demands specialized consideration given the manufacturing sector targeting observed in December 2025. Industrial control networks should implement unidirectional security gateways between IT and OT zones, preventing the lateral movement patterns that enabled cryptominer deployment across production systems. Each manufacturing cell should operate within isolated VLANs with explicit firewall rules permitting only essential protocols like Modbus TCP and OPC UA.

The threat actors' documented tactics, techniques, and procedures reveal exploitation preferences that inform defensive priorities. Qilin consistently performs Active Directory enumeration using BloodHound and ADFind before deploying ransomware, while UAT-9686 focuses on harvesting AWS IAM credentials through memory scraping techniques. These patterns necessitate enhanced monitoring of LDAP queries, implementation of credential guard on domain controllers, and deployment of AWS CloudTrail with real-time alerting for unusual API calls.

Long-term resilience against these specific threat groups requires understanding their operational tempo. Qilin maintains a 72-hour window between initial access and ransomware deployment, using this period for data exfiltration and lateral movement. UAT-9686 operates on longer timescales, maintaining cryptominer presence for 30-45 days before rotating infrastructure. These temporal patterns should inform backup retention policies, log rotation schedules, and incident response team shift coverage during high-risk periods.

<!-- AI:SCHEMA: Schema.org description of canonical page in JSON-LD format -->
<!-- AI:SCHEMA:BEGIN format=jsonld scope=page -->

```json
{
    "@context": "http://schema.org",
    "@graph": [
        {
            "@type": "Article",
            "author": {
                "@id": "https://captechgroup.com/#brian_0fd5dfcdbc"
            },
            "dateModified": "2025-12-31T02:20:34Z",
            "datePublished": "2025-12-31T02:20:34Z",
            "description": "Analyze the Win.Worm.Coinminer campaign by Qilin and UAT-9686 targeting automotive, government, and manufacturing sectors. CVE-2025-59718 and CVE-2025-59719…",
            "headline": "Adios 2025, You Won't Be Missed: Qilin and UAT-9686 Threat Actors Behind Win.Worm.Coinminer Campaign",
            "image": {
                "@id": "https://captechgroup.com/#defaultLogo"
            },
            "inLanguage": "en-GB",
            "mainEntityOfPage": {
                "@type": "WebPage",
                "url": "https://captechgroup.com/threat-intelligence-center/adios-2025-you-won-t-be-missed-qilin-and-uat-9686-threat-actors-behind-win-worm-coinminer-campaign-1767147101"
            },
            "publisher": {
                "@id": "https://captechgroup.com/#defaultPublisher"
            },
            "url": "https://captechgroup.com/threat-intelligence-center/adios-2025-you-won-t-be-missed-qilin-and-uat-9686-threat-actors-behind-win-worm-coinminer-campaign-1767147101"
        },
        {
            "@type": "Person",
            "name": "Brian",
            "@id": "https://captechgroup.com/#brian_0fd5dfcdbc"
        },
        {
            "@id": "https://captechgroup.com/#defaultLogo",
            "@type": "ImageObject",
            "url": "https://captechgroup.com/images/hotlink-ok/logo-light.jpg",
            "width": 1300,
            "height": 300
        },
        {
            "@id": "https://captechgroup.com/#defaultPublisher",
            "@type": "Organization",
            "url": "https://captechgroup.com/",
            "logo": {
                "@id": "https://captechgroup.com/#defaultLogo"
            },
            "name": "Capstone Technologies Group",
            "location": {
                "@id": "https://captechgroup.com/#defaultPlace"
            }
        },
        {
            "@id": "https://captechgroup.com/#defaultPlace",
            "@type": "Place",
            "address": {
                "@id": "https://captechgroup.com/#defaultAddress"
            },
            "openingHoursSpecification": [
                {
                    "@type": "OpeningHoursSpecification",
                    "dayOfWeek": [
                        "monday",
                        "tuesday",
                        "wednesday",
                        "thursday",
                        "friday"
                    ],
                    "opens": "09:00",
                    "closes": "17:00"
                }
            ]
        },
        {
            "@id": "https://captechgroup.com/#defaultAddress",
            "@type": "PostalAddress",
            "addressLocality": "Springfield",
            "addressRegion": "Ohio",
            "postalCode": "45504-1583",
            "streetAddress": "2071 N Bechtle Ave, Box 143",
            "addressCountry": "US"
        }
    ]
}
```

<!-- AI:SCHEMA:END -->

