Qilin lists Malaysia Airlines on leak site, no public confirmation

The Qilin ransomware group listed Malaysia Airlines on its extortion leak site on Feb. 27, claiming the carrier had been hit in a double‑extortion attack, according to security feeds and industry monitors. HookPhish, an incident aggregator, recorded a Date of Breach of 2026-02-26 16:38:17.580703 and a Discovery Date of 2026-02-26 16:38:36.776424 and identified the target domain as malaysiaairlines.com/my/en/home.html. Cybernews published a same‑day item noting the Qilin post.

SOCRadar, which monitors Qilin activity, described the group’s approach as a standard double‑extortion tactic. "The operators run a classic double extortion model. They steal data, encrypt systems, then threaten publication on a Tor leak site if talks fail," the firm said in its analysis. SOCRadar also refers to Qilin as Agenda ransomware and characterizes it as a Ransomware‑as‑a‑Service actor capable of tailoring attacks to victims’ environments. The vendor placed Qilin among the leading named groups active in Malaysia, while noting it accounts for less than one fifth of observed cases in the region.

Public details about the Malaysia Airlines claim are limited in the feeds reviewed. HookPhish includes a standard disclaimer: "HookPhish does not engage in the exfiltration, downloading, taking, hosting, viewing, reposting, or disclosure of any stolen information. All breach data reported here is sourced from publicly available threat intelligence feeds for awareness purposes only." The specific Qilin leak‑site post for Malaysia Airlines was not provided in the materials reviewed, and the Cybernews excerpt available to reporters was truncated.

Previous incidents attributed to Qilin or reported on its leak sites provide context for the threat the group poses. Industrialcyber Co reported an alleged March 2025 attack on Malaysia Airports Holdings Bhd that involved the theft of 2 terabytes of data and a reported $10 million demand, which the airport refused. Blackfog documented other claims associated with Qilin, including a listing for Spark Power that alleged possession of 222 GB of company data and a mid‑November posting claiming Cornerstone Staffing Services suffered a 300 GB exfiltration that included 120,000 resumes as part of a larger cache said to contain roughly 1 million files and 24 million pieces of personal information. Blackfog also noted that Bangchak Group publicly confirmed unauthorized access to certain personal data after a Qilin listing, saying no financial information was involved and that corrective actions had been taken.

Security vendors caution that Qilin seldom discloses ransom amounts in its initial public claims. "Qilin does not typically disclose its ransom demands when claiming attacks, so available data is limited," Industrialcyber Co noted.

The record assembled for this report contains no direct statement from Malaysia Airlines and no public comment from Malaysian investigators or national cyber authorities. SOCRadar and other monitors are continuing to track the Qilin leak site for corroborating evidence, but the available feeds do not include screenshots or sample files tied to the Malaysia Airlines entry. Verification steps outlined by threat intelligence providers include obtaining the leak‑site posting, confirming timestamps and samples, and seeking on‑the‑record responses from the carrier and Malaysian authorities.