Indcar Ransomware Attack by Qilin (April 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Leak Site Screenshot
Screenshot captured at time of discovery. Image blurred to protect victim PII.
Claim Summary
On April 21, 2026, the Qilin ransomware group allegedly added Industrial Carrocera Arbuciense (Indcar) to their leak site. Indcar, operating under the domain www.indcar.es, is a Spanish manufacturer of bus bodies and coaches. The threat actor claims to have compromised the organization’s systems, though no specific data samples or volume details have been released at this time. The attack date is listed as April 21, 2026. This claim has not been independently verified by Yazoul Security.
Threat Actor Profile
Qilin (also tracked as Agenda) is a ransomware-as-a-service (RaaS) group first observed in 2022. According to available research, the group has allegedly claimed 1,617 victims to date, indicating a high-volume, opportunistic operational model. Qilin is known for targeting manufacturing, technology, and healthcare sectors globally.
The group’s known toolset includes:
- Mimikatz for credential dumping
- EDRSandBlast for endpoint detection and response evasion
- PCHunter and PowerTool for kernel-level process manipulation
- Nmap and Nping for network reconnaissance
- EasyUpload.io and MEGA for data exfiltration
Qilin has demonstrated technical sophistication, including custom PowerShell scripts for lateral movement and the ability to propagate to VMware vCenter and ESXi hypervisors, as documented by Trend Micro. The group also employs SMS phishing and SIM swapping tactics, per Google Cloud’s Threat Intelligence analysis. Their credibility is moderate to high given their established victim count, though they routinely exaggerate claims to pressure victims into payment.
Alleged Data Exposure
As of this report, Qilin has not published any data samples or disclosed the volume of data allegedly exfiltrated from Indcar. The group’s standard practice involves leaking a portion of stolen data as a proof-of-life before demanding payment. The absence of published data may indicate the attack is in its early negotiation phase, or that the claim is unsubstantiated. No specific file types, database dumps, or intellectual property have been cited.
Potential Impact
If verified, this incident could have significant consequences for Indcar:
- Operational disruption: Manufacturing processes, supply chain management, and vehicle production schedules may be impacted.
- Intellectual property theft: Design blueprints, engineering specifications, and proprietary manufacturing processes could be exposed.
- Regulatory exposure: As an EU-based company, Indcar may face GDPR penalties if personal data of employees or customers is compromised.
- Reputational damage: Trust from clients, partners, and public transit authorities could erode.
The manufacturing sector remains a prime target for ransomware groups due to the high cost of downtime and the value of proprietary data.
What to Watch For
- Leak site updates: Monitor Qilin’s leak site for any published data samples or full dumps.
- Public statements: Indcar may issue a press release or regulatory filing if the breach is confirmed.
- Third-party notifications: Partners and clients may receive breach notifications if data is shared.
- Detection guidance: For organizations using YARA, consider rules targeting Qilin’s known tools (e.g., EDRSandBlast, custom PowerShell scripts). Secureworks’ threat profile (Gold Feather) provides additional detection indicators.
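One way to act on the detection guidance above, as an added example that is not part of this report or of any vendor's tooling: a Python triage script that maps the toolset named in the Threat Actor Profile to the tactic each serves, scans process-creation and proxy log records for those tools, and ranks hosts by how many distinct tactics appear together. The key=value log format, the field names and the sample records are constructed assumptions; mega.nz is MEGA's service domain.

```python
import re
from collections import defaultdict

# Tools named in the report's Threat Actor Profile, grouped by the tactic each
# serves.  Indicators are lowercase substrings checked against the process
# image, command line and network destination fields of each log record.
QILIN_TOOL_INDICATORS = {
    "credential_access": ("mimikatz",),
    "defense_evasion": ("edrsandblast", "pchunter", "powertool"),
    "reconnaissance": ("nmap", "nping"),
    "exfiltration": ("easyupload.io", "mega.nz"),
}
WATCHED_FIELDS = ("image", "cmd", "dest")  # assumed field names
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one key=value log line (quoted values allowed) into a dict."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}

def detect_qilin_tooling(lines):
    """Return one alert per (record, indicator) hit, in log order."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        haystack = " ".join(rec.get(f, "") for f in WATCHED_FIELDS).lower()
        for tactic, indicators in QILIN_TOOL_INDICATORS.items():
            for ind in indicators:
                if ind in haystack:
                    alerts.append({"ts": rec.get("ts"), "host": rec.get("host"),
                                   "tactic": tactic, "indicator": ind})
    return alerts

def prioritize_hosts(alerts):
    """Rank hosts by distinct tactics seen: credential dumping, EDR tampering
    and exfiltration on one host is a far stronger signal than a lone scan."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["tactic"])
    return sorted(((h, sorted(t)) for h, t in seen.items()),
                  key=lambda ht: (-len(ht[1]), ht[0]))

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    'ts=2026-04-21T02:58:10Z host=ws17 event=process image=C:\\Tools\\mimikatz.exe cmd="mimikatz.exe"',
    'ts=2026-04-21T03:01:45Z host=ws17 event=process image=C:\\Temp\\EDRSandBlast.exe cmd=""',
    'ts=2026-04-21T03:04:02Z host=srv02 event=process image=C:\\Tools\\nmap.exe cmd="nmap.exe"',
    'ts=2026-04-21T03:20:31Z host=ws17 event=net dest=https://mega.nz/ bytes=734003200',
    'ts=2026-04-21T03:21:00Z host=ws09 event=process image=C:\\Windows\\notepad.exe cmd=""',
]
```

Running prioritize_hosts(detect_qilin_tooling(SAMPLE_LOG)) ranks ws17 (three tactics) above srv02 (one), which is the order an analyst should work them.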
Disclaimer
This report is based on an unverified claim posted by the Qilin ransomware group on their leak site. Yazoul Security has not independently confirmed the breach, the extent of data exfiltration, or the validity of the threat actor’s statements. Ransomware groups frequently exaggerate or fabricate claims to pressure victims. Organizations should treat this information as intelligence, not fact, and await official confirmation from Indcar or relevant authorities. No PII, credentials, download links, or access methods are provided in this report.