Denso Ransomware Attack by Qilin (April 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Leak Site Screenshot
Screenshot captured at time of discovery. Image blurred to protect victim PII.
Claim Summary
On April 24, 2026, the Qilin ransomware group allegedly added Japanese automotive components manufacturer Denso to its dark web leak site. The claim, posted at 18:50 UTC, lists Denso’s corporate domain (www.denso-ts.com) and identifies the victim as operating in the manufacturing sector. No data samples, file listings, or specific data volume were disclosed by the threat actor at the time of this report. This claim remains unverified by Yazoul Security or any independent third party.
Threat Actor Profile
Qilin (also tracked as Agenda and, by Secureworks, as Gold Feather) is a ransomware-as-a-service operation first observed in mid-2022. UNC3944 (Scattered Spider) is frequently listed alongside these names but is not an alias of Qilin: it is a separate intrusion crew that has operated as a Qilin affiliate and deployed Qilin payloads after gaining access through social engineering. Qilin's leak site lists 1,617 victims to date, though this figure likely includes both confirmed and unconfirmed incidents. The group is known for targeting manufacturing, technology, and healthcare sectors globally.
Known Tools and Tactics:
- Credential theft: Mimikatz for credential dumping
- Defense evasion: EDRSandBlast, PCHunter, PowerTool to disable security tools
- Network reconnaissance: Nmap, Nping for lateral movement mapping
- Exfiltration: EasyUpload.io and MEGA for data theft
- Propagation: Custom PowerShell scripts, including variants targeting VMware vCenter and ESXi hypervisors
Qilin has demonstrated a high level of operational maturity, often employing double extortion tactics - encrypting systems while exfiltrating sensitive data to pressure victims into payment. Their credibility is moderate to high based on their track record of successfully breaching large enterprises, though they have been known to exaggerate victim counts and data volumes.
Alleged Data Exposure
According to the leak site entry, Qilin claims to have accessed Denso’s corporate network but has not yet published any data samples or detailed descriptions of stolen information. The absence of data volume disclosure is notable - this could indicate:
- The breach is in early stages of negotiation
- Qilin is still processing exfiltrated data
- The claim may be opportunistic or unsubstantiated
Without evidence, we cannot confirm what data, if any, was compromised.
Potential Impact
If confirmed, this incident could have significant consequences for Denso, a major Tier 1 automotive supplier to Toyota, Honda, and other manufacturers:
- Operational disruption: Manufacturing systems or supply chain management platforms could be encrypted, causing production delays
- Intellectual property theft: Proprietary designs, engineering data, or trade secrets may be at risk
- Supply chain risk: Denso’s partners and customers could face secondary impacts if shared data is exposed
- Regulatory exposure: Under Japan's Act on the Protection of Personal Information (APPI), Denso would face mandatory reporting to the Personal Information Protection Commission (PPC) and notification of affected individuals if employee or customer PII is confirmed to be involved
What to Watch For
- Leak site updates: Monitor Qilin’s portal for any data publication or negotiation timeline
- Official statements: Denso has not publicly commented as of this report. Any confirmation or denial from the company should be treated as authoritative
- Detection guidance: Organizations hunting for Qilin-related activity in their own telemetry should review the following resources:
- Secureworks’ Gold Feather profile for behavioral detection
- Trend Micro’s analysis of Agenda ransomware propagation to vCenter/ESXi
- Google Cloud's threat intelligence on UNC3944 (Scattered Spider), a Qilin affiliate, covering its SMS phishing and SIM-swapping tactics used for initial access
- YARA rules: While no specific YARA rules for this incident exist, general Qilin detection rules are available through public repositories and commercial threat intelligence feeds
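The tool list in the Threat Actor Profile and the detection guidance above name tools and services but no ready-to-run hunt logic. The following is an added example written for this report (not code from Yazoul Security, Qilin, or any of the vendors cited): a triage script that reads Sysmon-style JSON records (EventID 1 process creation, EventID 3 network connection), matches them against the tool families named above, and ranks hosts by how many distinct intrusion stages appear on them. The binary names are the tools' default filenames and the command-line patterns are analyst heuristics; both are assumptions, since operators rename binaries. The telemetry records are constructed for illustration and do not come from Denso or any real network.

```python
"""Triage endpoint telemetry for the tooling attributed to Qilin (added example)."""
import json
import re
from collections import defaultdict

# Default binary names of the tools named in the report. ASSUMPTION: operators
# routinely rename binaries, so a miss proves nothing and a hit is a lead, not a verdict.
TOOL_IMAGES = {
    "credential_theft": {"mimikatz.exe"},
    "defense_evasion": {"edrsandblast.exe", "pchunter32.exe", "pchunter64.exe",
                        "powertool.exe", "powertool64.exe"},
    "recon": {"nmap.exe", "nping.exe"},
    "exfiltration": {"megasync.exe", "megacmd.exe"},
}

# Command-line heuristics that still fire when the binary has been renamed (assumed patterns).
CMDLINE_PATTERNS = {
    # Mimikatz module syntax: privilege::debug, sekurlsa::logonpasswords, lsadump::dcsync
    "credential_theft": re.compile(r"\b(sekurlsa|lsadump|privilege)::", re.I),
    # PowerShell/PowerCLI reaching for vCenter or ESXi, as in the propagation variants cited above
    "hypervisor_targeting": re.compile(r"connect-viserver|esxcli|vim-cmd|vmfs/volumes", re.I),
}

# Public file-sharing services the report names as exfiltration channels.
EXFIL_DOMAINS = {"mega.nz", "mega.io", "easyupload.io"}


def classify(event):
    """Return a list of (category, evidence) tuples for one record; [] if nothing matched."""
    hits = []
    if event.get("EventID") == 1:
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        cmdline = event.get("CommandLine", "")
        for category, names in TOOL_IMAGES.items():
            if image in names:
                hits.append((category, f"image={image}"))
        for category, pattern in CMDLINE_PATTERNS.items():
            if pattern.search(cmdline):
                hits.append((category, f"cmdline~{pattern.pattern}"))
    elif event.get("EventID") == 3:
        host = event.get("DestinationHostname", "").lower().rstrip(".")
        # Match the service domain and any subdomain (e.g. g.api.mega.nz).
        if any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS):
            hits.append(("exfiltration", f"dst={host}"))
    return hits


def triage(jsonl_records):
    """Group hits per host: {host: {"categories": set, "evidence": [str]}}."""
    per_host = defaultdict(lambda: {"categories": set(), "evidence": []})
    for line in jsonl_records:
        if not line.strip():
            continue
        event = json.loads(line)
        for category, evidence in classify(event):
            entry = per_host[event.get("Computer", "unknown")]
            entry["categories"].add(category)
            entry["evidence"].append(f"{event.get('UtcTime', '?')} {category}: {evidence}")
    return dict(per_host)


def prioritise(per_host):
    """Hosts showing several distinct stages are far stronger signal than any single tool name."""
    return sorted(per_host.items(), key=lambda kv: (-len(kv[1]["categories"]), kv[0]))


# Constructed Sysmon-style records for illustration only (not real telemetry).
SAMPLE_TELEMETRY = [
    json.dumps({"EventID": 1, "UtcTime": "2026-04-23 02:11:04", "Computer": "WS-ENG-17",
                "Image": "C:\\Users\\Public\\svc.exe",  # renamed Mimikatz: only the cmdline rule fires
                "CommandLine": "svc.exe privilege::debug sekurlsa::logonpasswords"}),
    json.dumps({"EventID": 1, "UtcTime": "2026-04-23 02:14:52", "Computer": "WS-ENG-17",
                "Image": "C:\\Users\\Public\\PCHunter64.exe", "CommandLine": "PCHunter64.exe"}),
    json.dumps({"EventID": 1, "UtcTime": "2026-04-23 02:40:10", "Computer": "WS-ENG-17",
                "Image": "C:\\Program Files (x86)\\Nmap\\nmap.exe",
                "CommandLine": "nmap.exe -sS -p 22,443,902 10.20.0.0/16"}),
    json.dumps({"EventID": 3, "UtcTime": "2026-04-23 03:05:33", "Computer": "WS-ENG-17",
                "Image": "C:\\Users\\Public\\MEGAsync.exe",
                "DestinationHostname": "g.api.mega.nz", "DestinationPort": 443}),
    json.dumps({"EventID": 1, "UtcTime": "2026-04-23 03:20:01", "Computer": "JUMP-01",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "powershell.exe -ep bypass -c \"Connect-VIServer vcsa.corp.local; "
                               "Get-VM | Stop-VM -Confirm:$false\""}),
    json.dumps({"EventID": 1, "UtcTime": "2026-04-23 09:00:00", "Computer": "WS-HR-03",
                "Image": "C:\\Program Files (x86)\\Nmap\\nmap.exe",  # lone scan: low priority
                "CommandLine": "nmap.exe -sn 10.20.5.0/24"}),
]


def run_sample():
    """Triage the constructed records and return hosts ordered by number of distinct stages."""
    return prioritise(triage(SAMPLE_TELEMETRY))


if __name__ == "__main__":
    for host, data in run_sample():
        print(f"{host}: {len(data['categories'])} stage(s) -> {sorted(data['categories'])}")
        for line in data["evidence"]:
            print("   ", line)
```

Running the sample puts WS-ENG-17 first with four distinct stages (credential theft caught by the command-line rule despite the renamed binary, defense evasion, recon, and egress to mega.nz), while the single Nmap ping sweep on WS-HR-03 and the lone PowerCLI session on JUMP-01 each score one stage and stay at the bottom of the queue for follow-up. Swap `SAMPLE_TELEMETRY` for a real Sysmon or EDR export in JSON lines form to use it against live data.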
Disclaimer
This report is based on unverified claims posted by the Qilin ransomware group on their dark web leak site. Yazoul Security has not independently confirmed any data breach, network intrusion, or data exfiltration at Denso. Ransomware groups routinely exaggerate or fabricate claims to pressure victims into negotiations. All information should be treated as preliminary and subject to verification. No sensitive data, credentials, or access methods have been disclosed in this report.