Jayeff Construction Ransomware Attack by Qilin (Apr 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Leak Site Screenshot
Screenshot captured at time of discovery. Image blurred to protect victim PII.
Claim Summary
The Qilin ransomware group has claimed responsibility for a cyberattack against Jayeff Construction, a UK-based construction company operating through the domain www.jayeff.com. The claim was posted to the group’s leak site on April 30, 2026. The threat actor states that it exfiltrated data from the organization, though the volume and nature of the allegedly stolen information remain undisclosed. This report is based solely on the group’s unverified claims and should be treated with appropriate skepticism.
Threat Actor Profile
Qilin (also tracked as Agenda) is a ransomware-as-a-service (RaaS) operation that has been active since at least 2022. The group has claimed 1,617 victims to date, though this figure likely includes both confirmed and unverified incidents. Qilin is known for targeting a wide range of industries, with a particular focus on construction, manufacturing, and professional services.
The group’s known toolset is extensive and includes:
- Mimikatz: For credential dumping and lateral movement
- EDRSandBlast: To bypass endpoint detection and response systems
- PCHunter and PowerTool: For process and kernel manipulation
- Nmap and Nping: For network reconnaissance and scanning
- EasyUpload.io and MEGA: For data exfiltration and staging
Qilin has been observed using custom PowerShell scripts to propagate to VMware vCenter and ESXi environments, as documented by Trend Micro. The group also employs SMS phishing and SIM-swapping techniques, as noted by Google Cloud’s threat intelligence team. Secureworks tracks this group under the identifier Gold Feather.
Alleged Data Exposure
The Qilin group has not disclosed specific details about the data allegedly stolen from Jayeff Construction. The data volume is listed as “Undisclosed,” and no sample files or screenshots have been provided to substantiate the claim. This lack of evidence is notable and may indicate either a low-confidence claim or an attempt to pressure the victim into negotiations before releasing proof.
Given the construction industry’s reliance on project management data, blueprints, financial records, and employee information, any confirmed breach could expose sensitive operational and personal data.
Potential Impact
If the claim is verified, Jayeff Construction could face several consequences:
- Operational disruption: Construction projects may be delayed if critical systems are encrypted or data is inaccessible.
- Financial loss: Ransom demands, recovery costs, and potential regulatory fines under UK data protection laws (GDPR).
- Reputational damage: Clients and partners may lose trust in the company’s cybersecurity posture.
- Legal liability: If employee or client data is exposed, the company could face lawsuits or regulatory action.
The construction sector is increasingly targeted by ransomware groups due to its often fragmented IT infrastructure and reliance on third-party contractors.
What to Watch For
- Proof of data: Monitor for Qilin to release sample files or screenshots to substantiate their claim. Without this, the claim remains unverified.
- Regulatory notifications: The UK’s Information Commissioner’s Office (ICO) may issue guidance if the breach involves personal data.
- YARA rules: Security researchers may release detection rules for Qilin’s tools. Organizations should monitor for signatures related to Mimikatz, EDRSandBlast, and custom PowerShell scripts.
- Network indicators: Look for unusual outbound traffic to EasyUpload.io or MEGA, as these are known exfiltration endpoints for Qilin.
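The last two items above translate into a simple detection that can be run over outbound web-proxy logs. The script below is an added example written for this report, not tooling from Yazoul Security or from any vendor cited here: it suffix-matches destination hostnames against the file-sharing services the report names (EasyUpload.io and MEGA), counts only upload-style requests (POST/PUT/PATCH), and aggregates bytes sent per internal source so that a single large upload, or many small ones, surfaces as one alert. The proxy log format, the sample lines, the exact MEGA hostnames (mega.nz, mega.io, mega.co.nz) and the 10 MiB reporting threshold are all constructed assumptions for the example and should be tuned to the environment.

```python
"""
Added example (not from the Yazoul Security report): flag outbound web-proxy
log lines whose destination matches file-sharing services the report names as
Qilin exfiltration/staging endpoints (EasyUpload.io, MEGA), and rank internal
hosts by how much they uploaded there.

Assumptions (not stated on the page): the proxy log format below, the exact
MEGA hostnames (mega.nz, mega.io, mega.co.nz) and the byte threshold used to
report hits are constructed for this example; tune them to your environment.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Domains associated with the services the report names. Suffix-matching on
# DNS labels means "api.mega.nz" matches "mega.nz" but "notmega.nz" does not.
EXFIL_DOMAINS: Set[str] = {"easyupload.io", "mega.nz", "mega.io", "mega.co.nz"}

# Constructed sample lines: "<ts> <src_ip> <method> <url> <status> <bytes_out>"
SAMPLE_LOG = """\
2026-04-29T21:03:11Z 10.20.5.14 POST https://easyupload.io/api/upload 200 734003200
2026-04-29T21:04:02Z 10.20.5.14 PUT https://g.api.mega.co.nz/ul/abc 200 1073741824
2026-04-29T21:05:40Z 10.20.5.21 GET https://www.jayeff.com/ 200 1520
2026-04-29T21:06:13Z 10.20.5.30 GET https://notmega.nz/index.html 200 4096
2026-04-29T21:07:55Z 10.20.5.14 POST https://mega.nz/upload 200 52428800
2026-04-29T21:08:10Z 10.20.5.44 GET https://updates.example.com/patch.bin 200 900000
"""


def domain_matches(host: str, watchlist: Set[str]) -> bool:
    """True if host equals, or is a subdomain of, any watchlisted domain."""
    labels = host.lower().rstrip(".").split(".")
    # Test every label suffix: api.mega.nz -> api.mega.nz, mega.nz, nz
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))


def parse_line(line: str) -> Optional[Dict]:
    """Parse one constructed proxy line; return None for malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, method, url, status, bytes_out = parts
    host = urlsplit(url).hostname or ""
    return {"ts": ts, "src": src, "method": method, "host": host,
            "status": status, "bytes_out": int(bytes_out)}


def find_exfil_candidates(log_text: str, watchlist: Set[str] = EXFIL_DOMAINS,
                          min_bytes: int = 10 * 1024 * 1024) -> List[Dict]:
    """Return one record per internal source that sent >= min_bytes to a
    watchlisted domain via an upload-style method, largest sender first."""
    totals = defaultdict(lambda: {"bytes_out": 0, "hosts": set(), "events": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not domain_matches(rec["host"], watchlist):
            continue
        # Uploads arrive as write methods; GETs to the same domains are low signal
        if rec["method"].upper() not in {"POST", "PUT", "PATCH"}:
            continue
        agg = totals[rec["src"]]
        agg["bytes_out"] += rec["bytes_out"]
        agg["hosts"].add(rec["host"])
        agg["events"] += 1
    results = [{"src": src, "bytes_out": a["bytes_out"],
                "hosts": sorted(a["hosts"]), "events": a["events"]}
               for src, a in totals.items() if a["bytes_out"] >= min_bytes]
    return sorted(results, key=lambda r: r["bytes_out"], reverse=True)


if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_LOG):
        print(f"{hit['src']}: {hit['bytes_out'] / 2**20:.1f} MiB in "
              f"{hit['events']} upload(s) to {', '.join(hit['hosts'])}")
```

Run against the constructed sample, only 10.20.5.14 is reported: it pushed roughly 1.7 GiB across three uploads to easyupload.io, g.api.mega.co.nz and mega.nz, while the browse of www.jayeff.com, the look-alike notmega.nz host and the ordinary download from updates.example.com are ignored. Aggregating per source rather than alerting per line is deliberate: staged exfiltration is often chunked, and a per-host byte total is what an analyst needs when deciding whether to isolate a machine.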
Disclaimer
This intelligence report is based on unverified claims made by the Qilin ransomware group on their leak site. Yazoul Security has not independently confirmed the validity of these claims, the extent of any data breach, or the identity of the victim. Ransomware groups frequently exaggerate or fabricate attacks to pressure victims into paying ransoms. This information is provided for defensive purposes only and should not be used as a basis for legal or financial decisions. Organizations should verify any claims through official channels before taking action.